How to apply MFA for IIS Apps such as OWA, RDWeb and SharePoint
When UserLock IIS MFA is activated for a specific IIS application such as Outlook Web Access (see this advanced use case for details), RDWeb, SharePoint, CRM or an intranet website, the UserLock IIS agent redirects the user to a dedicated web application where the user enrolls for MFA and enters the MFA code before being allowed into the protected IIS application.
A walkthrough of how to add two-factor authentication to Outlook Web Access and RDWeb with UserLock
In this use case, we are going to protect a single web application (Outlook Web Access) using MFA for IIS.
- Install the UserLock IIS agent on the IIS server
- Install the UserLock IIS MFA feature
- Add the UserLock MFA application in IIS
- Apply MFA to server connections for protected users
- Perform an MFA IIS connection
1. Install the UserLock IIS agent on the IIS server
- IIS applications must be protected by the UserLock 'IIS agent', which uses HTTP Module technology. See the specific section below.
- The UserLock "IIS MFA" feature must be installed on the IIS server to which users are redirected when MFA is required. See the specific section below.
Using split-brain DNS, the IP address of the IIS server hosting the IIS MFA module must be reachable as follows:
- Internally, from within the private network.
- Externally, from the Internet.
- The external router is configured to forward the designated port from the outside to the IIS server hosting the IIS MFA module.
- NOTE: An Exchange Client Access Server is an example of a server that meets the above criteria.
IIS applications must be protected by the UserLock 'IIS agent', which uses HTTP Module technology.
- Run the UserLock console.
- In the "Agent distribution" view, select the “IIS” line of the IIS server that will host the IIS applications to protect with UserLock. Right-click and select "Install".
- On this target IIS server, configure the IIS applications to protect with the UserLock 'IIS agent' (HTTP Module technology). For details, see this page.
2. Install the UserLock IIS MFA feature
The UserLock "IIS MFA" feature must be installed on the IIS server to which users are redirected when MFA is required. Note that this feature is not installed if you chose “Standard” when installing UserLock.
- Log on to the IIS server to which users are redirected when MFA is required.
If UserLock is already installed:
Control Panel, Uninstall a program, UserLock, Change:
- As explained above: click “Web Applications”, then “IIS MFA”, and choose “The feature will be installed…”.
On a new UserLock installation, choose “Custom”, then click “Web Applications”, then “IIS MFA”, and choose “The feature will be installed…”:
If installing on Windows Server 2012 R2, the installer proposes additional dependencies to install:
Automatic installation of Microsoft Visual C++ 2015 Redistributable Package (x64):
Automatic installation of Microsoft .NET Core 3.1.8:
If no IIS application on this server is protected by UserLock and you only want to configure IIS MFA on it:
- Run the UserLock console. In the "Agent distribution" view, select the “IIS” line of the IIS server to which users are redirected when MFA is required. Right-click and select "Install". This deploys the UserLock server name(s) to the registry of that server.
Log on to the target IIS server. Run Regedit. Delete the following registry value:
3. Add the UserLock MFA application in IIS
There are two ways to add the UserLock MFA application in IIS: with a command-line tool, or via the IIS Manager console.
To install it with the command-line tool (UserLockInstaller.exe):
Run UserLockInstaller.exe (%ProgramFiles(x86)%\ISDecisions\UserLock\UserLockInstaller).
Choose "Install MFA for IIS" (here n°6), then go directly to step 6 (Add the UserLock MFA application in IIS).
To install it via the IIS Manager console:
In IIS Manager, create a new Application Pool with the following parameters:
- Name: 'UserLockIisMfaAppPool'
- .NET CLR version: No Managed Code
- Managed pipeline mode: Integrated
On older Windows Server versions such as Windows Server 2008 R2 and Windows Server 2012, it is necessary to navigate to Advanced Settings/Process Model and set the value “Load User Profile” to True.
On newer Windows Server versions this is optional.
At the default web site level, create a new application that uses the previous application pool:
Configure this application with the “MFA_IIS” folder under the UserLock installation folder. By default: "%ProgramFiles(x86)%\ISDecisions\UserLock\MFA_IIS". Click OK to continue.
- Restart IIS (the “W3SVC” service).
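The same application pool and application can be created from an elevated PowerShell prompt with the WebAdministration module. The script below is an added example, not a script shipped by UserLock or IS Decisions; it sets the pool to No Managed Code with an Integrated pipeline, enables Load User Profile, creates the application under the Default Web Site with the default MFA_IIS folder, restarts W3SVC, and reads the settings back so you can verify them before entering the URL in the UserLock console. The application alias 'UserLockMfa' is an assumption (the page does not name the application), and the host name in the printed URL is a placeholder.

```powershell
# Added example (not UserLock's own script). Run elevated on the IIS server that
# hosts the UserLock "IIS MFA" feature (step 2 above).
Import-Module WebAdministration

$poolName     = 'UserLockIisMfaAppPool'          # name given on this page
$appName      = 'UserLockMfa'                    # assumed alias; the page does not name it
$siteName     = 'Default Web Site'
$physicalPath = Join-Path ${env:ProgramFiles(x86)} 'ISDecisions\UserLock\MFA_IIS'

# Fail early if the IIS MFA feature is not installed: the folder only exists after step 2.
if (-not (Test-Path $physicalPath)) {
    throw "MFA_IIS folder not found at '$physicalPath'. Install the UserLock 'IIS MFA' feature first."
}

# Application pool: .NET CLR version "No Managed Code" is an empty managedRuntimeVersion,
# and the managed pipeline mode must be Integrated.
if (-not (Test-Path "IIS:\AppPools\$poolName")) {
    New-WebAppPool -Name $poolName | Out-Null
}
Set-ItemProperty "IIS:\AppPools\$poolName" -Name managedRuntimeVersion -Value ''
Set-ItemProperty "IIS:\AppPools\$poolName" -Name managedPipelineMode   -Value 'Integrated'
# Required on Windows Server 2008 R2 / 2012, optional (and harmless) on newer versions.
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel.loadUserProfile -Value $true

# Application under the Default Web Site, pointing at the MFA_IIS folder and using the pool.
if (-not (Get-WebApplication -Site $siteName -Name $appName)) {
    New-WebApplication -Site $siteName -Name $appName `
        -PhysicalPath $physicalPath -ApplicationPool $poolName | Out-Null
}

# Restart IIS (the W3SVC service) so the new pool and application are loaded.
Restart-Service W3SVC

# Read the effective settings back; compare them with the values listed on this page
# before filling "URL of IIS MFA app" in the UserLock console.
$pool = Get-Item "IIS:\AppPools\$poolName"
[pscustomobject]@{
    AppPool         = $poolName
    ClrVersion      = $(if ($pool.managedRuntimeVersion) { $pool.managedRuntimeVersion } else { 'No Managed Code' })
    PipelineMode    = $pool.managedPipelineMode
    LoadUserProfile = $pool.processModel.loadUserProfile
    Application     = "/$appName"
    PhysicalPath    = (Get-WebApplication -Site $siteName -Name $appName).PhysicalPath
    ExampleUrl      = "https://<mfa-host-name>/$appName"   # placeholder: use the split-brain DNS name from step 1
}
```

The script is idempotent: rerunning it only reapplies the pool settings, so it is safe to use to re-check a server whose configuration has drifted. The URL it prints must resolve both internally and from the Internet, as described in step 1, for the redirect to work for every client.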
Run the UserLock console. In the "Multi-factor authentication" view, fill in “URL of IIS MFA app” with the URL of the IIS MFA application configured just above. Click the Test button to check the connection, then click Apply to save your settings.
- For RDWeb, as it is based on Forms based authentication, configure the related registry value as explained at https://www.youtube.com/watch?v=SL_1b1AJrek from 1:59 to 2:50.
4. Apply MFA to server connections for protected users
A connection to an IIS session is considered a Server session in the MFA settings. For users to be prompted with MFA for the IIS applications that you have configured, they must have MFA enabled for server connections in their protected account:
If a user has already authenticated with MFA in another session (a desktop session, for example) from the same IP address, they are not prompted again when the settings "When logging on from a new IP address" or "At the first logon of the day" are selected.
5. Perform an MFA IIS connection
Browse your IIS application protected by UserLock.
When prompted, enroll using the IIS MFA (QR code).
For subsequent logons, only the MFA code is requested.
Concerning Microsoft Exchange, this feature works only for the Outlook Web Access (OWA) and Exchange Control Panel (ECP) features. In the advanced settings (via F7 in the UserLock console), all unsupported Exchange applications are listed by default.