UserLock Documentation

How to apply MFA for IIS

When IIS UserLock MFA is activated for a web application (e.g. Outlook Web Access), the IIS UserLock agent will redirect the user to a dedicated web application where the user can enroll for the MFA and enter the MFA code before accessing the protected IIS application.

In this use case, we are going to protect a single web application (Outlook Web Access) using MFA for IIS.

Procedure

  1. Install the UserLock IIS agent on the IIS server
  2. Install the UserLock IIS MFA feature
  3. Add the UserLock MFA application in IIS
  4. Perform an MFA IIS connection

1. Install the UserLock IIS agent on the IIS server

Prerequisites

  • IIS applications must be protected by the UserLock 'IIS agent' using HTTP Module technology. See the specific section below.
  • The UserLock "IIS MFA" feature must be installed on the IIS server to which you want IIS applications to be redirected when MFA is required. See the specific section below.
  • Using split-brain DNS, the IP address of the IIS server hosting the IIS MFA module must be accessible as follows:
    • Internally, from within the private network.
    • Externally, from the Internet.
  • The external router is configured to allow the designated port to be redirected from the outside to the IIS server hosting the IIS MFA module.
  • NOTE: An Exchange Client Access Server is an example of a server that meets the above criteria.


IIS applications must be protected by the UserLock 'IIS agent' using HTTP Module technology.

  1. Run the UserLock console.
  2. In the "Agent distribution" view, select the “IIS” line of the IIS server that will be hosting the IIS applications to protect with UserLock. Right click and select "Install".
  3. On this target IIS server, configure the IIS applications to protect with the UserLock 'IIS agent' using HTTP Module technology. For details, see this page.

2. Install the UserLock IIS MFA feature

The UserLock "IIS MFA" feature must be installed on the IIS server to which you want IIS applications to be redirected when MFA is required. Note that this feature is not installed if you chose “Standard” when you installed UserLock.

  1. Log on to the IIS server to which you want IIS applications to be redirected when MFA is required.
  2. If UserLock is already installed:

    • Control Panel, Uninstall a program, UserLock, Change:

    • As explained above: left click on “Web Applications”, left click on “IIS MFA”, “The feature will be installed…”.
  3. On a new UserLock installation, choose “Custom” then left click on “Web Applications”, left click on “IIS MFA”, “The feature will be installed…”:

  4. If installing on Windows Server 2012 R2, there are additional dependencies to be installed that are proposed:

    • Choose “Yes”:

    • Auto install of Microsoft Visual C++ 2015 Redistributable Package (x64):

    • Auto install of Microsoft .NET Core 3.1.8:

  5. If no IIS application is protected by UserLock on this server and you only want to configure IIS MFA on it:

    • Run the UserLock console. In the "Agent distribution" view, select the “IIS” line of the IIS server to which you want IIS applications to be redirected when MFA is required. Right click and select "Install". This deploys the UserLock server name(s) to the registry of that server.
    • Log on to the target IIS server. Run Regedit and delete the following registry value:

      HKEY_LOCAL_MACHINE\SOFTWARE\ISDecisions\UserLock\IIS\Volatile\UlStatus

3. Add the UserLock MFA application in IIS

  1. In IIS Manager, create a new Application Pool with the following parameters:

    • Name: 'UserLockIisMfaAppPool'
    • .NET CLR version: No Managed Code
    • Managed pipeline mode: Integrated
  2. Navigate to Advanced settings / Process Model and set the value “Load User Profile” to True.

  3. At the default web site level, create a new application that uses the previous application pool:

  4. Configure this application with the “MFA_IIS” folder under the UserLock installation folder. By default: "%ProgramFiles(x86)%\ISDecisions\UserLock\MFA_IIS". Click OK to continue.

  5. Restart IIS (the “W3SVC” service).
  6. Run the UserLock console. In the "Multi-factor authentication" view, fill the “URL of IIS MFA app” with the URL of the IIS MFA application (configured just above) then apply:
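The IIS part of steps 1 to 5 can also be scripted with the WebAdministration module. The following PowerShell is an added example, not a script shipped with UserLock; it assumes the application name 'UserLockMfa' under the Default Web Site (the page does not prescribe a name) and the default MFA_IIS folder. Step 6 (entering the URL in the UserLock console) is still done in the console.

```powershell
# Added example: script the IIS side of "Add the UserLock MFA application in IIS".
# Run in an elevated PowerShell on the IIS server hosting the IIS MFA feature.
Import-Module WebAdministration

$poolName = 'UserLockIisMfaAppPool'                      # name given in the procedure
$appName  = 'UserLockMfa'                                # assumed name, not from the page
$siteName = 'Default Web Site'
$mfaPath  = Join-Path ${env:ProgramFiles(x86)} 'ISDecisions\UserLock\MFA_IIS'

# The IIS MFA feature must already be installed (section 2), otherwise stop here.
if (-not (Test-Path $mfaPath)) {
    throw "MFA_IIS folder not found at '$mfaPath'. Install the UserLock IIS MFA feature first."
}

# Step 1: application pool with No Managed Code and Integrated pipeline.
if (-not (Test-Path "IIS:\AppPools\$poolName")) {
    New-WebAppPool -Name $poolName | Out-Null
}
$poolPath = "IIS:\AppPools\$poolName"
Set-ItemProperty -Path $poolPath -Name managedRuntimeVersion -Value ''          # No Managed Code
Set-ItemProperty -Path $poolPath -Name managedPipelineMode   -Value 'Integrated'

# Step 2: Process Model > Load User Profile = True.
Set-ItemProperty -Path $poolPath -Name processModel.loadUserProfile -Value $true

# Steps 3-4: application under the default web site, using that pool and the MFA_IIS folder.
if (-not (Get-WebApplication -Site $siteName -Name $appName)) {
    New-WebApplication -Site $siteName -Name $appName `
        -PhysicalPath $mfaPath -ApplicationPool $poolName | Out-Null
}

# Step 5: restart IIS (the W3SVC service).
Restart-Service -Name W3SVC -Force

# Show the resulting application so the URL for step 6 can be confirmed.
Get-WebApplication -Site $siteName -Name $appName |
    Select-Object Path, PhysicalPath, ApplicationPool
```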

4. Perform an MFA IIS connection

  1. Browse your IIS application protected by UserLock.

  2. When prompted, enroll using the IIS MFA (QR code).

  3. For subsequent logons, only the MFA code is requested.

Limitation

Concerning Microsoft Exchange, this feature works only for the Outlook Web Access (OWA) and Exchange Control Panel (ECP) features. In the advanced settings (via F7 in the UserLock console), all unsupported Exchange applications are listed by default.