Two-Factor Authentication on DaaS

By default, DaaS uses Active Directory authentication. Horizon DaaS does not have a standard feature for 2FA, but it can integrate 2FA through RSA SecurID or RADIUS. These integrations enable 2FA at the portal or Horizon client level. Due to the number of available 2FA providers that can potentially be used, Green Cloud does not offer support. It is assumed that the partner has the necessary knowledge of the solution to deploy and support it. This appendix is not comprehensive and is provided only to illustrate the available integration options for 2FA at the DaaS portal level. Additionally, it provides a high-level overview of how to enable 2FA within your tenant. Any assistance provided by Green Cloud is done on a fee-based, per-incident basis.

Both RSA SecurID and RADIUS work with authentication managers that are typically installed on separate servers. These servers must be accessible by the DaaS connection server. Some of these 2FA options require the purchase of services from the 2FA provider.

Note: This enables 2FA at the tenant level and not at the desktop level.

 

RSA SecurID

RSA SecurID is one of the more well-known 2FA service providers. Prior to enabling this 2FA method with DaaS, you must have an active service and support with RSA SecurID. To deploy 2FA with RSA SecurID, perform the following tasks:

  1. Deploy the RSA Authentication Manager software.
  2. Export the sdconf.rec file.
  3. Log in to the admin portal.
  4. Go to ‘Configuration>Multi-factor Authentication’.
  5. Select RSA SecurID.
    1. Check whether or not you want to use the same username throughout authentication
    2. Check whether or not you want to use 2FA only for external connections.
  6. Upload the file and click ‘Save’.
  7. Test and confirm everything is working.

 

RADIUS

RADIUS can be provided by a number of different vendors. Microsoft has RADIUS (NPS) functionality built into Windows Server, or you can use a free RADIUS provider such as FreeRADIUS with Ubuntu Server. Typically, RADIUS will be used to proxy the 2FA request to a third party such as Google Authenticator or Azure Multi-Factor Authentication. Follow the vendor's guide to deploy RADIUS to a server that is accessible by your DaaS connection server. Make note of the hostname/IP, ports, authentication types and shared secret. Once your RADIUS server is deployed, perform the following tasks to configure DaaS:

  1. Log in to the admin portal
  2. Go to ‘Configuration>Multi-factor Authentication’
  3. Select RADIUS
    1. Check whether or not you want to use the same username throughout authentication
    2. Check whether or not you want to use 2FA only for external connections.
  4. Complete the required fields. Below is the list of all fields with a description.
    1. Provider name: descriptive name for the authentication provider displayed to Enterprise Center and User Portal users at login.
    2. Hostname/Address: the DNS name or IP address of the authentication server.
    3. Authentication port: the UDP port configured to send/receive authentication traffic.
    4. Accounting port: the UDP port configured to send/receive accounting traffic.
    5. Authentication type: RADIUS authentication supports multiple authentication protocols. Select the appropriate one from the options: PAP, CHAP, MS-CHAPv1 and MS-CHAPv2.
    6. Shared secret: the secret for communicating with the server. It must be exactly the same as the server configured value.
    7. Server timeout: the number of seconds to wait for a response from the RADIUS server.
    8. Max retries: the maximum number of times to retry failed requests.
    9. Realm prefix: name and delimiter of realm to be prepended to the username during authentication.
    10. Realm suffix: name and delimiter of realm to be appended to the username during authentication.
  5. Test and confirm.
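
The shared secret in step 4 is used twice in every PAP login: to hide the password in the request (RFC 2865, section 5.2) and to authenticate the server's reply. The following is an added example, not Green Cloud or VMware code; it simulates both ends offline to show what a one-character mismatch does. The username, password, secret and packet identifier are constructed sample values.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # RFC 2865 attribute types

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password, secret, req_auth):
    """PAP User-Password hiding (RFC 2865 5.2): MD5 keystream, chained per 16-byte block."""
    padded = password.ljust(16 * max(1, -(-len(password) // 16)), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def unhide_password(hidden, secret, req_auth):  # server side, using the server's secret
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def packet(code, ident, authenticator, attrs=b""):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code, ident, attrs, req_auth, secret):
    """MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + req_auth + attrs + secret).digest()

def exchange(portal_secret, server_secret, user=b"jdoe", password=b"123456"):
    """Simulate one PAP login; returns (reply code, portal accepts the reply as authentic)."""
    req_auth = os.urandom(16)                   # fresh Request Authenticator per request
    hidden = hide_password(password, portal_secret, req_auth)
    attrs = bytes([USER_NAME, len(user) + 2]) + user + bytes([USER_PASSWORD, len(hidden) + 2]) + hidden
    request = packet(ACCESS_REQUEST, 7, req_auth, attrs)
    # Server side: decode the User-Password value (last attribute) and decide.
    recovered = unhide_password(request[-len(hidden):], server_secret, request[4:20])
    code = ACCESS_ACCEPT if recovered == password else ACCESS_REJECT
    reply = packet(code, 7, response_authenticator(code, 7, b"", req_auth, server_secret))
    portal_expected = response_authenticator(reply[0], reply[1], reply[20:], req_auth, portal_secret)
    return code, hmac.compare_digest(portal_expected, reply[4:20])

if __name__ == "__main__":
    secret = b"constructed-shared-secret"       # constructed sample value
    print("matching secret:    ", exchange(secret, secret))          # (2, True)
    print("trailing-space typo:", exchange(secret + b" ", secret))   # (3, False)
```

With a mismatched secret the server decodes a garbage password and rejects the login, and the portal cannot authenticate the reply either, so the symptom looks like a bad credential or a timeout rather than a configuration error.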

 

Below are two links for two different methods of deploying RADIUS and two-factor authentication. The first article is a blog from VMware that illustrates how to use Ubuntu, FreeRADIUS and Google Authenticator. The second article illustrates how to use Microsoft Windows NPS (RADIUS) with Azure two-factor authentication. These are only two potential options. It is the responsibility of the partner to determine the right solution for the customer.

  1. http://blogs.vmware.com/consulting/files/2015/02/VMW_15Q1_TD_Horizon-View-Google-Authenticator_021715_FINAL_EMonjoin.pdf
  2. https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-get-started-server-rdg/#configure-nps
