Multi Factor User Store
The Multi Factor User Store panel displays the users configured for Multi Factor authentication.
Show or Activate the Multi Factor Users Store Panel
In The Royal Server Configuration Tool Navigation Bar, click on the General group and then on the Multi Factor Users Store entry.
The data grid shows the configured users for multi-factor authentication.
The following functionalities in Royal Server support Multi-Factor Authentication:
- Document Store (triggered when loading or saving a document hosted by Royal Server)
- Secure Gateway Connections (triggered when connecting through the gateway, e.g. RDP connections)
Adding a User for Multi-Factor Authentication
- Click on Add...
- Enter a user or click on the Select User... icon.
- Specify an optional comment.
- Select for which functionality this user is required to present a second factor (Document Store and/or Secure Gateway).
- Specify the caching time. Each successful authentication is then cached for the specified number of minutes.
- Select an MFA provider. Currently, "Generic TOTP", "Duo" and "YubiKey" are supported. Depending on your selection, different additional information will be required.
A Caching Time of 0 minutes means no caching and the user has to provide a second factor for every operation.
Specify which MFA provider should be used for the specified user:
Configuring Generic TOTP
Provide meaningful values for Issuer and Label (these are displayed in the Authenticator app on the user's phone). After completion, a secret is generated for each user and represented as a QR code. The user needs this secret or QR code to create a new entry in the Authenticator app on the mobile phone, so the secret and/or QR code must be sent to the user over a secure channel.
You can always show the generated secret again by clicking on the Edit... icon for TOTP configured users.
TOTP time sensitivity
The machine where Royal Server is installed and the device where the TOTP Authenticator App is running need to have correct time settings in order to make TOTP work. Use Time Services to ensure this.
Alternatively, the user can be allowed to use a web-based self-service workflow by checking Allowed under Self Service.
If self-service is allowed, the user needs to log in to the Royal Server Website (https://[IpAddress]:[Port]) with the account provisioned for TOTP and then navigate to "TOTP Self Service". The user is presented with the secret/QR code to configure the authenticator app. As soon as the app is configured, the user has to enter a second factor for verification. Once verified, the workflow is closed and cannot be accessed anymore.
After refreshing the grid in the Royal Server Configuration Tool and opening the "Edit..." dialog for the user, the user is flagged as Verified under Self Service. To reset the workflow so that the user can access it again, simply uncheck Verified.
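The two behaviours described above, TOTP time sensitivity and the caching time, as an added illustration (this is example code, not Royal Server's implementation). It assumes RFC 6238 defaults (HMAC-SHA1, 30-second step, 6 digits) and a tolerance of one step either side of the server clock; Royal Server's actual parameters are not stated on this page.

```python
import hmac
import hashlib
import struct
import base64
from urllib.parse import quote

STEP = 30  # RFC 6238 time step in seconds (assumed default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int) -> str:
    """Code the authenticator app shows at Unix time `now`."""
    return hotp(secret, now // STEP)


def verify_totp(secret: bytes, code: str, server_now: int, skew_steps: int = 1) -> bool:
    """Accept the code for the server's current step and +/- skew_steps neighbouring steps.
    A phone or server clock that drifts further than that window makes every code fail,
    which is why both sides need correct time. Comparison is constant-time."""
    steps = range(server_now // STEP - skew_steps, server_now // STEP + skew_steps + 1)
    return any(hmac.compare_digest(hotp(secret, s), code) for s in steps)


def provisioning_uri(secret: bytes, issuer: str, label: str) -> str:
    """Key URI (the content usually encoded into the QR code) carrying Issuer and Label."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{quote(issuer)}:{quote(label)}?secret={b32}&issuer={quote(issuer)}"


class SecondFactorCache:
    """Remembers a successful second factor for caching_minutes; 0 means no caching."""

    def __init__(self, caching_minutes: int):
        self.ttl = caching_minutes * 60
        self._ok_until: dict = {}

    def requires_second_factor(self, user: str, now: int) -> bool:
        return self.ttl == 0 or self._ok_until.get(user, 0) <= now

    def record_success(self, user: str, now: int) -> None:
        if self.ttl:
            self._ok_until[user] = now + self.ttl
```

The secret below is the RFC 6238 test-vector key, not a real user secret; with a caching time of 0 every operation prompts again, exactly as the text describes.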
Configuring Duo
Provide the Duo user ID that corresponds to the user you are configuring for Multi-Factor Authentication.
Check the configuration of the Duo provider
Configuring YubiKey
Configuring YubiKey requires entering the YubiKey ID, e.g. by connecting the YubiKey to the machine and pressing the button on the YubiKey device.
Check the configuration of the YubiKey provider