Multi Factor Authentication
The Multi Factor Authentication panel enables the configuration of the different Multi-Factor Authentication providers for Royal Server.
Show or Activate the Multi Factor Authentication Panel
In the Royal Server Configuration Tool Navigation Bar, click on the General group and then on the Multi Factor Authentication entry.
Multi-factor authentication for users requires the following settings:
- Multi-factor authentication must be enabled (see below)
- The required multi-factor authentication provider (Generic TOTP, DUO or YubiKey) must be enabled and configured (see below), and
- Users must be configured for the multi-factor authentication provider.
Note
For information on configuring users, please see the Multi-Factor User Store configuration.
Note
Changes to the multi-factor authentication configuration require a restart of Royal Server.
Enable Multi-Factor Authentication
This setting enables or disables the multi-factor authentication on a server level.
Note
Disabling this setting will leave all multi-factor provider and user configurations untouched, but will render them inactive.
Reject Unknown Users
If multi-factor authentication is enabled, any user who has no multi-factor configuration and attempts an action that is secured by a second factor (e.g. loading/saving a document, opening a Secure Gateway connection) will be rejected by Royal Server. This means that every user must be configured to gain access.
If disabled, the second factor is only required for users who have a configuration. Other users may pass.
MFA Providers
Royal Server supports the following MFA providers:
TOTP Provider Configuration
TOTP is a generic algorithm for time-based one-time passwords that is implemented by many services and apps. Since it is a generic algorithm, any app that supports it can be used as a second factor for this provider. There are, for example, apps from Microsoft, Google and many others.
Configuring the TOTP Provider
In the Royal Server Configuration Tool ensure that the "Generic TOTP Authenticator (Google, Microsoft, etc)" provider is enabled.
Configuring Self-Service
Optionally, users can be allowed to configure TOTP authentication via self-service pages, which might be useful in scenarios where users are added programmatically, e.g. via a PowerShell script.
This feature can be activated or deactivated on the Create/Edit dialog for TOTP MFA Users.
- Allowed: Indicates whether a user is allowed to access and verify the QR code under https://[IPAddress]:[Port]/mfa/totp.
- Verified: Indicates whether the self-service user is already verified. Once verified, the user will not be allowed to use the self-service page again.
DUO Provider Configuration
DUO provides security solutions for companies and can be integrated into Royal Server.
You first need to configure a DUO application and DUO-secured users. To do so, log in to the DUO Admin Panel at https://duo.com/.
Configuring an Application in DUO
With the DUO Admin Panel, you need to configure an Application that is being secured by DUO - in our case, you want to secure Royal Server operations by DUO.
Navigate to Applications and Protect an Application. Look for Partner Auth API and click Protect this Application. You will be presented with a number of details, most notably the Integration Key, the Secret Key and the API Hostname. Remember these as you need them later for configuring the Royal Server DUO integration.
Creating Users in DUO
With the DUO Admin Panel, add users to your DUO configuration by clicking on Users and then on Add User.
Important
After creating a user (or when editing it), take a close look at the URL in your browser. At the end of it, you see a long sequence of letters and numbers - this is the DUO user id, and you need it to configure the user in the Royal Server Configuration Tool.
Example: https://admin-12abcdef.duosecurity.com/users/HUGA65C32A3T2U0I20TF
Notice the last path segment of the URL. The user id in this example is HUGA65C32A3T2U0I20TF.
Creating 2FA Devices in DUO
If you do not have 2FA devices (e.g. smart phone or a token) in your DUO configuration, navigate to an existing user in the DUO Admin Panel and add a phone or hardware token.
Note
Make sure the new device is activated by clicking on Activate and assigned to a DUO user.
Configuring the DUO Provider
In the Royal Server Configuration Tool ensure that the "DUO" provider is enabled.
Expand the details panel and enter the Integration Key, the Secret Key and the Host (= API Hostname) from the DUO Application created previously in the DUO web console backend.
YubiKey Provider Configuration
YubiKey provides security solutions for companies using hardware authentication and can be integrated with Royal Server.
Configuring a YubiKey API Key
First, you need to configure a YubiKey API key for Royal Server. This can be done at https://upgrade.yubico.com/getapikey/.
Enter an email address, insert a YubiKey, then press the YubiKey button while the input focus is on YubiKey OTP. As a result, you get the Client ID and a Secret Key. Remember these as you need them later for configuring the Royal Server YubiKey integration.
Alternatively, you can use the YubiKey Manager tool to configure the Client ID and Secret Key.
Configuring the YubiKey Provider
In the Royal Server Configuration Tool ensure that the "YubiKey" provider is enabled.
Expand the details panel under YubiKey and enter the Client ID and the Secret Key that you previously generated while getting a YubiKey API key.