Multi Factor Authentication
The Multi Factor Authentication panel enables the configuration of different Multi-Factor Authentication provider for Royal Server.
Show or Activate the Multi Factor Authentication Panel
In the Royal Server Configuration Tool Navigation Bar, click on the General group and then on the Multi Factor Authentication entry.
Multi-factor authentication for users requires the following settings:
- Multi-factor authentication must be enabled (see below)
- The required multi-factor authentication provider (Generic TOTP, DUO or YubiKey) must be enabled and configured (see below), and
- Users must be configured for the multi-factor authentication authentication provider.
For information on configuring users please see Multi-Factor User Store configuration
Changes to the the multi-factor authentication configuration require a restart of Royal Server.
Enable Multi-Factor Authentication
This setting enables or disables the multi-factor authentication on a server level.
Disabling this setting will leave all multi-factor provider and user configurations untouched, but will render them inactive.
Reject Unknown Users
If the multi-factor authentication is enabled, any not configured user who attempts an action which secured without a second factor (e.g. load/save a document, open a Secure Gateway connection), will be rejected by Royal Server. This means that all users must be configured to gain access.
If disabled, the second factor is only required for users who have a configuration. Other users may pass.
Royal Server supports the following MFA providers:
TOTP Provider Configuration
TOTP is a generic algorithm for time-based one-time-passwords that is implemented by a many services and apps. Since it is a generic algorithm, any app that supports it can be used as a second factor for this provider. There are, for example, apps from Microsoft, Google and many others.
Configuring the TOTP Provider
In the Royal Server Configuration Tool ensure that the "Generic TOTP Authenticator (Google, Microsoft, etc)" provider is enabled.
Optionally, users can be allowed to configure TOTP authentication via self-service pages which might be useful in scenarios where users are added programmatically e.g. via a Powershell script.
This feature can be (de-/)activated on the Create/Edit dialog for TOTP MFA Users.
- Allowed: Indicates whether a user is allowed to access and verify the QR code under https://[IPAddress]:[Port]/mfa/totp.
- Verified: Indicates whether the self service user is already verified. Once verified, the user will not be allowed to use the self service page again.
DUO Provider Configuration
DUO provides security solutions for companies and can be integrated into Royal Server.
In order to configure a DUO application and DUO secured users first. Therefore you need to log in to the DUO Admin Panel at https://duo.com/.
Configuring an Application in DUO
With the DUO Admin Panel, you need to configure an Application that is being secured by DUO - in our case, you want to secure Royal Server operations by DUO.
Navigate to Applications and Protect an Application. Look for Partner Auth API and click Protect this Application. You will be presented with a number of details, most notable the
Integration Key, the
Secret Key and the
API Hostname. Remember these as you need them later for configuring the Royal Server DUO integration.
Creating Users in DUO
With the DUO Admin Panel, add users to your DUO configuration by clicking on Users and then on Add User.
After the creation of a user (or when you editing it), take a close look at the URL in your browser. At the end of it, you see a long sequence of letters and numbers - this is the DUO user id and you need it to configure it in the Royal Server Configuration Tool.
Notice the bold part at the end. The user id in this example is HUGA65C32A3T2U0I20TF.
Creating 2FA Devices in DUO
If you do not have 2FA devices (e.g. smart phone or a token) in your DUO configuration, navigate to an existing user in the DUO Admin Panel and add a phone or hardware token.
Make sure the new device is activated by clicking on Activate and assigned to a DUO user.
Configuring the DUO Provider
In the Royal Server Configuration Tool ensure that the "DUO" provider is enabled.
Expand the details panel and enter the
Integration Key, the
Secret Key and the
Host (=API Hostname) from the DUO Application created in the DUO web console backend previously.
YubiKey Provider Configuration
YubiKey provides security solutions for companies using hardware authentication and can be integrated with Royal Server.
Configuring a YubiKey API Key
First, you need to configure a YubiKey API key for Royal Server. This can be done at https://upgrade.yubico.com/getapikey/.
Enter an email address, insert a YubiKey, then press the Yubikey button while the input focus is on YubiKey OTP. As a result, you get the
Client ID and a
Secret Key. Remember these as you need them later for configuring the Royal Server YubiKey integration.
Alternatively, you can use the YubiKey Manager tool to configure
Client ID and
Configuring the YubiKey Provider
In the Royal Server Configuration Tool ensure that the "YubiKey" provider is enabled.
Expand the details panel under YubiKey and enter the
Client ID, the
Secret Key that you previously generated while getting a YubiKey API Key.