If you want to have an extra layer of security on your workspaces environment, AWS allows you to configure multi factor authentication.
There are however some prerequisites for this.
This post will guide you through the steps needed to setup multi-factor authentication for your workspaces.
We will be using the opensource version of Multiotp for windows. ( https://github.com/multiOTP/multiotp/wiki )
This is a nice package which included, nginx as a webserver, the php based multiotp webservice, and a radius server based on freeradius.
The time of writing this article version 5.1.1.2 was release so this post is based on this version.
For the purpose of this blog post i will be using a standard windows 2012R2 server promoted to a domain controller.
My test domain is called corp.example.com.
On this domain controller i will install Multiotp webservice and the Multiotp radius service through a powershell script.
Reference architecture
The authentication flow ‘high” level will be:
- Workspaces client will connect to a workspaces endpoint of amazon registered to his aws account.
- User will authenticate with the ad connector
- The ad connector will proxy all the user authentication details to active directory and multiotp radius
- User is authenticated and allowed to login to his workspaces
Prerequisites
Aws only has the multi factor authentication option for the directory service “AD Connector”.
This also implies that you have your own active directory domain to connect the AD connector to.
So the components you already need in place are:
- aws account
- vpc with at least one subnet
- a working domain controller ( in the extra’s below i have a cloudformation template that deploys a new domain controller in an new domain for testing purposes)
- Powershell script included in this blog post -> multiotp-setup
Install and configure Multiotp
For the purpose of this blog the script can only function on a domain controller.
(If you want to install it to a separate server, this is possible, but your need to change the $server_name in the script…)
Copy the powershell script from this blog post to a folder on your domain controller.
Download and install powershell version 5.1 (https://www.microsoft.com/en-us/download/details.aspx?id=54616), else the included script will not work.
In the same folder of the powershell script download version 5.1.1.2 of the multiotp zip file. (https://download.multiotp.net/5.x/multiotp_5.1.1.2.zip)
First we will need to create a multiotp service user in active directory, this user is used by multiotp to authenticate and sync the users from ad.
Just a normal domain users without any special rights or groups is fine!
I called it “otp-service”.
Next up is to create an active directory group for users that are allowed to authenticate against multiotp.
My group name is “OTP”.
Now we can kick off powershell, open up a powershell as Administrator go to the script directory and run it with .\multiotp-setup.ps1
The script will ask you for some input, depending on your own setup fill those in correctly.
A pop-up will then show, here you can select the installation folder of multiotp, in my case this is c:\multiotp.
Next input your users base_dn ( ou where all you users live), for this blog i just have everything under users ou.
Now enter the dn for the multiotp service user you created earlier, my case otp-service.
Input the multiotp service password.
Here select the multiotp ad group you created earlier, my case OTP.
Now input the credentials for the scheduled task.
The script will now extract the multiotp zip to your preferred installation directory, my case c:\multiotp.
Now we will install the multiotp webservice, i just re-used their own installation scripts.
When the webservice is installed, a web page will open to https://127.0.0.1:8112/
Now the script will install the radius service, i just re-used their own installation scripts.
When that is done, multiotp will be configured to connect to your domain controller.
If the credentials are correct you will see that multiotp will sync all the users.
Also a scheduled task is created to re-sync all users every hour. (if your need it more frequently, modify “RepetitionInterval (New-TimeSpan -Minutes 60)” )
That is the basic configuration that is needed to make it work.
Of course for a production worthy environment, change:
- The default multiotp admin password
- The radius secret to something else then “multiotpsecret” (C:\your-install-directory\windows\radius\etc\raddb\clients.conf )
- Multiotp backend from flat files to a mysql based database.
- !Configure BACKUPS!
Workspaces users
Add existing users to the ad group you created earlier, or create some testusers.
In my case i have created testuser1 and testuser2.
Go to https://127.0.0.1:8112/ and login. Default credentials are admin with password 1234
Find a user and click on “print”, a new page will open, here you can find the QRcode for that user to add to his google authenticator (or similar like authy, etc ).
Ad-Connector
Next up is configuring an ad-connector in aws.
For this to work the ad connector service will spin up some proxies in the background.
But they need to be able to resolve your domain.
If not already done, go to the VPC console (https://eu-west-1.console.aws.amazon.com/vpc/)
Select “DHCP options sets” menu from the left side and then create a new one.
For this blog i have only one domain controller on ip 172.31.28.38.
Now go to “Your VPC’s” and for the vpc you are using select “Edit DHCP Options Set” en select the just created set.
Now we are ready to deploy the actual ad connector proxies.
Open up the directory services console. (https://eu-west-1.console.aws.amazon.com/directoryservice/)
Set up ad new AD Connector and fill in the details.
You will need to know your domain controllers ip and use an account that has the right to create and delete computer objects in your domain.
The this blog i’m just using the default domain administrator…
Review the data and click “Create AD Connector”
After a few minutes your ad connector will be deployed and ready to use.
As you can see the status of “Radius” is still “None”, lets go and configure it.
Click on your “Directory ID” and you to the “Multi-Factor authentication” tab.
Fill in you details, since for this blog everything is installed on my ad controller, i will use the same ip here.
Port 1812, the still default shared secret code is “multiotpsecret”, leave pap and fill in some timeout and retry values.
( you can also use MS-CHAPv2 as protocol if you want to be even more secure)
Click on “Update” and after a few seconds the “Radius Status” should change to “completed”.
The overview page will now show the “Radius Status ” as “completed”.
Create Workspaces
Go to the workspaces console (https://eu-west-1.console.aws.amazon.com/workspaces)
Select your newly created ad connector.
Click on show all users or search for a specific user, select it and click on “add selected”.
Select the bundle you want to use, i just selected the free tier here.
Configure the options you want, left the defaults for this blog.
Review and launch
After a few minutes your workspaces will be ready to use.
If your user has it’s email field filled in, he will get a mail when the workspaces is ready to use with some instructions inside.
And the status will go from PENDING to AVAILABLE.
Workspace Client
Now we are ready to login.
( please install the workspace client for your platform https://clients.amazonworkspaces.com/ )
Enter the registration code you got and click register.
You will now see a login page, fill in your username and password and the mfa code from your google authenticator.
If all is setup correctly in a few seconds you will be taken to your workspace.
Fast en secured with mfa!
Thanks for reading this rather long post. 🙂
Extra
As promised here is a cloudformation template to setup an active directory server with a new domain, for testing purposes.
!You will need to create a key pair first!
Download the template here -> cf-demo-ad-mfa
Deploy it through the cloudformation console (https://eu-west-1.console.aws.amazon.com/cloudformation)
Fill in the details.
For this post i used the below details…
You will find your domain admin password when you go to the ec2 console (https://eu-west-1.console.aws.amazon.com/ec2/v2) and select your instance and click on connect.