Configure or Deploy Multifactor Authentication Services Windows Hello for BusinessApplies to. This guide only applies to Windows 1. On premises deployments must use the On premises Azure MFA Server using the AD FS adapter model Optionally, you can use a third party MFA server that provides an AD FS Multifactor authentication adapter. Prerequisites. The Azure MFA Server and User Portal servers have several perquisites and must have connectivity to the Internet. Primary MFA Server. The Azure MFA server uses a primary and secondary replication model for its configuration database. Table of Contents. Release Notes for Cisco Identity Services Engine, Release 1. Contents. Introduction. Deployment Terminology, Node Types, and Personas. WEB&tkn=*jOdjVFr_hHHigelPRuqZPOFPecQ' alt='Microsoft Internet Explorer 8 Redistributable Primary' title='Microsoft Internet Explorer 8 Redistributable Primary' />Microsoft Windows, or simply Windows, is a metafamily of graphical operating systems developed, marketed, and sold by Microsoft. It consists of several families of. The primary Azure MFA server hosts the writeable partition of the configuration database. All secondary Azure MFA servers hosts read only partitions of the configuration database. All production environment should deploy a minimum of two MFA Servers. For this documentation, the primary MFA uses the name mfaor mfa. All secondary servers use the name mfa or mfan. Microsoft Internet Explorer 8 Redistributable Primary' title='Microsoft Internet Explorer 8 Redistributable Primary' />MFA server. The primary MFA server is also responsible for synchronizing from Active Directory. Therefore, the primary MFA server should be domain joined and fully patched. Enroll for Server Authentication. The communication between the primary MFA server, secondary MFA servers, User Portal servers, and the client is protected using TLS, which needs a server authentication certificate. Sign in the primary MFA server with domain admin equivalent credentials. Start the Local Computer Certificate Manager certlm. Expand the Personal node in the navigation pane. Right click Personal. Select All Tasks and Request New Certificate. Click Next on the Before You Begin page. Click Next on the Select Certificate Enrollment Policy page. On the Request Certificates page, Select the Internal Web Server check box. Click the More information is required to enroll for this certificate. Click here to configure settings link. Under Subject name, select Common Name from the Type list. Type the FQDN of the primary MFA server and then click Add mfa. Click Add. Click OK when finished. Click Enroll. A server authentication certificate should appear in the computers Personal certificate store. Install the Web Server Role. The Azure MFA server does not require the Web Server role, however, User Portal and the optional Mobile App server communicate with the MFA server database using the MFA Web Services SDK. The MFA Web Services SDK uses the Web Server role. To install the Web Server IIS role, please follow Installing IIS 7 on Windows Server 2. Windows Server 2. R2 or Installing IIS 8. Windows Server 2. R2 depending on the host Operating System youre going to use. The following services are required Common Parameters Default Document. Common Parameters Directory Browsing. Common Parameters HTTP Errors. Common Parameters Static Content. Health and Diagnostics HTTP Logging. Performance Static Content Compression. Security Request Filtering. Security Basic Authentication. Management Tools IIS Management Console. Management Tools IIS 6 Management Compatibility. Application Development ASP. NET 4. 5. Update the Server. Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work. These procedures install additional components that may need to be updated. Configure the IIS Servers Certificate. The TLS protocol protects all the communication to and from the MFA server. To enable this protection, you must configure the default web site to use the previously enrolled server authentication certificate. Sign in the primary MFA server with administrator equivalent credentials. From Administrators, Start the Internet Information Services IIS Manager console. In the navigation pane, expand the node with the same name as the local computer. Expand Settings and select Default Web Site. In the Actions pane, click Bindings. In the Site Bindings dialog, Click Add. In the Add Site Binding dialog, select https from the Type list. In the SSL certificate list, select the certificate with the name that matches the FQDN of the computer. Click OK. Click Close. From the Action pane, click Restart. Configure the Web Services Security. The Azure MFA Server service runs in the security context of the Local System. The MFA User Portal gets its user and configuration information from the Azure MFA server using the MFA Web Services. Access control to the information is gated by membership to the Phonefactor Admins security group. You need to configure the Web Services security to ensure the User Portal and the Mobile App servers can securely communicate to the Azure MFA Server. Also, all User Portal server administrators must be included in the Phonefactor Admins security group. Sign in the domain controller with domain administrator equivalent credentials. Create Phonefactor Admin group. Open Active Directory Users and Computers. In the navigation pane, expand the node with the organizations Active Directory domain name. Right click the Users container, select New, and select Group. In the New Object Group dialog box, type Phonefactor Admins in Group name. Click OK. Add accounts to the Phonefactor Admins group. Open Active Directory Users and Computers. In the navigation pane, expand the node with the organizations Active Directory domain name. Select Users. In the content pane. Right click the Phonefactors Admin security group and select Properties. Click the Members tab. Click Add. Click Object Types. In the Object Types dialog box, select Computers and click OK. Enter the following user andor computers accounts in the Enter the object names to select box and then click OK. The computer account for the primary MFA Server. Take Command 14 36 Set Up Keyboard here. Group or user account that will manage the User Portal server. Review. Before you continue with the deployment, validate your deployment progress by reviewing the following items Confirm the hosts of the MFA service has enrolled a server authentication certificate with the proper names. Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the Certificate serial number. Certificate thumbprint. Common name of the certificate. Subject alternate name of the certificate. Name of the physical host server. The issued date. The expiration date. Issuing CA Vendor if a third party certificateConfirm the Web Services Role was installed with the correct configuration including Basic Authentication, ASP. NET 4. 5, etc. Confirm the host has all the available updates from Windows Update. Confirm you bound the server authentication certificate to the IIS web site. Confirm you created the Phonefactor Admins group. Confirm you added the computer account hosting the MFA service to the Phonefactor Admins group and any user account who are responsible for administrating the MFA server or User Portal. User Portal Server. The User Portal is an IIS Internet Information Server web site that allows users to enroll in Multi Factor Authentication and maintain their accounts. A user may change their phone number, change their PIN, or bypass Multi Factor Authentication during their next sign on. Users will log in to the User Portal using their normal username and password and will either complete a Multi Factor Authentication call or answer security questions to complete their authentication.