How do I set up Active Directory User Synchronization with 2FA?

Supported Operating Systems

  • Windows Server 2008
  • Small Business Server 2008
  • Essential Business Server 2008
  • Windows Server 2008 R2
  • Small Business Server 2011
  • Windows Server 2012
  • Windows Server 2012 R2

 

Note: When you install ADUS v1.1.0 you will see a prompt to hot-fix your AuthAnvil 2FA server. This hot-fix only applies to 2FA v5.0 servers.

Please do not apply this hot-fix to 2FA v5.5 or newer servers, as it is not compatible.

 

Installing the ADUS Client

If AuthAnvil Two Factor Auth is installed on a domain controller, you have the option to install ADUS during the AuthAnvil Two Factor Auth install. If you do not install AuthAnvil Two Factor Auth on a domain controller, or choose not to install ADUS during the AuthAnvil Two Factor Auth install, you can install ADUS standalone, but it must be installed on a Domain Controller.

  1. Get the ADUSSetup.exe file from C:\Program Files\Scorpion Software\AuthAnvil\AuthAnvilTools on the AuthAnvil Two Factor Auth Server and copy it to the server that you would like to install it on. (See this Article for the Latest ADUS release.)
  2. Run the Installation Wizard, and click “Next” to begin.
  3. Click “I Agree” to accept the License Agreement and click “Next”.
  4. Click “Next” to complete the installation.
  5. Click “Finish” to close the installer and launch the ADUS configuration tool.

Note: ADUSSetup is available as an MSI package in the same location for convenient silent-mode installation using your favorite RMM tool, such as Kaseya, LabTech, or LPI.
Note: The use of special characters in the OU is not supported in ADUS (example: Acme Widgets (AW)). ADUS will not be able to add users belonging to a Security group with special characters.
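A pre-flight check for the special-character limitation above, as an added example that is not part of the original article or the vendor's tooling. The function name `Get-AdusUnsafeComponent`, the allowed-character pattern and the sample distinguished names are assumptions made for illustration; the article names only parentheses as an example of special characters.

```powershell
# Added example, not vendor code. Assumption: "special" means anything other than
# letters, digits, space, period, underscore and hyphen. The article only shows
# parentheses, so tune $AllowedPattern to what you observe in your environment.
$AllowedPattern = '^[\p{L}\p{Nd} ._-]+$'

function Get-AdusUnsafeComponent {
    param([Parameter(Mandatory=$true)][string]$DistinguishedName)

    # Split on commas that are not backslash-escaped, so "CN=Smith\, Jo" stays whole.
    foreach ($rdn in ($DistinguishedName -split '(?<!\\),')) {
        $type, $value = $rdn -split '=', 2
        # Only OU and CN values name OUs, groups and users; DC parts are DNS labels.
        if ((@('OU', 'CN') -contains $type.Trim()) -and ($value -notmatch $AllowedPattern)) {
            New-Object PSObject -Property @{
                DistinguishedName = $DistinguishedName
                Component         = $rdn.Trim()
            }
        }
    }
}

# Constructed sample DNs (example.com is a placeholder domain).
$sample = @(
    'CN=AuthAnvil Hardware Tokens,OU=Security Groups,DC=example,DC=com',
    'CN=Jo Smith,OU=Acme Widgets (AW),DC=example,DC=com',
    'CN=Token Users (Soft),OU=Groups,DC=example,DC=com'
)

# Against a live domain (needs the ActiveDirectory module), replace $sample with e.g.:
#   $sample = @((Get-ADGroup 'YourAdusGroup').DistinguishedName) +
#             @(Get-ADGroupMember 'YourAdusGroup' | ForEach-Object { $_.DistinguishedName })
$sample | ForEach-Object { Get-AdusUnsafeComponent $_ } |
    Format-Table Component, DistinguishedName -AutoSize
```

With the constructed sample, the second and third DNs are reported (the `OU=Acme Widgets (AW)` and `CN=Token Users (Soft)` components); an empty result means no name in the path falls outside the assumed character set.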

Configuring the ADUS Client

The ADUS Configuration tool allows you to configure the ADUS Client’s settings. This tool is available under Start > All Programs > Scorpion Software > AuthAnvil Two Factor Auth > ADUS Configuration Editor on any machine where the ADUS Client is installed.

The ADUS Configuration Window

The following ADUS settings are configurable:

ADUS Beacon Information – Configuration information about the AuthAnvil Two Factor Auth server that ADUS synchronizes with.

  • The URL of the ADUS web service on the AuthAnvil Two Factor Auth Server.
  • The Site ID of the AuthAnvil Two Factor Auth site that ADUS is synchronizing against. (If you’re not sure, this is usually 1).
  • The Shared Secret between the ADUS clients and the ADUS web service. This needs to be the same on all clients that report in to the ADUS service on the same AuthAnvil Two Factor Auth site.

ADUS Service Settings – Settings for the local ADUS Windows service.

  • The location of the Cache File where ADUS keeps its synchronization database.
  • The time of day that ADUS performs a full synchronization of users with the ADUS Web Service on the AuthAnvil Two Factor Auth server.
  • How often the ADUS Windows Service synchronizes changes with the ADUS Web Service on the AuthAnvil Two Factor Auth Server.

Active Directory Information – Information about the Active Directory groups synchronized by ADUS.

  • Whether or not to synchronize hardware and software token users with AuthAnvil Two Factor Auth.
  • What group should be used to synchronize each token type.

When finished, click “OK” to save the configuration changes.

Configuring the ADUS Web Service

The ADUS Web Service is the back-end web service that runs on the AuthAnvil Two Factor Auth server and receives updates from the ADUS Agents deployed in the field. If you install AuthAnvil Two Factor Auth on a domain controller, you have the option of installing the ADUS client and activating the ADUS web service at install time. Otherwise, ADUS starts disabled and needs to be enabled through the AuthAnvil Two Factor Auth Manager. To activate and configure ADUS, complete the following steps:

  1. Log into the AuthAnvil Two Factor Auth Manager (http(s)://<yourserver>/AuthAnvil/Manager), and click on the “Settings” tab, then the “Active Directory User Synchronization (ADUS)” tab.
  2. Click “Enable ADUS” and enter a shared secret into the boxes. This shared secret is used to authenticate connections between the ADUS Web Service and the ADUS agents, and must be the same on all ADUS agents that communicate with this AuthAnvil Two Factor Auth server.
  3. Optionally, click “Advanced ADUS Policies” and set the policies to match the requirements of your organization.

  4. Click “Save Settings” when finished.

ADUS Policies

ADUS allows you to set policies to choose what action it will take in each of the following scenarios:

Scenario 1: A user has been added to one of the ADUS groups in Active Directory.

ADUS can:

  1. Add the user to AuthAnvil Two Factor Auth and automatically provision them a token based on their group membership (Default).
  2. Add the user to AuthAnvil Two Factor Auth, but not provision a token.
  3. Do nothing.

Scenario 2: The user’s details, such as first name or last name, have been changed in Active Directory.

ADUS can:

  1. Reflect these changes to the user in AuthAnvil Two Factor Auth (Default).
  2. Do nothing.

Scenario 3: The user has been deleted from Active Directory, or has been removed from the ADUS group.

ADUS can:

  1. Disable the user and disable their token (Default).
  2. Delete the user’s AuthAnvil Two Factor Auth account.
  3. Do nothing.

Questions?

If you have any questions or need some help, we would be happy to assist. Open a case at help.scorpionsoft.com or send an email to support@scorpionsoft.com.
