In this article, we'll show you how to implement two-factor authentication for users on a Windows domain using the open source product multiOTP. MultiOTP is a set of PHP scripts and utilities that implements the OATH HOTP (HMAC-based) and TOTP (time-based) one-time password algorithms. It can be used both natively on Windows and via RADIUS to add 2FA to almost anything.
After multiOTP is deployed for user login, Windows requests an additional one-time password (OTP), which the user obtains from a mobile device (Microsoft Authenticator, Google Authenticator, or another OTP generator). You can set up two-factor authentication for logging into Windows workstations or for remote RDP access to RDS hosts on Windows Server.
The main advantage of multiOTP is that it does not need Internet access and can therefore be used to implement two-factor authentication in isolated networks. Most alternatives are paid or require direct access to the Internet.
Installing and configuring MultiOTP in an Active Directory domain.
In this section, we will show you how to install MultiOTP on Windows Server 2019 and set up user synchronization from Active Directory.
You can also deploy MultiOTP using a ready-made OVA for VMware, a Hyper-V virtual machine, or a Docker container.
Let's start by configuring a MultiOTP server that will fetch users from Active Directory, generate unique QR codes for them, and validate the second factor.
Let's create a separate group in Active Directory and add users to it, for which we will require verification of the second factor when logging into Windows. Let's create a group using PowerShell:
New-ADGroup 2FAVPNUsers -path 'OU=Groups,OU=Moscow,dc=site,DC=io' -GroupScope Global -PassThru -Verbose
Add users to the group:
Add-AdGroupMember -Identity 2FAVPNUsers -Members kbuldogov, user1, user2
Create a new user in AD, multiotp_srv, which multiotp will use to access AD (with minimal privileges):
$passwd = ConvertTo-SecureString -String "P@ssw0rd!" -AsPlainText -Force
New-ADUser -Name "multiotp_srv" -SamAccountName "multiotp_srv" -UserPrincipalName "multiotp_srv@contoso.com" -Path "OU=ServiceAccounts,OU=Moscow,DC=site,DC=io" -AccountPassword $passwd -Enabled $true
Download the archive with MultiOTP files from the developer site https://download.multiotp.net/.
Open the multiotp_5.8.2.9.zip archive and extract the windows directory from it to a folder on your local drive (C:\MultiOTP).
Open a command prompt and navigate to the directory containing the multiotp.exe utility:
CD C:\MultiOTP\windows
With the following commands, we configure MultiOTP to fetch users from Active Directory over LDAP.
multiotp -config default-request-prefix-pin=0
multiotp -config default-request-ldap-pwd=0
multiotp -config ldap-server-type=1
multiotp -config ldap-cn-identifier="sAMAccountName"
multiotp -config ldap-group-cn-identifier="sAMAccountName"
multiotp -config ldap-group-attribute="memberOf"
multiotp -config ldap-ssl=0
multiotp -config ldap-port=389
REM Domain controller address
multiotp -config ldap-domain-controllers=msk-dc03.site.io,ldap://192.168.13.10:389
multiotp -config ldap-base-dn="DC=site,DC=io"
REM Account for multiotp authentication in AD:
multiotp -config ldap-bind-dn="CN=multiotp_srv,OU=ServiceAccounts,OU=Moscow,DC=site,DC=io"
multiotp -config ldap-server-password="P@ssw0rd!"
REM group of users for which you want to enable OTP
multiotp -config ldap-in-group="2FAVPNUsers"
multiotp -config ldap-network-timeout=10
multiotp -config ldap-time-limit=30
multiotp -config ldap-activated=1
REM key to access MultiOTP server
multiotp -config server-secret=secretOTP
A more detailed description of all options is in the document https://download.multiotp.net/readme_5.8.2.9.txt in the section “HOW TO CONFIGURE MULTIOTP TO SYNCHRONIZED THE USERS FROM AN ACTIVE DIRECTORY”.
Previously, we created the 2FAVPNUsers group and added three users to it. Now synchronize the AD users into MultiOTP:
multiotp -debug -display-log -ldap-users-sync
LOG 2022-01-17 14:36:44 info LDAP Info: 3 users created, based on 3 LDAP entries (processed in 00:00:00)
LOG 2022-01-17 14:36:44 debug System Info: *File created: c:\MultiOTP\windows\.\users\a.ivanov.db
In this case, MultiOTP detected three users and synchronized them.
To pick up new Active Directory accounts regularly, create a scheduled task that runs the command:
multiotp -debug -display-log -ldap-users-sync
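One way to create that scheduled task, as an added example that is not from the page or the multiOTP documentation: it runs the LDAP sync every 15 minutes as SYSTEM. The install path C:\MultiOTP\windows comes from the steps above; the task name, interval and time limit are assumptions.

```powershell
# Added example (not multiOTP documentation): periodic LDAP user sync as a scheduled task.
# Assumptions: multiotp.exe lives in C:\MultiOTP\windows (as installed above); task name,
# 15-minute interval and 10-minute time limit are example values.
$exe      = 'C:\MultiOTP\windows\multiotp.exe'
$action   = New-ScheduledTaskAction -Execute $exe `
              -Argument '-debug -display-log -ldap-users-sync' `
              -WorkingDirectory 'C:\MultiOTP\windows'
# Start today at midnight and repeat every 15 minutes (indefinitely on Server 2016+).
$trigger  = New-ScheduledTaskTrigger -Once -At (Get-Date).Date `
              -RepetitionInterval (New-TimeSpan -Minutes 15)
# Run as SYSTEM so the task needs no stored domain credentials; the LDAP bind
# account configured above is what multiotp actually uses to talk to AD.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
# Kill a hung sync after 10 minutes and never start a second copy while one is running.
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Minutes 10) `
              -MultipleInstances IgnoreNew
Register-ScheduledTask -TaskName 'MultiOTP LDAP sync' -Action $action -Trigger $trigger `
  -Principal $principal -Settings $settings -Force
```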
Run the webservice_install.cmd file as an administrator. This installs the MultiOTP web management interface.
Log in to the web interface at http://127.0.0.1:8112/ with the admin account and the password 1234 (change it at first login).
Configuring MultiOTP Two-Factor Authentication for a Domain User.
In the List of users section, the domain users that were synchronized earlier are listed (AD/LDAP source).
Select a user and click Print. You will see the user's QR code, which needs to be added to the authenticator application.
Install the Microsoft Authenticator (or Google Authenticator) app from Google Play or the App Store on the user's smartphone. Launch it and scan the user's QR code.
As a result, an account appears in the application that generates a new six-digit numeric code every 30 seconds; this code is the second factor.
From the command line, you can check that MultiOTP authenticates a given user with an OTP:
multiotp.exe -display-log login 719854
where 719854 is the one-time password received from the application.
LOG 2022-01-17 15:13:11 notice (user xxx) User OK: User xxx successfully logged in with TOTP token
You can also check the correct operation of OTP from the web interface. Go to the Check a user section, enter your username and one-time password.
Installing multiOTP CredentialProvider on Windows.
The next step is to install the multiOTP-CredentialProvider on the Windows computers where you want to implement two-factor user authentication with MultiOTP. CredentialProvider can be installed on all versions of Windows 7/8/8.1/10/11 and Windows Server 2012(R2)/2016/2019/2022.
In this example, we will set up two-factor authentication for RDP user login to an RDSH server on Windows Server 2019.
Download and install multiOTP CredentialProvider from GitHub: https://github.com/multiOTP/multiOTPCredentialProvider/releases. At the time of writing, the current version is 5.8.4.0.
Run the installer:
- Specify the IP address of the server where MultiOTP is installed. The firewall on the MultiOTP server must allow inbound connections to the MultiOTP web service port (TCP 8112):
New-NetFirewallRule -DisplayName "AllowMultiOTP" -Direction Inbound -Protocol TCP -LocalPort 8112 -Action Allow
- In the lower field, enter the secret word from the multiOTP configuration (secretOTP in our config);
- Select the Windows logon type that you want to use OTP authentication for. In our example, we limit ourselves to 2FA for RDP logins only (OTP authentication mandatory for remote desktop only).
You can enable the use of OTP authentication for both RDP and local logins.
The MultiOTP CredentialProvider stores its settings in the registry under HKEY_CLASSES_ROOT\CLSID\{FCEFDFAB-B0A1-4C4D-8B2B-4FF4E0A3D978}. If necessary, you can change the CredentialProvider settings there without reinstalling.
Restart the RDS host and try to connect to it via RDP. Now, after submitting the username and password, an additional one-time password prompt appears, where the user must enter the one-time password from the Authenticator app on their smartphone.
If NLA for RDP is disabled on the RDS host, the user will simply see three input fields (account name, password, and OTP).
On the MultiOTP server, you can enable logging, which is useful when debugging:
multiotp -config debug=1
multiotp -config display-log=1
Your script is running from C:\MultiOTP\windows\
2022-01-17 15:21:07 debug CredentialProviderRequest Info: *Value for IsCredentialProviderRequest: 1 0 SPB-SRV01
2022-01-17 15:21:07 debug Server-Client Info: *CheckUserToken server request. 0 SPB-SRV01
2022-01-17 15:21:07 notice kbuldogov User OK: User kbuldogov successfully logged in (using Credential Provider) with TOTP token 0 SPB-SRV01
2022-01-17 15:21:07 debug Server-Client Info: *Cache level is set to 1 0 SPB-SRV01
2022-01-17 15:21:07 debug Server-Client Info: *Server secret used for command CheckUserToken with error code result 0: secretOTP 0 SPB-SRV01
Don't forget to make sure that your domain synchronizes time with Internet time servers and that client clocks do not drift. This is critical for OTP to work.
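The six-digit codes that change every 30 seconds are RFC 6238 TOTP values, and the time-synchronization requirement follows directly from how they are computed. As an added illustration that is not multiOTP's own code, this PowerShell snippet derives a TOTP from a shared seed the way the authenticator app and the server both do, and checks it with the usual one-step tolerance; the seed is the RFC 6238 test key, and the Test-Totp helper and the 2-minute skew scenario are constructed for the example.

```powershell
# Added example, not multiOTP project code: RFC 6238 TOTP in PowerShell, showing what the
# authenticator app and the multiOTP server each derive from the shared seed and why
# their clocks must agree. The seed is the RFC 6238 test key, not a real user's.
function ConvertFrom-Base32 {
    param([string]$Base32)   # authenticator seeds are normally shown base32-encoded
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $bits = -join ($Base32.ToUpper().TrimEnd('=').ToCharArray() | ForEach-Object {
        $v = $alphabet.IndexOf($_)
        if ($v -lt 0) { throw "Invalid base32 character '$_'" }
        [Convert]::ToString($v, 2).PadLeft(5, '0')
    })
    $bytes = for ($i = 0; $i + 8 -le $bits.Length; $i += 8) {
        [Convert]::ToByte($bits.Substring($i, 8), 2)
    }
    return [byte[]]$bytes
}

function Get-Totp {
    param([byte[]]$Key, [datetime]$Time, [int]$Step = 30, [int]$Digits = 6)
    # Counter = whole $Step-second intervals since the Unix epoch, as 8 big-endian bytes.
    $epoch   = [datetime]::new(1970, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
    $counter = [int64][Math]::Floor(($Time.ToUniversalTime() - $epoch).TotalSeconds / $Step)
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($msg) }
    $h = [System.Security.Cryptography.HMACSHA1]::new($Key).ComputeHash($msg)
    # Dynamic truncation (RFC 4226): 31 bits starting at the offset held in the last nibble.
    $o   = $h[19] -band 0x0F
    $bin = (($h[$o] -band 0x7F) -shl 24) -bor ($h[$o+1] -shl 16) -bor ($h[$o+2] -shl 8) -bor $h[$o+3]
    return ($bin % [int][Math]::Pow(10, $Digits)).ToString().PadLeft($Digits, '0')
}

function Test-Totp {
    # Server-side check: accept the current step and $Window steps either side (about
    # +/-30 s for Window=1), the usual tolerance for small drift between phone and server.
    param([byte[]]$Key, [string]$Code, [datetime]$Now, [int]$Window = 1)
    foreach ($d in (-$Window)..$Window) {
        if ((Get-Totp -Key $Key -Time $Now.AddSeconds(30 * $d)) -eq $Code) { return $true }
    }
    return $false
}

# Demonstration: a phone in sync with the server, and one whose clock is 2 minutes fast.
$key = ConvertFrom-Base32 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'   # RFC 6238 key "12345678901234567890"
$now = [datetime]::new(1970, 1, 1, 0, 0, 59, [DateTimeKind]::Utc)
Test-Totp -Key $key -Code (Get-Totp -Key $key -Time $now) -Now $now                # same step
Test-Totp -Key $key -Code (Get-Totp -Key $key -Time $now.AddMinutes(2)) -Now $now  # 4 steps outside the window
```

A phone more than one step ahead of or behind the server produces codes the server never tries, which is exactly the failure the time-synchronization note above is about.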
In any case, before rolling out MultiOTP-based 2FA across your network, we recommend testing all modes of operation and failure scenarios (unavailability of the MultiOTP server or a DC, errors in CredentialProvider, etc.) for a couple of weeks. If you run into serious problems logging in with MultiOTP, you can uninstall CredentialProvider in Safe Mode.
This completes the setup of two-factor authentication in Windows Server using MultiOTP. Scenarios are available for using MultiOTP with a RADIUS server to authenticate virtually any type of client over OTP.