Skip to main content
SnapCenter Software 4.8
A newer release of this product is available.

Manage multi-factor authentication (MFA)

Contributors netapp-soumikd

This topic describes how to manage Multi-factor authentication (MFA) functionality in the Active Directory Federation Service (AD FS) Server and SnapCenter Server.

Enable multi-factor authentication (MFA)

This topic describes how to enable MFA functionality in the Active Directory Federation Service (AD FS) Server and SnapCenter Server.

About this task
  • SnapCenter supports SSO based logins when other applications are configured in the same AD FS. In certain AD FS configurations, SnapCenter might require user authentication for security reasons depending on the AD FS session persistence.

  • The information regarding the parameters that can be used with the cmdlet and their descriptions can be obtained by running Get-Help command_name. Alternatively, you can also see SnapCenter Software Cmdlet Reference Guide.

What you'll need
  • Windows Active Directory Federation Service (AD FS) should be up and running in the respective domain.

  • You should have an AD FS supported Multi-factor authentication service such as Azure MFA, Cisco Duo, and so on.

  • SnapCenter and AD FS server timestamp should be the same regardless of the timezone.

  • Procure and configure the authorized CA certificate for SnapCenter Server.

    CA Certificate is mandatory for the following reasons:

    • Ensures that the ADFS-F5 communications do not break because the self-signed certificates are unique at the node level.

    • Ensures that during upgrade, repair, or disaster recovery (DR) in a standalone or high availability configuration, the self-signed certificate does not get recreated thus avoiding MFA reconfiguration.

    • Ensures IP-FQDN resolutions.

      For information on CA certificate, see Generate CA Certificate CSR file.

Steps
  1. Connect to the Active Directory Federation Services (AD FS) host.

  2. Download AD FS federation metadata file from "https://<host FQDN>/FederationMetadata/2007-06/FederationMetadata.xml".

  3. Copy the downloaded file to SnapCenter Server to enable MFA feature.

  4. Log in to SnapCenter Server as the SnapCenter Administrator user through PowerShell.

  5. Using the PowerShell session, generate the SnapCenter MFA metadata file by using the New-SmMultifactorAuthenticationMetadata -path cmdlet.

    The path parameter specifies the path to save the MFA metadata file in the SnapCenter Server host.

  6. Copy the generated file to the AD FS host to configure SnapCenter as the client entity.

  7. Enable MFA for SnapCenter Server using the Set-SmMultiFactorAuthentication -Enable -Path cmdlet.

    The path parameter specifies the location of the AD FS MFA metadata xml file, which was copied to SnapCenter Server in step 3.

  8. (Optional) Check the MFA configuration status and settings by using Get-SmMultiFactorAuthentication cmdlet.

  9. Go to the Microsoft management console (MMC) and perform the following steps:

    1. Click File > Add/Remove Snapin.

    2. In the Add or Remove Snap-ins window, select Certificates and then click Add.

    3. In the Certificates snap-in window, select the Computer account option, and then click Finish.

    4. Click Console Root > Certificates – Local Computer > Personal > Certificates.

    5. Right-click on the CA certificate bound to SnapCenter and then select All Tasks > Manage Private Keys.

    6. On the permissions wizard perform the following steps:

      1. Click Add.

      2. Click Locations and select the concerned host (top of hierarchy).

      3. Click OK in the Locations pop-up window.

      4. In the object name field, enter ‘IIS_IUSRS’ and click Check Names and click OK.

        If the check is successful, click OK.

  10. In the AD FS host, open AD FS management wizard and perform the following steps:

    1. Right click on Relying Party Trusts > Add Relying Party Trust > Start.

    2. Select the second option and browse the SnapCenter MFA Metadata file and click Next.

    3. Specify a display name and click Next.

    4. Choose an access control policy as required and click Next.

    5. Select the settings in the next tab to default.

    6. Click Finish.

      SnapCenter is now reflected as a relying party with the provided display name.

  11. Select the name and perform the following steps:

    1. Click Edit Claim Issuance Policy.

    2. Click Add Rule and click Next.

    3. Specify a name for the claim rule.

    4. Select Active Directory as the attribute store.

    5. Select the attribute as User-Principal-Name and the outgoing claim type as Name-ID.

    6. Click Finish.

  12. Run the following PowerShell commands on the ADFS server.

    Set-AdfsRelyingPartyTrust -TargetName ‘<Display name of relying party >’ -SigningCertificateRevocationCheck None

    Set-AdfsRelyingPartyTrust -TargetName ‘<Display name of relying party >’ -EncryptionCertificateRevocationCheck None

  13. Perform the following steps to confirm that the metadata was imported successfully.

    1. Right-click the relying party trust and select Properties.

    2. Ensure that the Endpoints, Identifiers, and Signature fields are populated.

  14. Close all the browser tabs and reopen a browser to clear the existing or active session cookies, and login again.

SnapCenter MFA functionality can also be enabled using REST APIs.

For troubleshooting information, refer to Simultaneous login attempts in multiple tabs shows MFA error.

Update AD FS MFA Metadata

You should update the AD FS MFA metadata in SnapCenter whenever there is any modification in the AD FS Server, such as upgrade, CA certificate renewal, DR, and so on.

Steps
  1. Download AD FS federation metadata file from "https://<host FQDN>/FederationMetadata/2007-06/FederationMetadata.xml"

  2. Copy the downloaded file to SnapCenter Server to update the MFA configuration.

  3. Update the AD FS metadata in SnapCenter by running the following cmdlet:

    Set-SmMultiFactorAuthentication -Path <location of ADFS MFA metadata xml file>

  4. Close all the browser tabs and reopen a browser to clear the existing or active session cookies, and login again.

Update SnapCenter MFA metadata

You should update the SnapCenter MFA metadata in AD FS whenever there is any modification in ADFS server such as repair, CA certificate renewal, DR, and so on.

Steps
  1. In the AD FS host, open AD FS management wizard and perform the following steps:

    1. Click Relying Party Trusts.

    2. Right click on the relying party trust that was created for SnapCenter and click Delete.

      The user defined name of the relying party trust will be displayed.

    3. Enable Multi-factor authentication (MFA).

  2. Close all the browser tabs and reopen a browser to clear the existing or active session cookies, and login again.

Disable Multi-factor authentication (MFA)

Steps
  1. Disable MFA and clean up the configuration files that were created when MFA was enabled by using the Set-SmMultiFactorAuthentication -Disable cmdlet.

  2. Close all the browser tabs and reopen a browser to clear the existing or active session cookies, and login again.