Enable Multi-factor authentication (MFA)

Contributors netapp-nsriram netapp-soumikd

To enable MFA functionality, you should perform some steps in the Active Directory Federation Service (AD FS) Server and SnapCenter Server.

What you will need

  • Windows Active Directory Federation Service (AD FS) should be up and running in the respective domain.

  • You should have any AD FS supported Multi-factor authentication services such as Azure MFA, Cisco Duo, and so on.

  • SnapCenter and AD FS server timestamp should be the same regardless of the timezone.

  • Procure and configure the authorized CA certificate for SnapCenter Server.

    CA Certificate is mandatory for the following reasons:

    • Ensures that the ADFS-F5 communications will not break because the self-signed certificates are unique at the node level.

    • Ensures that during upgrade, repair, or disaster recovery (DR) in a standalone or high availability configuration, the self-signed certificate does not get recreated thus avoiding MFA reconfiguration.

    • Ensures IP-FQDN resolutions.

      For information on CA certificate, see Generate CA Certificate CSR file.

About this task

  • SnapCenter supports SSO based logins when other applications are configured in the same AD FS. In certain AD FS configurations, SnapCenter might require user authentication for security reasons depending on the AD FS session persistence.

  • The information regarding the parameters that can be used with the cmdlet and their descriptions can be obtained by running Get-Help command_name. Alternatively, you can also refer to the SnapCenter Software Cmdlet Reference Guide.

Steps

  1. Connect to the Active Directory Federation Services (AD FS) host.

  2. Download AD FS federation metadata file from "https://<host FQDN>/FederationMetadata/2007-06/FederationMetadata.xml"

  3. Copy the downloaded file to SnapCenter Server to enable MFA feature.

  4. Log in to SnapCenter Server as the SnapCenter Administrator user through PowerShell.

  5. Using the PowerShell session, generate the SnapCenter MFA metadata file by using the New-SmMultifactorAuthenticationMetadata -path cmdlet.

    The path parameter specifies the path to save the MFA metadata file in the SnapCenter Server host.

  6. Copy the generated file to the AD FS host to configure SnapCenter as the client entity.

  7. Enable MFA for SnapCenter Server using the Set-SmMultiFactorAuthentication -Enable -Path cmdlet.

    The path parameter specifies the location of the AD FS MFA metadata xml file, which was copied to SnapCenter Server in step 3.

  8. (Optional) Check the MFA configuration status and settings by using Get-SmMultiFactorAuthentication cmdlet.

  9. Go to the Microsoft management console (MMC) and perform the following steps:

    1. Click File > Add/Remove Snapin.

    2. In the Add or Remove Snap-ins window, select Certificates and then click Add.

    3. In the Certificates snap-in window, select the Computer account option, and then click Finish.

    4. Click Console Root > Certificates – Local Computer > Personal > Certificates.

    5. Right-click on the CA certificate bound to SnapCenter and then select All Tasks > Manage Private Keys.

    6. On the permissions wizard perform the following steps:

      1. Click Add

      2. Click Locations and select the concerned host (top of hierarchy)

      3. Click OK in the Locations pop-up window.

      4. In the object name field, enter ‘IIS_IUSRS’ and click Check Names and click OK.

        If the check is successful, click OK.

  10. In the AD FS host, open AD FS management wizard and perform the following steps:

    1. Right click on Relying Party Trusts > Add Relying Party Trust > Start.

    2. Select the second option and browse the SnapCenter MFA Metadata file and click Next.

    3. Specify a display name and click Next.

    4. Choose and access control policy as required and click Next.

    5. Set the settings in the next tab to default.

    6. Click Finish.

      SnapCenter is now reflected as a relying party with the provided display name.

  11. Select the name and perform the following steps:

    1. Click Edit Claim Issuance Policy.

    2. Click Add Rule and click Next.

    3. Specify a name for the claim rule

    4. Select Active Directory as the attribute store.

    5. Select the attribute as User-Principal-Name and the outgoing claim type as Name-ID.

    6. Click Finish.

  12. Run the following PowerShell commands on the ADFS server.

    Set-AdfsRelyingPartyTrust -TargetName ‘<Display name of relying party >’ -SigningCertificateRevocationCheck None

    Set-AdfsRelyingPartyTrust -TargetName ‘<Display name of relying party >’ -EncryptionCertificateRevocationCheck None

  13. Perform the following steps to confirm that the metadata was imported successfully.

    1. Right-click the relying party trust and select Properties.

    2. Ensure that the Endpoints, Identifiers, and Signature fields are populated.

SnapCenter MFA functionality can also be enabled using REST APIs.

After you finish

After enabling, updating, or disabling the MFA settings in SnapCenter, close all the browser tabs and reopen a browser to login again. This will clear the existing or active session cookies.

For troubleshooting information see SnapCenter Login in multiple tabs shows MFA error

Update AD FS MFA Metadata

You should update the AD FS MFA metadata in SnapCenter whenever there is any modification in the AD FS Server, such as upgrade, CA certificate renewal, DR, and so on.

Steps

  1. Download AD FS federation metadata file from "https://<host FQDN>/FederationMetadata/2007-06/FederationMetadata.xml"

  2. Copy the downloaded file to SnapCenter Server to update the MFA configuration.

  3. Update the AD FS metadata in SnapCenter by running the following cmdlet:

    Set-SmMultiFactorAuthentication -Path <location of ADFS MFA metadata xml file>

After you finish

After enabling, updating, or disabling the MFA settings in SnapCenter, close all the browser tabs and reopen a browser to login again. This will clear the existing or active session cookies.

Update SnapCenter MFA metadata

You should update the SnapCenter MFA metadata in AD FS whenever there is any modification in ADFS server such as repair, CA certificate renewal, DR, and so on.

Steps

  1. In the AD FS host, open AD FS management wizard and perform the following steps:

    1. Click Relying Party Trusts.

    2. Right click on the relying party trust that was created for SnapCenter and click Delete.

      The user defined name of the relying party trust will be displayed.

    3. Enable Multi-factor authentication (MFA).

After you finish

After enabling, updating, or disabling the MFA settings in SnapCenter, close all the browser tabs and reopen a browser to login again. This will clear the existing or active session cookies.

Disable Multi-factor authentication (MFA)

Disable MFA and clean up the configuration files that were created when MFA was enabled by using Set-SmMultiFactorAuthentication -Disable cmdlet.

After you finish

After enabling, updating, or disabling the MFA settings in SnapCenter, close all the browser tabs and reopen a browser to login again. This will clear the existing or active session cookies.