PrivacyIDEA Credential Provider for Domain User Login with 2FA

From Notes_Wiki

Home > PrivacyIDEA Credential Provider for Domain User Login with 2FA


Steps to Install and Configure PrivacyIDEA Credential Provider for Domain User Login with 2FA

Prerequisites

Before installing the PrivacyIDEA Credential Provider, ensure the following requirements are met:

  1. The Windows machine must be joined to the Active Directory Domain.
  2. Network communication between the Windows machine and the PrivacyIDEA server must be allowed.
  3. Domain users must have a valid token enrolled in PrivacyIDEA (for example, TOTP token).

Step 1: Download the PrivacyIDEA Credential Provider

Download the PrivacyIDEA Credential Provider installer from the following link:

PrivacyIDEA Credential Provider Download

Step 2: Install the PrivacyIDEA Credential Provider

  1. Run the downloaded installer.
  2. The Installation Wizard will appear. Click Next.
  3. In the End User License Agreement page:
    • Select I accept the license agreement.
    • Click Next.

Configuration Page 1/6

  1. In the HTTPS field, enter the PrivacyIDEA server IP address.
  2. Enable the following options:
    • Ignore Unknown CA
    • Ignore Invalid Common Name
  3. Click Next.

Configuration Page 2/6

Enable the following options:

  1. Prompt for username and password in first step
  2. Send domain password to PrivacyIDEA
  3. Show option to reset the authentication
  4. Create a detailed logfile (for debugging)

Click Next.

Configuration Pages 3/6, 4/6, 5/6, and 6/6

  1. Keep the default settings.
  2. Click Next on each page.

After reaching the final page, click Install.

Once the installation is completed, click Finish.

Step 3: Configure PrivacyIDEA Registry Settings

After the installation is complete, configure the required registry values.

  1. Press Win + R.
  2. Type the following command:

regedit

  1. Navigate to the following registry path:

HKEY_LOCAL_MACHINE\SOFTWARE\NetKnights GmbH\PrivacyIDEA-CP

Allow Local Administrator Login Without TOTP

  1. Locate excluded_account.
  2. Set the value to:

.\Administrator

This allows the local Administrator account to log in without requiring TOTP.

Test Local Administrator Login with PrivacyIDEA

  1. Log out from the system.
  2. Log in using the local Administrator account.
  3. Confirm that the login works without TOTP authentication.
Note

If the above login works successfully, then only proceed with enabling the filter. Otherwise, you may get locked out of the system.

Enable Credential Provider Filtering

To remove the default Windows credential provider and enforce PrivacyIDEA authentication:

  1. Locate the registry key enable_filter.
  2. Set the value to:

1

This ensures that PrivacyIDEA authentication is enforced as the default system credential provider and disables the Windows credential provider.

Retrieved from "http://www.sbarjatiya.com/notes_wiki/index.php?title=PrivacyIDEA_Credential_Provider_for_Domain_User_Login_with_2FA&oldid=10072"