Jake  
#1 Posted : Wednesday, November 14, 2012 2:44:23 PM(UTC)
Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 4/9/2010(UTC)
Posts: 2,061

Thanks: 1 times
Was thanked: 393 time(s) in 188 post(s)
We've put together a simple TFA (Two Factor Authentication) sample using OTPs (One-Time Passwords).

Here is the video that explains it all:


I've attached the Login.aspx page mentioned in the video, and I'll keep it updated here.

This will likely be incorporated into the product at some point.

Original discussion in this thread:
http://forum.screenconne...ctor-Authentication.aspx

Mono/Linux/OSX requires additional work to import the root certificates for mono:

Code:
sudo mozroots --import --machine --ask-remove


SPECIAL LOGIN PAGE NOT NEEDED FOR 3.1 OR HIGHER. IT IS INCLUDED.

Edited by user Friday, March 15, 2013 5:16:01 PM(UTC)  | Reason: Not specified

File Attachment(s):
Login.aspx (12kb) downloaded 186 time(s).
ScreenConnect Team

Jake  
#2 Posted : Tuesday, December 11, 2012 12:50:51 PM(UTC)
Yeah, shown in the video.
ScreenConnect Team
ComputerHero  
#3 Posted : Tuesday, December 11, 2012 1:09:32 PM(UTC)
Rank: Advanced Member

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 5/20/2011(UTC)
Posts: 40
Location: Calgary, Canada

Thanks: 2 times
Was thanked: 1 time(s) in 1 post(s)
Hi Jake, one question I have that I'm not clear about, is will the OTP (or can it if not) be optionally bypassed when NTLM is used?
I'm only worried about OTP externally.
Jake  
#4 Posted : Tuesday, December 11, 2012 1:10:20 PM(UTC)
Windows Auth (NTLM) and the TFA are not compatible
ScreenConnect Team
peterh  
#5 Posted : Thursday, December 20, 2012 11:50:17 AM(UTC)
Rank: Newbie

Joined: 11/28/2012(UTC)
Posts: 1
Location: Bermuda

will this file work with the latest release?
Jake  
#6 Posted : Thursday, December 20, 2012 11:51:22 AM(UTC)
Yes
ScreenConnect Team
maacevedo  
#7 Posted : Friday, January 4, 2013 11:42:53 AM(UTC)
Rank: Member

Joined: 11/18/2011(UTC)
Posts: 25
Location: Puerto Rico (USA)

Thanks: 1 times
Works perfectly!!. I am using Google Authenticator and e-mail and it works great.

I do have one addition that should be implemented. When the user clicks on the "keep me logged in" checkbox in the main screen. If the user is two-factor authenticator enabled it should still ask for the authentication even if the user does not enter a user ID and password.
haastility  
#8 Posted : Friday, January 4, 2013 11:59:21 AM(UTC)
Rank: Advanced Member

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 8/25/2011(UTC)
Posts: 40
Location: Cincinnati, OH

Was thanked: 1 time(s) in 1 post(s)
maacevedo wrote:
Works perfectly!!. I am using Google Authenticator and e-mail and it works great.

I do have one addition that should be implemented. When the user clicks on the "keep me logged in" checkbox in the main screen. If the user is two-factor authenticator enabled it should still ask for the authentication even if the user does not enter a user ID and password.


I like this too. This should be an option, not required.
maacevedo  
#9 Posted : Tuesday, January 8, 2013 6:26:19 PM(UTC)
In the screen to enter the Two-Factor Authenticator the default action for pressing enter is not bound to the "Login" button. When I press enter, no matter if the TFA is entered correctly it will bring me back to the TFA Screen. Only by clicking the "Login" button with the mouse do I get it to go through. It is a minor thing but something that may be making other people think that their implementation was incorrect.
Reid  
#10 Posted : Thursday, January 10, 2013 4:21:31 PM(UTC)
Rank: Administration

Medals: Level 2: Lent a Helping Hand! 10 Thanks!

Joined: 4/22/2010(UTC)
Posts: 475
Location: NC

Was thanked: 17 time(s) in 15 post(s)
Thanks--got it registered.
ScreenConnect Team
wellssd  
#11 Posted : Friday, January 11, 2013 12:00:59 AM(UTC)
Rank: Newbie

Joined: 1/10/2013(UTC)
Posts: 2
Location: Indiana

I've been through this a couple times now, and haven't had much luck...I'm wondering if anyone else has had similar experiences and might be able to offer some suggestions...

I've added the login.aspx from the first post in this thread. Additionally, set SecurityPanel.PasswordQuestionVisible to true and added a new account with a Google authenticator key and administration role.

Each time I login using the new account, however, it lets me login with the username and password, I'm not prompted for the OTP.

I'm using ScreenConnect 3.0.3913.

Thanks,

Scott
ian  
#12 Posted : Friday, January 11, 2013 5:19:05 PM(UTC)
Rank: Newbie

Joined: 12/29/2012(UTC)
Posts: 1
Location: Melbourne, Australia

You may have already done but as well as setting SecurityPanel.PasswordQuestionVisible to 'true' you also have to set SecurityPanel.PasswordQuestionHeaderText.

I have mine set to 'OTP (goog,email)' to allow the option of Google Auth and Email
Jake  
#13 Posted : Friday, January 11, 2013 5:28:51 PM(UTC)
ian wrote:
You may have already done but as well as setting SecurityPanel.PasswordQuestionVisible to 'true' you also have to set SecurityPanel.PasswordQuestionHeaderText.

I have mine set to 'OTP (goog,email)' to allow the option of Google Auth and Email


The heading is just for display purposes and won't affect behavior.

Are you _sure_ your login.aspx has been replaced?
ScreenConnect Team
wellssd  
#14 Posted : Saturday, January 12, 2013 12:24:15 AM(UTC)
Jake,

I'd like to say, yeah...but in fact, the problem in this case appears to be me. Thanks for highlighting the obvious...after downloading the file, it always helps to actually put it in the proper directory.

Thanks...
lucknuts  
#15 Posted : Sunday, April 7, 2013 3:21:59 PM(UTC)
Rank: Member

Joined: 4/5/2013(UTC)
Posts: 22
Location: Madison,wI

Thanks: 4 times
Implemented Goog Auth 2-factor yesterday, works flawless. Appreciate implementing that! :)
--
Nate
Chris@Taieri  
#16 Posted : Sunday, June 2, 2013 2:32:46 AM(UTC)
Rank: Member

Joined: 6/23/2011(UTC)
Posts: 28
Location: New Zealand

I implemented Google Auth 2-factor recently and have had a change of mobile and am now locked out of ScreenConnect. Where is the code located to change authentication back to false so I can get access again?
Chris@Taieri  
#17 Posted : Sunday, June 2, 2013 4:41:31 AM(UTC)
Chris@Taieri wrote:
I implemented Google Auth 2-factor recently and have had a change of mobile and am now locked out of ScreenConnect. Where is the code located to change authentication back to false so I can get access again?


Worked it out. Stop all SC services, copy the QR Code to the user.xml file, scan the same code into phone and start the services again. Can access again.

I needed to work this out as mobile lost, changed to a temp mobile and installed Google Authenticator so had to rescan a new code. Will have to do again when I get new mobile.
bradyosborne  
#18 Posted : Saturday, November 2, 2013 1:59:45 AM(UTC)
Rank: Newbie

Joined: 7/19/2012(UTC)
Posts: 5
Location: Tulsa, OK

Hi, I have TFA enabled per this article, but am not prompted for an OTP when logging in. Using version 4.0.5454.5032_Release on CentOS 6.4.

I tried the Login.aspx page attached just in case, but my server was inaccessible then, so I reverted to the original.

Any ideas? Thanks.
nehringtech  
#19 Posted : Tuesday, December 10, 2013 4:31:24 PM(UTC)
Rank: Newbie

Joined: 12/10/2013(UTC)
Posts: 1
Location: Stephenville

Is there any way to enable two factor authentication with LDAP? LDAP needs to sync with rotating passwords that expire every x days. We need this to work before we can use this at several of our clients.
Jake  
#20 Posted : Tuesday, December 10, 2013 5:09:27 PM(UTC)
We just added support, but you'll have to add that TFA info to your ldap directory: http://forum.screenconne...LDAP-Authentication.aspx
ScreenConnect Team
mikeystark  
#21 Posted : Thursday, June 19, 2014 12:18:46 PM(UTC)
Rank: Newbie

Joined: 6/19/2014(UTC)
Posts: 3

I have tried Google Authentication but it says I used an incorrect one time code. But the Email one time setup works. I have twice recreated the Google Authentication setup here "http://www.screenconnect.com/Google-Authenticator-Generator". Once it generates it, I scan the code with my Android phone and then enter the info to paste into the user field in ScreenConnect. I was running the latest stable version 4.3.???, but now tried upgrading to the latest unstable 4.4.6940.5276. Neither version made a difference. I then tried replacing the login.aspx file even though it stated I did not need to; this made no difference also.

Any ideas?

Thanks,
Adam
Reid  
#22 Posted : Friday, June 20, 2014 4:10:19 PM(UTC)
Are you remembering to preface the code from the Google Authenticator with "goog:"? For example, the user in the Security tab would look like:

User Name | Password | OTP (email, goog, yubi) | Roles
Freddy    | ******** | goog:OP6F4TCN6DIGOLB3   | Domain Admins

Thanks,
Reid
ScreenConnect Team
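
Added example (not part of the thread and not ScreenConnect's code): a sketch of checking a Google Authenticator code against an OTP field of the form "goog:<base32 secret>" shown in the post above, using standard RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits). The function names, the rejection of an unprefixed value and the one-step clock-drift window are assumptions made for illustration; the sample secret is the RFC 6238 test key, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: the RFC 6238 test key "12345678901234567890" in base32,
# written in the "goog:" field format shown in the thread.
SAMPLE_FIELD = "goog:GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 secret at Unix time `at`."""
    secret = secret_b32.replace(" ", "").upper()
    secret += "=" * (-len(secret) % 8)            # restore stripped padding
    key = base64.b32decode(secret)
    counter = struct.pack(">Q", int(at) // step)  # 8-byte big-endian time step
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def parse_otp_field(field):
    """Split 'method:value'. Assumption: a bare secret with no prefix is an error."""
    method, sep, value = field.strip().partition(":")
    if not sep or not value:
        raise ValueError("OTP field needs a method prefix such as 'goog:'")
    return method.lower(), value

def verify_goog(field, code, now=None, window=1, step=30):
    """Check `code` against a 'goog:<base32>' field, tolerating +/- `window`
    time steps of clock drift between the phone and the server."""
    method, secret = parse_otp_field(field)
    if method != "goog":
        raise ValueError("not a Google Authenticator entry: " + method)
    now = time.time() if now is None else now
    return any(
        hmac.compare_digest(totp(secret, now + drift * step, step), code)
        for drift in range(-window, window + 1)
    )

if __name__ == "__main__":
    print(parse_otp_field("goog:OP6F4TCN6DIGOLB3"))   # field value from the thread
    print(verify_goog(SAMPLE_FIELD, totp(SAMPLE_FIELD[5:], time.time())))
```

A code that is correct on the phone can still fail this check when the server clock is off by more than the allowed window, so time synchronisation on the server is worth checking alongside the prefix.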