PrivacyIdea with OWA

I am trying to configure PrivacyIdea to use it for 2FA with Exchange OWA. I have gone through some documentation and installed the PrivacyIDEA server and ADFS, and configured the PrivacyIDEA ADFS provider. But I am not able to find any guide on how to integrate it completely and use 2FA with OWA. Please provide me with a step-by-step guide on configuring PrivacyIDEA with OWA.

Thanks,

This is not how this forum works…

You start with outlining in details what you want to accomplish and how.
What you have done and where it did not work…

If there is enough interest in what you are doing, people might chime in and give you a hand…

First simple question: have you googled it? If you do, this would be the first hit

And was discussed a year ago here

That guide will get you 99% of the way there but the ADFS rules are slightly wrong syntactically…don’t recall where. However, if you use ADFS on Server 2019 (possibly 2016), implementing MFA can all be done through its GUI, no need for custom rules like those provided in the guide.

High level steps:

  • Install PrivacyIDEA
  • Install ADFS on Windows Server
  • Install PrivacyIDEA-ADFS provider plugin on Windows ADFS server
  • Configure relying party trust in ADFS to use the PrivacyIDEA-ADFS provider

This is actually one of the easier integrations to setup…although I guess that depends on your comfort level with Windows vs. Linux.

I could probably write up a guide once I get my lab set back up and working.
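The ADFS side of the high-level steps above, as an added example that is not from the thread or from the privacyIDEA project. It is meant to be run in an elevated Windows PowerShell session on the AD FS server after the PrivacyIDEA-ADFS provider has been installed. The provider name pattern and the relying party display name are assumptions; take the real values from the output of the first two listing commands.

```powershell
# Added example (not from the thread or the privacyIDEA project). Run in an elevated
# Windows PowerShell session on the AD FS server after the provider plugin is installed.
# The provider name filter and the relying party display name are assumptions.
Import-Module ADFS

# 1. Confirm the plugin registered itself as an additional authentication provider.
Get-AdfsAuthenticationProvider | Select-Object Name, AdminName

# 2. Enable it in the global authentication policy so the MFA stage can use it.
$ProviderName = (Get-AdfsAuthenticationProvider |
    Where-Object Name -like '*privacyIDEA*' | Select-Object -First 1).Name
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider @($ProviderName)

# 3. Find the relying party trust that Exchange OWA uses.
Get-AdfsRelyingPartyTrust | Select-Object Name, Identifier
$OwaRp = 'Outlook Web App'   # assumed display name, adjust to your trust

# 4a. AD FS 2016/2019: a built-in access control policy replaces hand-written rules.
Set-AdfsRelyingPartyTrust -TargetName $OwaRp -AccessControlPolicyName 'Permit everyone and require MFA'

# 4b. AD FS 2012 R2 (or if you prefer rules): require MFA by issuing the multipleauthn claim.
#     Note the trailing semicolon; a missing one is the kind of syntax slip that makes
#     AD FS reject the rule set.
$MfaRule = @'
=> issue(Type = "http://schemas.microsoft.com/ms/2008/06/identity/claims/authenticationmethod",
         Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
# On 2016+ a relying party that has an access control policy cannot also carry rules,
# so clear the policy first if you take this route:
# Set-AdfsRelyingPartyTrust -TargetName $OwaRp -AccessControlPolicyName $null
# Set-AdfsRelyingPartyTrust -TargetName $OwaRp -AdditionalAuthenticationRules $MfaRule

# 5. Verify what is now in force for the OWA trust.
Get-AdfsRelyingPartyTrust -Name $OwaRp |
    Select-Object Name, AccessControlPolicyName, AdditionalAuthenticationRules
```

Step 4a is the GUI route mentioned above expressed as a cmdlet; step 4b is the claim-rule route the older guide takes. Use one or the other for a given relying party, not both.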


That would be nice…!

Thanks henry and wwalker,

For some reason blog.quickbreach.io was not accessible from my network. But I managed to configure Privacyidea server and ADFS.

My OWA page now comes up with the ADFS page and then requests an OTP, but I keep getting login failed even with the correct OTP from the privacyIDEA Android app. When I test the OTP on the privacyIDEA server it can successfully verify the OTP. Not sure why ADFS is not able to verify the OTP. Please help.

Have you looked at this?

Did you properly configure the PrivacyIDEA-ADFS provider config.xml file specifying your PI server in it before you installed it on the ADFS server? If you have to make a config change, that config file isn’t referenced after installation, so you’d have to uninstall the provider then reinstall it.

Do you have a load balancer in front of the PI server? I had issues with my lab setup going through a virtual kemp. Never worked on getting that to play nice though…

Enable debug logging in your pi.cfg file and run through an auth attempt, there’s usually something in there to help.
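One way to run through the checks suggested in the post above from the ADFS host itself, as an added example that is not from the thread or from the privacyIDEA project. It sends the same `/validate/check` request the provider sends, but from a PowerShell prompt on the AD FS server with certificate validation left on, so that a TLS trust problem between that host and the privacyIDEA server shows up separately from a wrong OTP. The host name, user and realm are assumptions. On the privacyIDEA side, the debug logging mentioned above is switched on with `PI_LOGLEVEL = logging.DEBUG` in `pi.cfg`.

```powershell
# Added example (not from the thread or the privacyIDEA project). Run on the AD FS
# server in Windows PowerShell. Host name, user and realm are hypothetical values.
$PiBase = 'https://pi.example.com'
$User   = 'rushi'
$Realm  = 'defrealm'

# Windows PowerShell 5.1 may default to TLS 1.0; a privacyIDEA instance behind a
# current web server will typically only accept TLS 1.2.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$otpSecure = Read-Host -Prompt "Current OTP for $User" -AsSecureString
$otp = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($otpSecure))

try {
    # POST /validate/check with user, realm and pass: the call the provider makes.
    $resp = Invoke-RestMethod -Method Post -Uri "$PiBase/validate/check" `
        -Body @{ user = $User; realm = $Realm; pass = $otp }

    # result.status: the request was processed; result.value: the OTP was accepted.
    if ($resp.result.status -and $resp.result.value) {
        Write-Host "OTP accepted by privacyIDEA; the ADFS-side failure is not the OTP itself."
    } else {
        Write-Host "OTP rejected by privacyIDEA: $($resp.detail.message)"
    }
} catch [System.Net.WebException] {
    # Reaching this branch means no JSON answer came back at all. A trust failure here
    # means this host does not trust the privacyIDEA certificate chain, and the provider
    # fails the same way no matter which OTP the user enters.
    Write-Host "HTTP/TLS failure: $($_.Exception.Message)"
    if ($_.Exception.Status -eq 'TrustFailure') {
        Write-Host "Import the issuing CA into the Local Computer certificate store on this server."
    }
} catch {
    Write-Host "Unexpected error: $($_.Exception.Message)"
}
```

If this script reports a trust failure while the same OTP validates fine on the privacyIDEA server, the problem is the certificate chain as seen from the AD FS host rather than the token, and the fix is to make that chain trusted rather than to turn certificate checking off in the provider.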

I configured my PrivacyIDEA server without an SSL cert. Hence I was getting SSL errors. I updated the config file for the PrivacyIDEA-ADFS Provider and disabled the SSL cert check, and that resolved the issue. I will be getting my SSL cert soon and then I will enable the cert check again. For now 2FA is working with OWA.

As a next step I am trying to implement 2FA for RDP connections. I downloaded the PrivacyIDEA Credential Provider, but it is missing required DLL files. I believe the Credential Provider is only available with the enterprise edition and not as open source, or is there another way to implement 2FA for RDP sessions?

Thanks,
Rushi

The credential provider is available for anyone to use, but you have to compile it yourself. I went down that rabbit hole and got pretty close but could never get it to work right. I found all the dependencies and the compiled MSI installer would run but it appeared as if it wasn’t doing anything. There are registry keys it was configured to change but when I looked at the keys post-install, they didn’t exist or were not modified as expected.

I read somewhere that the Windows auth mechanisms were actually pretty easy to work through (if you’re an experienced developer), so developing an intercept application wasn’t too difficult. It may have even been PrivacyIDEA that wrote the article. It’s been too long and I don’t remember.

My point is, there’s definitely a way to do it, but if you’re anything but an experienced developer, you probably aren’t gonna be able to do it.

I also downloaded the Credential Provider Installer and tried to install manually, but I am unable to find the PrivacyIDEACredentialProvider.dll file anywhere. Also I can’t find the MSI package; it seems to be only available with the enterprise edition. If you have a link to download the MSI package or PrivacyIDEACredentialProvider.dll, please share.

I am not a developer so won’t even try to go for other option.

Thanks,
Rushi

It is available as open source. As Open Source. You are free to get it, to adapt it, to change it, to compile it.
It is not available as Binary.

Please understand, that Open Source is not about getting things to work at no cost. It is about your right to use and adapt it. Open Source has nothing to do with free in free beer.

What’s available online is the source code, you have to compile it like @cornelinux said. If you’ve got time to spend, download Visual Studio 2017 (I think that’s the correct version) and then get to work reverse engineering it through the error messages. There are package dependencies you’ll have to download, WiX I think is one of them. There’s also a couple of lines to change within one of the files. The person that developed it kept all the files in their user profile, so the code tries to save or look up files located in something like C:\users\derrick. It’s been close to a year since I tried to figure it out and came up short. I was surprised at how far I was able to get, but not surprised that I couldn’t get it to work in the end…I’m not a developer by any means. I tried to enlist a developer friend but he turned me down because he hated going through other people’s code (though he may have just not wanted to do it :smiley:)

If you pay for Enterprise, then you’ll be given the compiled MSI installer.

Got it. Thanks for your help. I will try to figure it out in weekend.