SMSPassword manual version 1.9.6.2, May 2018

Introduction
Short description
Long description
SMSPassword’s mission
Features

Requirements

Design considerations

Installation

SMSPassword config tool

1. Information

2. Configuration

2.1 General

2.2 Radius

2.3 Active Directory

2.4 SMS

2.5 One-time Password

Pronounceable passwords

OTP Override

Lockout threshold

Lockout duration in minutes

2.6 Time-based one-time password / token

Also accept previous time-based one-time password

5 seconds correction

3. Service control

4. Licensing

Licensing rules

Determine the number of user objects in your Active Directory

5. About

Upgrade guide

Removing SMSPassword

Troubleshooting / error messages / FAQ

Error creating radius server

event ID 1000

General Disclaimer and Copyright Notice

Disclaimer

Copyright Notice


Introduction

Short description

SMSPassword is a redundant two-factor authentication radius server.

Long description

With security becoming more and more important, SMSPassword allows secure two-factor authentication. The brilliant part about this system is that it adapts to your existing infrastructure. It uses your existing Active Directory and your employee’s mobile phone. First users log on with their normal credentials, then SMSPassword will send a one-time/temporary password to the person’s mobile phone. The user enters this password and is allowed access. There you go, two-factor authentication without the need for tokens, using existing resources in your company.

SMSPassword’s mission

To offer safe, redundant two-factor authentication with the least possible nuisance for end users and management, and, where possible, to utilize existing resources or standards.

Terms used:

CAL – Client Access License

OTP – One-time password

AD – Active Directory

Figure: SMSPassword redundant technical design (diagram)

Features

Enables two-factor authentication

Enables an extra layer of security, recommended when giving access to internal resources over the internet.

Designed for redundancy

SMSPassword is built for redundancy: it reports heart-beats to the load balancers. SMSPassword can be configured with as many nodes as you like.

Integrates seamlessly with your existing Active Directory

SMSPassword reads existing values from your Active Directory. There is no need to change the AD schema or do complicated user replication. Supports cross-domain/global catalog lookups for sAMAccountNames, UPN (Universal Principal Name), iUPN (implicit UPN) and eUPN (explicit UPN).

A better alternative to tokens, no need to distribute hardware

People always carry their mobile phone.

Can be configured as 100% on premise, you own the hardware

With the A100 ethernet SMS dispatcher, you have all the hardware on premise. This is extra secure: the one-time password is sent using your own GSM hardware.

Works on all major hypervisors (VMware, Hyper-V, XenServer)

Virtual installation is supported

Use your existing plan/sim card

If you use the A100 ethernet SMS dispatcher, you can use your existing plan with your existing SIM card.

Locks out users after failed login attempts

When users enter their one-time password wrong a configurable number of times, they are locked out for a configurable period. Both values are set in the configuration tool.

Redundant over several GSM providers

When configured over several nodes, there is the possibility to dispatch the SMS messages over several GSM networks.

Works with every phone that can receive SMS messages

Some people don’t like smart phones, and still have that old Nokia model. That’s no problem for SMSPassword, as long as the phone can receive SMS messages.

Operational management is done with existing tools

Changing the license pool or mobile numbers is done in Active Directory. So, all operational aspects of SMSPassword are managed in Active Directory.

Works even abroad

Even if your users go abroad, they still carry their mobile phones.

Flexible license pool

Licensing is determined by AD group membership, and thus totally flexible.

GSM signal monitoring

SMSPassword nodes detect if the GSM signal is becoming weak and flag that node as being down for as long as the signal stays weak.

Perpetual licenses, no returning costs

Apart from the SMS sending costs, there are no recurring fees. The licenses are valid for a lifetime.

Citrix certified/Citrix ready

SMSPassword is Citrix ready, it’s been tested to work with Citrix products.

Cost effective, the system uses existing phones

No need to buy and distribute hardware tokens.

Competitively priced licenses

SMSPassword offers a competitive license price, much lower than the competitors.

Can be installed on existing machines, alongside Storefront

SMSPassword is a lightweight Windows service that can be installed on an existing Windows server, for example the StoreFront server.

Step 1 – Enter your usual username and password

Step 2 – You receive an SMS on your mobile phone

Step 3 – Enter the password

Requirements

The SMSPassword service can only be installed once per Windows installation. Running the service twice on one machine is not supported. For Windows Server 2008 installations, it’s recommended to use .NET Framework 4.6 or newer.

SMSPassword is tested to work with Citrix NetScaler, VMware View, Juniper, Cisco, F5 and Palo Alto Networks.

SMSPassword works with any radius client that implements the challenge/response protocol correctly. Get a free trial version and see for yourself.

Design considerations

SMSPassword can be used in many ways, see the chart below.

Figure: SMSPassword message dispatching scenarios (diagram)

Installation

SMSPassword comes with two executables:

- SMSPasswordConfig.exe

- SMSPasswordService.exe

These two files need to be in the same folder at all times. And they cannot be on a network share; they need to be on a local hard drive.

The SMSPasswordConfig.exe file is used to configure everything. When running this program, a config file named smspassword.cfg is created. It’s very important that these three files are in the same folder.

SMSPasswordService.exe is the service executable. You cannot run this program from the shell. It needs to be installed as a service. This is easily done from the ‘Service Control’ tab of the SMSPasswordConfig utility.

It is best practice to provide your servers running the SMSPassword service with a fixed IP address.

SMSPassword config tool

The SMSPassword config tool must be started as ‘administrator’: right-click it and choose ‘run as administrator’, or change the shortcut so that it always runs as administrator.

The configuration tool has 5 main tabs:

  1. Information, here you find the quick guide
  2. Configuration, here you can change settings
  3. Service control, here you can install, start the service
  4. Licensing, here you can add license codes
  5. About, versioning information

1. Information

In this tab of the configuration tool you can find a link to the manuals. And it displays the General Disclaimer and Copyright notice.

2. Configuration

In this tab of the configuration tool you can edit the settings. The settings are divided into 6 categories:

  1. General
  2. Radius
  3. Active Directory
  4. SMS
  5. One-time Password
  6. Time-based token

If you save your configuration, the settings are written to the file smspassword.cfg in the same folder.

The smspassword.cfg can be copied, but can only be edited with the SMSPasswordConfig.exe tool. The config file also contains your licenses.

If you save your configuration, you need to restart the SMSPassword service before the new settings are applied!

2.1 General

Turn on verbose logging when you need to troubleshoot SMSPassword. This will generate extra information in the event viewer. Only enable this when troubleshooting SMSPassword. Disable this in normal operation mode because it will generate a lot of event log entries.

Log packet level

This is even more detailed logging, and is useful when troubleshooting load balancing.

2.2 Radius

Here you can configure your radius clients. For each radius client you need to enter the IP address and the Shared Secret. Make sure that you enable network traffic from and to your Radius client from the server running SMSPassword. Consult your network/firewall engineer for this.

The Radius client is, for example, your Citrix Netscaler. By default, Netscaler uses the NSIP to communicate with Radius. When you use a load balancing virtual server, Netscaler uses the SNIP as the Radius client IP.

You can configure the radius port; the default is 1812.

2.3 Active Directory

You have to fill in your domain name in the Active Directory group. You can easily find your domain name like so:

- Start a command prompt by typing: cmd.exe

- Enter the command: set userdns (this prints the USERDNSDOMAIN variable, which holds the DNS name of your domain)

It’s important to fill in the correct domain information for licensing purposes. If the domain name doesn’t match the name in the license, the CALs won’t work.

You can specify a domain controller for LDAP queries; use this only when the default does not work properly.

The referral chasing option is used in a multi-domain setup.

The group option has to contain your Active Directory group which holds your remote users. The number of users in this group is important for your license. If you have bought 50 CALs (client access licenses), SMSPassword will only process the first 50 people in this group. If you have more users in this group, you have to buy additional client access licenses.

The ‘Phone number attribute’ must contain the mobile number on which users will receive their OTP (One-time password). By default, a Windows Active Directory will have the numbers of mobile phones in the ‘mobile’ attribute.

More information: http://msdn.microsoft.com/en-us/library/ms674997(v=vs.85).aspx

This attribute can be set using the ‘Active Directory Users and Computers’ tool.

‘Leading string’ is an optional parameter. If for example all your numbers in AD are stored as 555 123 456 and your carrier only accepts 001 555 123 456, you fill in 001 in this box. This will be applied to every user.

Please note your GSM operator’s or SMS dispatcher’s allowed number notation. It’s recommended to use the E.123 international notation. This notation has a leading + with the country code, followed by the national number. Examples:

+47 2295 0313

+1 800 555 1234

You can choose to have another attribute hold the mobile phone number.

When users are added to the Active Directory group, it can take up to 15 minutes before SMSPassword recognizes them as licensed users.

2.4 SMS

In the group SMS, you can configure the SMS options.

Figure: The A100 SMS dispatcher (product photo)

SMS dispatcher mode

Here you can configure how SMS messages are sent. This can be the A100 SMS dispatcher device or an external dispatcher like MessageBird or BulkSMS.

Send flash SMS (class 0, only with BulkSMS)

Setting this option sends ‘flash SMS’ messages to the mobile phone. These messages are displayed only once and are not stored in the inbox. Please test this feature with care; some operators or phones don’t handle it well.

Sending frequency in milliseconds

This is the maximum sending frequency for outgoing SMS messages. The default is 6000, which means an SMS send is attempted every 6 seconds.

SMS text

This is the text users will receive. %p is replaced by the one-time password.

A100 SMS dispatcher IP

Enter the IP address of the A100 SMS dispatcher here. Make sure routing or firewalls are not blocking traffic from or to this IP address.

A100 SMS dispatcher Port

The default port is 44444; you can change this, but keep in mind to also change it in the configuration of the A100 SMS dispatcher. Make sure that firewalls won’t block this port.

SMS dispatcher URL

This setting is only used when an external dispatcher is used. Consult the external dispatcher for the correct URL.

SMS dispatcher Username

Your account name for the external SMS dispatcher.

SMS dispatcher password

For the A100, it’s the password configured in the A100 SMS dispatcher. For an external dispatcher, it’s the password of the account.

Test message phone number

Enter your phone number for test messages here. The notation can vary depending on your SMS dispatcher: some expect 00155533311 and some expect 155533311. Consult your GSM/SMS provider for more information.

2.5 One-time Password

In this section you can configure the One-time Password (OTP) options. Because the one-time password is only valid for a short time, it does not need to be a very complex password. It is an additional password to the existing one. Best practice is to use 6 character passwords. The lifespan of the one-time password must be long enough for your users to receive the message and enter it. So, 120 seconds would be enough for most environments. If you want your password to contain or exclude characters, you can enter your selection in the Valid characters field. The password will be randomly created from the available characters in this field.

If, for example, you wish to send passwords which only contain numbers, you should fill in ‘1234567890’ in the valid characters field.

Pronounceable passwords

When selecting ‘Pronounceable passwords’ make sure:

- the password length is 5 or higher

- the valid characters contain at least two vowels

- the valid characters contain at least two consonants

- the valid characters contain at least two numbers

If one of the four rules above is not met, a random password is generated. The pronounceable password is generated from the vowels, consonants and numbers available in the valid characters field.
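The two generation modes described above, as an added example in Python that is not SMSPassword’s own code: a plain random OTP drawn from the ‘Valid characters’ field with a CSPRNG, and a pronounceable variant that first checks the four rules and otherwise falls back to the random one. The consonant/vowel/digit layout used for the pronounceable form is my assumption (the manual does not document the exact pattern), and the entropy helper is added to make concrete why a 6-character OTP is acceptable only together with a short lifespan and a lockout threshold.

```python
import math
import secrets

VOWELS = set("aeiouAEIOU")


def classify(valid_chars):
    """Split the 'Valid characters' field into the three classes the rules refer to."""
    chars = sorted(set(valid_chars))
    vowels = [c for c in chars if c in VOWELS]
    consonants = [c for c in chars if c.isalpha() and c not in VOWELS]
    digits = [c for c in chars if c.isdigit()]
    return vowels, consonants, digits


def pronounceable_rules_met(length, valid_chars):
    """The four conditions listed under 'Pronounceable passwords'."""
    vowels, consonants, digits = classify(valid_chars)
    return (length >= 5 and len(vowels) >= 2
            and len(consonants) >= 2 and len(digits) >= 2)


def random_otp(length, valid_chars):
    """Every position drawn independently, with a CSPRNG, from the valid characters."""
    pool = sorted(set(valid_chars))
    if length < 1 or not pool:
        raise ValueError("need a length >= 1 and at least one valid character")
    return "".join(secrets.choice(pool) for _ in range(length))


def pronounceable_otp(length, valid_chars):
    """Assumed layout (not SMSPassword's documented algorithm): alternating
    consonant/vowel letters followed by two digits. Falls back to random_otp
    when any of the four rules is not met, as the manual describes."""
    if not pronounceable_rules_met(length, valid_chars):
        return random_otp(length, valid_chars)
    vowels, consonants, digits = classify(valid_chars)
    letters = [secrets.choice(consonants if i % 2 == 0 else vowels)
               for i in range(length - 2)]
    return "".join(letters) + "".join(secrets.choice(digits) for _ in range(2))


def generate_otp(length, valid_chars, pronounceable=False):
    """Entry point mirroring the two settings: length/valid characters and the checkbox."""
    return (pronounceable_otp if pronounceable else random_otp)(length, valid_chars)


def entropy_bits(length, valid_chars):
    """Guessing entropy of a uniformly random OTP: length * log2(alphabet size).
    A 6-digit OTP is about 19.9 bits, which is only acceptable because the OTP
    is short-lived and the number of attempts is capped by the lockout threshold."""
    return length * math.log2(len(set(valid_chars)))


if __name__ == "__main__":
    print(generate_otp(6, "1234567890"))
    print(generate_otp(6, "abcdefghijklmnopqrstuvwxyz0123456789", pronounceable=True))
    print(round(entropy_bits(6, "1234567890"), 1), "bits")
```

Note that the pronounceable form has far less entropy than the random one of the same length (each letter position is drawn from roughly half the alphabet), so treat it as a usability trade-off and keep the lockout threshold low when it is enabled.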

OTP Override

When selecting OTP override, you also need to specify the OTP override active directory property. This can be used for users who don’t have a mobile phone, or are out of reach. In this example we use the ‘othermobile’ property. This can be filled using AD users and computers.

The property field must contain: OTP:[followed by the password]. It must contain only one value, not more.

Warning!!! Using this feature introduces a security risk, which is at the customer’s own risk.

Lockout threshold

The lockout threshold is the maximum number of incorrect one-time password attempts a user can make before SMSPassword stops accepting logins for this user for the duration of ‘Lockout duration in minutes’. If one of your users enters a wrong one-time password 5 times, SMSPassword will disallow access to the system for 15 minutes.

Lockout duration in minutes

The ‘Lockout duration in minutes’ sets the number of minutes a user stays locked out after entering a bad one-time password ‘Lockout threshold’ times.
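How the lifespan, lockout threshold and lockout duration interact on the server side, as an added Python example that is not SMSPassword’s code. It assumes a minimal per-user state machine (issued OTP, issue time, failure counter, lockout expiry) and uses the manual’s example values of 120 seconds, 5 attempts and 15 minutes; the clock is injectable so the walkthrough is deterministic.

```python
import hmac
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class OtpPolicy:
    lifespan_seconds: int = 120   # the 120 seconds the manual suggests
    lockout_threshold: int = 5    # wrong attempts before lockout (manual's example)
    lockout_minutes: int = 15     # 'Lockout duration in minutes' (manual's example)


@dataclass
class UserState:
    otp: Optional[str] = None
    issued_at: float = 0.0
    failures: int = 0
    locked_until: float = 0.0


class OtpVerifier:
    """Server-side OTP bookkeeping for one policy; the clock is injectable for testing."""

    def __init__(self, policy: OtpPolicy, clock: Callable[[], float] = time.time):
        self.policy = policy
        self.clock = clock
        self.users: Dict[str, UserState] = {}

    def issue(self, user: str, otp: str) -> None:
        """Record the OTP that was sent by SMS, together with its issue time."""
        st = self.users.setdefault(user, UserState())
        st.otp, st.issued_at = otp, self.clock()

    def verify(self, user: str, attempt: str) -> str:
        """Returns 'locked', 'expired', 'wrong' or 'ok'."""
        st = self.users.setdefault(user, UserState())
        now = self.clock()
        if now < st.locked_until:
            return "locked"            # lockout is checked before the code itself
        if st.otp is None or now - st.issued_at > self.policy.lifespan_seconds:
            st.otp = None
            return "expired"
        if hmac.compare_digest(st.otp.encode(), attempt.encode()):
            st.otp, st.failures = None, 0  # single use; success clears the counter
            return "ok"
        st.failures += 1
        if st.failures >= self.policy.lockout_threshold:
            st.locked_until = now + self.policy.lockout_minutes * 60
            st.failures, st.otp = 0, None  # a fresh OTP is needed after the lockout
        return "wrong"


class FakeClock:
    """Constructed clock so the walkthrough below is deterministic."""

    def __init__(self, start: float):
        self.t = start

    def __call__(self) -> float:
        return self.t


def walkthrough():
    """Five wrong attempts, a correct code during the lockout, an expired code,
    a valid code, and a replay of that valid code."""
    clock = FakeClock(1_000.0)
    v = OtpVerifier(OtpPolicy(), clock=clock)
    results = []
    v.issue("alice", "483920")                    # constructed sample OTP
    results += [v.verify("alice", "000000") for _ in range(5)]
    results.append(v.verify("alice", "483920"))   # right code, but now locked
    clock.t += 15 * 60                            # lockout has elapsed
    v.issue("alice", "771204")
    clock.t += 121                                # one second past the lifespan
    results.append(v.verify("alice", "771204"))
    v.issue("alice", "115599")
    clock.t += 30
    results.append(v.verify("alice", "115599"))
    results.append(v.verify("alice", "115599"))   # replay: the OTP was consumed
    return results


if __name__ == "__main__":
    print(walkthrough())
```

Two design points worth copying into any such implementation: the lockout is evaluated before the code is compared, so a correct OTP during the lockout window still yields ‘locked’ rather than leaking that the code was right, and the comparison uses a constant-time function so that the response time does not depend on how many leading characters matched.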

2.6 Time-based one-time password / token

Also accept previous time-based one-time password

If you check this option, the SMSPassword service also accepts the previous (from 30 seconds ago) one-time password. This is more user friendly, because it will accept the last two one-time passwords, but it is less secure.

5 seconds correction

From reading the one-time password on your phone, to having it entered takes roughly 5 seconds. If you enable this option, the SMSPassword service will check the one-time password as if it were 5 seconds ago.
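The effect of both options above on a time-based token check, as an added Python example that is not SMSPassword’s code. It assumes the token follows RFC 6238 TOTP (HMAC-SHA1, 30-second steps, 6 digits), which matches the ‘30 seconds ago’ wording: ‘Also accept previous’ adds the preceding step to the accepted set, and ‘5 seconds correction’ evaluates the code as if the clock were 5 seconds earlier. The shared secret used in the checks is the RFC 4226/6238 test vector.

```python
import hashlib
import hmac
import struct
import time

STEP = 30  # seconds per time step, the 30 seconds the manual refers to


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(time / STEP)."""
    return hotp(secret, int(unix_time) // STEP, digits)


def verify_totp(secret: bytes, code: str, unix_time: float,
                accept_previous: bool = False,
                five_second_correction: bool = False,
                digits: int = 6) -> bool:
    """Accepts `code` if it matches any counter in the configured window.

    five_second_correction: evaluate as if it were 5 seconds ago (shifts the
    reference time back, which matters only near a step boundary).
    accept_previous: additionally accept the step before the reference step.
    """
    reference = int(unix_time) - (5 if five_second_correction else 0)
    counters = {reference // STEP}
    if accept_previous:
        counters.add(reference // STEP - 1)
    return any(hmac.compare_digest(hotp(secret, c, digits).encode(), code.encode())
               for c in counters)


def accepted_window_seconds(accept_previous: bool, five_second_correction: bool) -> int:
    """How far in the past a code may have been generated and still be accepted
    (worst case, just after a step boundary): the options widen this window."""
    return STEP * (2 if accept_previous else 1) + (5 if five_second_correction else 0)


if __name__ == "__main__":
    secret = b"12345678901234567890"      # RFC 4226 / RFC 6238 test secret
    print(totp(secret, 59))                # RFC 6238 vector for T=59: 287082
    now = time.time()
    print(verify_totp(secret, totp(secret, now), now))
```

The window helper makes the trade-off in the manual’s ‘less secure’ remark explicit: without either option a code is valid for at most 30 seconds, with both it can be up to 65 seconds old, which is also how long a code read over someone’s shoulder remains usable.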

3. Service control

In the service control of the configuration tool you can Install, Uninstall, Start and Stop the SMSPassword service.

It also gives you an overview of recent event log entries concerning SMSPassword. You can find the logging of the SMSPassword service in the event viewer under

Event Viewer, Applications and Services log, SMSPassword.

If the service is unable to stop or is stuck, you can terminate its process using the task manager.

4. Licensing

On the licensing tab of the configuration tool you can paste your license keys. You can add up to 9 licenses. CALs will only be added when the domain and group of licenses 2 to 9 match the domain and group of license 1. So, the first license determines the domain/group name, and additional licenses must match the domain/group name of the first license.

You can configure what domain/group to use in the Configuration tab.

If you add a license, you have to restart the service. When you start the service with new licenses, you can find the combined total of licenses in the event viewer.

Licensing rules

  1. You cannot combine licenses for different domains.
  2. You cannot combine licenses for different groups.
  3. Licenses are private and may not be sold or given to other people.
  4. You cannot use the same license twice.
  5. Licenses cannot be revoked. Once a license is bought, it cannot be traded back for money or another license.
  6. It is the customer’s/reseller’s responsibility to supply the correct domain/group name.
  7. It is the customer’s/reseller’s responsibility to supply the correct user count.
  8. Renaming incorrectly bought licenses depends on the courtesy of SMSPassword, and will only be done when special conditions apply, or when it is clearly a mistake.

Determine the number of user objects in your Active Directory

To determine the number of user objects in your Active Directory, open a PowerShell window (the Active Directory PowerShell module must be available) and run the following command:

(Get-ADUser -Filter '*').Count

This could take a while.

5. About

The About tab contains version information.

Upgrade guide

When upgrading an old version to a new version please take these steps:

Removing SMSPassword

- Make a backup of your smspassword.cfg file from where you have installed SMSPassword. The default is %ProgramFiles%\SMSPassword\smspassword.cfg.

- Start the old version of the configuration tool

- Stop the SMSPassword service if it is running

- Uninstall the SMSPassword service if it is installed

- Close the SMSPassword configuration tool

- Go to add/remove programs and uninstall SMSPassword

- It is possible that the config file stays in the installation folder

Installing the new version

- Start the setup

- Accept the setup with the default values if agreed

- Run the Config tool and change the settings you want; see the other parts of this manual for details

Troubleshooting / error messages / FAQ

Error creating radius server

Message:

Error creating radius server: Only one usage of each socket address (protocol/network address/port) is normally permitted

Cause:

Something else is already listening on your configured radius port

Solution:

Find out what’s occupying your radius port number, or configure a different radius port:

Open a command prompt and run: netstat -aon

In the task manager, find the process with the matching PID.

event ID 1000

Message:

In Windows Server 2008, when starting the SMSPasswordConfig tool, the event log gets flooded with event ID 1000, Level: Error, Source: SMSPasswordConfig. Node: [ComputerName] Object reference not set to an instance of an object.

Cause:

The old .net framework does not handle subscriptions to the event log well.

Solution:
Install .NET framework version 4.6.1 or better.

General Disclaimer and Copyright Notice

Disclaimer

Whilst every care has been taken by SMSPassword Software to ensure that the information contained in this document is correct and complete, it is possible that this is not the case. SMSPassword Software provides the information “as is”, without any warranty for its soundness, suitability for a different purpose or otherwise. To the maximum extent permitted by applicable law, SMSPassword Software is not liable for any damage which has occurred or may occur as a result of or in any respect related to the use of this information. SMSPassword Software may change or terminate this document at any time without further notice and shall not be responsible for any consequence(s) arising therefrom. Subject to this disclaimer, SMSPassword is not responsible for any contributions by third parties to this information.

Copyright Notice

Copyright © on software and all Materials 1998-2017 SMSPassword Software. SMSPassword and the SMSPassword Logo are either registered trademarks or service marks of SMSPassword in Europe, the United States and other countries. All other product and company names mentioned may be trademarks and/or service marks of their respective owners.