Configure Multi-factor Authentication


 

 

Overview and External User Experience

 

ExCM 2016 and 2013 R2 offer multi-factor authentication that is directly integrated into the custom sign-in page that ships with the software.  The feature is licensed as an add-on to ExCM 2016/2013 R2 and therefore requires one or more additional license keys.

 

Here is an example of a lightly branded version of the ExCM 2013 R2 SignIn.aspx page with the multi-factor authentication feature enabled:

 

Extranet Collaboration Manager with Multi-Factor Authentication requirement

 

When multi-factor authentication is enabled and the license(s) activated, the user experience will consist of these steps on the sign-in page:

Extranet Collaboration Manager with Multi-Factor Authentication user steps

 

  1. The external user will type in their email address in the "User Name" text box,
  2. The external user will accept the default method of delivery ("Text Message" in the screenshot above) or choose a different delivery method,
  3. The external user will click on the "Request Code" button, and a lightbox-style overlay will appear on the page indicating that the code is being sent to the user via the requested delivery method,
  4. Once the code has been sent, the Sign-in page will regain the focus and the user will enter the received authorization code into the "Enter authorization code" text box,
  5. Upon entry of the authorization code, the password box will be opened for entry and the user will enter their password,
  6. Finally, the user will click on the Sign In button to log in to the site, and both the authorization code and the password will be validated by the system before the user is logged in.

 

Setup and Configuration of Multi-Factor Authentication

Important Note:  Multi-factor Authentication is provided as an add-on to ExCM 2016 and 2013 R2 and requires an additional license(s).  Please contact our Sales department for pricing and a trial/permanent license key(s) if you need them.
Warning: If you are a customer that has an existing ExCM-based extranet deployed, we encourage you to read this section AND the following section, "Additional tasks required for customers who have upgraded from ExCM 2013 R1", before you begin setting up Multi-factor Authentication.  You will likely have some pre- and post-setup work to do in addition to this section.

 

 

  1. Once you have a trial or permanent license key for the multi-factor authentication add-on installed and activated on each web front-end (WFE) server in your farm and on your Central Administration server if it is not a WFE, navigate to the General Application Settings page in Central Administration and select Multi-factor Authentication from the Extranet Collaboration Manager menu items:

    Extranet Collaboration Manager Multi-Factor Authentication settings
  2. Select the extranet web application that you would like to configure MFA on:
     
    Important Note:  The Multi-factor Authentication settings shown below are automatically deployed to your IIS web application's web.config file for the "Default" SharePoint Zone only.  If you have extended your web application to use multiple zones, after you complete the steps below, you must manually copy the modified web.config file from your Default zone to your extended zone(s) on each server in your SharePoint farm.  Please contact our support department if you have questions about this process.

    Extranet Collaboration Manager select web application
     
  3. Check the "Enable multi-factor authentication" check box:

    Extranet Collaboration Manager Enable multi-factor authentication
     
  4. Enter the desired Authorization Code expiration time, in minutes.  If you leave the value set to zero, the authorization code will never time out.  Therefore, we recommend setting the timeout to 10 minutes, which should allow enough time for the external user to receive the authorization code via email or text message.  You can set the value to less or more than 10 minutes depending on the characteristics of your environment and user preferences:

    Extranet Collaboration Manager multi-factor authentication code expiration timeout
  5. Select the desired delivery method(s) for the authorization code.  If you choose to allow both email and text message, you should specify which one will be checked by default on the Sign-in page:

    Extranet Collaboration Manager multi-factor authentication code delivery options
  6. If you selected only email for sending authorization codes, you should skip the next two steps (related to configuring the text message delivery method) and proceed to Step 9.
  7. For sending authorization codes via text message, it is necessary to send a Country dialing code along with the mobile phone number.  In general, your external users will select the correct Country code when they register for an account for your extranet.  However, there are scenarios where a Country code may not have been properly associated with an external user's account.  Therefore, we recommend that you set a Default Country in Central Administration.  The Default Country should be the country where the majority of your extranet users are located:

    Extranet Collaboration Manager multi-factor authentication set default country for text messages
  8. When you license the MFA add-on from PremierPoint Solutions, you will receive an email from Sales with values that are specific to your text message account and should be entered in these fields:

    Extranet Collaboration Manager multi-factor authentication text message account information
  9. Click Save at the bottom of the page.
  10. Your MFA configuration settings will be saved to the Extranet Global Configuration Timer Job processing queue and within 5 - 10 minutes will be pushed out to each server in your farm.  Once that happens, multi-factor authentication will automatically be enabled on your extranet Sign-In page.
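
The note in step 2 means an extended zone keeps its old web.config, without the MFA settings, until the file is copied by hand on every server. As an added example (not part of the original article or of the vendor's tooling), this PowerShell script compares each extended zone's web.config with the Default zone's copy on every server and reports any that were missed; the server names and virtual-directory paths are placeholders you must replace, and it assumes you can reach the servers' administrative shares.

```powershell
# Added example: confirm that each extended zone's web.config is identical to the
# Default zone's web.config on every server, as the zone note in step 2 requires.
# All names and paths below are placeholders (assumptions), not values from ExCM.
$Servers       = @('WFE01', 'WFE02')                                   # hypothetical server names
$DefaultZone   = 'C$\inetpub\wwwroot\wss\VirtualDirectories\443'       # hypothetical Default zone folder
$ExtendedZones = @('C$\inetpub\wwwroot\wss\VirtualDirectories\8443')   # hypothetical extended zone folder(s)

function Get-ConfigHash {
    param([string]$Server, [string]$ZonePath)
    # Read the file over the administrative share; return $null if it is absent.
    $file = "\\$Server\$ZonePath\web.config"
    if (-not (Test-Path -LiteralPath $file)) { return $null }
    (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
}

$results = foreach ($server in $Servers) {
    $reference = Get-ConfigHash -Server $server -ZonePath $DefaultZone
    foreach ($zone in $ExtendedZones) {
        $hash = Get-ConfigHash -Server $server -ZonePath $zone
        if (-not $reference)          { $status = 'DefaultZoneMissing' }
        elseif (-not $hash)           { $status = 'ExtendedZoneMissing' }
        elseif ($hash -eq $reference) { $status = 'InSync' }
        else                          { $status = 'OutOfSync' }

        [pscustomobject]@{
            Server = $server
            Zone   = $zone
            Status = $status
        }
    }
}

$results | Format-Table -AutoSize

# Any row that is not InSync is a zone/server pair where the manual copy is still pending.
$pending = @($results | Where-Object { $_.Status -ne 'InSync' })
if ($pending.Count -gt 0) {
    Write-Warning "$($pending.Count) zone copy/copies do not match the Default zone web.config."
}
```

Run it after the timer job in step 10 has finished and again after any later change to the MFA settings, since each save rewrites only the Default zone's file.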

 

Additional tasks required for customers who have upgraded from ExCM 2013 R1

Some special prerequisite steps may be required if you are an existing ExCM 2013 R1 customer and/or you have been using ExCM for a while but are just beginning to use the MFA add-on.

 

For customers that are currently using a branded/customized ExCM 2013 R1 Sign-In page:

If you originally followed our instructions about how to brand/customize your Sign-In page AND you did that to an ExCM 2013 R1 version of the page (Build 3905.1 or earlier), you will need to repeat your customizations starting with a copy of the new out-of-the-box ExCM 2016 or 2013 R2 Sign-In page, just like you did with the original out-of-the-box R1 Sign-In page.  Your current, customized R1 version of the SignIn.aspx page will not work with the new multi-factor authentication add-on - a 2016 or 2013 R2-based SignIn.aspx page is required.

 

 

For customers that are upgrading from ExCM 2013 R1 (build 3905.1 or earlier) and have existing extranet user accounts stored in the SQL extranet directory database:

In ExCM 2016 and 2013 R2 we have added a new external user profile field in the SQL extranet directory database to store the external user's Country dialing code.  This field is necessary to successfully send MFA authorization codes via text message.  

 

When you first set up MFA, any existing external user profiles will have a blank Country dialing code value.  If you plan to send authorization codes to these existing external users via text message, the message will not successfully send until a valid Country name is entered for each external user account that will be using the feature in this way.

 

We provide two options for filling in the Country dialing code for existing external users:

  1. Manually enter the correct Country value into the external user's profile field, or
  2. Set all external user profile records in the extranet directory to a default Country of your choosing.

 

Manually entering missing Country values:

  1. From the root site collection in your extranet web application, go to Site Settings > Extranet Management > Extranet Users (note:  you must be an Extranet Account Manager to do this), and select an external user account and click on Edit User in the ribbon:

    Extranet Collaboration Manager Edit User
  2. On the Edit Extranet User page, enter the name of the country that corresponds to the external user's phone number:

    Extranet Collaboration Manager Edit External User to add Country for text messages
    Warning: The Phone Number field must also contain a phone number that is capable of receiving text messages.

 

 

Run a job to automatically set missing Country values:

  1. On the root site collection for your extranet web application, go to Site Settings > Site Collection Features and de-activate and re-activate the Extranet feature so that you will be sure to have the latest ExCM code running in the root site collection:

    SharePoint Site Collection Features de-activate Extranet feature

    then:

    SharePoint Site Collection Features re-activate Extranet feature
  2. Navigate to Site Settings > Extranet Management > Registration Settings and click on the "Set default field value" link at the bottom of the Registration Fields section:

    Extranet Collaboration Manager set default field value
  3. Select the Country field from the drop-down list box, and then type in the Country name that you would like to be set on existing external user accounts that currently have a blank Country value.  (Note: if you also select "Overwrite existing values", any existing Country values, not just blank ones, will be replaced.):

    Extranet Collaboration Manager set default field value for country for text messages
  4. Click the Save button.  This will cause an operation to be performed on every external user account record in your extranet directory database.  Depending on how many external user account records you have, this could take a few minutes to complete and return control to the screen.
  5. As shown in the previous section, examine the profiles of a few external user accounts to verify that the default Country value has been saved to their profile.

 

©2019 PremierPoint Solutions. All Rights Reserved. 

 
