
uihvk (uihvk) asked a question.
Hello Okta,
Our company now has Okta licensing and we are in the process of testing Okta on a test domain. While Okta has many capabilities and very strong options for apps/provisioning, first we are anxious to get MFA to trigger right when a user logs into their Windows (10) computers. After checking the tutorial videos and online documentation, I want to verify we are on the correct track to do so in as direct a manner as possible.
Our current path:
1) AD Integration (complete)
2) AD accounts from test domain imported and activated (complete)
3) SSO and MFA policies set in Okta Admin page (complete)
-At this point the test accounts can now log into the Okta website with MFA (Okta Verify)
4) My assumption is that our next step is to get either the IWA agent (for local computers) and/or agentless SSO (for those with an internet connection) working. It is my understanding that once we set up AD desktop SSO, Windows login users (or those included in the SSO and MFA rule) will now be prompted for MFA when they try to log into Windows. (And users not included within the SSO or MFA rules will NOT be prompted for MFA.) We are currently working through:
https://help.okta.com/en/prod/Content/Topics/Directory/ad-desktop-sso-main.htm
(Which I believe includes setting either IWA or agentless SSO in a routing rule)
Or is setting up https://help.okta.com/en/prod/Content/Topics/Mobile/Okta_Mobile_Device_Trust_Windows-desktop.htm or downloading the browser plugin also required?
Just wanting to verify we are on the right track to ensure our users logging into Windows 10 computers are prompted for MFA. Thank you in advance.

Hello Will,
I've escalated your question to our Customer Support team. They will respond to you shortly here.
Thanks!
Tim
Okta, Inc.
I can answer one part: desktop SSO merely allows your users to open a browser and sign into their Okta org without being prompted for credentials, because it redirects their browser to the IWA server, which uses Windows Integrated Authentication to sign them in using the same username that they've used to sign into their computer.
IWA is not involved in the Windows login process. You'll need some sort of third-party product that integrates with the Windows GINA to integrate with the Windows login process.
Hi Will,
Thank you for reaching out to Okta Support, my name is Daniel and I'll be assisting you with this case. So far the implementation is going well. The thing here (regarding point 4) is IWA and Device Trust. This method basically uses certificates to authenticate to Okta, as you can see in the workflow https://help.okta.com/en/prod/Content/Topics/Mobile/Okta_Mobile_Device_Trust_Windows-desktop.htm
Regarding this part of the statement: "It is my understanding once we set up AD desktop SSO that means that windows login users (or those included in the SSO and MFA rule) will now be prompted for MFA when they try to log into windows."
R/ The MFA will be prompted when logging into Okta, not into Windows. For MFA to be prompted when a user logs in to Windows, there's a non-supported way to accomplish that. Refer to the document below.
MFA for Windows Credential Provider
https://help.okta.com/en/prod/Content/Topics/Security/proc-mfa-win-creds-rdp.htm
If your goal is having MFA prompted when a user logs in to Windows, that should work, but as mentioned it's not supported yet by Okta, I mean in case you encounter MFA issues right after it is configured. I would suggest a partner solution like Hypr or Tecnics for their desktop MFA offering.
Mike thank you for your response!
Daniel, thank you for your response too, I appreciate you doing so. I'm going to go over it in a bit more detail to make sure I got our next steps right, and I do have a few questions.
1) So it sounds like I start by getting the IWA agent working. It looks like this process will not work with the agentless SSO option.
2) Then we use certificates to authenticate through Okta through all the steps of https://help.okta.com/en/prod/Content/Topics/Mobile/Okta_Mobile_Device_Trust_Windows-desktop.htm
including the 11 prerequisites and then four steps (only three are listed, is there another one?)
Prerequisite "Shared-terminal scenarios not supported" - So this looks like only a single user can connect to each computer, so if we have servers that have multiple users that need to access a specific Windows 10 or Windows Server computer, that wouldn't work. (i.e. if we had a Windows server we couldn't take turns logging into it with different accounts)
3) Then at that point we would set up MFA for Windows Credential Provider and run through the steps of https://help.okta.com/en/prod/Content/Topics/Security/proc-mfa-win-creds-rdp.htm . I have a few concerns:
a) It seems like it is only for Microsoft Server OS and not Windows 10
b) And it looks like this may only relate to the Microsoft Remote Desktop App that can be downloaded
c) Does this also automatically work for the Remote Desktop Connection program that is included with the computer? (Usually found at %windir%\system32\mstsc.exe)
4) At this point, once it's set up, any computers that will use device MFA will need to be on the network (or have a VPN connection that predates login) so they can attach to the IWA agent, at which point MFA will trigger upon login. (But it will only work for situations where a single user logs into said computer.)
Thank you Daniel, I appreciate your input on this.
PS: Regarding the connection to the IWA agent using VPN, do you know if Check Point Endpoint Security VPN using 'Enable Secure Domain Logon - Windows login to Active Directory will be Encrypted' would qualify for Okta's needs regarding a pre-emptive network connection?
Hi Will,
Regarding your question:
R/ For IWA to work, the browser needs to get hold of a Kerberos ticket and be able to reach the IWA URL.
If your VPN solution is capable of both, then it should work.
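The two conditions Daniel names above (a Kerberos ticket in the logon session, and the IWA URL reachable) are exactly what fails when a VPN only comes up after the Windows logon. The following PowerShell pre-flight check, written as an added example for this thread and not code from Okta or from anyone in the thread, tests both from a domain-joined Windows 10 client. The IWA URL `https://iwa.example.com/IWA/` is a placeholder; substitute the redirect URL your own Desktop SSO agent registers in the Okta Admin console.

```powershell
# Added example, not from the thread or from Okta. Pre-flight check that a
# domain-joined Windows 10 client meets the two IWA Desktop SSO conditions:
# the logon session holds a Kerberos TGT, and the IWA agent URL is reachable
# and accepts Windows Integrated Authentication (Negotiate).
function Test-OktaIwaReadiness {
    param(
        # Hypothetical placeholder: replace with the IWA redirect URL shown for
        # your Desktop SSO agent in the Okta Admin console.
        [string]$IwaUrl = "https://iwa.example.com/IWA/"
    )

    $result = [ordered]@{
        User            = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        DomainLogon     = $false
        KerberosTgt     = $false
        IwaHostResolves = $false
        IwaPortOpen     = $false
        IwaHttpStatus   = $null
        IwaNegotiateOk  = $false
    }

    # 1. A local account (COMPUTERNAME\user) never receives a Kerberos TGT, so
    #    IWA has no identity to map to an Okta user; a domain logon is required.
    $result.DomainLogon = ($result.User -notlike "$env:COMPUTERNAME\*")

    # 2. klist lists the cached Kerberos tickets of this logon session. The
    #    krbtgt/REALM entry is the TGT the browser needs in order to request a
    #    service ticket for the IWA server's HTTP SPN. No TGT (for example,
    #    cached-credential logon with the DC unreachable) means no IWA.
    $klist = (& klist 2>&1) | Out-String
    $result.KerberosTgt = ($klist -match 'krbtgt/')

    # 3. Network path: the IWA host must resolve and be reachable on its port.
    #    With a post-logon VPN this is the part that fails at logon time.
    $uri = [System.Uri]$IwaUrl
    try {
        [System.Net.Dns]::GetHostAddresses($uri.Host) | Out-Null
        $result.IwaHostResolves = $true
    } catch { }
    if ($result.IwaHostResolves) {
        $tcp = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
        $result.IwaPortOpen = [bool]$tcp.TcpTestSucceeded
    }

    # 4. Does the endpoint accept our Windows credentials? -UseDefaultCredentials
    #    answers the server's "WWW-Authenticate: Negotiate" challenge with the
    #    Kerberos service ticket. A final 401 means the handshake was refused;
    #    any other status (Okta's agent answers with a redirect to the org)
    #    means the ticket was accepted. Redirects are not followed so the
    #    status of the IWA endpoint itself is what gets recorded.
    if ($result.IwaPortOpen) {
        try {
            $resp = Invoke-WebRequest -Uri $IwaUrl -UseDefaultCredentials -UseBasicParsing `
                                      -MaximumRedirection 0 -ErrorAction Stop
            $result.IwaHttpStatus = [int]$resp.StatusCode
        } catch {
            # Both Windows PowerShell (WebException) and PowerShell 7
            # (HttpResponseException) expose the response on the exception.
            if ($_.Exception.Response) {
                $result.IwaHttpStatus = [int]$_.Exception.Response.StatusCode
            }
        }
        $result.IwaNegotiateOk = ($null -ne $result.IwaHttpStatus -and $result.IwaHttpStatus -ne 401)
    }

    [pscustomobject]$result
}

# Usage: run as the test user on the domain-joined client, once the VPN is up.
Test-OktaIwaReadiness -IwaUrl "https://iwa.example.com/IWA/" | Format-List
```

Run it twice: once on the corporate LAN as a baseline, and once from the remote scenario in question (for instance a Check Point session using the pre-logon option) to see which of the four checks the VPN actually satisfies. The check exercises the Windows HTTP stack rather than a browser, so a passing result shows the ticket and the path exist but not that the browser will release the ticket: browsers on Windows only send Kerberos automatically to sites they trust for logon (for Internet Explorer, Edge and Chrome, the Local Intranet zone), which is a separate prerequisite from the ones tested here.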