Remote Authentication for Multifactor Authentication
By default, CipherTrust Transparent Encryption works with a local Multifactor Authentication login. In CipherTrust Transparent Encryption v7.6 and later, you can configure remote authentication for Multifactor Authentication, which lets a user log into Multifactor Authentication from a machine other than the CTE client. This enables authentication from remote endpoints that access CIFS shares exported by a CTE agent.
Your Windows remote access system logon account name and your Multifactor Authentication account name MUST be the same.
The MFA username, including the domain name, in the format domain\username or username@hostname, must exist on the MFA provider.
Remote Authentication configuration requires an unencrypted private key (one with no passphrase) and its certificate. The CipherTrust Transparent Encryption OIDC service uses the key and certificate for TLS communication. CTE stores the keys and certificates encrypted internally.
Create a firewall rule on a CTE agent to allow all incoming TCP traffic on the Multifactor Authentication login port.
Generate a private key and certificate. You must know the name and location of these files.
In the Keycloak setup, set the redirect-url parameter for OIDC configuration using the following format:
https://<cte-hostname>:<mfa login port>/auth/callback
- The Administrator can choose to use a wildcard ('*') if the same configuration is reused across many CTE agents.
You must have administrator access so that you can restart the secfsd service:
To stop secfsd service, type:
net stop secfsd
To start secfsd service, type:
net start secfsd
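The prerequisite steps above (matching account name, unencrypted key and certificate, firewall rule, redirect URL, service restart) as a PowerShell pre-flight script for the CTE agent host. This is an added example, not part of the CTE documentation or product; the MFA login port, hostname, file paths and firewall rule name are assumed placeholders.

```powershell
# Added example, not Thales CTE documentation or product code. Assumed values:
# MFA login port 8443, CTE hostname cte01.example.com, and the key/certificate
# paths; replace them with the values for your deployment. Run as Administrator.
$MfaLoginPort = 8443
$CteHostName  = 'cte01.example.com'
$KeyPath      = 'C:\cte\mfa\server.key'   # PEM private key, must be unencrypted
$CertPath     = 'C:\cte\mfa\server.crt'   # PEM certificate

# The Windows logon account name must match the MFA account name; record the
# value to provision on the MFA provider (domain\username form).
$mfaUser = "$env:USERDOMAIN\$env:USERNAME"
Write-Host "MFA account to provision on the provider: $mfaUser"

# The private key must not be encrypted: reject PKCS#8 "ENCRYPTED PRIVATE KEY"
# blocks and legacy PEM keys that carry a "Proc-Type: 4,ENCRYPTED" header.
$key = Get-Content -Path $KeyPath -Raw
if ($key -match 'BEGIN ENCRYPTED PRIVATE KEY' -or $key -match 'Proc-Type:\s*4,\s*ENCRYPTED') {
    throw "Private key $KeyPath is passphrase-protected; CTE needs an unencrypted key."
}
if ($key -notmatch '-----BEGIN (RSA |EC )?PRIVATE KEY-----') {
    throw "No PEM private key block found in $KeyPath."
}
$cert = Get-Content -Path $CertPath -Raw
if ($cert -notmatch '-----BEGIN CERTIFICATE-----') {
    throw "No PEM certificate block found in $CertPath."
}

# Allow incoming TCP traffic on the MFA login port through Windows Firewall
# (rule name is an assumed placeholder; skip creation if it already exists).
if (-not (Get-NetFirewallRule -DisplayName 'CTE MFA login' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'CTE MFA login' -Direction Inbound -Protocol TCP `
        -LocalPort $MfaLoginPort -Action Allow | Out-Null
}

# Redirect URL to set on the Keycloak OIDC client, in the documented format,
# plus the login URL that remote users will open in their browser.
$redirectUrl = "https://${CteHostName}:${MfaLoginPort}/auth/callback"
Write-Host "Keycloak redirect URL: $redirectUrl"
Write-Host "Remote login URL:      https://${CteHostName}:${MfaLoginPort}/login"

# Apply the change by restarting the CTE secfsd service and confirm it is running.
Restart-Service -Name secfsd
Get-Service -Name secfsd | Select-Object Name, Status
```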
Starting Remote Authentication for Multifactor Authentication
To configure remote authentication:
In a command line, type:
Restart the secfsd service.
Disabling Remote Authentication for Multifactor Authentication
To disable remote authentication:
In a command line, type:
Restart the secfsd service.
Validating Certificate and Private Key File Information
To validate the two certificates:
In a command line, type:
Using Remote Authentication for Multifactor Authentication
To login and use Multifactor Authentication from a remote endpoint:
- The user must open a browser and enter a valid URL in the following format:
https://<cte-hostname>:<mfa login port>/login
When launched from the Etray application on a CTE agent, the browser opens with the required URL already filled in the address field.