Remote Authentication for Multifactor Authentication
By default, CipherTrust Transparent Encryption works with a local Multifactor Authentication login. In CipherTrust Transparent Encryption v7.6 and subsequent versions, you can configure remote authentication for Multifactor Authentication. This lets a user complete the Multifactor Authentication login from a machine other than the CTE client, so that authentication can be enforced for remote endpoints accessing CIFS shares exported by a CTE agent.
Note
- Your Windows remote access system logon account name and your Multifactor Authentication account name MUST be the same.
- The MFA username, including the domain name, in the format domain\username or username@hostname, must exist on the MFA provider.
Remote Authentication configuration requires a non-encrypted private key and certificate. The CipherTrust Transparent Encryption OIDC service uses the key and certificate for TLS communication. Internally, CTE stores the key and certificate in encrypted form.
Prerequisites
- Create a firewall rule on the CTE agent to allow all incoming TCP traffic on the Multifactor Authentication login port.
- Generate a private key and certificate. You must know the name and location of these files.
- In the Keycloak setup, set the redirect-url parameter for the OIDC configuration using the following format: https://<cte-hostname>:<mfa login port>/auth/callback
  Note - The Administrator can choose to use a wildcard ( '*' ) if the same configuration is reused across many CTE agents.
- You must have administrator access so that you can restart the secfsd service:
  - To stop the secfsd service, type: net stop secfsd
  - To start the secfsd service, type: net start secfsd
Starting Remote Authentication for Multifactor Authentication
To configure remote authentication:
- In a command line, type:
  voradmin mfa remote-config set [<privateKeyFile> <certificateFile>]
  Example:
  voradmin mfa remote-config set private-key.pem cert.pem
  Response:
  voradmin mfa remote-config set
  Restart secfsd service to affect changes.
- Restart the secfsd service.
Disabling Remote Authentication for Multifactor Authentication
To disable remote authentication:
- In a command line, type:
  voradmin mfa remote-config unset
  Response:
  Restart secfsd service to affect changes.
- Restart the secfsd service.
Validating Certificate and Private Key File Information
To validate the private key and certificate files:
- In a command line, type:
  voradmin mfa remote-config get [<privateKeyFile> <certificateFile>]
  Example:
  voradmin mfa remote-config get private-key.pem cert.pem
  Response:
  sha256 of key file: dcb8eXXXXa92ac5dff34aXXXXab3811245aXXXXc204733bbead43f4846274674
  sha256 of certificate file: 3e2eec5bXXd357d14f5c0047d36aXXXXXXXfc87f2a74ca3b5c2c2627XXXe6db4
  certificate:
  -----BEGIN CERTIFICATE-----
  MIIFuTCCA6GgAwIBAgIUR+Gh3z7J8TzQr6buZGDcK9h/8MQwDQYJKoZIhvcNAQEL
  BQAwbDELMAkGA1UEBhMCSU4xCzAJBgNVBAgMAlVQMQswCQYDVQQHDAJOTzEMMAoG
  A1UECgwDQ1BMMQwwCgYDVQQLDANESVMxCzAJBgNVBAMMAlRIMRowGAYJKoZIhvcN
  . . .
  /31kjs/Kms582KTKFKFqzuZHJ4L6odL6JBOmbvv4UZGB2t99ah0R9BAutivru/0M
  ZFvotV9Xsxs49PtOgj1vkWFdlWUR7VtcdfOtiIoSvuXhMjCvTq8KtPIXiJJjFFkN
  3xD4ZmG7M14u1hzmaXqHfZ02YZOISFltq2PUWqQ=
  -----END CERTIFICATE-----
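The following pre-flight checker is an added example, not Thales code or part of voradmin: before running remote-config set, it verifies that the private key file is non-encrypted (the prerequisite stated above), that the certificate file holds one well-formed PEM certificate, that the Keycloak redirect URL has the required https://<cte-hostname>:<mfa login port>/auth/callback shape, and it computes the file SHA-256 digests that can be compared against the "sha256 of key file" and "sha256 of certificate file" lines printed by remote-config get. The PEM samples are constructed minimal stand-ins (hypothetical, for illustration), and the wildcard redirect host is not covered.

```python
# Added pre-flight checker (not Thales code): validates the inputs that
# 'voradmin mfa remote-config set' expects, using only the standard library.
import base64, hashlib, re
from urllib.parse import urlsplit

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

# Constructed minimal samples: the body "MAA=" decodes to a DER SEQUENCE tag.
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nMAA=\n-----END PRIVATE KEY-----\n"
SAMPLE_ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-256-CBC,00\n\nMAA=\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMAA=\n-----END CERTIFICATE-----\n"

def pem_blocks(text):
    """Yield (label, header_lines, der_bytes) for each PEM block in text."""
    for m in PEM_RE.finditer(text):
        lines = [l.strip() for l in m.group(2).splitlines() if l.strip()]
        headers = [l for l in lines if ":" in l]   # legacy Proc-Type / DEK-Info
        b64 = "".join(l for l in lines if ":" not in l)
        yield m.group(1), headers, base64.b64decode(b64, validate=True)

def check_private_key(pem_text):
    """CTE needs a non-encrypted key: reject PKCS#8 ENCRYPTED blocks and legacy keys with a 'Proc-Type: 4,ENCRYPTED' header."""
    blocks = list(pem_blocks(pem_text))
    if len(blocks) != 1 or not blocks[0][0].endswith("PRIVATE KEY"):
        return False, "expected exactly one PRIVATE KEY block"
    label, headers, der = blocks[0]
    if "ENCRYPTED" in label or any(h.startswith("Proc-Type: 4,ENCRYPTED") for h in headers):
        return False, "private key is encrypted; supply a non-encrypted key"
    if not der or der[0] != 0x30:
        return False, "key body is not a DER SEQUENCE"
    return True, "ok"

def check_certificate(pem_text):
    """Exactly one CERTIFICATE block whose body is a DER SEQUENCE."""
    blocks = [b for b in pem_blocks(pem_text) if b[0] == "CERTIFICATE"]
    if len(blocks) != 1 or not blocks[0][2] or blocks[0][2][0] != 0x30:
        return False, "expected exactly one well-formed CERTIFICATE block"
    return True, "ok"

def file_sha256(data):
    """Hex digest to compare with the 'sha256 of ... file' lines that
    'voradmin mfa remote-config get' prints after the files are installed."""
    return hashlib.sha256(data).hexdigest()

def check_redirect_url(url, mfa_port):
    """Keycloak redirect URL: https://<cte-hostname>:<mfa login port>/auth/callback."""
    u = urlsplit(url)
    return (u.scheme == "https" and bool(u.hostname) and u.port == mfa_port
            and u.path == "/auth/callback")
```

Run the checks on the real files (read as bytes for file_sha256, decoded as text for the PEM checks) before restarting secfsd, so a mismatching digest after remote-config get points at the wrong file having been installed.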
Using Remote Authentication for Multifactor Authentication
To log in and use Multifactor Authentication from a remote endpoint:
- The user must open a browser and enter a valid URL with the format: https://<cte-hostname>:<mfa login port>/login
Note
When launched from the Etray application on a CTE agent, the browser opens with the required URL already filled in the URL field.