Administrator Tasks for Multifactor Authentication
Using the Proper Filter
Note
The Multifactor Authentication feature requires the CTE VMLFS
driver. This driver must be running in order for Multifactor Authentication to work.
- All new installations of 7.3.0.x contain this driver. Type fltmc to verify. A table displays listing all currently loaded filter drivers; vmlfs must appear in it (here with 4 instances):

Filter Name | Num Instances | Altitude | Frame |
---|---|---|---|
WdFilter | 4 | 328010 | 0 |
storqosflt | 0 | 244000 | 0 |
wcifs | 0 | 189900 | 0 |
vmlfs | 4 | 142900 | 0 |
FileCrypt | 0 | 141100 | 0 |
luafv | 1 | 135000 | 0 |
npsvctrig | 1 | 46000 | 0 |
Wof | 1 | 40700 | 0 |

- Agents upgraded from 7.2.0 or earlier may still be using the vmfiltr driver. The upgrade keeps whichever driver the agent was running: an agent that ran vmfiltr starts 7.3.0 with vmfiltr, and an agent that ran vmlfs starts 7.3.0 with vmlfs. To switch to the vmlfs driver, type:
voradmin config enable vmlfs
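The following PowerShell script, added here as an example and not part of the CTE documentation, automates the check above: it parses the output of fltmc, reports whether vmlfs or the legacy vmfiltr filter is loaded, and offers to run voradmin config enable vmlfs when it finds vmfiltr. It assumes an elevated session with fltmc.exe and voradmin.exe on the PATH; the -WhatIf switch only shows what would be run.

```powershell
# Added example, not from the CTE documentation.
# Parses "fltmc filters" and checks which CTE minifilter is loaded.
# Assumes an elevated PowerShell session with fltmc.exe and voradmin.exe on the PATH.

function Get-LoadedMinifilter {
    # fltmc prints a header, a dashed separator and one row per filter:
    #   Filter Name   Num Instances   Altitude   Frame
    # Only rows that start with a name followed by two numbers are kept,
    # which drops the header, the separator and blank lines.
    foreach ($line in (fltmc filters)) {
        if ($line -match '^(?<Name>\S+)\s+(?<Instances>\d+)\s+(?<Altitude>\d+)\s+(?<Frame>\S+)') {
            [pscustomobject]@{
                Name      = $Matches.Name
                Instances = [int]$Matches.Instances
                Altitude  = [int]$Matches.Altitude
                Frame     = $Matches.Frame   # "<Legacy>" for non-minifilter entries
            }
        }
    }
}

function Test-CteMfaDriver {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $filters = Get-LoadedMinifilter
    $vmlfs   = $filters | Where-Object Name -eq 'vmlfs'
    $vmfiltr = $filters | Where-Object Name -eq 'vmfiltr'

    if ($vmlfs) {
        Write-Host ("vmlfs is loaded at altitude {0} with {1} instance(s); Multifactor Authentication can run." -f $vmlfs.Altitude, $vmlfs.Instances)
        if ($vmlfs.Instances -eq 0) {
            Write-Warning 'vmlfs is loaded but attached to no volumes.'
        }
        return $true
    }

    if ($vmfiltr) {
        Write-Warning 'The legacy vmfiltr driver is loaded; Multifactor Authentication requires vmlfs.'
        if ($PSCmdlet.ShouldProcess('CTE agent', 'voradmin config enable vmlfs')) {
            voradmin config enable vmlfs
            Write-Host 'Switched the agent to vmlfs. Run fltmc again to confirm that vmlfs is loaded.'
        }
        return $false
    }

    Write-Warning 'Neither vmlfs nor vmfiltr is loaded; verify the CTE agent installation.'
    return $false
}

Test-CteMfaDriver -WhatIf
```

Run it without -WhatIf to actually perform the switch. The regex deliberately ignores anything that is not a data row, so the script is not sensitive to the leading blank line or the column spacing that fltmc emits.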
User Authentication
Authentication applies to the entire client and is enforced the first time a user opens a file in an MFA-enabled GuardPoint. Once that first open succeeds, the user can read and write the file without authenticating again, until the authentication expires or the user logs out.
To authenticate, a user logs in to MFA from the Windows system tray:
- Click the CTE icon in the System Tray.
- Select Multi-Factor Authentication > Authenticate.
- Log in to access the STA OIDC template. After you log in, a message displays confirming your authentication and your access to the GuardPoint.
- Close the window to continue.
Note
If you log out, your access to the GuardPoint is disabled until you authenticate again.
Voradmin Commands
voradmin mfa status
Displays the MFA status for the current user: whether the user is allowed access, and the MFA-enabled GuardPoint paths on the host.
Syntax
voradmin mfa status
Example
C:\Windows\system32>voradmin mfa status
Response
User \dram is allowed access.
MFA enabled guardpath(s) (Number of paths: 2):
C:\cm\gp2
C:\cm\gp1
voradmin mfa config
Displays the host's MFA configuration: whether MFA is enabled on the host, the MFA-enabled GuardPoint paths, the users allowed access, the exempt list, and the OIDC settings.
Syntax
voradmin mfa config
Response
HostMfaEnable is set.
MFA enabled guardpath(s) (Number of paths: 2):
C:\cm\gp2
C:\cm\gp1
MFA access allowed users(s) (Number of users: 2):
Users\dram
NT AUTHORITY\SYSTEM
MFA Exempt-List: (Number of entries: 1)
user: "system", group: "", domain(s): "NT AUTHORITY"
OIDC configuration:
login-port : 5560
notification-port : 5562
client-id : 6653gd25-e1c7-4257-6034-46c77ffc8cb6
url : https://idp.eu.safenetid.com/auth/realms/1UWUA52A8A-STA
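As an added example (not part of the CTE documentation), the PowerShell script below parses the text that voradmin mfa config prints and turns it into an object that can be audited: it flags a host where HostMfaEnable is not set, an OIDC url that is not HTTPS, missing or invalid ports, and any exempt-list entry other than the built-in NT AUTHORITY\SYSTEM one. The sample text is the response shown above, embedded so the script runs offline; on an agent, replace it with (voradmin mfa config | Out-String).

```powershell
# Added example, not from the CTE documentation: parse and audit "voradmin mfa config" output.
# $sampleConfig is the response shown above, embedded so that the script runs offline.

$sampleConfig = @'
HostMfaEnable is set.
MFA enabled guardpath(s) (Number of paths: 2):
C:\cm\gp2
C:\cm\gp1
MFA access allowed users(s) (Number of users: 2):
Users\dram
NT AUTHORITY\SYSTEM
MFA Exempt-List: (Number of entries: 1)
user: "system", group: "", domain(s): "NT AUTHORITY"
OIDC configuration:
login-port : 5560
notification-port : 5562
client-id : 6653gd25-e1c7-4257-6034-46c77ffc8cb6
url : https://idp.eu.safenetid.com/auth/realms/1UWUA52A8A-STA
'@

function ConvertFrom-MfaConfig {
    param([Parameter(Mandatory)][string]$Text)

    $cfg = [ordered]@{
        HostMfaEnabled = $false
        GuardPaths     = [System.Collections.Generic.List[string]]::new()
        AllowedUsers   = [System.Collections.Generic.List[string]]::new()
        ExemptEntries  = [System.Collections.Generic.List[string]]::new()
        Oidc           = [ordered]@{}
    }
    $section = $null
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if (-not $line) { continue }
        # Section headers switch where the following lines are collected.
        if ($line -match '^HostMfaEnable is set')  { $cfg.HostMfaEnabled = $true; continue }
        if ($line -match '^MFA enabled guardpath') { $section = 'GuardPaths';    continue }
        if ($line -match '^MFA access allowed')    { $section = 'AllowedUsers';  continue }
        if ($line -match '^MFA Exempt-List')       { $section = 'ExemptEntries'; continue }
        if ($line -match '^OIDC configuration')    { $section = 'Oidc';          continue }

        if ($section -eq 'Oidc') {
            # "key : value"; split on the first colon only, because the url value contains "://"
            $key, $value = $line -split '\s*:\s*', 2
            $cfg.Oidc[$key] = $value
        }
        elseif ($section) {
            $cfg[$section].Add($line)
        }
    }
    [pscustomobject]$cfg
}

function Test-MfaConfig {
    param([Parameter(Mandatory)]$Config)
    $findings = [System.Collections.Generic.List[string]]::new()

    if (-not $Config.HostMfaEnabled)   { $findings.Add('HostMfaEnable is not set: MFA is not enforced on this host.') }
    if ($Config.GuardPaths.Count -eq 0) { $findings.Add('No MFA-enabled GuardPoints.') }

    # Exempt entries bypass MFA entirely; anything beyond the built-in SYSTEM entry needs a justification.
    foreach ($entry in $Config.ExemptEntries) {
        if ($entry -notmatch 'user:\s*"system".*domain\(s\):\s*"NT AUTHORITY"') {
            $findings.Add("Review exempt-list entry: $entry")
        }
    }

    $url = $Config.Oidc['url']
    if (-not $url)                      { $findings.Add('No OIDC url configured.') }
    elseif ($url -notmatch '^https://') { $findings.Add("OIDC url is not HTTPS: $url") }

    foreach ($name in 'login-port', 'notification-port') {
        $port = 0
        if (-not [int]::TryParse($Config.Oidc[$name], [ref]$port) -or $port -lt 1 -or $port -gt 65535) {
            $findings.Add("OIDC $name is missing or invalid.")
        }
    }

    # Values an administrator needs next: the redirect URI registered at the provider
    # (see voradmin mfa update-ports) and the discovery URL for voradmin mfa check-connection.
    $redirectUri  = if ($Config.Oidc['login-port']) { "http://127.0.0.1:$($Config.Oidc['login-port'])/auth/callback" }
    $discoveryUrl = if ($url) { $url.TrimEnd('/') + '/.well-known/openid-configuration' }

    [pscustomobject]@{
        Ok           = ($findings.Count -eq 0)
        RedirectUri  = $redirectUri
        DiscoveryUrl = $discoveryUrl
        Findings     = $findings
    }
}

$audit = Test-MfaConfig -Config (ConvertFrom-MfaConfig -Text $sampleConfig)
$audit | Format-List
```

For the sample above the audit reports Ok = True with no findings, and derives the redirect URI http://127.0.0.1:5560/auth/callback and the discovery URL https://idp.eu.safenetid.com/auth/realms/1UWUA52A8A-STA/.well-known/openid-configuration from the configured port and url.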
voradmin mfa check-connection
Checks that the agent can reach the OIDC provider. The argument is the provider's discovery URL, that is, the configured url followed by /.well-known/openid-configuration, as in the example.
Syntax
voradmin mfa check-connection <OIDC-configuration-URL>
Example
C:\Windows\system32>voradmin mfa check-connection https://idp.eu.safenetid.com/auth/realms/1UWUA6OA8A-STA/.well-known/openid-configuration
Response 1: Success
Connection ok to https://idp.eu.safenetid.com/auth/realms/1UWUA6OA8A-STA/.well-known/openid-configuration
Response 2: Failure
Connection failed to https://idp.eu.safenetid.com/auth/realms/1UWUA6OA8A-STA/.well-known/openid-configuration-bad
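The agent's own check only tells you whether the discovery URL answered. The PowerShell script below, added here as an example and not part of the CTE documentation, goes one step further: it derives the discovery URL from the realm url shown in voradmin mfa config, fetches the discovery document, verifies that its issuer matches the configured url and that the endpoints are HTTPS, and only then runs voradmin mfa check-connection with the same URL. It assumes outbound HTTPS from the agent host; the realm URL is the one from the config response above.

```powershell
# Added example, not from the CTE documentation: validate the OIDC provider's discovery
# document and only then run "voradmin mfa check-connection" with the same URL.
# Assumes outbound HTTPS from the agent host.

function Get-OidcDiscoveryUrl {
    param([Parameter(Mandatory)][string]$RealmUrl)
    # check-connection expects the discovery document URL, not the bare realm/issuer URL
    if ($RealmUrl -match '/\.well-known/openid-configuration/?$') { return $RealmUrl }
    return $RealmUrl.TrimEnd('/') + '/.well-known/openid-configuration'
}

function Test-OidcDiscoveryDocument {
    param(
        [Parameter(Mandatory)]$Document,                 # object returned by Invoke-RestMethod
        [Parameter(Mandatory)][string]$ExpectedIssuer    # issuer URL the agent is configured with
    )
    $problems = [System.Collections.Generic.List[string]]::new()

    # OpenID Connect Discovery requires the issuer to equal the URL the document was fetched
    # from, minus the /.well-known/openid-configuration suffix. A mismatch means the agent is
    # pointed at the wrong realm or at something that merely proxies the provider.
    $issuer = [string]$Document.issuer
    if ($issuer.TrimEnd('/') -ne $ExpectedIssuer.TrimEnd('/')) {
        $problems.Add("issuer '$issuer' does not match configured url '$ExpectedIssuer'")
    }
    foreach ($name in 'authorization_endpoint', 'token_endpoint', 'jwks_uri') {
        $value = [string]$Document.$name
        if (-not $value)                      { $problems.Add("missing $name") }
        elseif ($value -notmatch '^https://') { $problems.Add("$name is not HTTPS: $value") }
    }
    if ($Document.response_types_supported -and 'code' -notin $Document.response_types_supported) {
        $problems.Add('provider does not advertise response_type=code (authorization code flow)')
    }
    [pscustomobject]@{ Ok = ($problems.Count -eq 0); Problems = $problems }
}

function Test-OidcProvider {
    param([Parameter(Mandatory)][string]$RealmUrl)
    $discovery      = Get-OidcDiscoveryUrl -RealmUrl $RealmUrl
    $expectedIssuer = $discovery -replace '/\.well-known/openid-configuration/?$', ''
    try {
        $doc = Invoke-RestMethod -Uri $discovery -TimeoutSec 15
    }
    catch {
        return [pscustomobject]@{ Ok = $false; DiscoveryUrl = $discovery; Problems = @("fetch failed: $($_.Exception.Message)") }
    }
    $check = Test-OidcDiscoveryDocument -Document $doc -ExpectedIssuer $expectedIssuer
    [pscustomobject]@{ Ok = $check.Ok; DiscoveryUrl = $discovery; Problems = $check.Problems }
}

$result = Test-OidcProvider -RealmUrl 'https://idp.eu.safenetid.com/auth/realms/1UWUA52A8A-STA'
$result | Format-List
if ($result.Ok) {
    # Same URL the agent itself will test; if this step fails while the fetch above
    # succeeded, the problem is in the agent's own network path (proxy, firewall), not the provider.
    voradmin mfa check-connection $result.DiscoveryUrl
}
```

Test-OidcDiscoveryDocument is separated from the network call so it can also be run against a saved discovery document (for example one fetched from another host) when the agent has no outbound access.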
voradmin mfa update-ports
Updates the OIDC login and notification ports.
Note
Updating the ports restarts the CipherTrust Transparent Encryption Multifactor Authentication application. Users must log in to Multifactor Authentication again after the ports are updated.
Warning
If the OIDC login port is changed, the redirect URI registered for the OIDC application at the Multifactor Authentication provider must also be changed. It is specified in the format http://127.0.0.1:<oidc-login-port>/auth/callback. If the redirect URI is not updated, CipherTrust Transparent Encryption may fail to connect to the provider.
Syntax
voradmin mfa update-ports <oidc-login-port> <oidc-notification-port>
Example
C:\Windows\system32> voradmin mfa update-ports 8000 8075
Response
Updated OIDC ports
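The warning above is the part administrators most often miss. The PowerShell function below, added here as an example and not part of the CTE documentation, wraps voradmin mfa update-ports so that the change is made safely: it reads the current ports from voradmin mfa config, refuses ports that another process is already listening on, runs the update, and prints the redirect URI that must be registered at the provider for the new login port. It assumes an elevated session on the CTE agent with the NetTCPIP module available (Windows 8 / Server 2012 and later); the port numbers are the ones from the example above.

```powershell
# Added example, not from the CTE documentation: change the OIDC ports and print the
# redirect URI that must be re-registered at the MFA provider afterwards.
# Assumes an elevated PowerShell session on the CTE agent.

function Test-PortFree {
    param([Parameter(Mandatory)][int]$Port)
    $listener = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
    if ($listener) {
        $owner = (Get-Process -Id $listener[0].OwningProcess -ErrorAction SilentlyContinue).ProcessName
        Write-Warning "Port $Port is already listening (process: $owner)."
        return $false
    }
    return $true
}

function Set-MfaOidcPorts {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateRange(1, 65535)][int]$LoginPort,
        [Parameter(Mandatory)][ValidateRange(1, 65535)][int]$NotificationPort
    )
    if ($LoginPort -eq $NotificationPort) { throw 'Login and notification ports must differ.' }

    # The login port is where the provider redirects the browser back to; a port already
    # held by another service would silently break every MFA login after the change.
    # Ports the MFA application itself currently holds are exempt from the free-port check.
    $current      = (voradmin mfa config | Out-String)
    $currentLogin = if ($current -match 'login-port\s*:\s*(\d+)') { [int]$Matches[1] } else { 0 }
    $currentNotif = if ($current -match 'notification-port\s*:\s*(\d+)') { [int]$Matches[1] } else { 0 }

    foreach ($port in $LoginPort, $NotificationPort) {
        if ($port -ne $currentLogin -and $port -ne $currentNotif -and -not (Test-PortFree -Port $port)) {
            throw "Port $port is in use; choose another."
        }
    }

    $redirectUri = "http://127.0.0.1:$LoginPort/auth/callback"
    if ($PSCmdlet.ShouldProcess('CTE MFA', "voradmin mfa update-ports $LoginPort $NotificationPort")) {
        voradmin mfa update-ports $LoginPort $NotificationPort
        if ($LASTEXITCODE -ne 0) { throw "voradmin mfa update-ports failed with exit code $LASTEXITCODE" }
    }
    if ($LoginPort -ne $currentLogin) {
        Write-Host "Login port changed: register this redirect URI for the OIDC application at the MFA provider: $redirectUri"
    }
    Write-Host 'All users must log in to Multifactor Authentication again.'
    return $redirectUri
}

Set-MfaOidcPorts -LoginPort 8000 -NotificationPort 8075 -WhatIf
```

If voradmin mfa localhost-redirect-uri set is in effect, the host part of the redirect URI the provider expects is localhost rather than 127.0.0.1; adjust the printed URI accordingly.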
voradmin mfa set-auth-expiry
Sets how long an MFA login remains valid. When the interval elapses, the user must authenticate again.
Note
Changing authentication expiry clears all existing MFA logins. Users must login again.
Syntax
voradmin mfa set-auth-expiry <time interval in minutes (specify 0 to disable expiry time)>
Example
C:\Windows\system32> voradmin mfa set-auth-expiry 5
Response
Authentication will expire every 5 minute(s).
Re-authenticate for new settings.
voradmin mfa localhost-redirect-uri
Controls the host name used in the redirect URI. You do not need to supply a value: set makes CTE use http://localhost:5590/auth/callback as the redirect URI, and unset reverts to the default redirect URI for the MFA provider. This command is useful when an MFA provider does not accept 127.0.0.1 as the redirect URI host.
Syntax
voradmin mfa localhost-redirect-uri <get|set|unset>
voradmin mfa domains-map
Domain mapping maps the domain that the MFA provider reports for a user to the domain the host uses for that user. It can be used with all providers, but it is required only for Entra ID.
Syntax
voradmin mfa domains-map <get|set|unset> <domain1>:<domain2>
Example
voradmin mfa domains-map set thalesgroup.com:<localhost>.com
Response
Restart secfsd service to affect changes.
Note
You can map multiple domains using a comma in between domain names. For example:
voradmin mfa domains-map set <domain-1-onMFA-provider>:<domain-1-onHost>,<domain-2-onMFA-provider>:<domain-2-onHost>
voradmin mfa remote-config
Remote authentication allows a user to log in to Multifactor Authentication from a machine other than the CTE client. This enables authentication for remote endpoints that access CIFS shares exported by a CTE agent.
Syntax
voradmin mfa remote-config [<get|set|unset>] [<privateKeyFile> <certificateFile>]
Options | Description |
---|---|
certificateFile | Presented to the web browser during TLS communication. |
get | Displays the SHA-256 fingerprints of the key and certificate in use, so that you can verify that the key and certificate imported with set are the ones you intended. |
privateKeyFile | Used by the OIDC service for TLS communication with the web browser. |
set | Imports the private key and certificate that CTE will use for remote authentication. |
unset | Disables remote authentication for Multifactor Authentication and reverts to local Multifactor Authentication. |
See Remote Authentication for Multifactor Authentication for more information.
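Because the certificate is what remote users' browsers will trust, it is worth checking the key pair before importing it. The PowerShell function below, added here as an example and not part of the CTE documentation, loads a PEM certificate and private key, verifies that the key really belongs to the certificate (by comparing the SubjectPublicKeyInfo derived from each), checks the RSA key size and validity period, and prints the SHA-256 fingerprint so you can compare it with what voradmin mfa remote-config get reports after the import. It requires PowerShell 7.1 or later on Windows (X509Certificate2.CreateFromPemFile is .NET 5+), an unencrypted RSA private key in PEM form, and the file paths shown are placeholders.

```powershell
# Added example, not from the CTE documentation: vet a PEM private key and certificate
# before importing them with "voradmin mfa remote-config set".
# Requires PowerShell 7.1+ (.NET 5+) and an unencrypted RSA key in PEM form.

function Test-RemoteMfaTlsMaterial {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$PrivateKeyFile,
        [Parameter(Mandatory)][string]$CertificateFile,
        [int]$MinDaysValid = 30
    )
    $problems = [System.Collections.Generic.List[string]]::new()

    # Certificate alone: fingerprint and validity window.
    $cert   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::CreateFromPemFile($CertificateFile, $null)
    $sha256 = $cert.GetCertHashString([System.Security.Cryptography.HashAlgorithmName]::SHA256)

    $now = Get-Date
    if ($now -lt $cert.NotBefore) { $problems.Add("certificate is not valid until $($cert.NotBefore)") }
    if ($cert.NotAfter -lt $now.AddDays($MinDaysValid)) {
        $problems.Add("certificate expires on $($cert.NotAfter), less than $MinDaysValid days from now")
    }

    $pub = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if (-not $pub) {
        $problems.Add('not an RSA certificate; the key-match and key-size checks here cover RSA only')
    }
    else {
        if ($pub.KeySize -lt 2048) { $problems.Add("RSA key size $($pub.KeySize) is below 2048 bits") }

        # Certificate plus key: the private key must yield the same SubjectPublicKeyInfo
        # as the certificate, otherwise TLS handshakes will fail after the import.
        try {
            $pair = [System.Security.Cryptography.X509Certificates.X509Certificate2]::CreateFromPemFile($CertificateFile, $PrivateKeyFile)
            $priv = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($pair)
            $keySpki  = [BitConverter]::ToString($priv.ExportSubjectPublicKeyInfo())
            $certSpki = [BitConverter]::ToString($pub.ExportSubjectPublicKeyInfo())
            if ($keySpki -ne $certSpki) {
                $problems.Add('private key does not correspond to the certificate public key')
            }
        }
        catch {
            $problems.Add("could not pair the key with the certificate: $($_.Exception.Message)")
        }
    }

    $result = [pscustomobject]@{
        Subject  = $cert.Subject
        Sha256   = $sha256
        NotAfter = $cert.NotAfter
        Ok       = ($problems.Count -eq 0)
        Problems = $problems
    }
    $result | Format-List | Out-String | Write-Host

    if ($result.Ok -and $PSCmdlet.ShouldProcess('CTE MFA', "voradmin mfa remote-config set $PrivateKeyFile $CertificateFile")) {
        voradmin mfa remote-config set $PrivateKeyFile $CertificateFile
        # Compare the SHA-256 printed above with what the agent reports after the import.
        voradmin mfa remote-config get
    }
    return $result
}

Test-RemoteMfaTlsMaterial -PrivateKeyFile 'C:\cte\mfa\remote.key' -CertificateFile 'C:\cte\mfa\remote.crt' -WhatIf
```

Without -WhatIf the function performs the import only when every check passes; a mismatched key or a certificate expiring within the configured window is reported and nothing is changed on the agent.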
Restarting SecFSD
Many Multifactor Authentication commands take effect only after SecFSD is restarted.
- To stop secfsd, type:
net stop secfsd
- To start secfsd again, type:
net start secfsd