A few years ago I wrote about How to deploy Microsoft Azure MFA & AD Connect with Citrix NetScaler Gateway and mentioned how you should deploy the MFA User Portal and allow your users self service and easy enrollment into the system. I also discussed allowing Azure MFA Authenticator mobile app. The User Portal is pretty straight forward to setup but recently I was asked how I deploy it in the DMZ on separate servers. This is how I always deploy it for companies in production but it’s a little tricky. Luckily I’ve done it serveral times now so let me show you how to do it.
1. Stand up a couple of web servers in the DMZ that will be used for the User Portal. I am going to assume you followed me previous guide and have a working MFA environment. Go to one of your existing internal MFA authentication servers and navigate to:
C:\Program Files\Multi-Factor Authentication Server
and copy out the following 3 files to your DMZ web servers:
2. Your DMZ web servers do not have to be domain joined obviously. Just login with a local admin or DMZ domain account. We need to install the following pre-reqs:
-IIS 6 Management Compatibility
14. You might get an error message like this saying “You do not have sufficient privileges to complete the installation for all users of the machine. Log on as administrator and retry this installation.”:
I usually login as a local administrator. Do not try and run an elevated Administrator cmd prompt (right click on cmd, Run as Administrator) and then navigate to the location of the .msi and run something like this command:
msiexec /a MultiFactorAuthenticationWebServiceSdkSetup64.msi
It will install but you’re going to end up having to create Virtual directories and Application Pools in IIS manually. It’s kind of a pain to manually have to go do it so save yourself the headache and login as a local admin so it can do it for you.
17. It will say “This setup requires “Visual C++ Redistributable for Visual Studio 2015(x86) Update 2″ or higher. Do you want to download it now?”. Hit Yes. It will open in IE by default and if you have ESC mode on it’s going to block it. You may have to disable ESC temporarily and run the .msi again to get to the download page.
19. You’ll noticed the saved file is missing it’s extension. This happens in every environment I install the User Portal in. The User Portal .msi file is pointing at the wrong redistributable. Just rename and give it the extension .exe to run it.
27. Now we need to install the mobile app web service. If you don’t do this users will not be able to scan the QR code and the Authenticator app won’t work properly. Just double click on MultiFactorAuthenticationMobileAppWebServiceSetup64.msi
30. Navigate to:
31. Near the top of the web.config set the following 3 lines. We’re going to flip the Web Service SDK to true and give it the domain credentials to access the internal Azure MFA servers. It needs to be an MFA service account used only for this purpose and it must be a member of the “PhoneFactor Admins” security group in AD. Double check and make sure the account is part of this group or nothing will work later and you’ll be wondering why. The communication from the DMZ to internal will be over SSL but yes, the user password is saved in plain text. There are ways to encrypt sections of the web.config but that is a little beyond the scope of this article. If you would like to know how to do this please leave a comment at the bottom of this article and I’ll write some instructions. I’ve done it several times for high security environments successfully.
<add key="USE_WEB_SERVICE_SDK" value="true"/>
<add key="WEB_SERVICE_SDK_AUTHENTICATION_USERNAME" value="yourdomain\svc_mfa_user_portal"/>
<add key="WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD" value="yourpassword"/>
32. Scroll down to the “pfup_pfwssdk_PfWsSdk” setting and you will see the current String is set to:
just change the domain part to whatever you want to reference your internal MFA authentication servers. I usually call mine:
and then edit the host file on each web server to point at mfabackend.yourdomain.com which is a load balanced vserver on my DMZ NetScaler that communicates to the internal MFA authentication servers. This way I don’t have to mess with DNS or modify multiple firewall rules since the NetScaler will be doing the talking for me.
33. Save your web config. Sometimes you may need to troubleshoot your configuration in later steps from a browser on your PC rather than on the server itself. To read the actual error messages, I sometimes add this temporarily to disable the custom error messages right before the closing of the system.web section:
DO NOT leave this on or you are exposing everything to the Internet. Use it for temporary troubleshooting only.
34. Open up IIS Manager and install your SSL certificate for your your MFA User Portal. Bind it for https on the Default Web Site like this. Anything user friendly like register.yourdomain.com, enroll.yourdomain.com, etc. will work fine here. Whatever is easy for users to remember.
35. Now we need edit the web.config for the Mobile App Web Service. Navigate to:
and open up this web.config using an elevated Notepad like you did for the User Portal. It will have the same sections, you need to modify. Add the user credentials and edit the URL line again:
Don’t forget to copy this web.config over to your other web server too.
36. Now log in to each of your internal MFA authentication servers. You will need to install IIS and the pre-reqs again like you did on the web servers:
-IIS 6 Management Compatibility
Don’t forget to do this on your other authentication server too.
40. Open up IIS Manager and bind an SSL certificate. The NetScaler will be handling mfabackend.yourdomain.com for you but you still want to encrypt the communication from the NetScaler to your MFA authentication servers. Do this on both your authentication servers.
41. Now on the Master server, click on User Portal and type in the URL for the user portal you decided on in step 33. Again, keep it user friendly. You can select the options here that are allowed on the User Portal. The ones that are usually cleared by Security teams and I am requested to enable are:
42. Now click on Mobile App and add the URL to the mobile app web service. It will be the same URL as the User Portal but with the directory changed:
43. Ensure you have DNS records for register.yourdomain.com (or whatever friendly name you chose for the User Portal) and mfabackend.yourdomain.com in place pointed at the appropriate NetScaler vservers or whatever load balancer you are using. Don’t forget that the register.yourdomain.com DNS record needs to available externally too. Again, all this traffic is SSL so your vservers should be on 443. Then you can navigate to
https://register.yourdomain.com/MultiFactorAuth/ and you should get the MFA User Portal login page.
44. I have imported a user without a phone number in AD to show you how enrollment works. If I did import a user with a phone number it would pause and call me to confirm the 2nd factor of authentication but I want to show you how the User Portal can be used as a tool to collect phone numbers and enroll which is a good use case for external vendors, contractors, etc. who HR usually does not have mobile numbers for. When I login as a user without a phone number, I will be asked for the number and it will call me to authenticate.
45. On the next screen I will choose my 4 security questions. You can choose the number and types of questions asked or even disable this completely in the User Portal. I like to leave it on to minimize Help Desk calls. The more self service you can give users the better.
47. Now let’s activate the Authenticator mobile app. Make sure you have downloaded Microsoft Authenticator from your phone’s mobile app store. Click on Acitivate Mobile App and hit Generate Activation Code.
48. This will invoke the mobile SDK and a QR code and activation code will be displayed. Scan this QR code with your phone using the Microsoft Authenticator mobile app. Keep in mind that the URL needs to available externally at this point or the app won’t be able to resolve the URL and it won’t register the account.
50. Now a couple of things you can fine tune using your NetScaler. When a user navigates to http://register.yourdomain.com it doesn’t automatically switch them over to using https. If they type in https it takes them to the default IIS page instead of the MultiFactorAuth page which can be equally annoying.
51. To do the http to https redirect, just open up the load balanced vserver for the MFA web servers and add an HTTPS redirect URL from port 80:
52. This will get people that type in register.yourdomain.com into their browser bar over to the right URL but will not take care of the users that type in
https://register.yourdomain.com. So you need to create and bind a Responder policy to take care of this.
once you bind this to your MFA web server lb vserver users will no longer be able to see the default IIS page even if they come over SSL.
I hope this guide has helped you. Please leave any questions or comments below.