Hi Stewart,

The MS Authenticator app supports the basic TOTP protocol. All you need to do is enable TOTP (not Duo) on Guacamole. During the user's first login, it will ask you to set up TOTP and display a QR code. In the MS Authenticator app, open the top-right menu, add a new account and select "Other account". Scan the QR code and you are done. This method is not true Azure MFA, however. No wonderful Microsoft Azure policies, etc.

Some issues I've noticed - I have many Guacamole installs and I've had to rename the guacadmin username specific to each install. It seems the MS Authenticator app uses the username as the key, so if you use the same username over multiple installs it will overwrite the existing account and lock you out of the previous instance. I haven't even tested this with Google Authenticator, so your mileage may vary.

The other issue, which is much bigger to me (discovered via the above problem 🙂), is the lack of a TOTP reset function in the web-based panel in the event the user loses their phone or deletes the Authenticator app. Basically, you need to manually delete the TOTP keys in the DB, so I just re-create the users as of now. Bit of a pain, but it works.

Also, TOTP will not work with LDAP/AD. It needs to be able to write back the TOTP keys to the directory - which isn't implemented with AD yet (or will it be? I suggest doing it like ownCloud does and storing them in the local DB even with AD auth).

Andrew

________________________________
From: Stewart Alexander <[email protected]>
Sent: Wednesday, March 4, 2020 9:54 AM
To: [email protected] <[email protected]>
Cc: Andrew Kopp <[email protected]>
Subject: Re[2]: Using 2 factor authentication with Active Directory

Hi all,

Can you tell us more about TOTP and the MS Authenticator App? Sounds intriguing. What's the process for integrating this into Guacamole? Can someone point us to some documentation?

But yeah, 2 factor authentication would be very nice.

------ Original Message ------
From: "Andrew Kopp" <[email protected]>
To: "[email protected]" <[email protected]>
Sent: 3/4/2020 9:45:44 AM
Subject: Re: Using 2 factor authentication with Active Directory
+1. I would like this too, but based on my testing I do not think it's possible quite yet. Microsoft's Graph APIs just went under a lot of changes and they discontinued support for a lot of their own dev libraries. This will need some development effort for sure. If you disable NLA you could potentially do it on the RDP login screen, but this will force the user to authenticate twice. For now I'm happy with TOTP and using the MS Authenticator app. I'd probably help fund a project bounty for this add-on, however.

________________________________
From: Stewart Alexander <[email protected]>
Sent: Wednesday, March 4, 2020 9:30:20 AM
To: [email protected] <[email protected]>
Subject: Using 2 factor authentication with Active Directory

Hi all,

We are interested in using 2 factor authentication with Active Directory to have our users log in via RDP to their Microsoft Windows computers. Is this possible? Is there documentation on setting this up?

Thanks...

Best Regards,
Stewart Alexander
ACC Network Administrator
E: [email protected]
P: +1 (336) 506-4181
"Chi poco pensa, molto erra." - Leonardo da Vinci (Those who think little err often)

________________________________
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please disregard. This message may contain confidential information and is intended only for the individual named. For more information about our privacy policy and how we process data, please visit our website and use the Privacy Notice link located on the main page.
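As an added illustration of the "basic TOTP protocol" the thread relies on (example code written for this archive, not from the Guacamole project or any of the posters), here is a minimal RFC 6238 verifier that parses the kind of otpauth URI an enrolment QR code carries. The URI, issuer name and secret are constructed (the secret is the RFC 6238 reference key), and the "Issuer:account" label is what authenticator apps generally use to identify an entry, which is why giving each install its own issuer keeps entries with the same username from colliding.

```python
"""Minimal RFC 6238 TOTP verifier for an otpauth:// enrolment URI."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed example URI (issuer, account and secret are illustrative; the
# secret is the RFC 6238 test key "12345678901234567890" in base32).
EXAMPLE_URI = ("otpauth://totp/Guacamole-Site1:guacadmin"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
               "&issuer=Guacamole-Site1&digits=6&period=30")


def parse_otpauth(uri):
    """Split an otpauth URI into issuer, account name and TOTP parameters."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    label = unquote(u.path.lstrip("/"))          # "Issuer:account"
    issuer, _, account = label.rpartition(":")
    q = parse_qs(u.query)
    return {
        "issuer": issuer or q.get("issuer", [""])[0],
        "account": account,
        "secret": q["secret"][0],
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def totp_code(secret_b32, unix_time, digits=6, period=30):
    """HOTP(K, floor(T / period)) with HMAC-SHA1 and dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(unix_time) // period
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(params, code, unix_time=None, skew=1):
    """Accept the code for the current step or up to `skew` neighbouring steps."""
    now = time.time() if unix_time is None else unix_time
    for step in range(-skew, skew + 1):
        expected = totp_code(params["secret"], now + step * params["period"],
                             params["digits"], params["period"])
        if hmac.compare_digest(expected, code):   # constant-time comparison
            return True
    return False
```

Because the secret is the only thing the server needs to validate a code, a lost phone is recovered by deleting that stored secret and re-enrolling, which is the manual DB reset the thread describes.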
