Page History

The Indeed IIS Extension product makes it possible to add the second user authentication factor for web applications that use Forms Authentication and are deployed at Microsoft Internet Information Services (IIS) platform with Indeed authentication technology.

Installation and configuration of the Indeed IIS Extension

1. Install Indeed IIS Extension by running

1. IndeedAM.IIS.Extension-v1.2.7.x64

1. .msi

1.  installer.
2. Modify the following parameters

1. in HKEY_LOCAL_MACHINE\SOFTWARE\Indeed-ID\AuthProxy section:

   1. ServerUrlBase parameter. This parameter defines the URL of your IndeedAM server.

1. 1. Note
      There must be no “/” character at the end of URL in application settings.

      
      

   2. IsIgnoreCertErrors parameter with the value of 0. This parameter is intended to verify the Indeed AM server certificate. Value of 1 means that certificate errors are ignored.
   3. AppId parameter with the value of IIS Extension. This parameter defines the name of the component used.Image Added
2. Create a key named IISHTTPModule in  HKEY_LOCAL_MACHINE\SOFTWARE\Indeed-ID section. In this key, create the following:

   1. LSUrl string parameter. This parameter defines the URL of your log server.

1. 1. Note
      There must be no “/” character at the end of URL in application settings.

      
      

   2. Create LSEventCacheDirectory string parameter. Specify the path to local cache storage folder as the value.

   3. ProviderId string parameter. Specify ID of the provider that is to be used for authentication as the value.

1. 1. Info

      id parameter of ProviderId have different provider ID {EBB6F3FA-A400-45F4-853A-D517D89AC2A3} - SMS OTP {093F612B-727E-44E7-9C95-095F07CBB94B} - EMAIL OTP {F696F05D-5466-42b4-BF52-21BEE1CB9529} - Passcode {0FA7FDB4-3652-4B55-B0C0-469A1E9D31F0} - Software OTP {AD3FBA95-AE99-4773-93A3-6530A29C7556} - HOTP Provider {CEB3FEAF-86ED-4A5A-BD3F-6A7B6E60CA05} - TOTP Provider {DEEF0CB8-AD2F-4B89-964A-B6C7ECA80C68} - AirKey Provider

      Image Added

IIS configuration.

1. Open the application (owa for Outlook Web Access) that is to use

1. IIS Extension in IIS Manager and switch to Modules section.Image Added
2. Click "Configure Native

1. Modules…" in Actions menu, activate Indeed modules and click Ok.Image Added

Component configuration

Two-factor authentication is configured separately for each target application. To configure, create a key with the name of application or IIS site in the  HKEY_LOCAL_MACHINE\SOFTWARE\Indeed-ID\IISHTTPModule section of Windows registry. Then create the following parameters in the key and define their values:

1. AuthCookie – string parameter. This defines the name of cookie that is used for authentication in the target application. This is defined experimentally for each application. The parameter value might be obtained in F12 IE Developer Toolbar. To do so, proceed as follows:
   1. Run Enable network traffic capturing in the Network section.
   2. Perform authentication in the application.
   3. Switch to Cookie tab of Details section.
   4. The value in question is specified in the Key column.Image Added
2. sMFAEnabled – DWORD parameter. This enables two-factor authentication.
3. LoginURL – string parameter. This is relative URL, to that the data is transmitted from the application login form using POST method The parameter value must start with / character. The URL is defined relatively to the target site.
4. MatchTargetRedirect - DWORD parameter. If the value is 1, then the page to enter the second authentication factor is displayed before transition to the main page. The target page is not saved in the buffer. After the second factor is entered, redirect to the main page is performed (TargetURL parameter).
5. OTPURL – string parameter. Alternate URL to send the data of Indeed authentication form for the second factor to. By default, the data is sent to the same URL as the form data of the target application. The IIS module intercepts this data and either replaces it with original one if Indeed authentication is successful or does not, if Indeed authentication is unsuccessful and target application displays authentication error itself. The value should be used if the target application does not consider the Indeed form data as incorrect for authentication. Or it is necessary to display authentication errors explicitly to the Indeed user. Thus, the value might be left blank.
6. PasswordField – string parameter. This defines the value of name attribute for password field of the application login form.
7. RedirectToTarget - DWORD parameter. This defines the redirect to the target page. 

8. TargetURL – string parameter. This defines the URL of the target page, where the user is redirected to after authentication in the application. 

1. Info
   For Exchange 2013 and 2016, specify "/owa" (without the end / character). For Exchange 2010, specify "/owa/" (with / character at the end).

   
   

2. UsernameField – string parameter. This defines the value of name attribute for username field of the application login form.

The values of LoginURL, PasswordField, UsernameField parameters reside in the authentication form of the target application. You can obtain those with Internet Explorer F12 Developer Tools, for example.Image AddedImage Added

Example of extension operation.

1. Open the OWA application and enter domain username and password.Image Added
2. If correct, the second factor prompt window appears.Image Added

1. If entered correctly, the application opens.