DSPA: Integration with Active Directory for Secure Two-Factor Authentication

The Protectmus DSPA (Dynamic Strong Password Authentication) component allows integrating Protectimus two-factor authentication solution with Microsoft Active Directory or any other user directory (AD/LDAP, DBMS). After that, the 2FA dynamic passwords will be requested on all services connected to this directory (for example on Winlogon, RDP, ADFS, and OWA at once).

Protectimus DSPA adds six-digit time-based one-time passwords onto users’ static passwords. The resulting passwords look somehow like this: P@ssw0rd!459812. Where:

• P@ssw0rd! is the fixed part;
• 459812 is a TOTP one-time password that changes within a set time interval.

The administrator sets the one-time password change interval, which must be a multiple of 30 seconds.

From the end-user side, authentication will look like this: to access their accounts, a user must enter their fixed password and a one-time code in one line. To generate OTPs, users should use the app Protectimus SMART.

1. Install Protectimus On-Premise Platform

1.1. Windows

1.2. Another OS

2. Get Registered

3. Add User Provider

1. After installing the platform and registering in the Protectimus system, log into your account, open the DSPA tab, and select Add task -> Add LDAP user provider.

2. Fill in the details about your user directory.

keytool -import -alias ___ -file '___.cer' -keystore 'C:\Program Files\Java\jre___\lib\security\cacerts' -storepass changeit

DC=domain,DC=local

CN=Administrator, CN=Users, DC=demo, DC=domain, DC=local

administrator@domain.local

3. After filling in details about your user directory, add synchronization attributes.
   
   Click on the Attributes button.
   
   
   Then add your attributes as shown in the example.
   
   Additionally, the OpenLDAP configuration is available from the provided vendors. You can select it in the Vendor field.
   
   

4. Now configure the Password Encoder setting.
   
   Select an algorithm that matches your configuration. Available algorithms: AD-specific (UTF-16LE), Plain, BCRYPT, SHA256, SSHA256, SHA512, SSHA512, MD4, MD5, SMD5, SHA, and SSHA.
   
   

5. After successfully adding the user provider, you need to import the users into the Protectimus system and synchronize them with your user directory.
   
   In the Synchronization mode field, you should choose how you would like to import your users.
   
   Importing users can be set up in three ways:
   • Import — will never update user data.
   • Import and Update — will always update user data when possible.
   • Import, Update and Delete — will always update user data when possible. Protectimus users, as well as the software tokens assigned to them, will be removed upon the user’s removal from external user storage.

6. Now configure the Use pagination setting.
   
   When Use pagination is activated, it means that if the number of records exceeds 200 or 500, multiple queries will be used for retrieval. This is due to LDAP typically returning a limited number of entries by default.

7. Set up a filter to be applied during synchronization.
   
   Use this filter to select only the users you want to synchronize.
   
   For example, to import only those users who have the telephoneNumber and mail attributes specified, set up such a filter:
   
   

   (&(telephoneNumber=*)(mail=*))

   To import users from a specific group, choose the required group. In our example, it is the Users group.

8. Leave thr Enroll SMS token empty.

9. In the Resource associations section, you can choose the resource to which the users will be assigned during synchronization.
   
   

10. The next step is to enable user synchronization. This can be accomplished in three ways:
    
    
    1. Use the Synchronize now button to synchronize all users at once.
       
       
       You can also select the Synchronize modified button to synchronize only the users who have been modified since the last synchronization.
       
       
       
    2. Use the Synchronize individuals feature to synchronize only the selected users from your user directory.
    
    
    
    3. Or enable automatic user synchronization by activating the Enabled option at the top of the page.
    

4. Add Passwords

PLEASE NOTE! You can activate the Users’ Self-Service Portal so that your users could add their passwords to the system themselves. Read how to set up a Users’ Self-Service Portal in the Users’ Self-Service Portal Setup Instructions.

1. Go to the user editing page: click Users in the menu on the left > click on the user’s Edit button on the right side

2. Enter the user password in the corresponding field and click Save.

5. Add Tokens

So far, the Protectimus DSPA component is only compatible with the in-app 2FA tokens Protectimus Smart OTP, available on iOS and Android, therefore we recommend activating the User Self-Service Portal so that your end users could issue tokens on their own. Read our Self-Service Portal Setup Guide for detailed instructions.

1. Select a synced user and click Assign Token, then click New.

2. Select the Protectimus SMART token and configure it. Protectimus Smart OTP App is available for free on Google Play and App Store.

6. Protectimus DSPA Activation and Deactivation

1. To activate the Protectimus DSPA component, go to the DSPA tab and click on the name of DSPA:
   
   
   Then activate the Enabled parameter.
   
   
   Accordingly, to deactivate the Protectimus DSPA component, it is necessary to uncheck the Enabled parameter.
   
   When DSPA is disabled, all passwords will be reset automatically (i.e., the dynamic part will be removed).

2. For the Protectimus DSPA component to work, you need:
   • A configured user provider;
   • A synchronized user;
   • A password set for the user;
   • A token assigned to the user.
   You can check whether these conditions are fulfilled on the Affected users section on the DSPA tab.

3. You can see the results of the passwords update in the Report section.

4. The result of updates can be viewed by clicking on the icon in the table of reports.

7. How to Activate the Users’ Self-Service Portal

8. Users Interaction with the Self-Service Portal

8.1. Authorization on the Users’ Self-Service Portal

8.2. Enrolling the token Protectimus SMART OTP

1. The user needs to choose the tab Register New Token -> Software Tokens -> Protectimus SMART.

2. After that the user needs to enter the name of the token, set the length of the one-time password, select the lifetime of the one-time password and click on the “Show QR code” button.
   
   To create a token, the user should scan the QR code using the Protectimus SMART OTP application, having previously installed it on their smartphone. The Protectimus Smart OTP app is available for free on Google Play and the App Store.
   
   And to finish the token enrollment, the user must enter the OTP code generated using the Protectimus SMART OTP application.

8.3. Creating a password

1. The user should navigate to the Create Password tab in Self-Service.

2. The user should enter the password identical to their password in user directory.