Installing Trusona for Windows 2FA

This guide details the steps required to install and configure Trusona's Active Directory Agent and Credential Provider.

Updated Oct 6, 2021

• 1. Install Active Directory Certificate Services (ADCS)
  • 1.1. ADCS installation Steps
  • 1.2. ADCS installation walk through
• 2. Configure Active Directory Certificate Services
  • 2.1. ADCS configuration steps
  • 2.2. ADCS configuration walk through
• 3. Configure Active Directory Server Authentication Enrollment Settings
  • 3.1. AD authentication enrollment steps
  • 3.2. AD authentication enrollment walk through
• 4. Server KDC Enrollment
  • 4.1. Server KDC enrollment steps
  • 4.2. Server KDC enrollment walk through
• 5. Agent Service Installation
  • 5.1. Agent install steps
  • 5.2. Agent install walk through
  • 5.3. Agent Status Validation
• 6. Credential Provider Installation
  • 6.1. Manual Installation
  • 6.2. CLI Installation
  • 6.3. Automated Install using Active Directory Group Policy
    • 6.3.1. Prerequisite: Create the policy central store for your domain
    • 6.3.2. Prerequisite: Install and configure the Wait For Network Policy
    • 6.3.3. Install and configure the Trusona Group Policy Template
    • 6.3.4. Deploying the Trusona Credential Provider
    • 6.3.5. Assign the GPO

1. Install Active Directory Certificate Services (ADCS)

1.1. ADCS installation Steps

1. Login as an Enterprise Administrator
2. Open the Server Manager on the Active Directory instance to be used
3. On the right hand side, click on Manage and select Add Roles and Features
4. Next, for installation type, select Role-based or feature-based installation
5. Select the target server from the provided selection
6. Check off Active Directory Certificate Services from the list of available Server Roles
7. Click on Add Features on the screen that pops up
8. Accept the pre-selected values on the features list
9. Click on Next
10. In the list of Role Services, check off Certification Authority and click on Next
11. Check off the option to restart the destination server automatically if required
12. Finally, review previously made selections then click on Install
13. Installation should complete successfully in a short while. When done click on Close

1.2. ADCS installation walk through

Open the Server Manager on the Active Directory instance to be used.

Server manager

On the right hand side, click on Manage and select Add Roles and Features:

Add Roles and Features

Next, for installation type, select Role-based or feature-based installation:

Role-based or feature-based installation

Select the target server from the provided selection:

server pool selection

Check off Active Directory Certificate Services from the list of available Server Roles:

Active Directory Certificate Services

Click on Add Features on the screen that pops up:

Add Features

Accept the pre-selected values on the features list:

Select Features

Click on Next

In the list of Role Services, check off Certification Authority and click on Next

Role Services

Check off the option to restart the destination server automatically if required:

Restart if required

Finally, review previously made selections then click on Install

Installation should complete successfully in a short while. When done click on Close

2. Configure Active Directory Certificate Services

2.1. ADCS configuration steps

1. Inside the Server Manager, click on Manage on the top right menu, and select Configure Active Directory Certificate Services...
2. Provide appropriate credentials as recommended in the details, then click on Next
3. Select Certification Authority, then click on Next
4. Select Enterprise CA, then click on Next
5. Select Root CA, then click on Next
6. For a new installation, select create a new private key, then click on Next. If this is not a new installation, provide a existing private key
7. Keep the default pre-selected values on this screen, then click on Next
8. Make the appropriate changes on this screen by providing correct values for all three fields, then click on Next
9. Specify an appropriate validity period, then click on Next
10. Keep the default values, then click on Next
11. Confirm the previously select values. If you want, you may go back and make changes as necessary, then click on Configure
12. Configuration should complete in a short while. After it is done, click on Close

2.2. ADCS configuration walk through

Inside the Server Manager, click on Manage on the top right menu, and select Configure Active Directory Certificate Services...

Provide appropriate credentials as recommended in the details, then click on Next

Select Certification Authority, then click on Next

Select Enterprise CA, then click on Next

Select Root CA, then click on Next

For a new installation, select create a new private key, then click on Next. If this is not a new installation, provide a existing private key:

Keep the default pre-selected values on this screen, then click on Next

Make the appropriate changes on this screen by providing correct values for all three fields, then click on Next

Specify an appropriate validity period, then click on Next

Keep the default values, then click on Next

Confirm the previously select values. If you want, you may go back and make changes as necessary, then click on Configure

Configuration should complete in a short while. After it is done, click on Close

3. Configure Active Directory Server Authentication Enrollment Settings

3.1. AD authentication enrollment steps

1. From the Start Menu, click on Windows Administrative Tools
2. Double-click on Certification Authority
3. Right click on Certificate Templates and click on Manage
4. On the list of templates, right click on Web Server and click on Duplicate Template
5. The initial tab will be the Compatibility tab. Do not make any changes there.
6. On the General tab, set the Template display name to be exactly TrusonaAgentEnrollment
7. Make sure to check the box next to Publish certificate in Active Directory and check the box next to Do not automatically reenroll if a duplicate certificate exists in Active Directory
8. On the Subject Name tab, select the second radio button and from the Subject name format dropdown, select Common name.
9. Also, uncheck all boxes except for DNS name
10. On the Security tab, click on Add... and type in Domain Computers and then click on OK
11. In the list Group or user names, highlight each row and confirm that they have Read and Enroll permissions. If they do not, enable both.
12. When completed, click on OK
13. Right click on Certificate Templates, navigate to New and then to Certificate Template to Issue
14. Select TrusonaAgentEnrollment and click on OK

3.2. AD authentication enrollment walk through

From the Start Menu, click on Windows Administrative Tools

Double-click on Certification Authority

Right click on Certificate Templates and click on Manage

On the list of templates, right click on Web Server and click on Duplicate Template

The initial tab will be the Compatibility tab. Do not make any changes there.

On the General tab, set the Template display name to be exactly TrusonaAgentEnrollment

Make sure to check the box next to Publish certificate in Active Directory and check the box next to Do not automatically reenroll if a duplicate certificate exists in Active Directory

On the Subject Name tab, select the second radio button and from the Subject name format dropdown, select Common name.

Also, uncheck all boxes except for DNS name. Make sure that the box Include e-mail name in subject name is also unchecked.

On the Security tab, click on Add... and type in Domain Computers and then click on OK

In the list Group or user names, highlight each row and confirm that they have Read and Enroll permissions. If they do not, enable both.

When completed, click on OK

Right click on Certificate Templates, navigate to New and then to Certificate Template to Issue

Select TrusonaAgentEnrollment and click on OK

4. Server KDC Enrollment

4.1. Server KDC enrollment steps

1. From a PowerShell administrative prompt, start the Microsoft Management Console:
2. From the File menu, click on Add/Remove Snap-in...
3. Select Certificates and click on Add
4. On the next selection prompt, choose Computer account and click on next
5. On the next prompt, choose Local computer and click on Finish
   1. We are making the assumption that the computer running the Trusona Agent is the local computer:
6. Expand on Certificates and right click on Personal and follow All Tasks -> Request New Certificate...
7. When loaded, click on Next
8. Select Active Directory Enrollment Policy
9. Click on Enroll after selecting the check boxes for:
   1. Domain Controller
   2. Domain Controller Authentication; and
   3. Kerberos Authentication
10. Wait a couple of seconds and you should have successful enrollment

4.2. Server KDC enrollment walk through

From a PowerShell administrative prompt, start the Microsoft Management Console:

From the File menu, click on Add/Remove Snap-in...

Select Certificates and click on Add

On the next selection prompt, choose Computer account and click on next

On the next prompt, choose Local computer and click on Finish

We are making the assumption that the computer running the Trusona Agent is the local computer:

Expand on Certificates and right click on Personal and follow All Tasks -> Request New Certificate...

When loaded, click on Next

Select Active Directory Enrollment Policy

Click on Enroll after selecting the check boxes for:

1. Domain Controller
2. Domain Controller Authentication; and
3. Kerberos Authentication

Wait a couple of seconds and you should have successful enrollment

5. Agent Service Installation

5.1. Agent install steps

1. Before beginning, make sure you are logged in with local administrative rights.
2. To begin, double-click on the provided installer. You should see this initial screen, and be able to click on Next.
3. Enter the Token as copied from the Trusona Dashboard into the SDK Token field.
4. Enter the Secret as copied from the Trusona Dashboard into the SDK Secret field.
5. Enter the Integration ID as copied from the Trusona Dashboard into the Integration ID field.
6. Certificate Thumbprint field is optional.
7. Click on Install
8. After a short while, it will complete the installation and you should be able to click on Close which will exit you from the installer.
9. After installation, please open firewall port 34182 for TCP IN

5.2. Agent install walk through

First, access your Trusona Dashboard.

Create both SDK Server Credentials and a Windows Integration.

Note the SDK Token, SDK Secret and Integration ID.

Secondly, right-click on the provided installer and click on Run as administrator. You should see this initial screen, and be able to click on Next

Enter the SDK Token that was copied from the Trusona Dashboard.

Enter the SDK Secret that was copied from the Trusona Dashboard.

Enter the Integration ID that was copied from the Trusona Dashboard.

Certificate Thumbprint field is optional, and should only be filled in if you are providing your own SSL certificate to the agent.

Click on Install

After a short while, it will complete the installation and you should be able to click on Close which will exit you from the installer.

5.3. Agent Status Validation

Once the agent is installed, you can visit the URL https://FQDN_Agent_Hostname:34182/configuration to confirm it loads.

Replace FQDN_Agent_Hostname with the correct FQDN of the agent’s host.

6. Credential Provider Installation

6.1. Manual Installation

1. Before beginning, make sure this computer has a TPM and that you are logged in with local administrative rights
2. On the client workstation, run the Trusona Credential Provider Installer
3. When prompted, specify the Fully Qualified Hostname of the server hosting the Agent, and click on Install
4. After installation, please open firewall port 34182 for TCP OUT

6.2. CLI Installation

On an elevated command prompt, type the following command to complete a silent command-line installation:

Example showing 2FA sign-in installation.

6.3. Automated Install using Active Directory Group Policy

The Trusona Credential Provider may be installed and configured using Active Directory Group Policy.

6.3.1. Prerequisite: Create the policy central store for your domain

msiexec.exe /q /i Z:\path\to\trusona-credential-provider-x.y.z.msi ENDPOINT=FQDN_agent_hostname MFAMODE=yes

Be sure to specify the correct path the MSI file.

Be sure to specify the correct FQDN of the hostname where the Trusona Agent is installed.

Set MFAMODE=yes to require password and Trusona at sign-in.

You may wish to create a central policy store if you have multiple domain controllers. For more information, visit How to create and manage the Central Store for Group Policy Administrative Templates in Windows

1. Create a new group policy object which will be used to configure the Trusona Credential Provider

6.3.2. Prerequisite: Install and configure the Wait For Network Policy

1. Copy %WINDIR%\PolicyDefinitions\en-us\Logon.adml to the corresponding location within your central policy store, if not using the default.
2. Copy %WINDIR%\PolicyDefinitions\Logon.admx to the corresponding location within your central policy store, if not using the default.
3. Within the previously created policy object, expand Computer Configuration → Policies → Administrative Templates → Logon and open the setting item Always wait for the network at computer startup and logon
4. Mark the item as Enabled and click OK.

6.3.3. Install and configure the Trusona Group Policy Template

Trusona will provide to you an ADMX template that can be used to remotely configure the Credential Provider.

1. Copy TrusonaAgentPolicy.adml to your GPO policies en-us directory. If you are using a central policy store, this directory is \\<HOST>\SYSVOL\policies\PolicyDefinitions\en-us, otherwise it is %WINDIR%\PolicyDefinitions\en-us
2. Copy TrusonaAgentPolicy.admx to your GPO policies directory. If you are using a central policy store, this directory is \\<HOST>\SYSVOL\policies\PolicyDefinitions, otherwise it is %WINDIR%\PolicyDefinitions
3. Within the previously created policy object, expand Computer Configuration → Policies → Administrative Templates → Trusona and open the setting item Trusona Sign-in Options
4. Mark the item as Enabled provide the FQDN of the server hosting the agent
5. Select Sign-in options Require password and Trusona at sign-in and click OK.

6.3.4. Deploying the Trusona Credential Provider

Once the Credential Provider configuration has been deployed, you can easily distribute the package to your computers silently.

1. Copy the Trusona Credential Provider Installer to an accessible network location
2. Expand Computer Configuration → Policies → Software Settings
3. Right-click Software installation and choose New → Package
4. Select the Trusona Credential Provider Installer MSI from the network location in Step 1
5. When prompted, choose Assign

6.3.5. Assign the GPO

1. Using the Group Policy Management tool, assign the Trusona Group Policy Object to an OU containing the workstations you wish to target for 2FA users.

---