Install-SecureMfaOtpProvider.ps1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
<#
     .SYNOPSIS
        Installs SecureMFA.com MFA OTP authentication provider for ADFS.
    .DESCRIPTION
        Deployment must be done from elevated PowerShell command window
        If you are using federation server farm that uses Windows Internal Database, you must start installation using the primary federation server of the farm as a MAIN node.
        Installation needs to be executed on ADFS farm server (not web application proxy servers).
 
        Dependencies:
            * System which executes a script must have Microsoft Framework 4.6.1 and above installed.
            * SecureMfaOtpProvider.dll file must be present in script directory.
            * SecureMfaOtpProvider.json configuration file must be present in script directory.
                                     
            Bellow is a sample of valid Json config file with minimal configuration required for installation:
                {
                  "company": "MyCompany",
                  "serialkey": "m00000000",
                  "subscriptionid": "1000000000000000000000001",
                  "sqlserver": "asqlaol1.adatum.labnet,1433",
                  "sqldbname": "SecureMfaOTP",
                  "sqlintegratedsecurity": "true",
                  "sqluseraccount": "",
                  "sqluserpassword": "",
                  "data_encryption": "false",
                  "data_encryption_passphrase": "d9GhT=7=Ox8-+LaZ",
                  "ui_customization": "false",
                  "ui_first_login_text": "",
                  "ui_login_text": "",
                  "ui_allow_qr_display_from_networks": "10.0.0.0/255.0.0.0;172.16.0.0/255.255.0.0;192.168.0.0/255.255.0.0",
                  "ui_login_failures": "0",
                  "ui_lockout_minutes": "5",
                  "totp_customization": "false",
                  "totp_remove_user_prefix": "false",
                  "totp_offline_qr_enable": "true",
                  "totp_offline_qr_algorithm": "SHA1",
                  "totp_offline_qr_period": "30",
                  "totp_api_endpoint": "https://chart.googleapis.com/chart?chs=150x150&cht=qr&chl=otpauth://totp/",
                  "totp_api_otpauth_advanced_params": "&algorithm=SHA1",
                  "totp_image_width_pixels": "150",
                  "totp_image_height_pixels": "150",
                  "auth_mode": "SQL",
                  "verboselog": "false"
                }
 
    .PARAMETER NotMainNode
        NotMainNode parameter is required when you do installation on multiple ADFS nodes (not web application proxy servers).
        This needs to be executed on other adfs servers when installation of a provider is done on the MAIN(First) ADFS node.
 
    .NOTES
        Version: 2.0.0.1
        Author: SecureMfa.com
        Creation Date: 27/07/2020
        Purpose/Change: Changed to subscription licensing model.
   
    .EXAMPLE
        C:\PS> Install-SecureMfaOtpProvider
 
        This command will install OTP authentication provider on the MAIN ADFS node.
 
    .EXAMPLE
        C:\PS> Install-SecureMfaOtpProvider -NotMainNode
          
        This command will install OTP authentication provider on OTHER ADFS node(s).
#>


$dllpath = (Join-Path -Path $PSScriptRoot -ChildPath SecureMfaOtpProvider.dll)
$dllversion = [System.Diagnostics.FileVersionInfo]::GetVersionInfo("$dllpath").FileVersion
$configpath = (Join-Path -Path $PSScriptRoot -ChildPath SecureMfaOtpProvider.json)

Write-Host "File: $dllpath"
Write-Host "Version: $dllversion"
Write-Host "Configuration: $configpath"

#Check if windows events source for application log exist, if not create one.
if ([System.Diagnostics.EventLog]::SourceExists("Secure MFA OTP") -eq $False) {New-EventLog -LogName "Application" -Source "Secure MFA OTP" ; Write-Host "Secure MFA OTP Log Source Created."}

#Check if ADFS service is available
if((Get-Service adfssrv -ErrorAction SilentlyContinue).Status -eq "Stopped") {Start-Service adfssrv ; write-host "Starting ADFS Service on $env:COMPUTERNAME" -ForegroundColor Yellow;}

#Load GAC Assembly
Set-location $PSScriptRoot            
[System.Reflection.Assembly]::Load("System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a") 
$publish = New-Object System.EnterpriseServices.Internal.Publish

Function Install-SecureMfaOtpProvider {
Param
(
    [Parameter(Mandatory=$false, ParameterSetName="Default")]
    [Switch]$NotMainNode
)

    #OTHER nodes install
    if ($NotMainNode) {  

    try
    {
        $Error.Clear()
        if (!(Test-Path $dllpath -Type Leaf) ) { throw "The assembly $dllpath does not exist" }

        write-host "Installing SecureMfaOtpProvider on the OTHER node" -ForegroundColor Cyan

        #Remove SecureMfaOtpProvider DLL from GAC assembly
        $publish.GacRemove($dllpath)       

        #Add SecureMfaOtpProvider DLL to GAC assembly
        $publish.GacInstall($dllpath)     

        #Restart ADFS service
        write-host "Restarting adfssrv service." -ForegroundColor Green
        Stop-Service adfssrv
        Start-Service adfssrv

    }
    catch
    {
        Write-Host "$($MyInvocation.InvocationName): $_" -ForegroundColor red
    }
    }

    #MAIN nodes install
    else {

    try
    {
        $Error.Clear()
        if (!(Test-Path $dllpath -Type Leaf) ) { throw "The assembly $dllpath does not exist" }               

        write-host "Installing SecureMfaOtpProvider on the MAIN node using configuration $configpath" -ForegroundColor Cyan
        #Remove additional authentication providers from ADFS global policy and unregister SecureMfaOtpProvider
        write-host "Removing additional authentication providers from ADFS global policy and unregistering SecureMfaOtpProvider." -ForegroundColor Green
        Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider ""
        unregister-AdfsAuthenticationProvider -Name �SecureMfaOtpProvider� -Confirm:$false

        #Restart ADFS service
        write-host "Restarting adfssrv service." -ForegroundColor Green
        Stop-Service adfssrv
        Start-Service adfssrv
    
        write-host "Installing SecureMfaOtpProvider..." -ForegroundColor Green

        #Remove SecureMfaOtpProvider DLL from GAC assembly
        Write-Host "Removing SecureMfaEmailOtpProvider $dllpath" -ForegroundColor yellow;
        $publish.GacRemove($dllpath)       

        #Add SecureMfaOtpProvider DLL to GAC assembly
        Write-Host "Adding SecureMfaEmailOtpProvider $dllpath" -ForegroundColor Green;        
        $publish.GacInstall($dllpath)     

        #Register SecureMfaOtpProvider addapter
        $typeName = �SecureMfaOtpProvider.AuthenticationAdapter, SecureMfaOtpProvider, Version=$dllversion, Culture=neutral, PublicKeyToken=f818a38c51378814, processorArchitecture=MSIL�
        Register-AdfsAuthenticationProvider -TypeName $typeName -Name �SecureMfaOtpProvider� -ConfigurationFilePath $configpath

        #ADFS 2019 requires update to http security headers to allow display of images for QR code to be display from external source.
        #You can update allows source with exact URL instated of any location (*).
        if (Get-Command "Get-AdfsFarmInformation" -errorAction SilentlyContinue) 
        {
        if ((Get-AdfsFarmInformation).CurrentFarmBehavior -ge 4) 
            {
            Set-AdfsResponseHeaders -SetHeaderName "Content-Security-Policy" -SetHeaderValue "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src * data:;" ;
            (get-AdfsResponseHeaders).ResponseHeaders | fl ;
            }
        }

        #Restart ADFS service
        write-host "Restarting adfssrv service." -ForegroundColor Green
        Stop-Service adfssrv
        Start-Service adfssrv

        #Add SecureMfaOtpProvider as additional authentication provider in ADFS
        write-host "Setting SecureMfaOtpProvider as additional authentication provider in global authentication policy." -ForegroundColor Green
        Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider "SecureMfaOtpProvider"     
    
    }
    catch
    {
        Write-Host "$($MyInvocation.InvocationName): $_" -ForegroundColor red
    }
    }

    #List all authentication providers
    Get-AdfsAuthenticationProvider | select name

}