Windows Two Factor Authentication
note
Window two factor authentication is supported via TRASA Windows Credential Provider.
Prerequisite
- User profile in TRASA
- Service profile in TRASA
- TRASA Windows tfa agent installer.
- Windows OS (windows 7 and above)
- visual c++ redestributable (Optional)
Installation
Download TrasaWIN and proceed installation.
caution
Do not reboot or sign out from your computer until you configure the agent. Broken configuration may lock your access to operating system.
After installation and before you close the installer, it is very important to configure agent.
Check on Launch TrasaWIn to configure now checkbox which will launch configuration panel.
Configuration
If you checked on "Launch TrasaWIN to configure now" checkbox, configuration application will open. You will need to input configuration values in required field.
What values goes in input fields?
- ServiceID: Copy from service profile page
- ServiceKey: Copy from service profile page
- TRASA server address: IP or domain of where TRASA server is hosted.
- Offline Users: Usernames which are allowed to login if the agent could not contact TRASA server (eg. network failure)
- Skip TLS verification: Allows to connect to TRASA server if self signed certificate is used at port 443.
In following image, you can see serviceID, serviceKey and TRASA server address entered as per service created earlier. Note TRASA server address "app.trasa.io" always remains same for TRASA SaaS users and can be custom url for self hosted (On-Premise) TRASA users.
Below is example on how configuration would look like.
Once you are ready with required configuration values, click Save Configuration button. It will
- Verify configuration values
- Save it in a file if verification is successful.
Finishing
If your verification was success, you will be prompted for TRASA tfa process in next login.
To check, you can try swithing user (from alt+F4 key).
If your username and password validation was successful, you will be prompted with TRASA TFA prompt.
- You will need to enter your TRASA username or email address.
- On Choose 2FA method, you can leave it empty for push U2F or select TOTP option for TOTP.
FAQ
What happens if agent could not resolve TRASA server?
When user tries to login to windows protected with TRASA TFA agent, agent will contact TRASA server for 2FA verification.
What happens when agent cannot contact TRASA server?
In case that you have a network problem, and the agent cannot resolve TRASA server address, your access will be blocked. To overcome this situation, TRASA allows you to set an emergency access account or offline user.
Offline user account can be any currently being used user account in your windows logon (domain or local account). Do note that the username must be exactly matched to the existing user account.
tip
If the user is local account, but windows is domain joined, you will need to assign full user path in format
local-workgroup-name\username