Solved

Directions on enabling MFA using the Microsoft Authenticator


Userlevel 4
Badge +15

Currently my CommVault is using AD authentication which requires me to enter the same password I use when connecting to any server.  I’ve been asked to implement MFA using the Microsoft Authenticator as the second factor but the documentation is spread across several pages.  Is there a single step-by-step document that shows how to set up MFA with the Microsoft authenticator?  Do I have to disable SSO and the link to AD to get the Authenticator to work?

Ken

Best answer by Ken_H 21 October 2022, 22:57

16 replies

Userlevel 7
Badge +17

Hi @Ken_H 

To understand your question correctly, do you want to:

  • Generate a pin with the app, which then can be entered in the pin field / behind the password, or
  • Only enter username and password resulting in an authorization request in the app which only needs to be approved in order to proceed with the login?
Userlevel 4
Badge +15

Hello @Jos Meijer,

The second option (enter username/password, approve authorization request in the app) is the one I’m more familiar with but the first option (enter username / password then pin from the app) would work.  My CISO has identified the lack of MFA in CommVault as an issue of concern and doesn’t really care which option we use to solve it so either option should be acceptable.  I’m looking for some step-by-step documentation as this is new territory for me.

Ken

Userlevel 7
Badge +17

Hi @Ken_H 

In order to generate a pin with the app (1st option) you can enable MFA using these instructions:

https://documentation.commvault.com/2022e/essential/7893_two_factor_authentication_for_administrators.html

When users log on the first time after enabling the MFA they are presented with a QR code and a Secret Key, this is needed to add the pin to the MS Authenticator app using this instruction:

https://documentation.commvault.com/2022e/essential/126153_adding_commcell_account_to_microsoft_authenticator_app.html

In regard to the 2nd option as where authentication is performed, what authentication method are you using? On-premises AD, Azure AD, ADFS etc.. Do you already have the MFA authentication request via the app enabled for other purposes?

Userlevel 4
Badge +15

I don’t mean to be rude but your instructions are a hot mess.  I followed them and now I’m authenticating to the Password app on my iPhone instead of the Microsoft authenticator app and there doesn’t seem to be any way to switch it.  The CV documentation just says “scan the QR code” but there’s no way to get back to it.  Turning 2FA off and back on doesn’t reset it - it just goes back to using the Password app. 

Userlevel 4
Badge +15

I want to switch from the Passwords built-in iPhone app to the Microsoft authenticator.  I’ve run the Microsoft Authenticator on my phone, clicked Add, entered my Microsoft AD account name and now need a secret key.  I Google and find instructions to change the secret key here:

https://documentation.commvault.com/hitachivantara/v11/essential/136831_resetting_secret_key_for_two_factor_authentication.html

I’m already signed on to Command Center on the CommServer host > navigate to Manage > Security > Users.  The directions from the above link say:

In the row for the user that you want to reset the secret key for, click the action button, and then click Reset secret key.

but when I do that I get “No actions”.  

To be clear, it’s not just my account that is missing the “Reset secret key” option, none of the accounts show that as an option.  

Userlevel 4
Badge +15

Ticket 221012-607 created to get MFA configured.

Userlevel 7
Badge +17

Sorry that you experienced the instructions to be a hot mess, but 1. These aren't my instructions, I don't work for Commvault. And 2. I have no issues managing the MFA. Also confused how you ended up with your iPhone password app, as I clearly exchanged information regarding the MS Authenticator App. If there is confusion just ask for additional help before acting, we are happy to assist.

To correct your situation you can reset the secret key using the command line:

qoperation execscript -sn QS_DeleteTFASecretForUser -si @user='userName'

Don't forget to log in first using the command: qlogin. The token needs to be entered directly after the password; there is no separate entry for it.

Source: https://documentation.commvault.com/2022e/essential/7913_reissuing_secret_key_for_two_factor_authentication_administrator.html

Log out and log in again, then register the key/QR code in the app you want to use.

Userlevel 4
Badge +15

My apologies @Jos Meijer, I had the impression that you were CV staff. 

I got to this point by following the first link which discusses enabling MFA and scanning the QR code which I did but which ended up registering in the iOS Passwords app.  When I went to the second link about registering in Microsoft Authenticator, the QR code was gone and there’s no way to get it back.  Attempts to use the Command Center to reset the secret code don’t succeed because the “Reset secret key” option doesn’t appear.  Sadly the command line option also fails and gives:

qoperation execscript -sn QS_DeleteTFASecretForUser -si @user='APACORP\a-khemmerling'

execscript: Error 0x139: Token Validation failed with error [313]: [Token Invalid/Expired. Relogin Required]

As mentioned earlier, I am working with CommVault support to try and get this configured.

Ken

Userlevel 7
Badge +17

No worries 👍 I take it as a compliment you thought I was CV staff 🙂

Okidoki, hopefully you get this sorted out quickly 👍

Userlevel 4
Badge +15

This is a bit convoluted and I’ve had to reset the “secret key” for every user so far in order to get them to work but here are my steps:

Turn on MFA authentication

  1. Sign on to the Command Center and navigate to Manage > CommCell
  2. In the General section, enable two factor authentication

Configure the Microsoft Authenticator app on the mobile device

  1. On your phone, open the Microsoft authenticator app and click the + sign in the upper right corner.
  2. Select Other account (Google, Facebook, etc.)
  3. On your computer, attempt to log into the Command Center.  If you are prompted with a QR code, proceed to step 4.  If you are not presented with a QR code, do the following steps to reset the secret key by using the instructions from https://documentation.commvault.com/hitachivantara/v11/essential/7913_reissuing_secret_key_for_two_factor_authentication_administrator.html.
    1. Sign on to the CommServer
    2. The CommVault directions say: “From the command prompt, navigate to software_installation_directory/Base” but there may be more than one software_installation_directory and there’s no way to tell which one you need as the qlogin command runs without error in either location but is actually effective in only one place. 
    3. Run: qlogin and log in using an administrator account
    4. Run: qoperation execscript -sn QS_DeleteTFASecretForUser -si @user='userName'
    5. Have the user close the browser used to log into Command Center, reopen the browser, and reattempt the login to see if they are presented with a QR code.  If they are not presented with a code, repeat the above steps but run the qlogin command from a different installation_directory.
  4. Once the user has the QR code screen, return to the mobile device running the Microsoft authenticator.  They can attempt to scan the QR code but it probably won’t work.  Instead, they need to enter the account and key information manually.

Testing the Command Center login

  1. Once the Authenticator app is configured, click return on the Command Center login and complete a login using the code from their phone as the PIN.

Testing the Java GUI

  1. Run the java GUI, cancel the SSO, change the login account as appropriate
  2. In the password field enter the password with the six digit PIN from the authenticator app appended to the end.
Userlevel 7
Badge +23

Thanks for the detailed steps!

Userlevel 1
Badge +9

A question here:

In order to use MS Authenticator or Google Authenticator, must the CS have internet access?

Userlevel 4
Badge +15

> A question here:
>
> In order to use MS Authenticator or Google Authenticator, must the CS have internet access?

My servers have a connection to the internet so it seems likely that a connection is required.

Badge +15

> Hi @Ken_H
>
> To understand your question correctly, do you want to:
>
>   • Generate a pin with the app, which then can be entered in the pin field / behind the password, or
>   • Only enter username and password resulting in an authorization request in the app which only needs to be approved in order to proceed with the login?

Hey @Jos Meijer @Ken_H, I know this is a fairly old thread but I wanted to ask if the second option here is really available within the CV Configuration? Do I have the ability to actually not use the PIN with MS Authentication, but instead have an authorization request "Allow/Deny" sort of message in the MS App? I would much rather have that than typing a PIN. Maybe @Anand @Divya Trivedi you know the answer to this?

Userlevel 7
Badge +19

@dude that is possible but not with the Commvault implementation as that one is based on OTP. For that you would have to move to MFA solutions like OKTA. 

Badge +15

@Onno van den Berg Thanks
