Directions on enabling MFA using the Microsoft Authenticator

Hi @Ken_H 

To understand your question correctly, do you want to:

• Generate a pin with the app, which then can be entered in the pin field / behind the password, or
• Only enter username and password resulting in an authorization request in the app which only needs to be approved in order to proceed with the login?

Hello @Jos Meijer,

The second option (enter username/password, approve authorization request in the app) is the one I’m more familiar with but the first option (enter username / password then pin from the app) would work.  My CISO has identified the lack of MFA in CommVault as an issue of concern and doesn’t really care which option we use to solve it so either option should be acceptable.  I’m looking for some step-by-step documentation as this is new territory for me.

Ken

Hi @Ken_H 

In order to generate a pin with the app (1st option) you can enable MFA using these instructions:

https://documentation.commvault.com/2022e/essential/7893_two_factor_authentication_for_administrators.html

When users log on the first time after enabling the MFA they are presented with a QR code and a Secret Key, this is needed to add the pin to the MS Authenticator app using this instruction:

https://documentation.commvault.com/2022e/essential/126153_adding_commcell_account_to_microsoft_authenticator_app.html

In regard to the 2nd option as where authentication is performed, what authentication method are you using? On-premises AD, Azure AD, ADFS etc.. Do you already have the MFA authentication request via the app enabled for other purposes?

I don’t mean to be rude but your instructions are a hot mess.  I followed them and now I’m authenticating to the Password app on my iPhone instead of the Microsoft authenticator app and there doesn’t seem to be any way to switch it.  The CV documentation just says “scan the QR code” but there’s no way to get back to it.  Turning 2FA off and back on doesn’t reset it - it just goes back to using the Password app. 

I want to switch from the Passwords built-in iPhone app to the Microsoft authenticator.  I’ve run the Microsoft Authenticator on my phone, clicked Add, entered my Microsoft AD account name and now need a secret key.  I Google and find instructions to change the secret key here:

https://documentation.commvault.com/hitachivantara/v11/essential/136831_resetting_secret_key_for_two_factor_authentication.html

I’m already signed on to Command Center on the CommServer host > navigate to Manage > Security > Users.  The directions from the above link say:

In the row for the user that you want to reset the secret key for, click the action button , and then click Reset secret key.

but when I do that I get “No actions”.  

To be clear, it’s not just my account that is missing the “Reset secret key” option, none of the accounts show that as an option.  

Ticket 221012-607 create to get MFA configured.

Sorry that you experienced the instructions to be a hot mess, but 1. These aren't my instructions, I don't work for Commvault. And 2. I have no issues managing the MFA. Also confused how you ended up with your iPhone password app, as I clearly exchanged information regarding the MS Authenticator App. If there is confusion just ask for additional help before acting, we are happy to assist.

To correct your situation you can reset the secret key using the commandline:

qoperation execscript -sn QS_DeleteTFASecretForUser -si @user='userName'

Don't forget to login first using command: qlogin. Token needs to be entered directly after the password, there is no seperate entry for it.

Source: https://documentation.commvault.com/2022e/essential/7913_reissuing_secret_key_for_two_factor_authentication_administrator.html

Log out and log in again, then register the key/QR code in the app you want to use.

My apologies @Jos Meijer, I had the impression that you were CV staff. 

I got to this point by following the first link which discusses enabling MFA and scanning the QR code which I did but which ended up registering in the iOS Passwords app.  When I went to the second link about registering in Microsoft Authenticator, the QR code was gone and there’s no way to get it back.  Attempts to use the Command Center to reset the secret code don’t succeed because the “Reset secret key” option doesn’t appear.  Sadly the command line option also fails and gives:

qoperation execscript -sn QS_DeleteTFASecretForUser -si @user='APACORP\a-khemmerling'

execscript: Error 0x139: Token Validation failed with error [313]: [Token Invalid/Expired. Relogin Required]

As mentioned earlier, I am working with CommVault support to try and get this configured.

Ken

No worries 👍 I take it as a compliment you thought I was CV staff 🙂

Okidoki, hopefully you get this sorted out quickly 👍

Thanks for the detailed steps!

a question here, 

in order to use MS authenticator or google authenticator, CS must have an internet access? 

My servers have a connection to the internet so it seems likely that a connection is required.

Hey @Jos Meijer @Ken_H  I know this is a fairly old thread by I wanted to ask if the second option here is really available within the CV Configuration? Do I have the ability to actually not use the PIN with MS Authentication, but instead request have an authorization request "Allow/Deny" sort of message in the MS App? I would much rather have that then typing a PIN. Maybe @Anand @Divya Trivedi  you know the answer to this?

@dude that is possible but not with the Commvault implementation as that one is based on OTP. For that you would have to move to MFA solutions like OKTA. 

@Onno van den Berg Thanks