How to install the Check Point MFA Adapter (AD FS plugin)
Solution

Table of Contents:

  • Introduction
  • Requirements
  • Download
  • Installation
  • Post Installation
    • Post Installation configuration (Windows Server 2012 R2 with AD FS 3.0 installed)
    • Post Installation configuration (Windows Server 2016 with AD FS 4.0 installed)
  • Uninstall

Introduction

This article describes the step-by-step process of installing the Check Point MFA Adapter on an AD FS server.

Requirements

  • Windows Server 2012 R2 with AD FS 3.0 installed, or Windows Server 2016 with AD FS 4.0 installed
  • .NET Framework 4.5 and above
  • Modern Authentication is enabled in Exchange Online. See the Modern Authentication section below.

Modern Authentication

Modern Authentication is a Microsoft OAuth2-based authentication. It is required by Microsoft in order to use features like Multi-Factor Authentication (MFA) or a SAML-based third-party Identity Provider.

The CloudGuard SaaS MFA Adapter allows Multi-Factor Authentication through CloudGuard SaaS policy; therefore, Microsoft applications need to support Modern Authentication and have it enabled to be compatible with the system.

Please note that some email clients do not support Modern Authentication and therefore will not work after the deployment of the CloudGuard SaaS MFA Adapter. Here is a Microsoft statement about their email clients' support of Modern Authentication. Some known clients that do not support Modern Authentication are the Samsung native email app (Samsung Email) and the MacOS mail app.

In order to check whether this authentication is enabled for your Office 365 account, connect to Exchange Online using PowerShell (see Connect to Exchange Online PowerShell instructions) and check that the Modern authentication flag is enabled. If it is not enabled, follow the instructions to enable it (see Enable or disable modern authentication in Exchange Online instructions). Additionally, for Outlook 2013 clients running on Windows devices, specific registry keys need to be set as described here.
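The check described above, as an added example that is not part of the original article. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account may read the organization configuration; the flag is the `OAuth2ClientProfileEnabled` property of the organization configuration.

```powershell
# Added example: read-only check of the Modern Authentication flag in Exchange Online.
# Assumption: the ExchangeOnlineManagement module is already installed.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline          # interactive sign-in

try {
    $org = Get-OrganizationConfig
    if ($org.OAuth2ClientProfileEnabled) {
        Write-Output "Modern Authentication is enabled for '$($org.Name)'."
    }
    else {
        Write-Warning "Modern Authentication is disabled for '$($org.Name)'."
        # Enabling it is a tenant-wide change. After reviewing client impact, run:
        #   Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
    }
}
finally {
    # Always close the remote session, even if the query fails.
    Disconnect-ExchangeOnline -Confirm:$false
}
```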

In addition, Microsoft instructs users to synchronize the state of Modern Authentication in Exchange Online with Skype for Business Online to prevent multiple login prompts in Skype for Business clients. See Skype for Business Online: Enable your tenant for modern authentication.

Please note that a workaround may be possible using App passwords. See Manage app passwords for two-step verification related Microsoft documentation.

Download

  1. Open the portal: https://portal.checkpoint.com

  2. Enter your credentials.

  3. Navigate to “Identity Protection” and then select “Downloads”.

  4. In the Identity Provider Plugin pane, click on the arrow next to the "Download" button.

  5. Select the Identity Provider Plugin according to your Microsoft Server version and download CheckPointMFAAdapterSetup.msi.

  6. In the Identity Provider Plugin pane, click on Authentication Token.

  7. A modal view will open and a token will be generated.

  8. Copy the token and paste it into the AD FS installation wizard when requested.

Installation

  1. Double-click the CheckPointMFAAdapterSetup.msi file.

  2. Click "Next".
  3. Enter the authorization code you received in the download page, and click "Next". (Note: Use the authorization token code you generated in the Check Point portal. See the Download section.)

  4. Select the destination folder and click "Next".

  5. Click "Next" to confirm installation, and wait for the installation to end.

  6. Click "Close" to finish.

Post Installation

Post Installation configuration (Windows Server 2012 R2 with AD FS 3.0 installed)

  1. Open the AD FS administration tool.

  2. Right-click on the Authentication Policies folder, and select "Edit global multi-factor authentication...".
  3. Check the box "Check Point MFA Adapter" and click "Apply".

  4. Click "OK".
  5. For each relying party on which you want to use the Check Point MFA Adapter, right-click and select "Edit Custom Multi-factor Authentication...". Important Note: Do not configure "Check Point CloudGuard SSO" to use multi-factor "Check Point MFA Adapter" authentication.

  6. Under Locations, select both Intranet and Extranet checkboxes.


  7. Click "OK" to finish.

Post Installation configuration (Windows Server 2016 with AD FS 4.0 installed)

  1. Open the AD FS administration tool.

  2. Click on the Authentication Methods folder and select "Edit Primary Authentication Methods".

  3. Check the box "Check Point MFA Adapter" and click "Apply".

  4. Click "OK".
  5. In the Relying Party Trust folder, for each relying party on which you want to use the Check Point MFA Adapter, right-click and select "Edit Access Control Policy...". Important Note: Do not configure "Check Point CloudGuard SSO" to use multi-factor "Check Point MFA Adapter" authentication.

  6. Right-click and select "Edit Access Control Policy...".


  7. Select "Permit everyone and require MFA".

  8. Click "OK" to finish.
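
A way to verify either post-installation procedure from PowerShell, as an added example that is not part of the original article or Check Point's own tooling. It only reads configuration, and it assumes that the adapter's AdminName and the relying party name match the display names used in this article.

```powershell
# Added example: read-only audit, run in an elevated session on the AD FS server.
# Assumption: the names below are the display names shown in the AD FS console.
Import-Module ADFS
$adapterDisplayName   = 'Check Point MFA Adapter'
$excludedRelyingParty = 'Check Point CloudGuard SSO'   # must not use the adapter

# 1. The installer should have registered the adapter with AD FS.
$adapter = Get-AdfsAuthenticationProvider |
    Where-Object { $_.AdminName -eq $adapterDisplayName }
if (-not $adapter) {
    Write-Warning "'$adapterDisplayName' is not registered with AD FS."
    return
}

# 2. The adapter must be selected as a multi-factor method globally.
$globalPolicy = Get-AdfsGlobalAuthenticationPolicy
if ($globalPolicy.AdditionalAuthenticationProvider -notcontains $adapter.Name) {
    Write-Warning "'$adapterDisplayName' is not enabled in the global policy."
}

# 3. Report which relying parties require MFA.
#    AD FS 3.0 stores this in AdditionalAuthenticationRules; AD FS 4.0 can also
#    express it through an access control policy such as
#    "Permit everyone and require MFA".
$report = Get-AdfsRelyingPartyTrust | ForEach-Object {
    $hasRules  = -not [string]::IsNullOrWhiteSpace($_.AdditionalAuthenticationRules)
    $hasPolicy = $_.AccessControlPolicyName -like '*require MFA*'
    [pscustomobject]@{
        RelyingParty        = $_.Name
        Enabled             = $_.Enabled
        AccessControlPolicy = $_.AccessControlPolicyName
        RequiresMfa         = $hasRules -or $hasPolicy
    }
}
$report | Sort-Object RelyingParty | Format-Table -AutoSize

# 4. The article's important note: this relying party must stay without MFA.
$report |
    Where-Object { $_.RelyingParty -eq $excludedRelyingParty -and $_.RequiresMfa } |
    ForEach-Object { Write-Warning "'$($_.RelyingParty)' requires MFA; remove it." }
```

The report covers per-relying-party settings only; a global rule returned by `Get-AdfsAdditionalAuthenticationRule` applies to every relying party and should be reviewed separately.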

Uninstall

Uninstall (Windows Server 2012 R2)

  1. In the Edit Global Authentication Policy window, under the Multi-factor tab, uncheck "Check Point MFA Adapter". Click "OK".

  2. Click the "Uninstall a program" link from the Control Panel.
  3. Click on the "Check Point MFA Adapter" and choose "Uninstall".
  4. Click "Close" to finish.

Uninstall (Windows Server 2016)

  1. In the Edit Authentication Methods window, under the Multi-factor tab, uncheck "Check Point MFA Adapter". Click "OK".

  2. Click the "Uninstall a program" link from the Control Panel.
  3. Click on the "Check Point MFA Adapter" and choose "Uninstall".
  4. Click "Close" to finish.

Important notes

  • Make sure that "Check Point CloudGuard SSO" is not configured to use multi-factor "Check Point MFA Adapter" authentication.
  • If you encounter an issue, you can disable the plugin by unchecking "Check Point MFA Adapter" from the Edit Global Authentication Policy window. Click "OK" to confirm. 
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
