This document is intended to provide technical guidance on how to deploy Multi-Factor Authentication (MFA) with Google reCAPTCHA v2 and LDAP using Kemp LoadMaster in front of Microsoft Exchange backend application server(s). It leverages the standard functionality of the Kemp Edge Security Pack (ESP).
This blog focuses on integration with Google Authenticator (reCAPTCHA v2) and access credentials (username / password) checked against an LDAP server using the LDAP protocol.
More information on a Google reCAPTCHA v2 account is available here.

High Level Overview
In the architecture above you can see a diagram of the components involved in this flow. These are described as follows:
1. The client connects to their Exchange server. This connection is terminated on the Kemp LoadMaster. The Kemp LoadMaster Edge Security Pack (ESP) is configured to redirect the client to the Kemp authentication form.
2. The Kemp LoadMaster presents an authentication form asking the user to confirm the reCAPTCHA.
3. The user confirms the reCAPTCHA and the Kemp LoadMaster proxies the input challenge to Google for verification.
4. Once verification succeeds, the user is directed to input their access credentials (username / password). Note: The Log On button only becomes available at this point; it was not available in step 2.
5. The Kemp LoadMaster proxies the access credentials to the LDAP server. The LDAP server validates the user's access credentials (username / password).
6. In the successful case, the LDAP server responds with a “Bind Success” response.
7. The Kemp LoadMaster forwards the request to the Exchange Server by POSTing the client's credentials.
Note: The reCAPTCHA verification times out, after which it will have to be confirmed again.
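To make the ordering of the steps above concrete, here is an added Python sketch of the gate they describe; it is illustration, not LoadMaster or ESP code. The siteverify URL is Google's real endpoint, but the HTTP POST and the LDAP bind are constructed stand-ins so the sketch runs offline, and the 120-second expiry window is an assumed value since the post gives none.

```python
import json
from dataclasses import dataclass
from typing import Callable, Optional

# Google's real reCAPTCHA v2 verification endpoint; never called here, the POST
# is injected so the sketch runs offline.
SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
CAPTCHA_TTL_SECONDS = 120.0  # assumed expiry window; the post gives no value
SITE_SECRET = "<reCAPTCHA-site-secret-placeholder>"

def parse_siteverify(body: str) -> bool:
    """Google answers JSON; only an explicit boolean "success": true counts."""
    return json.loads(body).get("success") is True

@dataclass
class EspSession:
    """Per-client state kept between the CAPTCHA step and the Log On step."""
    captcha_ok_at: Optional[float] = None

    def captcha_valid(self, now: float) -> bool:
        """True while a successful CAPTCHA result is still inside its TTL."""
        return (self.captcha_ok_at is not None
                and now - self.captcha_ok_at < CAPTCHA_TTL_SECONDS)

def verify_captcha(sess: EspSession, token: str,
                   post: Callable[[str, dict], str], now: float) -> bool:
    """Step 3: proxy the client's challenge token to Google; unlock Log On on success."""
    body = post(SITEVERIFY_URL, {"secret": SITE_SECRET, "response": token})
    ok = parse_siteverify(body)
    if ok:
        sess.captcha_ok_at = now
    return ok

def log_on(sess: EspSession, username: str, password: str,
           ldap_bind: Callable[[str, str], bool], now: float) -> str:
    """Steps 4-7: refuse credentials until a live CAPTCHA result exists, then bind."""
    if not sess.captcha_valid(now):
        return "captcha_required"      # Log On not yet available, or CAPTCHA timed out
    if not ldap_bind(username, password):
        return "bind_failed"           # LDAP did not return Bind Success
    return "forward_to_exchange"       # step 7: credentials are POSTed on to Exchange

# Constructed stand-ins for Google and the LDAP server (test data, not real services).
def fake_siteverify_post(url: str, params: dict) -> str:
    return json.dumps({"success": params["response"] == "good-token"})

def fake_ldap_bind(username: str, password: str) -> bool:
    return (username, password) == ("alice", "correct horse")
```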
Configuration Requirements

This section outlines the configuration requirements to enable this functionality:
LDAP server (with LDAP connectivity to Kemp Technologies LoadMaster)