This document is intended to provide technical guidance on how to deploy Multi-Factor Authentication (MFA) with Google reCAPTCHA v2 and LDAP using Kemp LoadMaster in front of Microsoft Exchange backend application server(s). It leverages the standard functionality of the Kemp Edge Security Pack (ESP).
This blog focuses on integration with Google Authenticator (reCAPTCHA v2) and on verifying access credentials (username / password) against an LDAP server using the LDAP protocol.
More information on a Google reCAPTCHA v2 account is available here.

High Level Overview
In the architecture above you can see a diagram of the components involved in this flow. These are described as follows:
- Client connects to their Exchange server. This is terminated on the Kemp LoadMaster. The Kemp LoadMaster Edge Security Pack (ESP) is configured to redirect the client to the Kemp authentication form.
- The Kemp LoadMaster presents an authentication form asking the user to confirm the reCAPTCHA.
- The user confirms the reCAPTCHA and the Kemp LoadMaster proxies the input challenge to Google for verification.
- Once successful, the user is directed to input their access credentials (username / password). Note: The Log On button is only available now and was not available in step 2.
- The Kemp LoadMaster proxies the access credentials to the LDAP server. The LDAP server validates the user's access credentials (username / password).
- In the successful case, the LDAP server responds with a “Bind Success” response.
- The Kemp LoadMaster forwards the request to the Exchange Server by POSTing the client's credentials.
Note: The reCAPTCHA verification times out, after which the user will have to confirm the reCAPTCHA again before logging on.
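As an added illustration of the sequence above (this is not Kemp's code and not how the LoadMaster implements ESP internally), the following Python model enforces the ordering the flow relies on: the reCAPTCHA token is checked against Google's siteverify reply first, and the Log On credentials are only passed to the LDAP bind while a fresh CAPTCHA verification exists. The two-minute window, the siteverify reply contents, the bind DN and the `post` / `ldap_bind` callables are assumptions for offline use.

```python
"""Offline model of the ESP login sequence: CAPTCHA first, then LDAP bind.
The HTTP POST to Google and the LDAP bind are injected as callables so the
module runs without network access; replace them with real clients to use it."""
import json
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"  # Google's verify endpoint
CAPTCHA_MAX_AGE = timedelta(minutes=2)  # assumed re-verification window for a solved CAPTCHA


def check_siteverify(body: str, expected_host: str, now: datetime) -> str:
    """Evaluate a siteverify JSON reply; return 'ok' or a rejection reason."""
    reply = json.loads(body)  # fields: success, challenge_ts, hostname, error-codes
    if not reply.get("success"):
        return "captcha-failed:" + ",".join(reply.get("error-codes", []))
    if reply.get("hostname") != expected_host:  # token was solved on a different site
        return "captcha-hostname-mismatch"
    solved = datetime.fromisoformat(reply["challenge_ts"].replace("Z", "+00:00"))
    if now - solved > CAPTCHA_MAX_AGE:
        return "captcha-expired"
    return "ok"


class EspSession:
    """One client's progress through the form: reCAPTCHA, then credentials."""

    def __init__(self, secret: str, host: str,
                 post: Callable[[str, dict], str], ldap_bind: Callable[[str, str], bool]):
        self.secret, self.host, self.post, self.ldap_bind = secret, host, post, ldap_bind
        self.captcha_ok_at: Optional[datetime] = None

    def submit_captcha(self, token: str, client_ip: str, now: datetime) -> str:
        """Step 3: proxy the g-recaptcha-response token to Google for verification."""
        body = self.post(SITEVERIFY_URL,
                         {"secret": self.secret, "response": token, "remoteip": client_ip})
        verdict = check_siteverify(body, self.host, now)
        self.captcha_ok_at = now if verdict == "ok" else None
        return verdict

    def submit_credentials(self, user_dn: str, password: str, now: datetime) -> str:
        """Steps 4-6: Log On is only honoured while the CAPTCHA verification is fresh."""
        if self.captcha_ok_at is None or now - self.captcha_ok_at > CAPTCHA_MAX_AGE:
            self.captcha_ok_at = None
            return "captcha-required"  # timed out: the reCAPTCHA must be confirmed again
        if not password or not self.ldap_bind(user_dn, password):
            return "bind-failed"  # an empty password would be an unauthenticated LDAP bind
        return "bind-success"
```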
Configuration Requirements

This section outlines the configuration requirements to enable this functionality:
- LDAP server (with LDAP connectivity to Kemp Technologies LoadMaster)
- Google Captcha account, available here
- Microsoft Exchange backend with OWA configured for “Forms Based”
- Kemp LoadMaster with Enterprise / Enterprise Plus subscription (or Trial license)
- Kemp firmware release v7.2.49 (or greater)
Kemp LoadMaster Configuration

This section outlines the Kemp LoadMaster configuration that is required to support this:
- To configure the LDAP endpoint, go to Virtual Services > Manage SSO > New SSO
- Enter the details of the LDAP server
- To configure the Virtual Service, go to Virtual Service > ESP Options
- Enter the details of the reCAPTCHA and set the SSO Image Set to ‘Exchange’. Note: the ‘Enable Captcha’ tickbox must be selected.