Getting Started with MFA for Windows Server/Desktop

1. Pre-Requisites

Before deploying the RCDevs platform (WebADM) with Active Directory integration, a Domain Administrator must complete the following steps:

1.1 Create a Service Account for WebADM

• This should be a dedicated AD user account used only by WebADM.
• Assign the minimum required ACLs as described in the RCDevs documentation:
  • AD ACLs for non-extended schema
  • User activation & licensing ACLs

1.2 Create a Dedicated AD Container

• Create an Organizational Unit (e.g., OU=WebADM) in AD.
• This container will hold objects managed by WebADM such as apps, service configs, policies, and related data.

1.3 Designate a WebADM Administrator

• Create or assign a user or group to act as the WebADM admin (distinct from the service account).
• Grant this user/group full control over the AD container created in step 1.2.
• Optional: To allow this user/group to manage authenticators (e.g., register tokens, reset OTPs) via WebADM GUI, apply the same ACLs as the service account.

2. Deploy & Setup

2.1 Deploy the WebADM Platform

• Choose your preferred deployment method: RPM, Docker, VM image, Debian package, or generic Linux installer.
• Download options: RCDevs Downloads

2.2 Run the Setup Wizard

• Launch setup: /opt/webadm/bin/setup
• A Freeware/Trial license will be generated automatically.
• Select the "Active Directory without schema extension" template (option 4).
• Enter the service account credentials created in the pre-requisites.
• Accept default settings unless customization is required.

2.3 Access the Admin GUI

• Log in as the WebADM administrator:
  • URL: https://<webadm-host>
  • Login format (first login): CN=Administrator,CN=Users,DC=rcdevsdocs,DC=com
• Finalize the setup if prompted.

3. Enable & Configure MFA

3.1 Enable MFA Service (OpenOTP)

• Go to: Applications > Add New Application > MFA Authentication Server (OpenOTP)
• Click Install & Register
• Configure:
  • Navigate to the "OTP Token Features" section
  • Enable Self Registration Links

3.2 License Attribution

• Click on your user account in the left LDAP tree, then click Activate User, followed by Proceed, and finally Extend Object. The user is now activated and ready to be used with RCDevs solutions.

3.3 Token Enrollment

3.3.1 Enrollment through Administrator Interface (for testing)

From the user account you just activated, in the Application Actions box, click on MFA Authentication Server > Register/Unregister OTP Tokens.
The first method allows you to register a Software Token using your preferred authenticator application (OpenOTP Token, Google Authenticator, or MS Authenticator).
Scan the QR code with your preferred app, then click the Register button.

3.3.2 Enable Self-Registration MFA Enrollment Service (recommended for production)

• If the platform cannot send emails:
  • Add a MailServer configuration in /opt/webadm/conf/servers.xml
  • Restart the platform:

/opt/webadm/bin/webadm restart

Or, if WebADM has been started with systemd, use:

systemctl restart webadm

Login to the WebADM Administrator portal, then go to: Applications > Add New Application > User Self Registration (SelfReg)

• Click Install & Register
• Configure:
  • Under "Allowed Features," enable Self Registration
  • Choose at least Token 1

✅ The platform and MFA services are now ready.

4. Enable MFA on Windows

4.1 Connect Windows System to OpenOTP

• Deploy the RCDevs RDP MFA plugin (Credential Provider) on your Windows desktops/servers.
• Follow the plugin installation guide.
• At the first step of the installation, do not install the Credential Provider Filter, which enforces the OpenOTP Credential Provider as the default provider. This will allow you to select the Microsoft Credential Provider in case of any issues, enabling you to log back into your Windows machine. Note that the OpenOTP Credential Provider is not involved in RDP authentication when the Credential Provider Filter is not installed.

4.2 Test Login

On your first login, an email link will be sent to self-enroll an MFA authenticator.
Enroll the authenticator, then try logging in to your Windows machine.

You should be prompted to provide your OTP.

If you encounter an authentication error, check the logs from the WebADM GUI: Go to LogFile > WebADM Server log and refer to our troubleshooting documentation to resolve the issue.

5. Additional Resources

Refer to the following resources for more information about RCDevs solutions:

• WebADM Installation Guide
• WebADM Administrator Guide
• OpenOTP Credential Provider for Windows Guide
• Policies & Conditional Access Guide
• Self-Services