Getting Started with MFA for Windows Server/Desktop

1. Pre-Requisites

Before deploying the RCDevs platform (WebADM) with Active Directory integration, a Domain Administrator must complete the following steps:

1.1 Create a Service Account for WebADM

1.2 Create a Dedicated AD Container

  • Create a container or Organizational Unit (e.g., CN=WebADM) in AD.
  • This container/OU will hold objects managed by WebADM such as apps, service configs, policies, and related data.

1.3 Designate a WebADM Administrator

  • Create or assign a user or group to act as the WebADM admin (distinct from the service account).
  • Grant this user/group full control over the AD container created in step 1.2.
  • Optional: To allow this user/group to manage authenticators (e.g., register tokens, reset OTPs) via WebADM GUI, apply the same ACLs as the service account.

2. Deploy & Setup

2.1 Deploy the WebADM Platform

  • Choose your preferred deployment method: RPM, Docker, VM image, Debian package, or generic Linux installer.
  • Download options: RCDevs Downloads

2.2 Run the Setup Wizard

  • Launch interactive setup: /opt/webadm/bin/setup
  • A Freeware/Trial license will be generated automatically.
  • Select the "Active Directory without schema extension" template (option 4).
  • Enter the service account credentials created in the pre-requisites.
  • Accept default settings unless customization is required.

2.3 Access the Admin GUI

  • Log in as the WebADM administrator (AD administrator):
    • URL: https://<webadm-host>
    • Login format (first login): CN=Administrator,CN=Users,DC=rcdevsdocs,DC=com
  • Finalize the setup if prompted.

3. Enable & Configure MFA

3.1 Enable MFA Service (OpenOTP)

  • Go to: Applications > Add New Application > MFA Authentication Server (OpenOTP)
  • Click Install & Register
  • Configure:
    • Navigate to the "OTP Token Features" section
    • Enable Self Registration Links

3.2 Enable MFA Self-Enrolment (User Self-Registration)

  • Go to: Applications > Add New Application > User Self-Registration
  • Click Install & Register

Note that the MFA Self-Enrolment app may already be enabled on your WebADM. Some of the WebADM packages ship it pre-installed.

3.3 License Attribution

  • Click on your test user account in the left LDAP tree, then click Activate User, followed by Proceed, and finally Extend Object. Note that Extend Object does not extend the schema; it adds standard schema attributes to that user account, in which WebADM will store information about the user's licensed state and MFA tokens.

The platform and MFA services are now ready.

4. Enable MFA on Windows

4.1 Connect Windows System to OpenOTP

  • Deploy the RCDevs RDP MFA plugin (Credential Provider) on your Windows desktops/servers.
  • Follow the plugin installation guide.
  • At the first step of the installation, do not install the Credential Provider Filter, which enforces the OpenOTP Credential Provider as the default provider. This will allow you to select the Microsoft Credential Provider in case of any issues, enabling you to log back into your Windows machine even if the MFA setup fails. Note that the OpenOTP Credential Provider is not involved in RDP authentication when the Credential Provider Filter is not installed.
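
Because the presence or absence of the Credential Provider Filter decides whether the Microsoft Credential Provider stays selectable, it is worth confirming which state a machine is actually in after installation. The following is an added example, not RCDevs code: it lists what is registered under the standard Windows credential provider registry keys. The `$NamePattern` value is an assumption about the plugin's display name; adjust it to the name shown in your own output.

```powershell
# Added example: audit registered credential providers and filters on this machine.
# $NamePattern is an assumption, not a value taken from the RCDevs documentation.
$NamePattern = '*OpenOTP*'
$Base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication'

function Get-CredentialProviderEntry {
    param([Parameter(Mandatory)][string]$SubKey)

    $path = Join-Path $Base $SubKey
    if (-not (Test-Path $path)) { return }

    # Each subkey is a CLSID; its default value holds the display name.
    Get-ChildItem -Path $path | ForEach-Object {
        [pscustomobject]@{
            Kind  = $SubKey
            Clsid = $_.PSChildName
            Name  = [string]$_.GetValue('')
        }
    }
}

$entries = @(Get-CredentialProviderEntry 'Credential Providers') +
           @(Get-CredentialProviderEntry 'Credential Provider Filters')

# Full inventory, so unexpected providers or filters are visible too.
$entries | Sort-Object Kind, Name | Format-Table -AutoSize

$provider = $entries | Where-Object {
    $_.Kind -eq 'Credential Providers' -and $_.Name -like $NamePattern
}
$filter = $entries | Where-Object {
    $_.Kind -eq 'Credential Provider Filters' -and $_.Name -like $NamePattern
}

if (-not $provider) {
    Write-Warning "No credential provider matching '$NamePattern' is registered."
}
elseif ($filter) {
    Write-Output 'Filter registered: the MFA provider is enforced as the default provider.'
}
else {
    Write-Output 'Filter not registered: the Microsoft Credential Provider remains selectable (fallback mode).'
}
```

Run it from an elevated PowerShell session on the Windows machine where the plugin was installed.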

4.2 Test Login

To trigger MFA gating, lock your open Windows session, then try unlocking it. You'll see Sign-in options. Click it, then the RCDevs icon, and you'll be on the MFA-gated path protected by the OpenOTP Credential Provider.

On first login, you'll be prompted to enroll a token to your account.

Clicking the enroll token option will, by default, open a choice of token methods to enrol. For production, you'll probably want a better UX with fewer choices; in the User Self-Registration app settings you can narrow down the choices to just a QRCode or FIDO2 prompt if needed.

If you encounter an error during the enrolment or login, check the logs from the WebADM GUI: Go to LogFile > WebADM Server log and refer to our troubleshooting documentation to resolve the issue.

5. Additional Resources

Refer to the following resources for more information about RCDevs solutions: