Kaseya Community

Alternative Multi-Factor Authentication for VSA access

This question has suggested answer(s)

Has anybody had any luck using an alternative vendor (such as the Azure MFA) to gain access to the Kaseya VSA?

My current organisation relies on the MFA token elsewhere and we'd like to use it for the VSA but it seems that it doesn't want to play ball.

I've used AuthAnvil previously and it certainly does what it is supposed to but the new pricing structure is out of reach for us as we only need MFA for a half dozen or so engineers. We don't need, nor do we want to pay for access to, the full-blown add-in interface with windows client authentication for logging onto the OS etc.

Cheers.

Phil.



Clarification
[edited by: Phil G at 5:57 AM (GMT -7) on Aug 19, 2015]
All Replies
  • Hi Phil,

    I'm sorry that you feel like our new pricing model is out of reach for you. I'll certainly bring your point up with the leadership team. And, while I can't comment on third-party solutions, if there's anything else on your mind that's AuthAnvil-related, I'd be happy to listen.

    -Mike

  • As fas as I know Kaseya really doesnt support any standard external authentication methods so there is little luck to get any 3rd party MFA work.

  • That is true. I got a quote for AuthAnvil from kaseya and it is way expensive if want to use it for 10 users. With extreme pressure from my team we have started laying off add-on like KAV, KES, BUDR etc and rather switch to vendors directly which is way less expensive. Though there is an addition console we need to manage but that is what we system admins are here for. Wish Kaseya listen to all above remarks and try to bring down there price.

  • I'm in the same boat at Rajeev, we only have 10 users but we want our VSA secured. Please could you make Auth Anvil price effective for companies our size who want to protect their VSA from all the security hacks around at the moment????

  • I am using AuthAnvil to secure access to VSA for Admins and am pretty much ignoring all the other options that come with it.

    Shame there does not appear to be any integration options with the likes of MS Authenticator.

    or MS Azure.

  • Just as a heads up, I am currently using Kaseya VSA integrated with our AzureAD tenant which includes MFA. There are a couple of tricks to it, basically you have to put in some dummy data into VSA to make it think it has AuthAnvil. The same applies to BMS as well, that ultimately you have to tell it you have AuthAnvil so that it breaks authentication directly, and you must always auth to AzureAD first then you can pass through to VSA/BMS. But once you add the shortcuts to your 365 tenant, it just works. I login to my Office 365 portal, go through my 2FA/MFA check, click VSA or BMS and am passed through. If I use try accessing either BMS or VSA directly it will refuse to log me in.

    So it is possible to do, and in theory should be compatible with just about any 3rd party authentication system using SAML. BUT the problem is that their support, and their documentation are heavily geared towards AuthAnvil. Which is a shame, because there are so many people out there using Office 365 or other SAML style platforms, why not document it clearly about what settings you accept? I had tickets open with their support team and they would constantly point me back to Microsoft, oh it's a Microsoft problem go talk to them. No it's a Kaseya issue, because your documentation is incomplete. I've heard rumors that there was once upon a time better documentation, but it has been removed because of AuthAnvil and the push to sell that. But who knows.

    Ultimately, it's possible to do, at some point I was thinking about putting together a blog post on how to exactly get it working but just haven't had the time. If there is interest I could knock something out from my personal blog.

  • We're currently in the middle of a project rolling out an OKTA integration for SSO and MFA to all of our primary internal applications including Kaseya. Options are there.

  • We currently use SAASPASS but it sounds like there are “tricks” to get this working with any 3rd party. Official documentation from Kaseya would be great so it can encourage EVERYONE to enable 2fa for everyone’s security. Alas, at this point. I’d welcome any suggestions to getting MFA setup via unofficial methods.
  • Ross,

    I would be very keen to learn how you did this being a AzureAD tenant as well.

    I am only using AuthAnvil to protect VSA logins so a blog post would be brilliant!

  • Ross,

    Could you elaborate on this? "There are a couple of tricks to it, basically you have to put in some dummy data into VSA to make it think it has AuthAnvil."

  • It doesn't appear you need to do anything more on the Kaseya side than upload the correct certificate and check "Enable Single Sign On to Kaseya". If you're stuck with your particular IdP it can be helpful to try Okta first and then examine the SAML using a browser to see what format Kaseya expects it in. Okta is officially supported and Kaseya has a KB on how to set it up. They also offer a 30 day trial. It was really easy set up in Okta.

  • The dummy data is mainly so that Kaseya VSA will accept that there is AuthAnvil and disable user login directly. Otherwise technically users can still hit the normal login page and bypass your external auth service, which for our setup would mean bypassing MFA

    In your AuthAnvil -> Two Factor Auth -> Configure Kaseya Login, set your AuthAnvil SAS URL to demo.my.authanvil.com/.../sas.asmx, set your site ID to a random number, and then ideally whitelist at least one user just in case. Set your config to require two factor auth for all users except those whitelisted which should prevent direct user logons for everything except your backup account, which make sure has a very good password and is not used for anything else.

    Outside of that, you need to upload your certificate you got from AzureAD and enable SSO as per normal and set your reply to URL to the following xxxxxxxx.kaseya.net/.../ssologin.aspx replacing the xxxx with your tenant.

    On the AzureAD side, you create an Enterprise Application. In your Basic SAML configuration both the identifier (Identity ID) and Reply URL (Assertion Consumer Service URL) will be

    xxxxxxxx.kaseya.net/.../ssologin.aspx with your tenant replaced in there.

    Your user attributes and claims will vary depending on what you use as your identifier, you need some identifier that will match the username you are using in VSA. For us it is simply the unique user identifier is user.userprincipalname.

    For your SAML Signing Certificate you need to set your signing option to Sign SAML Response, and your Signing Algorithm to SHA-1.

    And after you have this setup you can download your cert and load it into VSA.

    That's really it, this should prevent direct user login as VSA thinks AuthAnvil is functional when it's not going to work. The demo URL allows the form to accept the URL as if you enter in something broken it checks and fails to save. And ideally you'd get users to use the AzureAD URL which does SSO, or add it to your main portal page.

  • Upon seeing this article, I did a search and I was able to successfully set up SSO from Azure AD (myapps.microsoft.com) to Kaseya VSA by following this article:

    arweth.com/.../implementing-azuread-sso-for-the-kaseya-vsa

    However, I only was able to get it working with the local VSA users, not the domain user account.  Anyone know how to have Azure AD sign in with the Kaseya domain user account?  Or maybe I have to remove the local accounts and then it will default to the domain?

    Also note that I do have an active subscription to AuthAnvil.  Now that I have this working, can I safely stop using AuthAnvil or do I have to keep paying for it?

  • MFA should simply be part of the VSA. Not extra!

  • If anyone needs AuthAnvil for a small number, just reach out to me...  We can add you on ours.   Just PM me for details.