This section explains how to integrate TOTP MFA providers with Parallels RAS.
To configure TOTP settings:
Specify the following:
Display Name: The default name here is TOTP. The name will appear on the registration dialog in Parallels Client in the following sentence, "Install TOTP app on your iOS or Android device". If you change the name, the sentence will contain the name you specify, such as "Install <new-name> app on your iOS or Android device".
User Prompt: Specify the text that the user will see when prompted with an OTP dialog.
The User enrollment section allows you to limit user enrollment if needed. You can allow all users to enroll without limitations (the Allow option), allow enrollment until the specified date and time (Allow until), or completely disable enrollment (the Do not allow option). If enrollment is disabled because the time frame has expired or because the Do not allow option is selected, a user trying to log in will see an error message saying that enrollment is disabled and advising the user to contact the system administrator. When you restrict or disable enrollment, Google Authenticator or another TOTP provider can still be used, but no further users can enroll. This is a security measure: it prevents an attacker who holds compromised credentials from enrolling their own device in MFA.
Show information to unenrolled users: Select whether unenrolled users can see the "The user name or password is incorrect" error when they enter incorrect credentials:
Never (most secure): Unenrolled users see a TOTP prompt instead of the error.
If enrollment is allowed: Unenrolled users see the error if user enrollment is allowed. Otherwise, they see a TOTP prompt.
Always: Unenrolled users always see the error.
The Authentication section allows you to configure TOTP tolerance. When using Time-based One-Time Password (TOTP), the time must be synchronized between the RAS Connection Broker and client devices. The synchronization must be performed against a global NTP server (e.g. time.google.com). Using the TOTP tolerance drop-down list, you can select a time difference that should be tolerated while performing authentication. Expand the drop-down list and select one of the predefined values (number of seconds). Note that changing the time tolerance should be done with caution, as it has security implications: the validity period of a one-time password is increased, which widens the time window for potential misuse.
Note: When using TOTP providers, both Connection Brokers and client devices must be time synchronized with a global NTP server (e.g. time.google.com). Adding TOTP tolerance increases the one-time password validity, which might have security implications.
The Reset User(s) field in the User management section is used to reset the token that a user receives when they log in to Parallels RAS for the first time using the TOTP provider. If you reset a user, they'll have to go through the registration procedure again (for instructions on doing this for Google Authenticator, see Using Google Authenticator in Parallels Client). You can search for specific users, reset all users, or import the list of users from a CSV file.
Click Finish.
Please also note that the TOTP validity window is calculated as the default 30 seconds + the tolerance value x seconds in the past + x seconds in the future.
See
To configure Google Authenticator settings:
Specify the following:
Display Name: The default name here is Google Authenticator. The name will appear on the registration dialog in Parallels Client in the following sentence, "Install Google Authenticator app on your iOS or Android device". If you change the name, the sentence will contain the name you specify, such as "Install <new-name> app on your iOS or Android device". Technically, you can use any authenticator app (hence the ability to change the name), but at the time of this writing only the Google Authenticator app is officially supported.
User Prompt: Specify the text that the user will see when prompted with an OTP dialog.
The User enrollment section allows you to limit user enrollment via Google Authenticator if needed. You can allow all users to enroll without limitations (the Allow option), allow enrollment until the specified date and time (Allow until), or completely disable enrollment (the Do not allow option). If enrollment is disabled because the time frame has expired or because the Do not allow option is selected, a user trying to log in will see an error message saying that enrollment is disabled and advising the user to contact the system administrator. When you restrict or disable enrollment, Google Authenticator or another TOTP provider can still be used, but no further users can enroll. This is a security measure: it prevents an attacker who holds compromised credentials from enrolling their own device in MFA.
Show information to unenrolled users: Select whether unenrolled users can see the "The user name or password is incorrect" error when they enter incorrect credentials:
Never (most secure): Unenrolled users see a TOTP prompt instead of the error.
If enrollment is allowed: Unenrolled users see the error if user enrollment is allowed. Otherwise, they see a TOTP prompt.
Always: Unenrolled users always see the error.
The Authentication section allows you to configure TOTP tolerance. When using Time-based One-Time Password (TOTP), the time must be synchronized between the RAS Connection Broker and client devices. The synchronization must be performed against a global NTP server (e.g. time.google.com). Using the TOTP tolerance drop-down list, you can select a time difference that should be tolerated while performing authentication. Expand the drop-down list and select one of the predefined values (number of seconds). Note that changing the time tolerance should be done with caution, as it has security implications: the validity period of a one-time password is increased, which widens the time window for potential misuse.
Note: When using Time-based One-Time Password (TOTP) providers, both Connection Brokers and client devices must be time synchronized with a global NTP server (e.g. time.google.com). Adding TOTP tolerance increases the one-time password validity, which might have security implications.
The Reset User(s) field in the User management section is used to reset the token that a user receives when they log in to Parallels RAS for the first time using Google Authenticator. If you reset a user, they'll have to go through the registration procedure again (see Using Google Authenticator in Parallels Client below). You can search for specific users, reset all users, or import the list of users from a CSV file.
Click Finish.
Please also note that the TOTP validity window is calculated as the default 30 seconds + the tolerance value x seconds in the past + x seconds in the future.
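To make the effect of the tolerance value concrete, here is an added Python example (not Parallels code) that implements RFC 6238 TOTP with the 30-second step and models the "30 seconds + x in the past + x in the future" rule described above and in the TOTP section. The secret is the RFC 6238 test vector; the symmetric-tolerance semantics are an assumption taken from this description, not the Connection Broker's actual implementation.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default)

# RFC 6238 test-vector secret "12345678901234567890", base32-encoded.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def accepted_window_seconds(tolerance_s: int) -> int:
    """Validity window as described: 30 s step + tolerance in the past + tolerance in the future."""
    return STEP + 2 * tolerance_s


def verify(secret_b32: str, code: str, server_time: int, tolerance_s: int) -> bool:
    """Accept the code if it is valid for any time step overlapping [server_time - x, server_time + x].

    Assumption: the broker tolerates skew symmetrically, as the text describes.
    """
    first_step = max(0, (server_time - tolerance_s) // STEP)
    last_step = (server_time + tolerance_s) // STEP
    return any(
        hmac.compare_digest(totp(secret_b32, step * STEP), code)
        for step in range(first_step, last_step + 1)
    )


def client_code_accepted(secret_b32: str, server_time: int, client_skew_s: int, tolerance_s: int) -> bool:
    """Simulate a client whose clock is off by client_skew_s seconds relative to the broker."""
    client_code = totp(secret_b32, server_time + client_skew_s)
    return verify(secret_b32, client_code, server_time, tolerance_s)


if __name__ == "__main__":
    now = 1234567890  # fixed constructed timestamp so the run is reproducible
    for tol in (0, 30, 60, 90):
        ok = client_code_accepted(RFC_SECRET, now, 90, tol)
        print(f"tolerance={tol:3d}s window={accepted_window_seconds(tol):3d}s skew=+90s accepted={ok}")
```

With a client clock 90 seconds fast, the login fails until the tolerance reaches 90 seconds, at which point the accepted window has grown from 30 to 210 seconds; fixing NTP sync removes the need for that widening.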
Important: To use Google Authenticator or another TOTP provider, the time on a user device must be in sync with the time set on the RAS Connection Broker server. Otherwise, Google Authenticator authentication will fail.
Google Authenticator is supported in Parallels Client running on all supported platforms, including mobile, desktop, and Web.
To use Google Authenticator, a user needs to install the Authenticator app on their iOS or Android device. Simply visit Google Play or App Store and install the app. Once the Authenticator app is installed, the user is ready to connect to Parallels RAS using two-factor authentication.
To connect to Parallels RAS:
The user opens Parallels Client or Web Client and logs in using his/her credentials.
The multi-factor authentication dialog opens displaying a barcode (also known as QR code) and a secret key.
The user opens the Google Authenticator app on their mobile device:
If this is the first time they use it, they tap Begin and then tap Scan a barcode.
If a user already has another account in Google Authenticator, they tap the plus-sign icon and choose Scan a barcode.
The user then scans the barcode displayed in the Parallels Client login dialog.
If scanning doesn't work for any reason, the user goes back in the app, chooses Enter a provided key and then enters the account name and the key displayed in the Parallels Client login dialog.
The user then taps Add account in the app, which will create an account and display a one time password.
The user goes back to Parallels Client, clicks Next and enters the one time password in the OTP field.
On every subsequent logon, the user will only have to type their credentials (or nothing at all if the Save password option was selected) and enter a one-time password obtained from the Google Authenticator app (the app continually generates a new password). If the RAS administrator resets a user (see the Reset User(s) field description at the beginning of this section), the user will have to repeat the registration procedure described above.