Quickconnect 2FA


We are using Quickconnect for remote access over the web to our file server. We have 2FA enabled on the NAS, but the web access allows read-only access without requiring the 2FA code. Then there is a link on the upper right where you can login again to get read-write access that asks for the 2FA code.

How do we disable this read-only access without 2FA? I want any access to require the 2FA code.

Thanks!
David
 
We use both the ds_file App and File Station. The ds_file app works properly, asking for 2FA upfront. File Station over the web browser does not, allowing read-only access without 2FA.

As far as I know, there is no ds_file app for Windows, otherwise I could turn off File Station access.

We are not syncing files to users' computers and therefore do not want to use Drive for server access.
 
I am not sure what you are specifically asking.

In control panel under Security and Quickconnect, I have File Sharing checked.
Under Security and protection, I have 2FA enforced for all users.

In File Station itself, all the settings pertain to sharing links. I am not asking about sharing links, I am asking about logging into the DSM over its quickconnect web link. I don't actually see any other settings anywhere that seem to have anything to do with that.
 
If it’s logging into dsm over qc then how come there is a mention that data is read only?

The only way you are not asked a 2fa for accessing dsm or any app using the web portal is if you have flagged that browser on that device to not ask you for 2fa each time. Could that be it?
 
Sorry, I was a bit confused as I wrote this because I had set it up some time ago.

Yes, I have a link set up. I enabled it for internal - DSM users.

2FA is forced for all users.

I AM using Synology Directory Server.

Login screen:
[Screenshot: Capture.PNG]


When I hit next, I get this screen:
[Screenshot: Capture.PNG]

I have read-only access without being prompted for the 2FA code.

This is what I want to change.

Thanks,
David
 
Aha, that’s something different. I don’t think you will be able to configure that with AD package.

There is a way to configure win10 users to use AD proxy (for DUO 2fa) before hitting your Synology AD, but I don’t think you will be able to force 2fa for dsm login using AD package.
 
This is through a web-browser though. It could be from a Mac, iPad or non-windows machine.

Also, ds_file and other Synology apps correctly require the 2FA when the SD-controlled logins are used.
 
Is this through using the QC Relay service? Whereby the Relay service bridges two connections to facilitate what seems to be the Internet client connecting to the NAS.

Thoughts:
  1. The read-only access is really unauthenticated access, such that anyone could gain this access if they tried to connect.
    1. Not sure how this would be possible as I don't have guest or similar access enabled. Nor do I use the Relay service.
  2. The Relay service actually uses the two connections (client-Relay; NAS-Relay) to enable a third connection direct from the client to NAS that is secured even when passing through the Relay. This is more secure and 2FA happens on this.
    1. But makes no sense too.
    2. A web browser isn't expecting to make this tunnelled connection. Can an unmodified browser do this without extensions?
  3. Is the Relay service providing a portal access?
  4. Is there some legacy coding somewhere (Relay service; File Station) in the QC initial handshaking that hasn't been updated to support 2FA?
  5. Did you say this was to access a File Station sharing link (only for authenticated DSM users)? Could be that the sharing code hasn't been updated to require 2FA and that read-only is the initial level of access offered to users of the sharing link. Then if they want full access they need to authenticate again (a bit like in SSH with an admin user but you have to 'sudo' some commands and re-enter your password).

No, this doesn't really make sense to me either: you either want to grant full access or not; users want to get that access after authenticating; you want that authentication to use the mechanisms that the user should be using, not just some of them.

Best thing would be to open a Synology Support ticket and ask them what's going on.
 
Yes, it is through the QC relay service (we don't have ddns set up and no permanent ip address).

Yes, we only want to use this for authenticated DSM users, which is a setting on the link.

I am guessing this is not an issue with just the QC relay service, but I am not sure how to test that theory. The link is via gofile.me. When I tried a non qc sharing link, it seemed to do the same thing.

My experience with Synology support has not been that great, but I will try writing a support ticket.
 
