Solved

Two factor authentication for within Windows Active Directory Environment

Posted on 2015-01-14
Last Modified: 2015-01-19
I'm looking for a two factor authentication solution to use within a Windows Active Directory environment.  I prefer the solution to be hosted.  Worst case is that I have to run the solution as a VM that I can also run at a DR site.  No appliance.

I envision my users coming into the office and sitting at their computer.  They enter their work password and then their two factor token. This would be the same for OWA or RRAS.

What options are out there?
Question by:drunkennoodle
5 Comments
 
LVL 35

Accepted Solution

by:
Cris Hanna earned 167 total points
Check out Auth-Anvil from Scorpion Software
 
LVL 61

Assisted Solution

by:btan
btan earned 167 total points
You can consider RSA SecurID, aka a keychain device or token generating the one-time cipher password (OTP), either time-based or counter-based (both are possible); catch the table in this pdf on the comparison of the various other factors supported. It should not be an issue for Win2008R2. A typical setup includes an RSA ACE/Agent client on the user's laptop, RSA ACE/Agent software on the domain controller, and RSA ACE/Server software in the back end. This has an additional RSA server (s/w or appliance) as the authentication manager that works together with the AD to verify the user identity via the token.

Likewise, the standard smart card is commonly used in the enterprise, but typically the PKI can be operationally intensive with key management and administration. You need the helpdesk to be ready to help users recover a card, a forgotten PIN, etc. This also applies to OTP tokens, though they probably do not use the certificate (X.509v3) that a smart card is based on. Regardless, a simple OS smart card login enforced via GPO, as stated in this pdf, can be extended across to the application services since they also leverage AD for authentication.

Primarily, Active Directory itself is based on a security protocol (Kerberos) that 2FA can build on. I recall there is a Windows CardSpace based on the .NET Framework that Windows can leverage and work with smart cards or supported form factors as well for common federated user identities. But it may not have been tried out that extensively so far.

Another one I am thinking of is AuthLite, which is supposed to be tightly integrated with Active Directory: only a small AuthLite component is installed on domain controllers, with no hardware besides the second factor, e.g. a YubiKey. Ref to this sharing; you may be interested to know if you have ISA or equivalent:
When you pair AuthLite with ISA (or TMG) Server Web Publishing, you can enable the use of strong, two-factor authentication to connect to key Web services, such as Microsoft® Outlook Web Access (OWA), Microsoft SharePoint® Server services, and Microsoft Dynamics CRM.
If cloud is something you are planning later, Azure MFA is also available for such requirements.
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 166 total points
2FA only works for interactive logins, like the initial VPN sign-in, Citrix, OWA or the user's logon screen. Once the user has completed 2FA, then if they got infected or were backdoored, the attacker will not be hindered by 2FA; they can use \\ip.ip.ip.ip\c$ to connect to computers within your network. 2FA is only protecting you at an interactive level.
http://www.experts-exchange.com/Security/Misc/A_12368-Two-Factor-Authentication-Added-layers-are-not-always-added-security.html
Is that use case you wish to address?
-rich
 
LVL 61

Expert Comment

by:btan
This Microsoft article also covers the architecture for the deployment of the various MS services, including the fronting proxies required and recommended for secure access (see the "Enhance Access Control Risk Management" section). Preferably the multi-factor authentication (it states Microsoft Azure MFA) is integrated into the Web Application Proxy (which can be Microsoft TMG/ISA or UAG, or an application delivery controller like Citrix or F5 that also does load balancing).
http://technet.microsoft.com/en-us/library/dn550982.aspx

Most deployments use one of the various RSA SecurID agents, as stated, e.g.:
Remote Authentication Server – A plug-in into Microsoft IAS RADIUS Server or RRAS. This server-side component enables RSA SecurID authentication using a native Microsoft RADIUS environment. The component is supported on the server-class systems.
http://www.emc.com/security/rsa-securid/rsa-authentication-agents/windows.htm

To add for the long term, do consider a gateway product (or equipping the existing one) that supports SSL VPN and/or L2TP over IPsec and that also supports the 2FA decided on; most do, as do Google Authenticator (the token is generated on the user's smartphone) and AuthAnvil. The latter has integration with Microsoft:
Office 365 subsite
Windows Logon integration docs
Remote Web Access integration docs
Remote Desktop (RDWeb) Web Access integration docs
Threat Management Gateway integration docs for Outlook Web Access
Network Policy Server (NPS) integration docs
RRAS integration docs
Outlook Web Access single sign-on integration docs
Windows Password Sync matrix
http://www.scorpionsoft.com/integration
 

Author Closing Comment

by:drunkennoodle
Thanks for all the input.

Additionally, I'm going to look into SafeNet Authentication Service (http://www2.safenet-inc.com/sas/index.html) and Symantec VIP (http://www.symantec.com/vip-authentication-service/).