Two factor authentication for within Windows Active Directory Environment

Posted on 2015-01-14
Medium Priority
Last Modified: 2015-01-19
I'm looking for a two factor authentication solution to use within a Windows Active Directory environment.  I prefer the solution to be hosted.  Worst case is that I have to run the solution as a VM that I can also run at a DR site.  No appliance.

I envision my users coming into the office and sitting at their computer.  They enter their work password and then their two factor token. This would be the same for OWA or RRAS.

What options are out there?
Question by:drunkennoodle
LVL 35

Accepted Solution

Cris Hanna earned 668 total points
ID: 40550950
Check out Auth-Anvil from Scorpion Software
LVL 65

Assisted Solution

btan earned 668 total points
ID: 40550973
You can consider RSA SecurID, aka keychain device or token generating the one time cipher password (OTP) using time-based or counter-based (either is possible); catch the table in this pdf on the comparison on various other factors and supported. It should not be an issue for Win2008R2. Typical setup includes an RSA ACE/Agent client on the user's laptop, RSA ACE/Agent software on the domain controller, and RSA ACE/Server software in the back end. This has an additional RSA server (s/w or appliance) as the authentication manager working together with the AD to verify the user identity via the token.

Likewise standard Smart card is commonly used in Enterprise but typically the PKI can be operationally intensive with key management and administration. You need the helpdesk to be ready to help users recover cards, forgotten PINs etc. This also applies to OTP tokens but probably not using certificates (x509v3) which Smart card is based on. Regardless, a simple OS smartcard login via the GPO can be enforced as stated in this pdf and can be extended across to the application services since they also leverage on AD for authentication.

Primarily, Active Directory itself is based on a security protocol (Kerberos) that 2FA can build on. I recalled there is a Windows CardSpace of .NET Framework based that Windows can leverage and work with Smart card or supported form factor as well for common federated user identities. But there may not be that extensively tried out so far..

Another I am thinking of is AuthLite which is supposed to be tightly integrated with Active Directory, and only a small AuthLite component is installed on domain controllers, no hardware besides the second factor e.g. YubiKey. Ref to this sharing, you may be interested to know if you have ISA or equivalent:
"When you pair AuthLite with ISA (or TMG) Server Web Publishing, you can enable the use of strong, two-factor authentication to connect to key Web services, such as Microsoft® Outlook Web Access (OWA), Microsoft SharePoint® Server services, and Microsoft Dynamics CRM."
If cloud is something you may be planning later, Azure MFA is also available for such req.
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 664 total points
ID: 40555576
2FA only works for interactive logins, like those of the initial VPN sign in, Citrix, OWA or the user's logon screen. Once the user has completed 2FA, then if they got infected or were backdoored, the attacker will not be hindered by 2FA; they can use \\ip.ip.ip.ip\c$ to connect to computers within your network. 2FA is only protecting you at an interactive level.
Is that use case you wish to address?
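The answer above makes the point that a 2FA credential provider only gates interactive logons (Windows logon types 2, 10 and 11), while network logons (type 3, which is what admin-share access produces) are authenticated by Kerberos/NTLM alone. The defensive counterpart is to watch those network logons. As an added example, not part of the original thread, the script below runs three simple detections over a handful of constructed Security-log events (4624 logon, 5140 share access) rendered as `key=value` lines, which is an assumed format, not real Windows output: admin-share (`$`) access, network logons to machines that are not file servers, and one account fanning out to many hosts.

```python
import re
from collections import defaultdict

# Constructed sample events (assumed key=value rendering, not real EVTX output).
SAMPLE_EVENTS = """\
EventID=4624 Host=WS01 LogonType=2 User=alice SrcIP=-
EventID=4624 Host=WS02 LogonType=3 User=alice SrcIP=10.0.1.11
EventID=5140 Host=WS02 User=alice SrcIP=10.0.1.11 Share=\\\\*\\C$
EventID=4624 Host=FS01 LogonType=3 User=alice SrcIP=10.0.1.11
EventID=5140 Host=FS01 User=alice SrcIP=10.0.1.11 Share=\\\\*\\Finance
EventID=4624 Host=WS03 LogonType=10 User=bob SrcIP=10.0.1.20
EventID=4624 Host=WS04 LogonType=3 User=alice SrcIP=10.0.1.11
EventID=5140 Host=WS04 User=alice SrcIP=10.0.1.11 Share=\\\\*\\ADMIN$
"""

# Logon types where a 2FA credential provider is consulted (real Windows values):
# 2 = Interactive, 10 = RemoteInteractive (RDP), 11 = CachedInteractive.
INTERACTIVE_TYPES = {"2", "10", "11"}
NETWORK_TYPE = "3"

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text: str) -> list:
    """Turn each non-empty line into a dict of its key=value fields."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]


def find_admin_share_access(events: list) -> list:
    """5140 events whose share name ends in '$' (C$, ADMIN$, IPC$ ...)."""
    return [
        (e["Host"], e["User"], e["SrcIP"], e["Share"])
        for e in events
        if e.get("EventID") == "5140" and e.get("Share", "").endswith("$")
    ]


def find_workstation_network_logons(events: list, servers: set) -> list:
    """Type-3 logons to hosts that are not known servers: workstation-to-workstation traffic."""
    return [
        (e["Host"], e["User"], e["SrcIP"])
        for e in events
        if e.get("EventID") == "4624"
        and e.get("LogonType") == NETWORK_TYPE
        and e["Host"] not in servers
    ]


def find_fan_out(events: list, threshold: int = 3) -> dict:
    """Accounts with network logons to at least `threshold` distinct hosts."""
    hosts_by_user = defaultdict(set)
    for e in events:
        if e.get("EventID") == "4624" and e.get("LogonType") == NETWORK_TYPE:
            hosts_by_user[e["User"]].add(e["Host"])
    return {u: h for u, h in hosts_by_user.items() if len(h) >= threshold}


def count_logons_covered_by_2fa(events: list) -> tuple:
    """(interactive, network) logon counts: only the first group passed through 2FA."""
    logons = [e for e in events if e.get("EventID") == "4624"]
    interactive = sum(1 for e in logons if e.get("LogonType") in INTERACTIVE_TYPES)
    network = sum(1 for e in logons if e.get("LogonType") == NETWORK_TYPE)
    return interactive, network


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("2FA-gated vs network logons:", count_logons_covered_by_2fa(evs))
    for hit in find_admin_share_access(evs):
        print("admin share access:", hit)
    for hit in find_workstation_network_logons(evs, servers={"FS01"}):
        print("network logon to workstation:", hit)
    for user, hosts in find_fan_out(evs).items():
        print("fan-out:", user, sorted(hosts))
```

The set of known servers (here just `FS01`) and the fan-out threshold are the two knobs to tune per environment; on a real estate you would feed the same rules from the event-forwarding collector rather than from an inline string.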
LVL 65

Expert Comment

ID: 40555714
This Microsoft article also covers the architecture for the deployment of the various MS services including the fronting proxies required and recommended for secure access (see "Enhance Access Control Risk Management" section). Preferably the multi-factor authentication (it stated the Microsoft Azure MFA) is integrated into the Web Application Proxy (which can be Microsoft TMG/ISA or UAG or an application delivery controller like Citrix or F5 that also does load balancing).

Most deployments use various RSA SecurID agents as stated, e.g.
Remote Authentication Server – A plug-in into Microsoft IAS RADIUS Server or RRAS. This server-side component enables RSA SecurID authentication using a native Microsoft RADIUS environment. The component is supported on the server-class systems.

To add for the long term, do consider a (or equipping the existing) gateway product that supports SSL VPN and/or L2TP over IPSEC which will support the 2FA decided on too; most do, and Google Authenticator (token is generated on the user's smartphone) or AuthAnvil. The latter has integration with Microsoft:
Office 365 subsite
Windows Logon integration docs
Remote Web Access integration docs
Remote Desktop (RDWeb) Web Access integration docs
Threat Management Gateway integration docs for Outlook Web Access
Network Policy Server (NPS) integration docs
RRAS integration docs
Outlook Web Access single sign-on integration docs
Windows Password Sync matrix

Author Closing Comment

ID: 40557917
Thanks for all the input.

Additionally, I'm going to look into SafeNet Authentication Service (http://www2.safenet-inc.com/sas/index.html) and Symantec VIP (http://www.symantec.com/vip-authentication-service/).
