Two factor authentication for within Windows Active Directory Environment

Posted on 2015-01-14
Medium Priority
Last Modified: 2015-01-19
I'm looking for a two factor authentication solution to use within a Windows Active Directory environment.  I prefer the solution to be hosted.  Worst case is that I have to run the solution as a VM that I can also run at a DR site.  No appliance.

I envision my users coming into the office and sitting at their computer.  They enter their work password and then their two factor token. This would be the same for OWA or RRAS.

What options are out there?
Question by:drunkennoodle
LVL 35

Accepted Solution

Cris Hanna earned 668 total points
ID: 40550950
Check out Auth-Anvil from Scorpion Software
LVL 64

Assisted Solution

btan earned 668 total points
ID: 40550973
You can consider RSA SecurID, aka a keychain device or token generating the one-time cipher password (OTP), using time-based or counter-based generation (either is possible); catch the table in this pdf on the comparison of various other factors and what is supported. It should not be an issue for Win2008R2. A typical setup includes an RSA ACE/Agent client on the user's laptop, RSA ACE/Agent software on the domain controller, and RSA ACE/Server software in the back end. This has an additional RSA server (s/w or appliance) as the authentication manager working together with AD to verify the user identity via the token.

Likewise, standard smart cards are commonly used in the enterprise, but typically the PKI can be operationally intensive with key management and administration. You need the helpdesk to be ready to help users recover cards, forgotten PINs, etc. This also applies to OTP tokens, though they probably do not use the certificate (X.509v3) that smart cards are based on. Regardless, a simple OS smartcard login enforced via GPO, as stated in this pdf, can be extended across to the application services since they also leverage AD for authentication.

Primarily, Active Directory itself is based on a security protocol (Kerberos) that 2FA can build on. I recall there is Windows CardSpace, .NET Framework based, that Windows can leverage and work with smart cards or supported form factors as well, for common federated user identities. But it may not have been that extensively tried out so far.

Another one I am thinking of is AuthLite, which is supposed to be tightly integrated with Active Directory: only a small AuthLite component is installed on domain controllers, with no hardware besides the second factor, e.g. a YubiKey. Referring to this sharing, you may be interested to know, if you have ISA or equivalent:
When you pair AuthLite with ISA (or TMG) Server Web Publishing, you can enable the use of strong, two-factor authentication to connect to key Web services, such as Microsoft® Outlook Web Access (OWA), Microsoft SharePoint® Server services, and Microsoft Dynamics CRM.
If cloud is something you are planning later, Azure MFA is also available for such requirements.
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 664 total points
ID: 40555576
2FA only works for interactive logins, like the initial VPN sign-in, Citrix, OWA or the user's logon screen. Once the user has completed 2FA, then if they got infected or were backdoored, the attacker will not be hindered by 2FA; they can use \\ip.ip.ip.ip\c$ to connect to computers within your network. 2FA is only protecting you at an interactive level.
Is that the use case you wish to address?
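To make the point above concrete from the defender's side, here is an added example (not from the thread) that scans constructed Windows Security log lines for administrative share access (event 5140, which rides on a type 3 network logon that the interactive 2FA prompt never sees) from sources outside an assumed management allow-list. The flattened key=value event format, the sample hosts and the allow-list are all assumptions made for the example.

```python
import re

# Constructed sample of Security log events (not real data), flattened to key=value lines.
# 4624 = logon (LogonType 10 is RemoteInteractive); 5140 = a network share object was accessed.
SAMPLE_EVENTS = r"""
2015-01-15T09:02:11 EventID=4624 LogonType=10 TargetUserName=alice IpAddress=10.1.5.20 Computer=WS-ALICE
2015-01-15T09:15:42 EventID=5140 SubjectUserName=alice ShareName=\\*\Finance IpAddress=10.1.5.20 Computer=FS01
2015-01-15T09:20:03 EventID=5140 SubjectUserName=alice ShareName=\\*\C$ IpAddress=10.1.5.20 Computer=WS-BOB
2015-01-15T09:21:17 EventID=5140 SubjectUserName=svc-backup ShareName=\\*\C$ IpAddress=10.1.0.10 Computer=WS-BOB
2015-01-15T09:22:40 EventID=5140 SubjectUserName=alice ShareName=\\*\ADMIN$ IpAddress=10.1.5.20 Computer=WS-CAROL
"""

# Assumed allow-list: hosts that legitimately reach admin shares (backup/management servers).
ADMIN_HOSTS = {"10.1.0.10"}

# Matches \\*\ADMIN$ and drive-letter shares such as \\*\C$; ordinary shares do not match.
ADMIN_SHARE = re.compile(r"\\\\\*\\(ADMIN\$|[A-Z]\$)$", re.IGNORECASE)


def parse_events(text):
    """Turn the flattened lines into dicts; the first token is the timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, *fields = line.split()
        ev = {"Time": ts}
        for f in fields:
            k, _, v = f.partition("=")
            ev[k] = v
        events.append(ev)
    return events


def admin_share_hits(events, admin_hosts=ADMIN_HOSTS):
    """Return 5140 events that open an administrative share from a non-allow-listed source."""
    hits = []
    for ev in events:
        if ev.get("EventID") != "5140":
            continue
        if not ADMIN_SHARE.search(ev.get("ShareName", "")):
            continue
        if ev.get("IpAddress") in admin_hosts:
            continue
        hits.append(ev)
    return hits


def lateral_movement_sources(hits):
    """Group hits by (user, source IP); report pairs touching admin shares on more than one host."""
    targets = {}
    for ev in hits:
        key = (ev["SubjectUserName"], ev["IpAddress"])
        targets.setdefault(key, set()).add(ev["Computer"])
    return {k: sorted(v) for k, v in targets.items() if len(v) > 1}
```

Feeding real exported events requires enabling the "File Share" audit subcategory on the targets, which is what produces 5140.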
LVL 64

Expert Comment

ID: 40555714
This Microsoft article also covers the architecture for the deployment of the various MS services, including the fronting proxies required and recommended for secure access (see the "Enhance Access Control Risk Management" section). Preferably, the multi-factor authentication (it states Microsoft Azure MFA) is integrated into the Web Application Proxy (which can be Microsoft TMG/ISA or UAG, or an application delivery controller like Citrix or F5 that also does load balancing).

Most deployments use the various RSA SecurID agents as stated, e.g.:
Remote Authentication Server – A plug-in into Microsoft IAS RADIUS Server or RRAS. This server-side component enables RSA SecurID authentication using a native Microsoft RADIUS environment. The component is supported on the server-class systems.

To add, for the long term, do consider a gateway product (or equipping the existing one) that supports SSL VPN and/or L2TP over IPsec, which will also support the 2FA decided on; most do, as well as Google Authenticator (the token is generated on the user's smartphone) or AuthAnvil. The latter has integration with Microsoft:
Office 365 subsite
Windows Logon integration docs
Remote Web Access integration docs
Remote Desktop (RDWeb) Web Access integration docs
Threat Management Gateway integration docs for Outlook Web Access
Network Policy Server (NPS) integration docs
RRAS integration docs
Outlook Web Access single sign-on integration docs
Windows Password Sync matrix

Author Closing Comment

ID: 40557917
Thanks for all the input.

Additionally, I'm going to look into SafeNet Authentication Service (http://www2.safenet-inc.com/sas/index.html) and Symantec VIP (http://www.symantec.com/vip-authentication-service/).
