Two-factor authentication within a Windows Active Directory environment

I'm looking for a two-factor authentication solution to use within a Windows Active Directory environment. I prefer the solution to be hosted. Worst case is that I have to run the solution as a VM that I can also run at a DR site. No appliance.

I envision my users coming into the office and sitting at their computer.  They enter their work password and then their two factor token. This would be the same for OWA or RRAS.

What options are out there?
Cris Hanna commented:
Check out Auth-Anvil from Scorpion Software
btan, Exec Consultant, commented:
You can consider RSA SecurID, aka a keychain device or token generating the one-time cipher password (OTP), time based or counter based (either is possible); catch the table in this pdf on the comparison of the various other factors supported. It should not be an issue for Win2008R2. A typical setup includes an RSA ACE/Agent client on the user's laptop, RSA ACE/Agent software on the domain controller, and RSA ACE/Server software in the back end. This has an additional RSA server (s/w or appliance) as the authentication manager that works together with the AD to verify the user identity via the token.

Likewise the standard smart card is commonly used in the enterprise, but typically the PKI can be operationally intensive with key management and administration. You need the helpdesk to be ready to help users recover cards, forgotten PINs etc. This also applies to OTP tokens, but probably not using certificates (X.509v3), which smart cards are based on. Regardless, a simple OS smart card login via the GPO can be enforced as stated in this pdf and can be extended across to the application services since they also leverage AD for authentication.

Primarily, Active Directory itself is based on a security protocol (Kerberos) that 2FA can build on. I recall there is a Windows CardSpace, .NET Framework based, that Windows can leverage and work with smart cards or supported form factors as well for common federated user identities. But that may not have been extensively tried out so far.

Another I am thinking of is AuthLite, which is supposed to be tightly integrated with Active Directory: only a small AuthLite component is installed on domain controllers, and no hardware besides the second factor, e.g. a YubiKey. Referring to this sharing, you may be interested to know if you have ISA or equivalent:
When you pair AuthLite with ISA (or TMG) Server Web Publishing, you can enable the use of strong, two-factor authentication to connect to key Web services, such as Microsoft® Outlook Web Access (OWA), Microsoft SharePoint® Server services, and Microsoft Dynamics CRM.
If cloud is something you are planning later, Azure MFA is also available for such a requirement.
Rich Rumble, Security Samurai, commented:
2FA only works for interactive logins, like the initial VPN sign-in, Citrix, OWA or the user's logon screen. Once the user has completed 2FA, then if they got infected or were backdoored, the attacker will not be hindered by 2FA; they can use \\ip.ip.ip.ip\c$ to connect to computers within your network. 2FA is only protecting you at an interactive level.
Is that the use case you wish to address?
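As an added illustration of the point in the answer above (example code, not part of the original post), this Python triage script sorts Windows 4624 logon events by logon type: only interactive logon types pass through the logon screen, OWA or VPN front end where AD 2FA products hook in, while network (type 3) logons such as admin-share access reuse credentials the host already holds and are never challenged. The events, host names and IP addresses are constructed sample data.

```python
"""Triage Windows 4624 logon events by logon type to see which sessions an
interactive 2FA front end actually gated. Sample events are constructed."""

# Logon types from the Windows 4624 event (well-known values).
# Only these pass through a credential provider, OWA or VPN front end,
# which is where AD-integrated 2FA products insert the second factor.
INTERACTIVE_TYPES = {2: "Interactive", 10: "RemoteInteractive", 11: "CachedInteractive"}
# These authenticate with the already-held password or Kerberos ticket
# (e.g. \\host\c$ admin-share access) and never see a second factor.
NETWORK_TYPES = {3: "Network", 4: "Batch", 5: "Service"}

# Constructed events in the shape a SIEM would export 4624 fields (not real logs).
SAMPLE_EVENTS = [
    {"LogonType": 2,  "TargetUserName": "alice", "IpAddress": "127.0.0.1", "WorkstationName": "WS01"},
    {"LogonType": 10, "TargetUserName": "bob",   "IpAddress": "10.0.5.20", "WorkstationName": "RDS01"},
    {"LogonType": 3,  "TargetUserName": "alice", "IpAddress": "10.0.5.77", "WorkstationName": "FS01"},
    {"LogonType": 3,  "TargetUserName": "alice", "IpAddress": "10.0.5.77", "WorkstationName": "WS02"},
    {"LogonType": 3,  "TargetUserName": "alice", "IpAddress": "10.0.5.77", "WorkstationName": "WS03"},
    {"LogonType": 3,  "TargetUserName": "bob",   "IpAddress": "10.0.5.20", "WorkstationName": "FS01"},
]


def split_by_2fa_coverage(events):
    """Return (gated, ungated): logons a front-end 2FA could have challenged
    versus logons that reuse existing credentials with no second factor."""
    gated = [e for e in events if e["LogonType"] in INTERACTIVE_TYPES]
    ungated = [e for e in events if e["LogonType"] in NETWORK_TYPES]
    return gated, ungated


def lateral_movement_candidates(events, min_hosts=3):
    """Source IPs that reached at least min_hosts distinct machines over
    network logons: the pattern an interactive 2FA gate cannot stop, so it
    needs detection instead. Returns {src_ip: sorted list of hosts}."""
    hosts = {}
    for e in events:
        if e["LogonType"] == 3:
            hosts.setdefault(e["IpAddress"], set()).add(e["WorkstationName"])
    return {ip: sorted(h) for ip, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    gated, ungated = split_by_2fa_coverage(SAMPLE_EVENTS)
    print(f"{len(gated)} logons were 2FA-gated, {len(ungated)} were not")
    for ip, hosts in lateral_movement_candidates(SAMPLE_EVENTS).items():
        print(f"{ip} reached {len(hosts)} hosts via network logon: {', '.join(hosts)}")
```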
btan, Exec Consultant, commented:
This Microsoft article also covers the architecture for the deployment of the various MS services, including the fronting proxies required and recommended for secure access (see the "Enhance Access Control Risk Management" section). Preferably the multi-factor authentication (it states Microsoft Azure MFA) is integrated into the Web Application Proxy (which can be Microsoft TMG/ISA or UAG, or an application delivery controller like Citrix or F5 that also does load balancing).

Most deployments use one of the various RSA SecurID agents as stated, e.g.
Remote Authentication Server – a plug-in to the Microsoft IAS RADIUS Server or RRAS. This server-side component enables RSA SecurID authentication using a native Microsoft RADIUS environment. The component is supported on server-class systems.

To add for the long term, do consider a gateway product (or equipping the existing one) that supports SSL VPN and/or L2TP over IPsec, which will support the 2FA decided on too; most do, including Google Authenticator (the token is generated on the user's smartphone) or AuthAnvil. The latter has integration with Microsoft:
Office 365 subsite
Windows Logon integration docs
Remote Web Access integration docs
Remote Desktop (RDWeb) Web Access integration docs
Threat Management Gateway integration docs for Outlook Web Access
Network Policy Server (NPS) integration docs
RRAS integration docs
Outlook Web Access single sign-on integration docs
Windows Password Sync matrix
drunkennoodle (Author) commented:
Thanks for all the input.

Additionally, I'm going to look into SafeNet Authentication Service and Symantec VIP.