Two-factor authentication within a Windows Active Directory environment

Posted on 2015-01-14
Medium Priority
Last Modified: 2015-01-19
I'm looking for a two factor authentication solution to use within a Windows Active Directory environment.  I prefer the solution to be hosted.  Worst case is that I have to run the solution as a VM that I can also run at a DR site.  No appliance.

I envision my users coming into the office and sitting at their computer.  They enter their work password and then their two factor token. This would be the same for OWA or RRAS.

What options are out there?
Question by: drunkennoodle
LVL 35

Accepted Solution

Cris Hanna earned 668 total points
ID: 40550950
Check out Auth-Anvil from Scorpion Software
LVL 66

Assisted Solution

btan earned 668 total points
ID: 40550973
You can consider RSA SecurID, aka a keychain device or token generating a one-time password (OTP), either time-based or counter-based (either is possible); catch the table in this PDF on the comparison of the various other factors supported. It should not be an issue for Win2008R2. A typical setup includes an RSA ACE/Agent client on the user's laptop, RSA ACE/Agent software on the domain controller, and RSA ACE/Server software in the back end. This has an additional RSA server (s/w or appliance) as the authentication manager working together with AD to verify the user identity via the token.

Likewise, standard smart cards are commonly used in enterprises, but typically the PKI can be operationally intensive with key management and administration. You need the helpdesk to be ready to help users recover cards, forgotten PINs, etc. This also applies to OTP tokens, though probably not using the certificates (X.509v3) which smart cards are based on. Regardless, a simple OS smart card login via GPO can be enforced as stated in this PDF, and can be extended across to the application services since they also leverage AD for authentication.

Primarily, Active Directory itself is based on a security protocol (Kerberos) that 2FA can build on. I recall there is Windows CardSpace, which is .NET Framework based, that Windows can leverage to work with smart cards or other supported form factors as well for common federated user identities. But it may not have been that extensively tried out so far.

Another I am thinking of is AuthLite, which is supposed to be tightly integrated with Active Directory; only a small AuthLite component is installed on domain controllers, and no hardware is needed beside the second factor, e.g. a YubiKey. Referring to this sharing, you may be interested to know, if you have ISA or equivalent:
"When you pair AuthLite with ISA (or TMG) Server Web Publishing, you can enable the use of strong, two-factor authentication to connect to key Web services, such as Microsoft® Outlook Web Access (OWA), Microsoft SharePoint® Server services, and Microsoft Dynamics CRM."
If cloud is something you are planning later, Azure MFA is also available for such requirements.
LVL 38

Assisted Solution

Rich Rumble earned 664 total points
ID: 40555576
2FA only works for interactive logins, like the initial VPN sign-in, Citrix, OWA or the user's logon screen. Once the user has completed 2FA, then if they got infected or were backdoored, the attacker will not be hindered by 2FA; they can use \\ip.ip.ip.ip\c$ to connect to computers within your network. 2FA is only protecting you at an interactive level.
Is that the use case you wish to address?
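To make that boundary concrete, here is an added example (not from the thread or from any vendor) that classifies Windows Security 4624 logon events by LogonType over a few constructed records and flags the ones an interactive-logon 2FA hook never sees: network (type 3) logons such as an SMB connection to an admin share. The TWO_FACTOR_GATED set (types 2 and 10), the key=value encoding of the records and the sample records themselves are assumptions made for the example; the field names are the real 4624 event data fields.

```python
r"""Classify Windows Security 4624 (successful logon) events by LogonType.

Added example, not from the original thread. The records below are
constructed; the field names are those of the real 4624 event. A 2FA product
that hooks the interactive logon (credential provider, RDP, VPN/OWA front end)
gates LogonType 2 and 10 but never sees a type-3 network logon such as an
attacker mounting \\host\C$ with a stolen password or hash.
"""
from collections import Counter

# LogonType values from the 4624 event (Microsoft documentation).
LOGON_TYPES = {
    2: "Interactive (console)",
    3: "Network (SMB admin shares, WMI, WinRM, ...)",
    4: "Batch (scheduled task)",
    5: "Service",
    7: "Unlock",
    8: "NetworkCleartext",
    9: "NewCredentials (runas /netonly)",
    10: "RemoteInteractive (RDP)",
    11: "CachedInteractive",
}
TWO_FACTOR_GATED = {2, 10}   # assumption: the 2FA product hooks only these

# Constructed sample records in "key=value;..." form (not real log data).
SAMPLE_4624 = [
    "EventID=4624;LogonType=2;TargetUserName=alice;IpAddress=-;AuthenticationPackageName=Negotiate",
    "EventID=4624;LogonType=10;TargetUserName=bob;IpAddress=10.0.5.21;AuthenticationPackageName=Negotiate",
    "EventID=4624;LogonType=3;TargetUserName=alice;IpAddress=10.0.5.21;AuthenticationPackageName=NTLM",
    "EventID=4624;LogonType=3;TargetUserName=svc-backup;IpAddress=10.0.9.7;AuthenticationPackageName=Kerberos",
    "EventID=4624;LogonType=9;TargetUserName=bob;IpAddress=-;AuthenticationPackageName=Negotiate",
]


def parse_event(line):
    """Turn one 'key=value;...' record into a dict with an integer LogonType."""
    ev = dict(field.split("=", 1) for field in line.strip().split(";"))
    ev["LogonType"] = int(ev["LogonType"])
    return ev


def logons_bypassing_2fa(lines):
    """Events whose LogonType the interactive 2FA hook never sees."""
    return [ev for ev in map(parse_event, lines) if ev["LogonType"] not in TWO_FACTOR_GATED]


def summarize(lines):
    """Count of events per human-readable LogonType."""
    counts = Counter(parse_event(l)["LogonType"] for l in lines)
    return {LOGON_TYPES.get(t, f"Type {t}"): n for t, n in counts.items()}


def post_2fa_reuse(lines):
    """Users who passed a gated (2FA) logon and then show up in a type-3
    network logon from a source that is not where they authenticated:
    the credential reuse an infected or backdoored workstation enables."""
    events = list(map(parse_event, lines))
    gated = {}
    for ev in events:
        if ev["LogonType"] in TWO_FACTOR_GATED:
            gated.setdefault(ev["TargetUserName"], set()).add(ev["IpAddress"])
    hits = []
    for ev in events:
        user = ev["TargetUserName"]
        if ev["LogonType"] == 3 and user in gated and ev["IpAddress"] not in gated[user]:
            hits.append((user, ev["IpAddress"], ev["AuthenticationPackageName"]))
    return hits


if __name__ == "__main__":
    for name, n in summarize(SAMPLE_4624).items():
        print(f"{n:3d}  {name}")
    print("not gated by interactive 2FA:", len(logons_bypassing_2fa(SAMPLE_4624)))
    print("post-2FA credential reuse:", post_2fa_reuse(SAMPLE_4624))
```

On a real domain the records would come from Get-WinEvent against the Security log rather than the constructed list; the point the classification makes is that the type-3 path (admin shares, WMI, WinRM) has to be controlled on the network and host side, because no credential-provider 2FA is consulted for it.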
LVL 66

Expert Comment

ID: 40555714
This Microsoft article also covers the architecture for the deployment of the various MS services, including the fronting proxies required and recommended for secure access (see the "Enhance Access Control Risk Management" section). Preferably the multi-factor authentication (it states Microsoft Azure MFA) is integrated into the Web Application Proxy (which can be Microsoft TMG/ISA or UAG, or an application delivery controller like Citrix or F5 that also does load balancing).

Most deployments use one of the various RSA SecurID agents as stated, e.g.
Remote Authentication Server – A plug-in to the Microsoft IAS RADIUS Server or RRAS. This server-side component enables RSA SecurID authentication using a native Microsoft RADIUS environment. The component is supported on server-class systems.

To add, for the long term, do consider a gateway product (or equipping the existing one) that supports SSL VPN and/or L2TP over IPsec and will also support the 2FA decided on; most do, including Google Authenticator (the token is generated on the user's smartphone) or AuthAnvil. The latter has integration with Microsoft:
Office 365 subsite
Windows Logon integration docs
Remote Web Access integration docs
Remote Desktop (RDWeb) Web Access integration docs
Threat Management Gateway integration docs for Outlook Web Access
Network Policy Server (NPS) integration docs
RRAS integration docs
Outlook Web Access single sign-on integration docs
Windows Password Sync matrix
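Several of the integrations listed above (NPS, RRAS, the RSA agent plug-in for IAS) hand the second factor to an authentication server over RADIUS. The following added example, not from the thread or from any of the products named, shows both sides of that exchange per RFC 2865: the NAS hides password+OTP in the User-Password attribute, the server recovers it, checks an RFC 4226 HOTP value inside a look-ahead window and advances the counter so a captured token cannot be replayed, and the client verifies the Response Authenticator before trusting the reply. The "AD password followed by a 6-digit token" convention, the window of 5, the in-memory user table and the shared secret are assumptions; a real server would verify the password against AD and the token against the vendor backend.

```python
"""RFC 2865 Access-Request carrying AD password + OTP, and a minimal OTP-aware
RADIUS server, showing how an OTP product plugs into NPS/IAS or RRAS.
Added example, not from the thread or any vendor. Assumptions: User-Password is
the AD password followed by a 6-digit HOTP value, a look-ahead window of 5
counters, and an in-memory user table standing in for AD plus the token backend."""
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32   # RADIUS attribute types
OTP_DIGITS, HOTP_WINDOW = 6, 5                        # assumptions for this example

def hotp(seed, counter, digits=OTP_DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack("!Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack("!I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)

def xor_stream(data, secret, authenticator, decrypt=False):
    """RFC 2865 5.2 User-Password hiding: block i is XORed with MD5(secret + previous
    block), the first block with MD5(secret + Request Authenticator)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        mixed = bytes(x ^ y for x, y in zip(block, pad))
        out, prev = out + mixed, (block if decrypt else mixed)
    return out

def attr(t, value):
    return struct.pack("!BB", t, len(value) + 2) + value

def build_access_request(ident, username, password, otp, secret, nas_id=b"owa-proxy"):
    """NAS side. Returns (packet, request_authenticator); the latter checks the reply."""
    req_auth = os.urandom(16)
    cred = (password + otp).encode()
    cred += b"\x00" * (-len(cred) % 16)               # pad to a 16-byte multiple
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, xor_stream(cred, secret, req_auth))
             + attr(NAS_IDENTIFIER, nas_id))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth

def parse_packet(pkt):
    """Split code/id/length/authenticator/attributes, rejecting malformed lengths."""
    if len(pkt) < 20:
        raise ValueError("truncated RADIUS packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("RADIUS length field mismatch")
    attrs, i = {}, 20
    while i < length:
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > length:
            raise ValueError("bad attribute length")
        attrs[t] = pkt[i + 2:i + l]
        i += l
    return code, ident, pkt[4:20], attrs

def response_authenticator(code, ident, req_auth, secret, attrs=b""):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(hdr + req_auth + attrs + secret).digest()

class OtpRadiusServer:
    """users: name -> {"password": str, "seed": bytes, "counter": int} (stands in for AD + token DB)."""
    def __init__(self, secret, users):
        self.secret, self.users = secret, users

    def handle(self, pkt):
        code, ident, req_auth, attrs = parse_packet(pkt)
        ok = False
        if code == ACCESS_REQUEST and USER_NAME in attrs and USER_PASSWORD in attrs:
            cred = xor_stream(attrs[USER_PASSWORD], self.secret, req_auth, decrypt=True).rstrip(b"\x00")
            ok = self.check(attrs[USER_NAME].decode(errors="replace"), cred[:-OTP_DIGITS], cred[-OTP_DIGITS:])
        code = ACCESS_ACCEPT if ok else ACCESS_REJECT
        return struct.pack("!BBH", code, ident, 20) + response_authenticator(code, ident, req_auth, self.secret)

    def check(self, user, password, otp):
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(rec["password"].encode(), password):
            return False
        for c in range(rec["counter"], rec["counter"] + HOTP_WINDOW):
            if hmac.compare_digest(hotp(rec["seed"], c).encode(), otp):
                rec["counter"] = c + 1                # consumed: a replay of this value now fails
                return True
        return False

def verify_response(resp, req_auth, secret):
    """NAS side: trust the reply code only if the Response Authenticator checks out."""
    code, ident, auth, _ = parse_packet(resp)
    expected = response_authenticator(code, ident, req_auth, secret, resp[20:])
    return hmac.compare_digest(auth, expected), code

def demo():
    """One accepted logon, then a replay of the same packet, which is rejected."""
    secret, seed = b"shared-radius-secret", b"12345678901234567890"   # RFC 4226 test seed
    server = OtpRadiusServer(secret, {"alice": {"password": "Passw0rd!", "seed": seed, "counter": 0}})
    req, req_auth = build_access_request(7, "alice", "Passw0rd!", hotp(seed, 0), secret)
    ok1, code1 = verify_response(server.handle(req), req_auth, secret)
    ok2, code2 = verify_response(server.handle(req), req_auth, secret)
    return code1, code2, ok1 and ok2                  # (Access-Accept, Access-Reject, True)
```

User-Password hiding is MD5 obfuscation under the shared secret, not encryption, and the Response Authenticator is the only integrity check on the reply; that is why the gateway advice above matters in practice: keep the NAS-to-server hop on a trusted or IPsec-protected path and the shared secret long and per-client.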

Author Closing Comment

ID: 40557917
Thanks for all the input.

Additionally, I'm going to look into SafeNet Authentication Service (http://www2.safenet-inc.com/sas/index.html) and Symantec VIP (http://www.symantec.com/vip-authentication-service/).
