Solved

Multi Factor Authentication for Terminal Server

Posted on 2016-10-05
6
27 Views
Last Modified: 2016-10-26
Who has successfully implemented multifactor authentication on there terminal servers?

What solution do you use? What do you like about it? hate about it? cost?


Has any found a way to use client certificates as two factor authentication?
In an ideal world I would love to build a certificate authority and just issue a self signed cert to my company owned machines. If you don't have the cert, you can't login!  I just wish it was that easy...
0
Comment
Question by:PerimeterIT
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 25

Assisted Solution

by:Coralon
Coralon earned 250 total points (awarded by participants)
ID: 41832513
I've done 2-factor with Citrix (a while back).. We used RSA and it gets implemented at the Web Interface server.  It worked great; the only significant issue was the cost, but going with soft tokens cut the cost in half (~$30/token).

Management was pretty good, although as the hardware tokens began to expire it was some effort to get new ones rolled out to replace the expiring ones.  RSA did have the web facilities to make it easier to roll, but non-IT people had some trouble following directions (reading them back to the user made them 'magically' understand it.  This was a while back, and I know a lot of their stuff has changed since then.

I have not done the client certificates, but I have seen other Citrix implementations where it has been done.  It works pretty well, but the clients have to be managed very carefully to not break the Citrix/card software link.  It's supposed to be very easy to fix.. but can be fairly easily broken.

Coralon
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 41832573
I use Microsoft Azure Multifactor Authentication (phonefactor) . Used it before Microsoft bought it several years ago. It ties into the Remote Desktop Gateway as a RADIUS proxy. We pay per use, not per user, so we don't have to worry which fraction of our users actually use it. The hardest part is figuring out how to buy and consume Azure services. We don't need to provision any tokens (hard or soft), so it's really easy for our users.
0
 
LVL 43

Expert Comment

by:Amit
ID: 41832587
RSA is the answer for your query.
0
Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

 
LVL 1

Author Comment

by:PerimeterIT
ID: 41832739
Amit can you be more specific? link?
0
 
LVL 43

Accepted Solution

by:
Amit earned 250 total points (awarded by participants)
ID: 41833583
There is the product from EMC.
https://www.rsa.com/en-us
https://www.rsa.com/en-us/products-services/identity-access-management/securid/authentication-agents/authentication-agent-for-microsoft-windows

Which is normally used for 2 factor authentication. I am using it currently, however not deployed it. Check with vendor for more detail.
0
 
LVL 43

Expert Comment

by:Amit
ID: 41859960
Best answer given.
0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will review the basic installation and configuration for Windows Software Update Services (WSUS) in a Windows 2012 R2 environment.  WSUS is a Microsoft tool that allows administrators to manage and control updates to be approved and ins…
Understanding the various editions available is vital when you decide to purchase Windows Server 2012. You need to have a basic understanding of the features and limitations in each edition in order to make a well-informed decision that best suits y…
In this Micro Tutorial viewers will learn how they can get their files copied out from their unbootable system without need to use recovery services. As an example non-bootable Windows 2012R2 installation is used which has boot problems.
This tutorial will walk an individual through the process of configuring basic necessities in order to use the 2010 version of Data Protection Manager. These include storage, agents, and protection jobs. Launch Data Protection Manager from the deskt…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question