Multi Factor Authentication for Terminal Server

Who has successfully implemented multifactor authentication on there terminal servers?

What solution do you use? What do you like about it? hate about it? cost?


Has any found a way to use client certificates as two factor authentication?
In an ideal world I would love to build a certificate authority and just issue a self signed cert to my company owned machines. If you don't have the cert, you can't login!  I just wish it was that easy...
LVL 1
PerimeterITAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

CoralonCommented:
I've done 2-factor with Citrix (a while back).. We used RSA and it gets implemented at the Web Interface server.  It worked great; the only significant issue was the cost, but going with soft tokens cut the cost in half (~$30/token).

Management was pretty good, although as the hardware tokens began to expire it was some effort to get new ones rolled out to replace the expiring ones.  RSA did have the web facilities to make it easier to roll, but non-IT people had some trouble following directions (reading them back to the user made them 'magically' understand it.  This was a while back, and I know a lot of their stuff has changed since then.

I have not done the client certificates, but I have seen other Citrix implementations where it has been done.  It works pretty well, but the clients have to be managed very carefully to not break the Citrix/card software link.  It's supposed to be very easy to fix.. but can be fairly easily broken.

Coralon
kevinhsiehCommented:
I use Microsoft Azure Multifactor Authentication (phonefactor) . Used it before Microsoft bought it several years ago. It ties into the Remote Desktop Gateway as a RADIUS proxy. We pay per use, not per user, so we don't have to worry which fraction of our users actually use it. The hardest part is figuring out how to buy and consume Azure services. We don't need to provision any tokens (hard or soft), so it's really easy for our users.
AmitIT ArchitectCommented:
RSA is the answer for your query.
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

PerimeterITAuthor Commented:
Amit can you be more specific? link?
AmitIT ArchitectCommented:
There is the product from EMC.
https://www.rsa.com/en-us
https://www.rsa.com/en-us/products-services/identity-access-management/securid/authentication-agents/authentication-agent-for-microsoft-windows

Which is normally used for 2 factor authentication. I am using it currently, however not deployed it. Check with vendor for more detail.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
AmitIT ArchitectCommented:
Best answer given.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012

From novice to tech pro — start learning today.