RSA SecureID as Primary Authentication for external users

  • Question

  • This is a question regarding ADFS 3.0 on Server 2012 R2.

    We have a Relying Party configured to use Windows Authentication for intranet users and Forms Authentication with MFA (RSA SecureID) for external users through a proxy. Our only Claims provider is Active Directory. Currently when an external user goes to the RP website they are prompted for email address and AD password and then RSA token on separate page. Is it possible to suppress the AD password and only require email address and RSA token to authenticate external users? The intent is not to expose their domain password on non domain computers and allow them to access the RP website with just the RSA token. 

    Is this even possible in ADFS 3.0?

    Thanks

    Tuesday, July 12, 2016 4:51 PM

Answers

  • It is not possible with ADFS in Windows Server 2012 R2.

    There is a way to enable this kind of scenario with ADFS for Windows Server 2016 TP with Azure MFA and Microsoft Passport: https://technet.microsoft.com/en-us/library/mt695662.aspx.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Tuesday, July 12, 2016 6:06 PM

All replies

  • It is not possible with ADFS in Windows Server 2012 R2.

    There is a way to enable this kind of scenario with ADFS for Windows Server 2016 TP with Azure MFA and Microsoft Passport: https://technet.microsoft.com/en-us/library/mt695662.aspx.


    Does this mean that only Microsoft's MFA solution can be used as the primary authentication method? So in the original question, RSA would have to be replaced with Azure MFA?
    Tuesday, November 1, 2016 12:07 AM
  • Please create a separate thread. Thanks :)

    Thursday, November 3, 2016 4:24 AM
  • "There is a way to enable this kind of scenario with ADFS for Windows Server 2016 TP with Azure MFA and Microsoft Passport"

    Asking you to clarify the answer to the original question requires a separate thread?

    Thursday, November 3, 2016 4:28 AM
  • Just saying because the thread is marked as answered already, you are not the original poster and the thread was offline for more than 2 months. So I thought it would be better to bring up this interesting subject in another thread. But it is up to you :)

    Here is some more information:

    https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa

    You can use Azure MFA as primary authentication. In other words, the user will not need to enter the password anymore. This requires using the mobile app for MFA though (to avoid spam and other abuse with SMS and phone calls). Or an alternative is to configure Windows Hello for Business (formerly known as Microsoft Passport for Business). That one is slightly more complex because it requires Windows 10 and Windows Server 2016 DCs, see https://technet.microsoft.com/en-us/itpro/windows/keep-secure/manage-identity-verification-using-microsoft-passport (note that this article is just about Windows Hello, not its integration with ADFS 2016; the documentation will be updated at some point in a few weeks).


    Thursday, November 3, 2016 6:11 AM
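The password-less extranet setup described in the reply above, as an added example that is not part of the original thread or of the linked Microsoft article: it uses the AD FS 2016 PowerShell cmdlets to keep Windows Authentication for intranet users and make Azure MFA the primary (and only) authentication method for extranet users. It assumes the Azure MFA adapter has already been registered on the farm (the tenant ID below is a placeholder) and that the farm behaviour level is Windows Server 2016.

```powershell
# Added example (not from the thread). Run on an AD FS 2016 server as a farm administrator.
# Assumption: the Azure MFA adapter was registered beforehand, e.g.
#   Set-AdfsAzureMfaTenant -TenantId '<YOUR-TENANT-ID>' -ClientId '<CLIENT-ID-FROM-THE-ARTICLE>'
# Until that step is done, "AzureMfaAuthentication" is not a selectable provider.

$policy = Get-AdfsGlobalAuthenticationPolicy

# Record the state the original poster describes: Forms (AD password) for extranet users,
# with the third-party token (RSA) registered only as an additional provider.
Write-Host "Before - extranet primary : $($policy.PrimaryExtranetAuthenticationProvider -join ', ')"
Write-Host "Before - intranet primary : $($policy.PrimaryIntranetAuthenticationProvider -join ', ')"
Write-Host "Before - additional       : $($policy.AdditionalAuthenticationProvider -join ', ')"

# Make Azure MFA the ONLY primary method for extranet users, so no domain password is ever
# typed on a non-domain computer. Intranet users keep Windows Authentication (Forms as fallback).
Set-AdfsGlobalAuthenticationPolicy `
    -PrimaryExtranetAuthenticationProvider 'AzureMfaAuthentication' `
    -PrimaryIntranetAuthenticationProvider @('WindowsAuthentication', 'FormsAuthentication')

# Verify the change took effect and that the password-based provider is gone from the extranet list.
$policy = Get-AdfsGlobalAuthenticationPolicy
if ($policy.PrimaryExtranetAuthenticationProvider -contains 'FormsAuthentication') {
    throw 'FormsAuthentication is still a primary extranet provider; password prompts will remain.'
}
if ($policy.PrimaryExtranetAuthenticationProvider -notcontains 'AzureMfaAuthentication') {
    throw 'AzureMfaAuthentication was not applied; check that the Azure MFA adapter is registered.'
}
Write-Host "After  - extranet primary : $($policy.PrimaryExtranetAuthenticationProvider -join ', ')"
```

As the reply notes, Azure MFA as primary authentication only works with the Microsoft Authenticator mobile app (notification or verification code), so users must have it registered before the extranet policy is switched, or they will be locked out of external access.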