Use Credential Provider based on policy or something like it.

    Question

  • Hello,

    My company is deploying a solution to implement 2FA. We do this by using an authentication server that comes with a custom Credential Provider (CP) that has to be installed on the server (2012 R2 and 2016).

    It works fine, but the only problem is that you always have to use this CP, so when the authentication server goes down, you can't log in because the CP always sends the request to the authentication server.

    Now I am wondering if there maybe is a policy or something like that which lets a specific user or computer use another CP than the one that is enabled as default (the custom one), so we can log in to the server even when the custom authentication server is down, because that user uses the default Windows CP.

    If there maybe is another way that doesn't involve policies, I would still like to hear it.

    Thanks,

    Friday, March 10, 2017 8:31 AM

Answers

  • Hi,
    In my opinion, you could check whether Credential Security Support Provider (CredSSP) authentication is enabled or disabled: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.wsman.management/get-wsmancredssp and then, according to the result, restrict accounts logging in. Generally, we could use the Deny log on locally policy under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment, but as Martin said, logon configuration is a machine thing which only affects the machine account. Just for reference, you could consider if it works for you.
    Best regards,
    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, March 13, 2017 8:03 AM
    Moderator
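Added example, not part of the thread or of the vendor's product: a PowerShell audit of the "Deny log on locally" right the reply above points to. `Get-WSManCredSSP` only reports the WinRM CredSSP delegation state, which is separate from the interactive logon path that a credential provider sits in, so the script concentrates on the user right itself. It exports the effective local security policy with `secedit` and resolves the accounts assigned `SeDenyInteractiveLogonRight`. Two caveats worth having in front of you before you use that right as a workaround: it is a machine-wide setting, and a denied account cannot log on interactively at all on that machine, whichever credential provider is in use. Run it in an elevated PowerShell on the 2012 R2 or 2016 host.

```powershell
# Added example (not from the thread): list the accounts denied interactive logon
# on this machine, i.e. the "Deny log on locally" user right
# (SeDenyInteractiveLogonRight). Requires an elevated prompt for secedit /export.

function Get-DenyInteractiveLogon {
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        # secedit writes the effective local policy to an INI-style, UTF-16 file
        secedit /export /cfg $cfg /quiet | Out-Null
        if (-not (Test-Path $cfg)) { throw "secedit export failed (run elevated?)" }

        $line = Get-Content $cfg -Encoding Unicode |
                Where-Object { $_ -match '^SeDenyInteractiveLogonRight\s*=' }
        if (-not $line) { return @() }      # right is not assigned to anyone

        # Right-hand side is a comma-separated list; SIDs are prefixed with '*'
        $raw = ($line -split '=', 2)[1].Trim()
        foreach ($entry in $raw -split ',') {
            $entry = $entry.Trim()
            if ($entry.StartsWith('*')) {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $name = '(unresolved SID)' }
                [pscustomobject]@{ Account = $name; Sid = $sid.Value }
            } else {
                [pscustomobject]@{ Account = $entry; Sid = $null }
            }
        }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

# Usage: show who is currently denied interactive logon on this machine
Get-DenyInteractiveLogon | Format-Table -AutoSize
```

An empty result means the right is not assigned, which is the default on a member server. Anything listed here is blocked from the console and from RDP logon regardless of which credential provider collects the credentials, so the right cannot be used to steer one account to a different provider; it can only keep an account off the machine entirely.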

All replies

  • Edit: what also would be a nice option is if I could restrict the usage of the default Windows CP for certain users, let's say that only the admin is allowed to log in with the default CP, and that thus forces the other users to use the custom one.
    Friday, March 10, 2017 12:43 PM
  • > My company is deploying a solution to implement 2FA. We do this by using an authentication server that comes with a custom Crential Provider(CP) that has to be installed on the server (2012R2 and 2016).
     
    If I interpret this correctly, your CP intercepts authentication requests on the Domain Controller? Or is it installed where the user logs on? Anyway, you need to talk to the manufacturer. Afaik there's no built-in mechanism to switch auth providers based on user request. The CP should recognize that its AS is down, and then hand auth over to Windows CredSSP.
     
    Friday, March 10, 2017 12:46 PM
  • > Edit, what also would be a nice option is if i restrict the usage of the default windows CP for certain users,
     
    This too needs to be solved within the CP. Logon configuration is a machine thing, and the machine does not know who will log on later.
     
    Friday, March 10, 2017 12:46 PM
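Added example, not part of the thread: a PowerShell listing of what LogonUI actually has to work with on a machine, which is the concrete form of the point made above that logon configuration is a machine setting. Credential providers are registered under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers`, one subkey per CLSID, and the only policy knobs for them ("Exclude credential providers" and "Default credential provider" under Computer Configuration > Administrative Templates > System > Logon) write machine-wide values under `HKLM\...\Policies\System`. Everything lives under HKLM and is read before anyone has signed in, so there is no per-user dimension to select from. The `Disabled` value per provider is read only if present; some in-box providers carry it.

```powershell
# Added example (not from the thread): enumerate registered credential providers
# and the machine-wide policy that excludes providers or picks a default one.
# All of these keys are under HKLM; LogonUI reads them before any user is known.

$provKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-CredentialProviders {
    $pol      = Get-ItemProperty $policyKey -ErrorAction SilentlyContinue
    $excluded = @()
    if ($pol.ExcludedCredentialProviders) {
        # "Exclude credential providers" policy: comma-separated list of CLSIDs
        $excluded = $pol.ExcludedCredentialProviders -split ',' | ForEach-Object { $_.Trim() }
    }
    $default = $pol.DefaultCredentialProvider   # "Default credential provider" policy, a single CLSID

    foreach ($k in Get-ChildItem $provKey) {
        $clsid = $k.PSChildName
        $props = Get-ItemProperty $k.PSPath
        # The COM registration tells you which DLL implements the provider
        $dll = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
                -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{
            Name               = $props.'(default)'
            Clsid              = $clsid
            Dll                = $dll
            DisabledInRegistry = [bool]($props.PSObject.Properties['Disabled'] -and $props.Disabled -eq 1)
            ExcludedByPolicy   = $excluded -contains $clsid
            IsPolicyDefault    = ($default -ne $null) -and ($default -eq $clsid)
        }
    }
}

# Usage: which providers are registered, which DLL they come from, and how policy treats them
Get-CredentialProviders | Sort-Object Name | Format-Table -AutoSize
```

A third-party 2FA provider shows up here as one more CLSID pointing at the vendor's DLL. Excluding the in-box password provider by policy, which is how some vendors enforce their own, applies to the whole machine, so a second, fallback provider would have to be built into the vendor's DLL itself; that is the "solve it within the CP" conclusion the reply above reaches.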
  • Okay, I have already contacted the manufacturer and it's not possible.

    Do you know if I can restrict the login of certain accounts with the Windows CredSSP then?

    For instance, only allow the Administrator to log in with it, and when a regular user tries it, it doesn't let him log in?

    Friday, March 10, 2017 1:17 PM