Multifactor authentication for AD logins

  • Question

  • Hello IT Folk,

    This question has been asked multiple times with no answers yet. It's a bit frustrating since it is quite an important topic. We have a Windows 2012R2 environment and would like to use multifactor authentication for domain admin accounts. Is this possible? Say for example you have to enter a security code that is sent to your cellphone or something similar.

    Here are the links to similar questions being asked.

    https://social.technet.microsoft.com/Forums/en-US/07f54749-66db-4d11-8fc6-520936c00caa/multi-factor-authentication?forum=MBSA

    https://social.technet.microsoft.com/Forums/en-US/2f4db4b3-84d4-408b-8524-86cfe9869a03/multifactor-authentication-creating-a-plan?forum=whatforum

    https://social.technet.microsoft.com/Forums/en-US/2a66c2e5-f726-4e8e-8786-3d8800f19bad/multi-factor-authentication?forum=itmanager

    Thanks!

    Friday, September 4, 2015 4:32 AM

Answers

  • Hi Mr.Hod,

    As far as I know, we may use a smart card to enable multifactor authentication. The smart card contains a chip that stores the user's private key, logon information, and public key certificate for various purposes. The user inserts the card into a smart card reader attached to the computer and then types in a PIN when requested. But it seems that the smart card logon is a computer setting; we may use the method to secure computer resources.

    We may use group policy to enable "require smart card" logon on the computer. Run mmc, add the Local Group Policy snap-in, then click Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Interactive logon: Require smart card.

    Best regards,

    Anne He


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Tuesday, September 8, 2015 6:58 AM
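    The following is an added example, not code from the thread above. It puts the "Interactive logon: Require smart card" option described in the reply into a domain GPO so it reaches every admin workstation rather than one local policy, and it goes one step beyond the reply by also setting the per-account flag "Smart card is required for interactive logon" (SCRIL) on the members of the privileged groups the original question is about, which travels with the account instead of the computer. It assumes the ActiveDirectory and GroupPolicy RSAT modules are installed, and the GPO name "Tier0 Admin Workstations" is a hypothetical name standing in for whatever GPO is linked to the admin workstation OU.

    ```powershell
    # Added example (not from the original thread). Assumes the ActiveDirectory and
    # GroupPolicy RSAT modules are installed and that a GPO named "Tier0 Admin
    # Workstations" (hypothetical name) is linked to the OU holding the admin workstations.
    #Requires -Modules ActiveDirectory, GroupPolicy

    # --- 1. Computer side: "Interactive logon: Require smart card" ---
    # The security option from the reply is stored under the Policies\System key as
    # the DWORD 'scforceoption'. Setting it in a domain GPO applies it to every
    # computer in the linked OU instead of one local policy at a time.
    $gpoName = 'Tier0 Admin Workstations'   # hypothetical GPO name
    Set-GPRegistryValue -Name $gpoName `
        -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -ValueName 'scforceoption' -Type DWord -Value 1 | Out-Null

    # "Interactive logon: Smart card removal behavior": 1 = lock workstation,
    # 2 = force logoff. Without this the second factor only matters at logon time.
    Set-GPRegistryValue -Name $gpoName `
        -Key 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
        -ValueName 'ScRemoveOption' -Type String -Value '1' | Out-Null

    # --- 2. Account side: "Smart card is required for interactive logon" (SCRIL) ---
    # Per-user flag on the AD account (userAccountControl bit 0x40000). It follows the
    # admin account to any computer, so it is not limited to machines that got the GPO.
    function Set-SmartCardRequired {
        param([Parameter(Mandatory)][string]$GroupName)
        Get-ADGroupMember -Identity $GroupName -Recursive |
            Where-Object objectClass -eq 'user' |
            Get-ADUser -Properties SmartcardLogonRequired |
            Where-Object { -not $_.SmartcardLogonRequired } |
            ForEach-Object {
                Set-ADUser -Identity $_ -SmartcardLogonRequired $true
                Write-Host "SCRIL enabled for $($_.SamAccountName)"
            }
    }

    # --- 3. Check: which privileged accounts can still log on with a password only? ---
    function Get-PasswordOnlyAdmins {
        param([string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Administrators'))
        $Groups | ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
            Where-Object objectClass -eq 'user' |
            Sort-Object -Property distinguishedName -Unique |
            Get-ADUser -Properties SmartcardLogonRequired, LastLogonDate |
            Where-Object { -not $_.SmartcardLogonRequired } |
            Select-Object SamAccountName, Enabled, LastLogonDate
    }

    Set-SmartCardRequired -GroupName 'Domain Admins'
    Get-PasswordOnlyAdmins | Format-Table -AutoSize
    ```

    Two caveats for anyone running this against a 2012 R2 domain. Smart card logon needs Kerberos PKINIT, so the domain controllers must hold a Domain Controller (or Kerberos Authentication) certificate from an enterprise CA before the flag is set, or the accounts lock themselves out. And SCRIL replaces the account password with a random value rather than removing it: the resulting NT hash is still a valid credential for NTLM and pass-the-hash, so rotate it by clearing and re-setting the flag on a schedule until the domain runs at a functional level that rolls it automatically.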
  • We have this working with a user and machine combination.
    The AD machine account needs to be a member of a security group.

    By starting the NAP client on the client machine, you will receive machine account information with a user logon.
    This way you are able to identify a user on a certain machine.

    No tokens, smart cards or whatever needed.
    1st factor is knowing the username and password.
    2nd factor is owning the machine that is a member of an AD security group.

    I need to add a little side note:
    Unfortunately Microsoft decided to stop NAP with Windows 10 and Windows Server 2016.
    So this is not a future-proof solution, but until now it works like a charm.

    • Marked as answer by Mr. Hod Thursday, October 15, 2015 3:45 AM
    Tuesday, September 29, 2015 1:28 PM

All replies

  • You can use Azure Multi factor authentication.

    http://azure.microsoft.com/en-us/services/multi-factor-authentication/

    There's a free trial.

    Friday, September 4, 2015 9:45 AM
  • No you can't, can you?

    Azure multifactor authentication is only for web apps and Azure/cloud-related processes. I didn't see how you could use this for AD authentication.

    Monday, September 7, 2015 5:55 AM