Implementing Two-factor authentication with Windows 2008 r2 ?
Question
Answers
-
Hi,
> does Windows 2008 r2 DC supports that ?
Yes.
Windows 7 and Windows Server 2008 R2 support Extended Protection for Integrated Authentication. This feature enhances the protection and handling of credentials when authenticating network connections using Integrated Windows Authentication (IWA).
Extended Protection for Authentication is a feature that helps to protect credentials for network connections that are being authenticated using Integrated Windows authentication. Integrated Windows authentication uses the Negotiate, Kerberos, and NTLM authentication methods. We strongly recommend that you use Extended Protection for Authentication if you're using Integrated Windows authentication.
To use this feature, both the client and the server must be running a Microsoft Windows operating system that includes the Extended Protection for Authentication security update.
Default installations of Windows 7 and Windows Server 2008 R2 operating systems include this security update. However, for client or server computers that are running other versions of Windows (for example Windows Vista or Windows Server 2008 SP2), you must install the update. For detailed information about the operating systems that are supported by default, see Microsoft Knowledge Base article 973811, Microsoft Security Advisory: Extended protection for authentication.
For more information please refer to following MS articles:
Understanding Extended Protection for Authentication
http://technet.microsoft.com/en-us/library/ff459225.aspx#requirements
Microsoft Security Advisory: Extended protection for authentication
http://support.microsoft.com/?kbid=973811
Authentication failure from non-Windows NTLM or Kerberos servers
http://support.microsoft.com/kb/976918Hope this helps!
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Lawrence
TechNet Community Support
- Marked as answer by Yan Li_ Thursday, August 9, 2012 5:06 AM
All replies
-
There are a number of 3rd party tools that provide this functionality, and most of them all support Active Directory, no matter which version. You've already found Battle, and some of the others out there are:
- RSA SecurID Two-Factor Authentication (very popular): http://www.rsa.com/products/securid/sb/10695_SIDTFA_SB_0210.pdf
- Quest Defender: http://www.quest.com/defender/
- AuthLite Two Factory Auth: https://ardvaark.net/authlite-two-factor-authentication-for-windows-and-active-directory & http://authlite.com/
- And numerous more. You can search Bing or Google for "Active Directory Tw
.
Maybe the SANS write-up and the buyer's guide in the following links will help you decide?
SANS: Two-Factor Authentication: Can You Choose the Right One?
http://www.sans.org/reading_room/whitepapers/authentication/two-factor-authentication-choose-one_33093Buyer's Guide: Two-Factor Authentication
http://www.windowsitpro.com/article/security/buyers-guide-two-factor-authentication.
I guess it comes down to budget?
.
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.phpThis post is provided AS-IS with no warranties or guarantees and confers no rights.
- Proposed as answer by Meinolf Weber Thursday, July 12, 2012 6:45 PM
-
Hi,
> does Windows 2008 r2 DC supports that ?
Yes.
Windows 7 and Windows Server 2008 R2 support Extended Protection for Integrated Authentication. This feature enhances the protection and handling of credentials when authenticating network connections using Integrated Windows Authentication (IWA).
Extended Protection for Authentication is a feature that helps to protect credentials for network connections that are being authenticated using Integrated Windows authentication. Integrated Windows authentication uses the Negotiate, Kerberos, and NTLM authentication methods. We strongly recommend that you use Extended Protection for Authentication if you're using Integrated Windows authentication.
To use this feature, both the client and the server must be running a Microsoft Windows operating system that includes the Extended Protection for Authentication security update.
Default installations of Windows 7 and Windows Server 2008 R2 operating systems include this security update. However, for client or server computers that are running other versions of Windows (for example Windows Vista or Windows Server 2008 SP2), you must install the update. For detailed information about the operating systems that are supported by default, see Microsoft Knowledge Base article 973811, Microsoft Security Advisory: Extended protection for authentication.
For more information please refer to following MS articles:
Understanding Extended Protection for Authentication
http://technet.microsoft.com/en-us/library/ff459225.aspx#requirements
Microsoft Security Advisory: Extended protection for authentication
http://support.microsoft.com/?kbid=973811
Authentication failure from non-Windows NTLM or Kerberos servers
http://support.microsoft.com/kb/976918Hope this helps!
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Lawrence
TechNet Community Support
- Marked as answer by Yan Li_ Thursday, August 9, 2012 5:06 AM
-
Hi,
I would like to confirm what is the current situation? Have you resolved the problem?
If there is anything that we can do for you, please do not hesitate to let us know, and we will be happy to help.
Lawrence
TechNet Community Support
