Is Two Factor Auth for RDP possible?

  • Is two factor authentication possible when using RDP with a Windows server, say by using a time dependent code?

    Google has many hits for "rdp two factor"

    I did that, the only stuff it comes up with is ads for third party products. I asked specifically if it can be done with Windows Server.

    You generally do need a third party product for the second factor - there's no "Microsoft 2nd Factor". RDP auth is the same as for a server or desktop logon. You may like this: http://www.rohos.com/2013/02/google-authenticator-windows-login/

  • Yes, it is possible.

    If you want to have two factor authentication, which is natively supported by Windows, you could choose to use smart cards or virtual smart cards.

    As far as I know, to get one time passwords for RDP authentication you'll have to use third party solutions. For example, you could try Duo Security's Duo Authentication for Windows Logon and RDP. Alternatively, as paj28 pointed out, you could google other ready-made solutions.

    Can you elaborate on the smart cards / virtual smart cards aspect?

    When you want to authenticate with a smartcard, you should set up a Microsoft CA. Then you should get a smartcard and enroll a "smartcard logon certificate" on it. Then your domain controllers need "Domain Controller" certificates or more modern templates. Now you can log on with the smartcard to the server. Depending on how many users you have, you should consider using a 3rd party solution, because Microsoft CA can only enroll certificates and not manage smartcards. Take a look at the SafeNet Authentication Manager.

  • If you are asking for a time dependent code, you probably mean one time passwords based on the TOTP algorithm like the Google Authenticator or some hardware OTP token.

    You can do so, as alex pointed out, with many different 3rd party solutions. Disclaimer: mine is privacyIDEA, which provides a backend system to manage the tokens and a privacyIDEA credential provider, which asks for the additional one time password that is verified against the backend.

    As you need the backend to verify the OTP value, this will only work online. But as you are asking for authentication at Windows servers, these are probably online and not running on your offline notebook ;-)
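The backend check this answer describes, as an added example that is not privacyIDEA's code and not from the original post: a minimal RFC 6238 TOTP verifier in Python, the kind of thing a credential provider would call with the user's token serial and the six digits they typed. The token serial, the one-step clock-skew window and the per-token "last accepted counter" are assumptions made for illustration; the demo secret is the RFC 6238 test key ("12345678901234567890", base32-encoded), embedded here as constructed sample data. It also shows why the check needs a server-side state: the secret and the last used counter live on the backend, which is the reason the answer says this only works online.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1(secret, counter), dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since the Unix epoch."""
    return hotp(secret, at_time // step, digits)


class TotpVerifier:
    """The verification side of an OTP backend (illustrative, not privacyIDEA's API).

    Per token it keeps the shared secret and the last accepted time-step counter, so a
    code seen over the shoulder or captured by a keylogger cannot be replayed, even
    while it is still inside the skew window.
    """

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1) -> None:
        self.step = step
        self.digits = digits
        self.window = window          # accept +/- this many steps of clock skew
        self.tokens: Dict[str, dict] = {}   # serial -> {"secret": bytes, "last_counter": int}

    def enroll(self, serial: str, base32_secret: str) -> None:
        # Authenticator apps exchange the secret in base32; re-add any stripped padding.
        padded = base32_secret.upper() + "=" * (-len(base32_secret) % 8)
        self.tokens[serial] = {"secret": base64.b32decode(padded), "last_counter": -1}

    def verify(self, serial: str, code: str, at_time: Optional[int] = None) -> bool:
        token = self.tokens.get(serial)
        if token is None or not code.isdigit() or len(code) != self.digits:
            return False
        now = int(time.time()) if at_time is None else at_time
        current = now // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= token["last_counter"]:
                continue  # this step (or an older one) was already consumed: treat as replay
            expected = hotp(token["secret"], counter, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                token["last_counter"] = counter
                return True
        return False


if __name__ == "__main__":
    backend = TotpVerifier()
    # Constructed demo token: RFC 6238 test secret "12345678901234567890" in base32.
    backend.enroll("TOTP0001", "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    t = 1234567890
    code = totp(b"12345678901234567890", t)
    print("code:", code)                                         # 005924
    print("first use:", backend.verify("TOTP0001", code, t))    # True
    print("replay:   ", backend.verify("TOTP0001", code, t))    # False
```

The window covers one step of clock drift in each direction; widening it makes a stolen code usable for longer, so the replay check matters more as the window grows. The secret never leaves the backend, which is also why a credential provider cannot do this check while the machine is disconnected.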

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM

Tags used