2FA for AD?


Charles F Sullivan

Jun 11, 2025, 3:11:56 PM
to ntsys...@googlegroups.com
I've been asked to look into this. I'm just wondering if anyone here is using some form of it and how it affects their users and environment.

Because AD is used by so many different services in so many different ways, it seems as if it would have a big impact, affecting more than just interactive logins I assume.

--

Charlie Sullivan

Principal Windows Systems Administrator

Kurt Buff

Jun 11, 2025, 4:06:22 PM
to ntsys...@googlegroups.com
The closest I've come is using Duo auth for console access, so regardless of method of access (RDP, VMware console, Bomgar, etc.) we get a prompt on our phones.

If there's a more comprehensive solution which would protect WinRM/Remoting or other methods, I don't know of it, and wouldn't mind hearing about it.

Kurt

--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/ntsysadmin/CAEuHzzny5L7_av%2B%2B%3D6MSGZ-C1_DgjBMERAF0RqqYK1TvAf7kvQ%40mail.gmail.com.

James Iversen

Jun 11, 2025, 5:02:27 PM
to ntsys...@googlegroups.com
It’s always surprised me to note, if you have 2FA enabled at first login it’s not counted as MFA when accessing anything else. I mean, when does it end? You MFA into your laptop, then MFA into your VPN, then MFA into your OAuth provider to access your MFA jumpstation, and finally MFA into a console to manage AD. I’m so busy using two different RSA tokens, a YubiKey and a different account to manage AD, but that’s not enough. Why don’t service accounts need to MFA each time they programmatically connect to AD to update a user or computer setting? I should just shut up now before some CISO gets a bright idea.
Sent from my iPhone

On Jun 11, 2025, at 4:06 PM, Kurt Buff <kurt...@gmail.com> wrote:



Michael B. Smith

Jun 11, 2025, 5:19:53 PM
to ntsys...@googlegroups.com
Depends on whether the IdPs are federated or not. Entra Id and ADFS are both really good at this, but the target systems have to support it.


From: ntsys...@googlegroups.com <ntsys...@googlegroups.com> on behalf of James Iversen <jeiv...@gmail.com>
Sent: Wednesday, June 11, 2025 5:02:13 PM
To: ntsys...@googlegroups.com <ntsys...@googlegroups.com>
Subject: Re: [ntsysadmin] 2FA for AD?
 

Charles F Sullivan

Jun 11, 2025, 5:20:43 PM
to ntsys...@googlegroups.com
Thanks, guys.

Right James! Those are the kinds of thoughts I had immediately when I was asked. It was a very vague directive. - Just "MFA".

A product was mentioned. A quick look tells me that about all we would be able to do is control RDP logins and privileged account logins. We could force all AD users to use it for logins, but I can already say that it's unrealistic (and expensive, no doubt). Basically it relies on a YubiKey. We already do that for our AnyConnect VPNs.

I'll come back when I know more.

Michael B. Smith

Jun 11, 2025, 5:23:40 PM
to ntsys...@googlegroups.com
Sounds extremely painful.

I've used Duo and Okta and Ping for console access. I've always been surprised that the relevant Microsoft solution for this (NPS) sucks so badly.
From: ntsys...@googlegroups.com <ntsys...@googlegroups.com> on behalf of Kurt Buff <kurt...@gmail.com>
Sent: Wednesday, June 11, 2025 4:06:03 PM

To: ntsys...@googlegroups.com <ntsys...@googlegroups.com>
Subject: Re: [ntsysadmin] 2FA for AD?

Michael B. Smith

Jun 11, 2025, 5:26:35 PM
to ntsys...@googlegroups.com
Imprivata is a player in that space, well known in medical. With RFID badges or NFC-capable YubiKeys that unlock a station when you are about 18" away.
From: 'Charles F Sullivan' via ntsysadmin <ntsys...@googlegroups.com>
Sent: Wednesday, June 11, 2025 5:20:26 PM

To: ntsys...@googlegroups.com <ntsys...@googlegroups.com>
Subject: Re: [ntsysadmin] 2FA for AD?

Perisa, Nik

Jun 11, 2025, 5:32:35 PM
to ntsys...@googlegroups.com


Would Silverfort work?

From: ntsys...@googlegroups.com <ntsys...@googlegroups.com> on behalf of Michael B. Smith <mic...@smithcons.com>
Sent: Thursday, 12 June 2025 7:26 AM

To: ntsys...@googlegroups.com <ntsys...@googlegroups.com>
Subject: Re: [ntsysadmin] 2FA for AD?
 

Kurt Buff

Jun 11, 2025, 5:55:24 PM
to ntsys...@googlegroups.com
I'm hoping for something that is certificate-based - we assign certs to both users and computers from ADCS. That should make things a lot less painful.

The only thing I've ever used NPS for is the RADIUS functionality, for WPA Enterprise. It's been so long since I implemented Direct Access that I can't remember if it uses it - I don't think it does.

Kurt

Severino Juan Miguel

Jun 12, 2025, 2:17:26 AM
to ntsys...@googlegroups.com

Hi

 

AD is based on Kerberos. You can log in with user+password or certificates. The only solutions I am aware of to log in using "password+something else" only protect specific workstations: you require a successful AD login and then MFA to log in on the console or via RDP.

 

So... if you want real MFA for your users, you will need to use certificate-based authentication using smartcards or something with smartcard emulation (I have experience using some models of YubiKeys with PIV support) and don't tell the users the password.

 

Once you are logged into the workstation, if it is domain joined, Windows cares about SSO to other domain joined machines or any system using Kerberos like Omnissa (vmware) Horizon for VDI or ADFS.

 

Best regards

Seve

 

From: 'Charles F Sullivan' via ntsysadmin <ntsys...@googlegroups.com>
Sent: Wednesday, 11 June 2025 21:12
To: ntsys...@googlegroups.com
Subject: [ntsysadmin] 2FA for AD?

 

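The point above is that "real" MFA for AD means the Kerberos credential itself has to be certificate-based, with the account no longer usable by password at all. The following PowerShell is an added example, not code from the thread or from any vendor: it inventories which enabled users in an OU already have "Smart card is required for interactive logon" set, and then enforces it for a pilot group only, in -WhatIf mode. It assumes the RSAT ActiveDirectory module; the OU path and group name are placeholders.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module and
# rights to read and modify the accounts in scope.
Import-Module ActiveDirectory

$SearchBase = 'OU=Users,DC=example,DC=com'   # placeholder, adjust to your domain
$PilotGroup = 'MFA-SmartCard-Pilot'          # placeholder group name

# 1. Inventory: which enabled accounts are still password-only for interactive logon?
$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
    -Properties SmartcardLogonRequired, PasswordLastSet

$report = $users | Select-Object SamAccountName,
    @{ n = 'SmartCardRequired'; e = { [bool]$_.SmartcardLogonRequired } },
    PasswordLastSet
$report | Sort-Object SmartCardRequired, SamAccountName | Format-Table -AutoSize

# 2. Enforcement, pilot group only. When this flag is set, Windows resets the
# account's password to a random value, which is the "don't tell the users the
# password" part. Service accounts and break-glass accounts therefore must not be
# members of the pilot group.
$pilot = Get-ADGroupMember -Identity $PilotGroup -Recursive |
    Where-Object objectClass -eq 'user'

foreach ($member in $pilot) {
    $u = Get-ADUser -Identity $member.distinguishedName -Properties SmartcardLogonRequired
    if (-not $u.SmartcardLogonRequired) {
        # Remove -WhatIf once the report in step 1 looks right.
        Set-ADUser -Identity $u -SmartcardLogonRequired $true -WhatIf
    }
}
```

Run step 1 on its own first; the accounts that show SmartCardRequired = False and a very old PasswordLastSet are the ones to look at before any enforcement, since a stale password on a password-only account is exactly what certificate logon is meant to replace.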

Nathan Woodcock

Jun 12, 2025, 2:42:46 AM
to ntsys...@googlegroups.com

Looked into this recently and it's not simple, and certainly not part of native Windows; they think the Windows Hello PIN is a secure method.


Philip Elder

Jun 13, 2025, 5:16:17 PM
to ntsys...@googlegroups.com

DUO.

 

Philip Elder MCTS

Senior Technical Architect

Microsoft High Availability MVP

MPECS Inc.

E-mail: Phili...@mpecsinc.ca

Phone: +1 (780) 458-2028

Web: www.mpecsinc.com

Blog: blog.mpecsinc.com

Twitter: Twitter.com/MPECSInc

Skype: MPECSInc.

 

Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru Friday.

--

Charles F Sullivan

Jun 16, 2025, 3:50:33 PM
to ntsys...@googlegroups.com
We actually use DUO here for AnyConnect VPN second factor. It does authenticate against AD, but it's not "for AD". Another group is responsible for it and we mostly give them guidance for connecting it to AD.

Looking into it a bit, I see that it can be used for interactive logins. I'll mention this as a possibility.

Philip Elder

Jun 16, 2025, 4:18:42 PM
to ntsys...@googlegroups.com

We have DUO set up to prompt on:

  • Console Logon (physical or iKVM)
  • RDP based logon
  • UAC Prompt
    • Standard User Elevation BLOCKED
    • Admin User Elevation on the Secure Desktop

 

This last one can be a struggle for admins if not used to managing servers with UAC prompting on the Secure Desktop.

  1. Log on DUO Prompt
  2. Server Manager UAC elevation DUO Prompt
    1. SM: Start PowerShell (no prompt)
    2. PoSh: Start Services.MSC

 

We use a local password manager with auto-type for those prompts. It makes it easier to get through the first few with a couple of quick clicks.

 

For RDP sessions, always window the RDP session, never full-screen, as UAC on the Secure Desktop will refuse paste-in for the auto-type credentials.

 

Group Policy and Privileged Access Workstation are also key in the security matrix.

 


 

From: 'Charles F Sullivan' via ntsysadmin <ntsys...@googlegroups.com>
Sent: Monday, June 16, 2025 13:50
To: ntsys...@googlegroups.com
Subject: Re: [ntsysadmin] 2FA for AD?

 

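The Duo setup described above depends on the host's own UAC policy being in the stated posture (standard users cannot elevate, admins are prompted on the Secure Desktop) before the second-factor prompt is layered on top. The following PowerShell is an added example, not code from the thread or from Duo: it reads the four relevant policy values from the registry and reports whether each matches that posture. It is read-only and assumes you run it on the server under an account that can read HKLM.

```powershell
# Added example (not from the thread). Read-only audit of the UAC policy values that
# control elevation prompting on a server.
function Test-UacElevationPolicy {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $expected = @{
        EnableLUA                  = 1   # UAC enabled at all
        ConsentPromptBehaviorUser  = 0   # 0 = automatically deny elevation for standard users
        ConsentPromptBehaviorAdmin = 2   # 2 = prompt for consent (1 = prompt for credentials)
        PromptOnSecureDesktop      = 1   # prompts are shown on the Secure Desktop
    }
    $actual = Get-ItemProperty -Path $key
    foreach ($name in $expected.Keys) {
        $value = $actual.$name
        # For admins, both 1 (credentials) and 2 (consent) keep the prompt; either is
        # acceptable here as long as PromptOnSecureDesktop is also 1.
        $ok = if ($name -eq 'ConsentPromptBehaviorAdmin') {
            $value -in 1, 2
        } else {
            $value -eq $expected[$name]
        }
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected[$name]
            Actual   = $value
            OK       = [bool]$ok
        }
    }
}

Test-UacElevationPolicy | Format-Table -AutoSize
```

A missing value (Actual empty) means the setting is inherited from the OS default rather than set by policy; for ConsentPromptBehaviorUser the default allows standard users to be prompted for admin credentials, which is the "Standard User Elevation BLOCKED" item this check would flag.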

Henry Awad

Jun 16, 2025, 4:21:21 PM
to ntsys...@googlegroups.com
You can install the DUO agent on any server that you want to use it for authentication. Just make sure that anyone who logs in to the servers (especially the domain controllers) creates an offline code so you don't get locked out in an emergency.

Henry Awad
Principal Engineer
Technology Services
The Catholic University of America

Kurt Buff

Jun 16, 2025, 4:40:22 PM
to ntsys...@googlegroups.com
Nice - I was completely unaware of the ability of Duo to prompt standard users for elevation.

I'm going to see if I can make the sysadmins and helpdesk scream a little bit more. If they won't accept having separate admin and user machines, this might help. Of course, I suspect this means that they'll just log into their workstation with their privileged account and use "runas" to start Office apps, and probably web browsers as well, so I'll have to think about how to introduce it.

Kurt

Shawn K. Hall

Jun 16, 2025, 8:07:45 PM
to ntsys...@googlegroups.com
Maybe, but some apps are now fighting back against this.
https://news.risky.biz/risky-bulletin-chrome-will-de-elevate-itself-when-run-with-admin-privileges/

-S



> -----Original Message-----
> From: ntsys...@googlegroups.com
> [mailto:ntsys...@googlegroups.com] On Behalf Of Kurt Buff
> Sent: Monday, June 16, 2025 13:40
> To: ntsys...@googlegroups.com
> Subject: Re: [ntsysadmin] 2FA for AD?

Philip Elder

Jun 17, 2025, 11:12:05 AM
to ntsys...@googlegroups.com

This is the biggest black-eye against both Microsoft and the G00g for destroying the Trustworthy Computing (TwC) initiative by installing into %AppData% where no elevation, or restrictions out of the box, is required.

 

Group Policy Software Restrictions are needed to block this behaviour.

 

It really p*ssed me off when they did that.

 

How did I find out?

 

User: My desktop is really slow this morning.

Me: I'll check.

* After logging on to the Session Host (RDS) I saw one user with a crap load of Chrome instances opened.

 

A bit of investigation brought about the realization that the buggers were slipping it into a location that was never meant to host .EXEs! 😝

 

Da'Bums

 

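The way this was noticed, one user with many Chrome processes on a Session Host, generalises into a quick check: which running processes have their image under a user profile, i.e. in a user-writable location that Software Restriction Policies or AppLocker would normally be expected to block. The following PowerShell is an added example, not code from the thread: it lists those processes with their owning user and summarises them per user and image. It is read-only and assumes the profiles live under the parent of %PUBLIC% (normally C:\Users).

```powershell
# Added example (not from the thread). Lists processes whose executable lives under a
# user profile directory on this host, with the owning user, then summarises them.
function Get-UserProfileProcesses {
    param(
        [string[]]$ExcludeNames = @()   # image names you have approved for per-user install
    )
    $profileRoot = Split-Path -Path $env:PUBLIC -Parent   # typically C:\Users
    Get-CimInstance -ClassName Win32_Process |
        Where-Object {
            $_.ExecutablePath -and
            $_.ExecutablePath.StartsWith($profileRoot, [System.StringComparison]::OrdinalIgnoreCase) -and
            $_.Name -notin $ExcludeNames
        } |
        ForEach-Object {
            $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
            [pscustomobject]@{
                User = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '?' }
                PID  = $_.ProcessId
                Name = $_.Name
                Path = $_.ExecutablePath
            }
        }
}

# Per-user, per-image counts: the view that makes "one user, many Chrome instances"
# stand out on a shared Session Host.
Get-UserProfileProcesses |
    Group-Object User, Name |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Anything this lists is a candidate for the Group Policy Software Restriction Policy or AppLocker rule mentioned above; the detection side only tells you what is already running from the profile, the policy side is what stops the next install from landing there.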

 
