MFA is available in AADS for Windows Vista / Server 2008 and newer.
MFA (multi-factor authentication) can be enabled by enabling either or both of 2FA Mobile and 2FA Email:
2FA Mobile requires that the user has installed an App on their Mobile Device that can generate so-called TOTP codes (Time-based One-Time Passwords), which are based on the Open Standard RFC 6238.
Some examples of these mobile Apps, using TOTP based on the Open Standard RFC 6238:
The (Mobile) Device with the OTP App can be, and should be, completely Offline. This is a relevant aspect of the solution, because it implies that the OTP is not transmitted between the Server and the (Mobile) Device in any way: because nothing is transmitted, and because the (Mobile) Device is Offline, nothing can "capture" or "listen on the line" to steal the OTP code and send it to some hacker/criminal.
Suggestion: when using the (Mobile) Device for a Logon, put the (Mobile) Device into "Flight Mode" before doing the Logon and the 2FA procedure.
The Open Standard RFC 6238 requires that the Server and the (Mobile) Device both have accurate clock settings, including accurate TimeZone settings.
It is not required that the Server and the (Mobile) Device are in the same TimeZone on this planet, but it is required that the clock is properly set.
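To show what the clock requirement means in practice, here is an added example (not part of the AADS documentation or product) that generates and checks RFC 6238 TOTP codes with the RFC test-vector secret; the one-step skew tolerance in `verify_totp` and the helper names are this example's own assumptions, not AADS settings:

```python
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of whole time steps since the epoch.
    Unix time is always UTC, so the time zone of either clock plays no part; only accuracy does."""
    return hotp(secret, unix_time // step, digits)

def verify_totp(secret: bytes, code: str, unix_time: int, digits: int = 6,
                step: int = 30, drift_steps: int = 1) -> bool:
    """Server-side check (assumed policy): accept the current step or up to drift_steps
    neighbours to tolerate small clock skew, comparing every candidate in constant time."""
    if len(code) != digits or not (code.isascii() and code.isdigit()):
        return False
    accepted = False
    for delta in range(-drift_steps, drift_steps + 1):
        candidate = hotp(secret, unix_time // step + delta, digits)
        accepted |= hmac.compare_digest(candidate, code)
    return accepted

def codes_in_two_zones(secret: bytes, digits: int = 6) -> tuple:
    """The same instant on two correctly set clocks: 23:31:30 UTC on 13 Feb 2009 and
    00:31:30 at UTC+1 on 14 Feb 2009 (both Unix time 1234567890) give the same code."""
    utc_clock = datetime(2009, 2, 13, 23, 31, 30, tzinfo=timezone.utc)
    plus_one_clock = datetime(2009, 2, 14, 0, 31, 30, tzinfo=timezone(timedelta(hours=1)))
    return (totp(secret, int(utc_clock.timestamp()), digits),
            totp(secret, int(plus_one_clock.timestamp()), digits))

if __name__ == "__main__":
    print("T=59, 8 digits:", totp(RFC_SECRET, 59, 8))          # 94287082 per RFC 6238
    print("same instant, two zones:", codes_in_two_zones(RFC_SECRET))
    # A device clock one step (30 s) ahead of the server is still accepted here.
    print("1-step skew accepted:", verify_totp(RFC_SECRET, totp(RFC_SECRET, 1234567890 + 30), 1234567890))
```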
2FA Email requires that the Administrator enters the email address of the users into the Windows User Administration:
The Nr. of Digits determines the number of digits of the OTP code as it has to be entered by the user:
If 2FA Mobile is not used and only 2FA Email is used, any number of digits can be chosen, because the recommendation for 6 or 8 digits only applies to the use of OTP Apps on Mobile Devices.
When asked to enter the OTP, the user has to do this within the TimeOut. If the TimeOut is exceeded, the session will be disconnected.
This implies that the email with the OTP needs to be received by the user within this Time Limit.
The Nr. of Tries sets how many tries the user has for correctly entering the OTP.
The Nr. of Tries is synchronized with, i.e. is the same setting as, the Nr. of Failed Login Attempts in the Firewall.
If the user has entered the OTP incorrectly too often, the RDP Firewall will block the user.
By default, it is not required to enter an OTP code when logging in on the Console.
One should carefully consider the necessity before enabling "Apply to the Console", because the Console is often used, or even necessary, in case of problems. And if there are problems, it would be "unfortunate" if it is not possible to log in on the Console because of 2FA... See Trouble: 2FA ...
Note: when the Server is rebooted in "Windows Safe Mode", 2FA is disabled.
Using Multi Factor Authentication for Public IP Addresses is required. This setting cannot be disabled.
Using MFA for Private IP Addresses is optional. For example, it could be that the only people able to enter the office building are the users / employees, so that it never happens that "others" work on PCs / Clients within the office building. In such a case the Administrator can choose not to require 2FA for Private/Local IP Addresses.
The SSL Gateway as implemented by AADServer implies identification of both the client and the server. It is not possible for a random Client to set up an SSL connection with an AADServer.
Therefore one can state that if the SSL Gateway is used, MFA is already done:
If "Apply in case Client uses SSL Gateway" is enabled, one can state that the user is identified in 3 different ways:
Optionally, the user can have a 2FA-OTP Program Item in the Windows Start Menu. The 2FA-OTP program enables the user to "delete" the current Token and generate a new Token at the next logon.
This can be compared to the functionality for the user to be able to change his/her Windows password.
2FA can be applied to all users, or can be applied based on membership of a Windows Group.
This can be a local Group defined on the local AADServer, or a Group defined in the Domain.
© 2012-2023 AADS WorldWide.