11

Is two factor authentication possible when using RDP with a Windows server, say by using a time dependent code?

user25221
  • Google has many hits for "rdp two factor" – paj28 Aug 12 '16 at 10:30
  • I did that, the only stuff it comes up with is ads for third party products. I asked specifically if it can be done with Windows Server. – user25221 Aug 12 '16 at 17:24
  • 1
    You generally do need a third party product for the second factor - there's no "Microsoft 2nd Factor". RDP auth is the same server or desktop. You may like this: http://www.rohos.com/2013/02/google-authenticator-windows-login/ – paj28 Aug 12 '16 at 17:43

2 Answers

8

Yes, it is possible.

If you want to have two factor authentication, which is natively supported by Windows, you could choose to use smart cards or virtual smart cards.

As far as I know, to get one time passwords for RDP authentication you'll have to use third party solutions. For example, you could try Duo Security's Duo Authentication for Windows Logon and RDP. Alternatively, as paj28 pointed out, you could google other ready-made solutions.

  • Can you elaborate on the smart cards / virtual smart cards aspect? – user25221 Aug 12 '16 at 17:29
  • When you want to authenticate with a smartcard, you should setup a Microsoft CA. Then you should get a smartcard and enroll a "smartcard logon certificate" on this. Then your domain controllers need "Domain Controller" certificates or more modern templates. Now you can logon with the smartcard to the server. Depending on how many users you have, you should consider using a 3rd party solution, because Microsoft CA can only enroll certificates and not manage smartcards. Take a look at the SafeNet Authentication Manager. – cornelinux Aug 13 '16 at 21:37
3

If you are asking for a time dependent code, you probably mean one time passwords based on the TOTP algorithm like the Google Authenticator or some hardware OTP token.

You can do so, as alex pointed out, with many different 3rd party solutions. Disclaimer: mine is privacyIDEA, which provides a backend system to manage the tokens and a privacyIDEA credential provider, which asks for the additional one time password which is verified against the backend.

As you need the backend to verify the OTP value, this will only work on-line. But as you are asking for authentication at Windows servers, these are probably online and not running on your offline notebook ;-)

cornelinux