
I'm searching for information about how to integrate U2F (using YubiKey or similar devices) into an Active Directory Windows domain (it will be a Windows Server 2016). In particular, I'm interested in securing the Windows logon to workstations/servers to require a U2F token as a second factor (password only should not work at all).

In short, the goal is that each authentication is done either via password + U2F token or using Kerberos tokens.

Any hints where to find further information about this specific scenario or lessons learned would be great.

Fionn
  • I am not sure if this is easily possible, since U2F was specifically designed for the web as a de-centralized login solution. In theory this might work, but you have to go a very long way. You have to make up an AppID for your domain. The challenge response will be performed locally on the desktop. As the U2F device does not store a smartcard logon certificate you will never be able to do a Kerberos authentication. You will always end up with a client side solution like this one: http://www.turboirc.com/bluekeylogin/ – cornelinux Nov 26 '16 at 07:22
  • Well, at least with a YubiKey a smartcard-based solution is possible if the U2F path is not. Just in case, do you know of good available information about smartcard-based AD? – Fionn Nov 26 '16 at 13:34
  • "Smartcard based AD"? – cornelinux Nov 27 '16 at 11:32
  • You mentioned "As the U2F device does not store a smartcard logon certificate you will never be able to do a Kerberos authentication"; as far as I know the YubiKey at least can be used as a smartcard too. So when using the YubiKey as a smartcard it should be possible to secure Kerberos? The problem is that even documentation about smartcard-secured AD is sparse. – Fionn Nov 28 '16 at 15:45
  • You may start by downloading the PIV Manager from Yubico. https://www.yubico.com/support/knowledge-base/categories/articles/piv-tools/ – cornelinux Nov 28 '16 at 21:11

1 Answer


Short version

I started looking into using FreeRADIUS with Windows Network Policy and Access Services (NPS) because we have a mixed Windows/Linux environment (and because YubiRADIUS is no longer supported). FreeRADIUS would be used to tie the YubiKeys and the AD auth together.

In my searches I found a couple of non-free resources such as WiKID Systems and AuthLite for doing 2-factor with YubiKeys (links below). There does appear to be a way to get really close using built-in Windows services (Network Policy and Access Services (NPS)), which I was using as a basis for my FreeRADIUS work.

Here is a tutorial for getting NPS working with WiKID:

http://www.techworld.com/tutorial/security/configuring-nps-2012-for-two-factor-authentication-3223170/

This URL describes how to get it to work with AuthLite:

https://www.tachyondynamics.com/yubikey-and-windows-domain-2-factor-authentication/

Both implementations appear to want some form of RADIUS Server to pass along the second-factor auth. At least that is my understanding.

Additionally: if you search for "Windows Server 2016 2-factor yubikey", or similar, you may be able to find more.

Hope this helps!

BanjoFox
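To make the "RADIUS server passes along the second factor" idea from the answer concrete, here is an added example that is not from the answer, from NPS, FreeRADIUS or any of the linked products. It implements both sides of a minimal RADIUS PAP exchange (RFC 2865): the client hides the password in the User-Password attribute, the server reveals it, checks the directory password and the second-factor token separately, and signs its reply with the Response Authenticator, which the client verifies. The directory lookup and the token verifier are stubs, the shared secret and credentials are constructed, and the convention of appending a fixed-length token to the password is an assumption, not something the page states.

```python
"""Minimal RADIUS (RFC 2865) PAP exchange with a password + second-factor
check. Added example; directory and token verification are stubs."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed sample data: shared secret, a stand-in for the AD password
# check, and the tokens a hypothetical second-factor verifier would accept.
SHARED_SECRET = b"constructed-shared-secret"
DIRECTORY = {"alice": "Correct-Horse-Battery"}
VALID_TOKENS = {"alice": {"123456"}}
TOKEN_LEN = 6  # assumption: a fixed-length token is appended to the password


def _pad16(data: bytes) -> bytes:
    return data + b"\x00" * (-len(data) % 16)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous
    ciphertext block), seeded with the Request Authenticator."""
    padded, out, prev = _pad16(password), b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def _attrs(pairs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def _parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident: int, user: str, password: str, token: str, secret: bytes):
    """Client side: one Access-Request carrying password+token in User-Password."""
    req_auth = os.urandom(16)  # Request Authenticator must be unpredictable
    body = _attrs([
        (ATTR_USER_NAME, user.encode()),
        (ATTR_USER_PASSWORD, hide_password((password + token).encode(), secret, req_auth)),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + req_auth + body, req_auth


def handle_access_request(packet: bytes, secret: bytes) -> bytes:
    """Server side: both factors must pass; the reply is signed with the secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], _parse_attrs(packet[20:length])
    user = attrs[ATTR_USER_NAME].decode(errors="replace")
    combined = reveal_password(attrs[ATTR_USER_PASSWORD], secret, req_auth).decode(errors="replace")
    password, token = combined[:-TOKEN_LEN], combined[-TOKEN_LEN:]
    ok = (code == ACCESS_REQUEST
          and DIRECTORY.get(user) == password
          and token in VALID_TOKENS.get(user, set()))
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def verify_response(response: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Client side: accept only an Access-Accept signed with the shared secret."""
    header, resp_auth = response[:4], response[4:20]
    expected = hashlib.md5(header + req_auth + secret).digest()
    return hmac.compare_digest(expected, resp_auth) and header[0] == ACCESS_ACCEPT


def authenticate(user: str, password: str, token: str, secret: bytes = SHARED_SECRET) -> bool:
    packet, req_auth = build_access_request(1, user, password, token, secret)
    return verify_response(handle_access_request(packet, secret), req_auth, secret)


if __name__ == "__main__":
    print(authenticate("alice", "Correct-Horse-Battery", "123456"))  # True
    print(authenticate("alice", "Correct-Horse-Battery", "000000"))  # False: bad token
    print(authenticate("alice", "wrong-password", "123456"))         # False: bad password
```

The point the example makes is that the password check and the token check are separate conditions on the server; a correct directory password with a missing or wrong token yields Access-Reject, which is the "password only should not work at all" requirement from the question. The MD5-based password hiding and response signing are what the RFC specifies, so the shared secret and the unpredictability of the Request Authenticator carry the whole exchange; a real deployment would also run RADIUS over a protected transport.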