Two Factor Authentication with ADFS

Multi-factor authentication is a way of ensuring that your users are who they say they are.  It can be highly effective at mitigating phishing attacks, password guessing and the effects of a weak password policy.  In Windows Server 2012 R2 the capabilities for two-factor authentication are available out of the box.

Note:  Users don't always love two-factor authentication because of the extra steps involved.  However, MFA can be required only for selected users, or only for specific services, so that not every login involves waiting for a notification.

If you are using devices for the second factor, which is the normal approach, you need to prepare the Active Directory forest first.  Run this PowerShell command on the ADFS server to update the forest to support device authentication.

Initialize-ADDeviceRegistration

The ADFS server is the MFA provider.  Consider how people will access the system both internally and externally.  The recommended solution is to install ADFS proxy servers (Web Application Proxy) in the farm; ADFS will also work behind other firewalls and load balancers.  Do not install an ADFS server itself outside your network.

Note: External users need externally resolvable names, so DNS and port planning is important.  You will also need a certificate from a trusted third-party certificate authority. See our blog posts about correctly configuring a certificate:

Requesting a certificate for ADFS

Differences in version 3.0 SSL certificate request

Once the basic server farm is configured, configure ADFS to allow multi-factor authentication.

In the ADFS management console, select Authentication Policies and configure the options.  The Global Settings under Multi-factor Authentication is where the changes are made.

[Screenshot: image004.png]

If you are using Device Registration (which lets you take advantage of Workplace Join) you need a custom DNS alias (a CNAME record) in the zone that matches your users' UPN suffix:

enterpriseregistration.<your domain> --> the host name of your ADFS server

[Screenshot: image005.png]

If your users will use MFA outside the internal network, the DNS entry above and the server host names must be resolvable from the public internet.  Publish the changes to your external (public) DNS as well.

Note: make sure that your certificate request includes any external names (as subject alternative names), including the enterpriseregistration alias.
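The steps above (forest preparation, global MFA settings, the enterpriseregistration alias and the certificate names) carried out from PowerShell on the primary ADFS server, as an added example that is not part of the original post. The domain contoso.com, the federation service name adfs.contoso.com, the service account CONTOSO\adfs-svc$ and the group SID are placeholders; the claim rule requires MFA only for members of one AD group and only for requests arriving from outside the corporate network, which is one way to implement the "selected users" approach mentioned in the note above.

```powershell
# Added example (not from the original post). Assumed placeholders:
#   - AD domain / UPN suffix:           contoso.com
#   - ADFS federation service name:     adfs.contoso.com
#   - gMSA running the ADFS service:    CONTOSO\adfs-svc$
#   - AD group whose members need MFA:  S-1-5-21-PLACEHOLDER-SID
# Run from an elevated PowerShell session on the primary ADFS server (2012 R2).

$domain      = "contoso.com"
$adfsHost    = "adfs.contoso.com"
$serviceAcct = "CONTOSO\adfs-svc$"
$mfaGroupSid = "S-1-5-21-PLACEHOLDER-SID"   # replace with the real group SID

# 1. Prepare the forest for device authentication (Workplace Join), then enable it in ADFS.
Initialize-ADDeviceRegistration -ServiceAccountName $serviceAcct
Enable-AdfsDeviceRegistration

# 2. Global MFA settings: turn on device authentication and register the second-factor
#    provider. CertificateAuthentication is the in-box provider; third-party providers
#    appear under their own names once installed on every server in the farm.
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true `
    -AdditionalAuthenticationProvider @("CertificateAuthentication")

# 3. Decide who is prompted. MFA is required only for members of the chosen group AND
#    only when the request comes through the proxy (insidecorporatenetwork == false),
#    so internal logins are not slowed down by the second factor.
$mfaRule = @"
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$mfaGroupSid"]
 && c2:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $mfaRule

# 4. Workplace Join discovery alias: enterpriseregistration.<UPN suffix> -> ADFS host name.
#    Run against the internal DNS server; repeat the same record in the public zone for
#    external users.
Add-DnsServerResourceRecordCName -ZoneName $domain -Name "enterpriseregistration" `
    -HostNameAlias $adfsHost
Resolve-DnsName "enterpriseregistration.$domain" -Type CNAME

# 5. Verify that the SSL certificate bound to ADFS covers every name clients will use,
#    including the enterpriseregistration alias (DnsNameList is the certificate's SAN list).
$required = @($adfsHost, "enterpriseregistration.$domain")
$thumb    = (Get-AdfsSslCertificate | Select-Object -First 1).CertificateHash
$cert     = Get-Item "Cert:\LocalMachine\My\$thumb"
$missing  = $required | Where-Object { $cert.DnsNameList.Unicode -notcontains $_ }
if ($missing) {
    Write-Warning "Certificate is missing SAN entries: $($missing -join ', ')"
} else {
    Write-Host "Certificate covers all required names."
}
```

Step 5 is the check worth keeping around: a certificate that lacks the enterpriseregistration name or the public host name is the most common reason Workplace Join and external MFA fail after everything else looks correct.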