DirectAccess in Windows Server 2012 R2 provides significantly improved authentication over traditional client-based VPN solutions. When configured to use certificate authentication (a recommended best practice) the DirectAccess client is authenticated using its machine certificate and its Active Directory computer account. Once the client machine has been authenticated, the user is also authenticated via Kerberos against a live domain controller over the existing DirectAccess connection. These multiple authentication steps provide a high level of assurance for DirectAccess-connected clients. If that’s not enough to meet your needs, additional strong user authentication is supported using dynamic One-Time Passwords (OTP).
Drawbacks for DirectAccess with OTP
While OTP does provide an additional level of assurance, it does come with a few drawbacks. OTP adds additional complexity and makes troubleshooting more difficult. OTP cannot be configured with force tunneling; the two security features are mutually exclusive. DirectAccess OTP does not support RADIUS challenge-response. For Windows 7 clients, the DirectAccess Connectivity Assistant (DCA) v2.0 must be deployed. In addition, enabling OTP with DirectAccess disables the use of null cipher suites for IP-HTTPS. This can potentially have a negative effect on performance and scalability (more details here). Also, OTP fundamentally breaks the seamless and transparent nature of DirectAccess.
Configuring DirectAccess OTP
OTP for DirectAccess makes use of short-lived certificates for user authentication. Thus, enabling OTP for DirectAccess requires making changes to the internal Public Key Infrastructure (PKI). DirectAccess in Windows Server 2012 R2 can be configured to use the same Certificate Authority (CA) that is used to issue computer certificates to the DirectAccess clients and servers. This differs from DirectAccess with Forefront Unified Access Gateway (UAG) 2010, where a separate, dedicated CA was required.
To configure DirectAccess OTP, follow the instructions below.
OTP Certificate Request Signing Template
Open the Certification Authority management console, right-click Certificate Templates, and then choose Manage. Alternatively you can enter certtmpl.msc in the Start/Run box or search from the Windows Start menu. Right-click the Computer template and choose Duplicate Template. On the Compatibility tab, select Windows Server 2012 R2 for the Certification Authority and Windows 8.1/Windows Server 2012 R2 for the Certificate recipient.
Select the General tab and provide a descriptive name for the Template Display Name. Specify a validity period of 2 days and a renewal period of 1 day.
Select the Security tab and click Add. Click Object Types and then select Computers and click Ok. Enter the names of each DirectAccess server separated by semicolons and click Check Names. Click Ok when finished. For each DirectAccess server, grant Read, Enroll, and Autoenroll permissions. Select Authenticated Users and remove any permissions other than Read. Select Domain Computers and remove the Enroll permission. Select Domain Admins and grant Full Control permission. Do the same for Enterprise Admins.
Select the Subject Name tab and choose the option to Build from this Active Directory information. Select DNS name in the Subject name format drop-down list and confirm that DNS name is checked under Include this information in alternate subject name.
Select the Extensions tab, highlight Application Policies and click Edit.
Remove all existing application policies and then click Add and then New. Provide a descriptive name for the new application policy and enter 1.3.6.1.4.1.311.81.1.1 for the Object Identifier. Click Ok for all remaining dialog boxes.
OTP Certificate Template
In the Certificate Templates Console, right-click the Smartcard Logon certificate template and choose Duplicate Template. On the Compatibility tab, select Windows Server 2012 R2 for the Certification Authority and Windows 8.1/Windows Server 2012 R2 for the Certificate recipient.
Select the General tab and provide a descriptive name for the Template Display Name. Specify a validity period of 1 hour and a renewal period of 0 hours.
Note: It is not possible to set the validity period to hours on a Windows Server 2003 Certificate Authority (CA). As a workaround, use the Certificate Templates snap-in on another system running Windows 7/Windows Server 2008 R2 or later. Also, if the CA is running Windows Server 2008 R2, the template must be configured to use a Renewal Period of 1 or 2 hours and a Validity Period that is longer but no more than 4 hours.
Select the Security tab, then highlight Authenticated Users and grant Read and Enroll permissions. Select Domain Admins and grant Full Control permission. Do the same for Enterprise Admins.
Select the Subject Name tab and choose the option to Build from this Active Directory information. Select Fully distinguished name in the Subject name format drop-down list and confirm that User principal name (UPN) is checked under Include this information in alternate subject name.
Select the Server tab and choose the option Do not store certificates and requests in the CA database. Clear the checkbox next to Do not include revocation information issued in certificates.
Select the Issuance Requirements tab and set the value for This number of authorized signatures to 1. Confirm that Application Policy is selected from the Policy type required in signature drop-down list and choose the OTP certificate request signing template created previously.
Select the Extensions tab, highlight Application Policies and click Edit. Highlight Client Authentication and click Remove. Ensure that the only application policy listed is Smart Card Logon.
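The two template procedures above are pure GUI work, so it is easy to miss a click. The following PowerShell script is an added example (not from the original post) that reads both templates back from the Configuration partition of Active Directory and checks the settings the steps describe: validity and renewal periods, the application policies, the subject alternative name flags, and the issuance requirement of one signature from the signing template. It assumes a domain account with read access to the Configuration partition; the template names `DirectAccessOTPSigning` and `DirectAccessOTPLogon` are placeholders, and the CT_FLAG bit values are taken from the certificate template schema (MS-CRTD).

```powershell
# Added example: verify the OTP signing and OTP logon templates in AD.
# Template names are placeholders; pass your own names or display names.

function ConvertFrom-PkiPeriod {
    # pKIExpirationPeriod and pKIOverlapPeriod are stored as a little-endian,
    # negative 64-bit count of 100 ns ticks, the same unit TimeSpan uses.
    param([byte[]]$Bytes)
    [TimeSpan]::FromTicks(-[BitConverter]::ToInt64($Bytes, 0))
}

function Get-PkiTemplate {
    # Look a template up by name (CN) or display name in the Configuration partition.
    param([string]$Name)
    $cfg = ([ADSI]"LDAP://RootDSE").configurationNamingContext.Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
    $searcher.Filter = "(&(objectClass=pKICertificateTemplate)(|(cn=$Name)(displayName=$Name)))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "Certificate template '$Name' not found in AD" }
    $result.Properties
}

function Test-DaOtpTemplates {
    param(
        [string]$SigningTemplate = 'DirectAccessOTPSigning',   # placeholder name
        [string]$OtpTemplate     = 'DirectAccessOTPLogon'      # placeholder name
    )
    $otpSigningOid  = '1.3.6.1.4.1.311.81.1.1'   # OID entered on the signing template
    $smartCardLogon = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon application policy
    $clientAuth     = '1.3.6.1.5.5.7.3.2'        # Client Authentication (must be removed)
    $altRequireDns  = 0x08000000                 # CT_FLAG_SUBJECT_ALT_REQUIRE_DNS
    $altRequireUpn  = 0x02000000                 # CT_FLAG_SUBJECT_ALT_REQUIRE_UPN

    $s = Get-PkiTemplate $SigningTemplate
    $o = Get-PkiTemplate $OtpTemplate
    $sPolicies = @($s['mspki-certificate-application-policy'])
    $oPolicies = @($o['mspki-certificate-application-policy'])

    $checks = [ordered]@{
        'Signing: validity 2 days'         = (ConvertFrom-PkiPeriod $s['pkiexpirationperiod'][0]) -eq [TimeSpan]::FromDays(2)
        'Signing: renewal 1 day'           = (ConvertFrom-PkiPeriod $s['pkioverlapperiod'][0]) -eq [TimeSpan]::FromDays(1)
        'Signing: only OTP signing policy' = ($sPolicies.Count -eq 1) -and ($sPolicies[0] -eq $otpSigningOid)
        'Signing: DNS name in SAN'         = ([int]$s['mspki-certificate-name-flag'][0] -band $altRequireDns) -ne 0
        'OTP: validity 1 hour'             = (ConvertFrom-PkiPeriod $o['pkiexpirationperiod'][0]) -eq [TimeSpan]::FromHours(1)
        'OTP: renewal 0 hours'             = (ConvertFrom-PkiPeriod $o['pkioverlapperiod'][0]) -eq [TimeSpan]::Zero
        'OTP: Smart Card Logon only'       = ($oPolicies -contains $smartCardLogon) -and ($oPolicies -notcontains $clientAuth)
        'OTP: UPN in SAN'                  = ([int]$o['mspki-certificate-name-flag'][0] -band $altRequireUpn) -ne 0
        'OTP: one authorized signature'    = [int]$o['mspki-ra-signature'][0] -eq 1
        'OTP: signature by signing tmpl'   = "$($o['mspki-ra-application-policies'])" -like "*$otpSigningOid*"
    }
    foreach ($k in $checks.Keys) {
        [pscustomobject]@{ Check = $k; Pass = [bool]$checks[$k] }
    }
}

Test-DaOtpTemplates | Format-Table -AutoSize
```

Every row should show Pass = True before the templates are published to the CA; a False on the signature rows is the usual cause of "request denied" errors later, because the CA then has no way to tie the short-lived logon certificate to a request signed by the DirectAccess server.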
Certificate Authority Configuration
In the Certificate Authority management console, right-click Certificate Templates, choose New, and then Certificate Template to Issue. Highlight both of the certificate templates created previously and click Ok.
Open an elevated command prompt and enter the following command:
certutil.exe -setreg dbflags +DBFLAGS_ENABLEVOLATILEREQUESTS
Restart the Certificate Authority service by right-clicking the CA in the Certificate Authority management console and choosing All Tasks and then Stop Service. Once complete, repeat these steps and choose Start Service.
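The same CA-side steps can be done and verified from an elevated PowerShell window. This is an added example, not from the original post: it sets the flag, restarts the CA service (the CertSvc service, equivalent to Stop Service and Start Service in the console), confirms the flag from the registry output, and confirms that both templates are enabled for issuance. It assumes that `certutil -getreg dbflags` prints the symbolic flag name for the bits that are set, and the template names are placeholders.

```powershell
# Added example: enable volatile requests on the CA and verify the result.
function Enable-VolatileRequests {
    certutil.exe -setreg dbflags +DBFLAGS_ENABLEVOLATILEREQUESTS | Out-Null
    # Equivalent to All Tasks > Stop Service / Start Service in the console
    Restart-Service -Name CertSvc
    # certutil -getreg lists the symbolic names of the DBFlags bits that are set
    $flags = certutil.exe -getreg dbflags | Out-String
    $flags -match 'DBFLAGS_ENABLEVOLATILEREQUESTS'
}

function Test-CATemplatePublished {
    # certutil -CATemplates lists the templates the CA is configured to issue
    param([string[]]$TemplateName)
    $published = certutil.exe -CATemplates | Out-String
    foreach ($t in $TemplateName) {
        [pscustomobject]@{ Template = $t; Published = ($published -match [regex]::Escape($t)) }
    }
}

Enable-VolatileRequests
# Placeholder names: replace with the two templates created above
Test-CATemplatePublished -TemplateName 'DirectAccessOTPSigning', 'DirectAccessOTPLogon'
```

Without DBFLAGS_ENABLEVOLATILEREQUESTS the CA refuses the Do not store certificates and requests in the CA database option chosen on the OTP template, so the one-hour logon certificates cannot be issued at all.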
DirectAccess Server Configuration
Configuring the DirectAccess server to use OTP for authentication is somewhat challenging. As of this writing, the GUI is broken and will raise an error message complaining that no CA servers can be detected, despite the fact they are online.
No CA servers can be detected, and OTP cannot be configured. Ensure that servers added to the list are available on each domain controller in the corporate network.
To work around this issue, configure DirectAccess OTP authentication using PowerShell. Before proceeding, collect the names of the certificate templates you created previously, along with the RADIUS server hostname and shared secret. In addition, be sure to add the CA server(s) to the DirectAccess management servers as outlined below.
To configure DirectAccess OTP, open an elevated PowerShell window and enter the following commands:
# Add CA server to DirectAccess Management Servers
Add-DAMgmtServer -MgmtServer <CA_Server_Name>

# Enable and Configure DirectAccess OTP
$ca = "<CA_Server_Name>\<CA_Name>"
$template = "<Template Name>"
$signingtemplate = "<Signing Template Name>"
$radius = "<RADIUS_Server_Name>"
$secret = "<Shared_Secret>"
Set-DAServer -UserAuthentication TwoFactor
Enable-DAOtpAuthentication -CAServer $ca -CertificateTemplateName $template -RadiusServer $radius -SharedSecret $secret -SigningCertificateTemplateName $signingtemplate
Note: Although the initial configuration of DirectAccess OTP is not possible with the GUI, subsequent OTP settings can be managed in the GUI. For example, you can still use the GUI to add or remove RADIUS servers and manage OTP exemptions. However, adding or removing CA servers or changing certificate templates will still have to be done using PowerShell.
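Because the GUI cannot be trusted to show the CA part of the configuration, it helps to read the settings back with the DirectAccess cmdlets after the commands above. The following script is an added example, not from the original post: it compares the live configuration with the values you passed in. The placeholders are the same as in the commands above; the property names OtpStatus, CAServers, CertificateTemplateName, SigningCertificateTemplateName, RadiusServer, UserAuthentication and Name are assumed from the cmdlet output and may need adjusting.

```powershell
# Added example: read the OTP configuration back on the DirectAccess server.
function Test-DaOtpConfiguration {
    param(
        [string]$CA              = '<CA_Server_Name>\<CA_Name>',   # same placeholders as above
        [string]$Template        = '<Template Name>',
        [string]$SigningTemplate = '<Signing Template Name>',
        [string]$Radius          = '<RADIUS_Server_Name>'
    )
    $otp    = Get-DAOtpAuthentication          # OTP settings (property names assumed)
    $da     = Get-DAServer                     # UserAuthentication should be TwoFactor
    $mgmt   = Get-DAMgmtServer -Type All       # management servers, incl. the CA
    $caHost = ($CA -split '\\')[0]             # host part of "<CA_Server_Name>\<CA_Name>"

    $checks = [ordered]@{
        'User authentication is TwoFactor' = "$($da.UserAuthentication)" -eq 'TwoFactor'
        'OTP status is Enabled'            = "$($otp.OtpStatus)" -eq 'Enabled'
        'OTP CA matches'                   = [bool]($otp.CAServers | Where-Object { "$_" -eq $CA })
        'OTP template matches'             = "$($otp.CertificateTemplateName)" -eq $Template
        'Signing template matches'         = "$($otp.SigningCertificateTemplateName)" -eq $SigningTemplate
        'RADIUS server listed'             = [bool]($otp.RadiusServer | Where-Object { "$_" -like "*$Radius*" })
        'CA host is a management server'   = [bool]($mgmt | Where-Object { "$($_.Name)" -like "$caHost*" })
    }
    foreach ($k in $checks.Keys) {
        [pscustomobject]@{ Check = $k; Pass = [bool]$checks[$k] }
    }
}

Test-DaOtpConfiguration | Format-Table -AutoSize
```

Run it again after any change made in the GUI; the CA server and template rows are the ones the GUI cannot edit, so a False there means the PowerShell step has to be repeated.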
DirectAccess OTP Client Experience
When a DirectAccess client is outside of the corporate network and has established DirectAccess connectivity, users can log on to their machine and access their desktop, but they will not be able to access corporate resources without first providing their OTP. The status indicator for the DirectAccess connection will indicate that action is needed. Clicking on Workplace Connection will indicate that credentials are needed. Clicking Continue prompts the user to press Ctrl+Alt+Delete, after which they are asked for their OTP.
Using dynamic, one-time passwords is an effective way to provide the highest level of assurance for remote DirectAccess clients. It does come with some potential drawbacks, so be sure to consider those before implementing OTP.