Pointsharp MFA User Storage Configuration

Pointsharp MFA User Storage ConfigurationPointsharp multifactor authentication can be integrated with most popular remote access solutions to greatly improve security and provide a higher level of assurance for authenticating remote users. Although DirectAccess and Always On VPN natively provide multifactor authentication using certificates, integrating MFA should be considered standard procedure for any traditional client-based VPN solution.

Pointsharp User Storage

The Pointsharp multifactor authentication (MFA) solution uses an Active Directory Organizational Unit (OU) to store user information. This article will provide guidance for the proper configuration and delegation of the OU to ensure proper Pointsharp MFA operation.

Create the OU

A dedicated OU should be created and the Pointsharp service account delegated full control over the OU prior to configuring the software. To do this, open the Active Directory Users and Computers management console, right-click on the domain and choose New and then Organizational Unit.

Pointsharp MFA User Storage Configuration

Note: The OU does not have to be created at the domain level. It can be created or moved to another OU if desired.

Provide a name for the OU and select the option to Protect container from accidental deletion.

Pointsharp MFA User Storage Configuration

Create a Service Account

Establish a service account for Pointsharp by creating a user with no special privileges or group memberships. The Pointsharp service account does not require administrative rights of any kind. Be sure to use a very long and complex password. Select the options User cannot change password and Password never expires.

Pointsharp MFA User Storage Configuration

Delegate Permissions on the OU

In the Active Directory User and Computers management console, right-click the Pointsharp storage OU and choose Delegate Control….

Pointsharp MFA User Storage Configuration

Click Next, and then click Add to add the Pointsharp service account.

Pointsharp MFA User Storage Configuration

Click Next, then select the option to Create a custom task to delegate.

Pointsharp MFA User Storage Configuration

Click Next twice. In the Permissions window select Full Control. This will automatically select all other options. Click Next and then click Finish.

Pointsharp MFA User Storage Configuration

Once complete, proceed with the configuration of Pointsharp MFA user storage by using the service account credentials and storage OU created previously.

Pointsharp MFA User Storage Configuration

Additional Resources

Configure DirectAccess with One-Time Password (OTP) Authentication

Microsoft Ignite Conference 2017

Will you be attending the Microsoft Ignite conference in Orlando, FL next week? Let’s connect! I’m not giving any talks this year, so I will be spending most of my time with the folks at Pointsharp in their booth in the expo hall. Want to talk security, remote access, multifactor authentication, load balancing/application delivery, PKI, or anything else? Stop by and say hi! Follow me on Twitter @richardhicks for live updates. In addition, I’ll be hosting a happy hour event with NetMotion on Tuesday, September 26 at 6PM at the Rocks lounge in the Hyatt Regency hotel just across the street from the conference center. Be sure to drop in and say hello! Hope to see you there!

Microsoft Ignite 2017

Managing and Supporting DirectAccess with Windows Server 2016 Video Training Course on Pluralsight

Planning and Implementing DirectAccess with Windows Server 2016I’m pleased to announce my newest video training course, Managing and Supporting DirectAccess with Windows Server 2016, is now available on Pluralsight! This new course is a follow-up to my previous course, Planning and Implementing DirectAccess with Windows Server 2016. This latest course builds upon the first one and covers advanced configuration such as enabling load balancing, configuring geographic redundancy, and enforcing strong user authentication using one-time passwords (OTP) and smart cards.

In addition, monitoring and reporting is covered, as well as implementing manage out for DirectAccess clients in supported scenarios. The course also includes a full hour of in-depth DirectAccess configuration and connectivity troubleshooting that will be valuable for all DirectAccess administrators.

The course includes the following training modules:

Configuring High Availability
Enabling Strong User Authentication
DirectAccess Monitoring and Reporting
Implementing Outbound Management for DirectAccess Clients
DirectAccess Troubleshooting

Throughout the course, I share valuable knowledge and insight gained from more than 5 years of experience deploying DirectAccess for some of the largest organizations in the world. Pluralsight offers a free trial subscription if you don’t already have one, so watch my latest DirectAccess video training course today!

Additional Resources

Planning and Implementing DirectAccess with Windows Server 2016 on Pluralsight
Managing and Supporting DirectAccess with Windows Server 2016 on Pluralsight
Implementing DirectAccess with Windows Server 2016 book

DirectAccess and Azure Multifactor Authentication


DirectAccess and Azure Multifactor AuthenticationDirectAccess can be configured to enforce strong user authentication using smart cards or one-time passwords (OTP). This provides the highest level of assurance for remote users connecting to the internal network via DirectAccess. OTP solutions are commonly used because they require less administration and are more cost effective than typical smart card implementations. Most OTP solutions will integrate with DirectAccess as long as they support Remote Access Dial-In User Service (RADIUS).

DirectAccess and Azure Multifactor Authentication

Azure Authentication-as-a-Service

Azure Multifactor Authentication (MFA) is a popular OTP provider used to enable strong user authentication for a variety of platforms, including web sites and client-based VPN. Unfortunately, it doesn’t work with DirectAccess. This is because Azure MFA uses a challenge/response method for which DirectAccess does not support. To use OTP with DirectAccess, the user must be able to enter their PIN and OTP immediately when prompted. There is no provision to begin the authentication process and wait for a response from the OTP provider.

PointSharp ID Multifactor Authentication

An excellent alternative to Azure MFA is PointSharp ID. PointSharp is a powerful OTP platform that integrates easily with DirectAccess. It is also very flexible, allowing for more complex authentication schemes for those workloads that support it, such as Exchange and Skype for Business.

DirectAccess and Azure Multifactor AuthenticationEvaluate PointSharp

You can download a fully-functional trial version of PointSharp ID here (registration required). The PointSharp ID and DirectAccess integration guide with detailed step-by-step instructions for configuring DirectAccess and PointSharp ID can be downloaded here. Consulting services are also available to assist with integrating PointSharp ID with DirectAccess, VPN, Exchange, Skype for Business, Remote Desktop Services, or any other solution that requires strong user authentication. More information about consulting services can be found here.

Additional Information

PointSharp Multifactor Authentication
Configure DirectAccess with OTP Authentication
DirectAccess Consulting Services
Implementing DirectAccess with Windows Server 2016

%d bloggers like this: