DirectAccess and Azure Multifactor Authentication

Introduction

DirectAccess can be configured to enforce strong user authentication using smart cards or one-time passwords (OTP). This provides the highest level of assurance for remote users connecting to the internal network via DirectAccess. OTP solutions are commonly used because they require less administration and are more cost effective than typical smart card implementations. Most OTP solutions will integrate with DirectAccess as long as they support Remote Authentication Dial-In User Service (RADIUS).


Azure Authentication-as-a-Service

Azure Multifactor Authentication (MFA) is a popular OTP provider used to enable strong user authentication for a variety of platforms, including websites and client-based VPN. Unfortunately, it doesn't work with DirectAccess. This is because Azure MFA uses a challenge/response method, which DirectAccess does not support. To use OTP with DirectAccess, the user must be able to enter their PIN and OTP immediately when prompted. There is no provision to begin the authentication process and then wait for a response from the OTP provider.
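To make the protocol-level difference concrete, here is an added example (not code from the original post, Microsoft, PointSharp or any other vendor): a minimal RFC 2865 Access-Request builder in which the PIN and OTP travel together in a single User-Password attribute, alongside the outcome mapping DirectAccess can act on. The shared secret, user name and token values are constructed for illustration.

```python
import hashlib
import os
import struct

# RADIUS packet codes (RFC 2865); the OTP provider answers an Access-Request with one of them
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD = 1, 2  # attribute types used here


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Obfuscate a PAP User-Password as in RFC 2865 section 5.2 (MD5 keystream XOR)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server (OTP provider) performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(user: str, pin: str, otp: str, secret: bytes,
                         identifier: int = 0, authenticator: bytes = b"") -> bytes:
    """Access-Request with User-Name and PIN+OTP concatenated into one User-Password:
    DirectAccess submits both values in a single request and expects a final answer."""
    authenticator = authenticator or os.urandom(16)
    hidden = hide_password((pin + otp).encode(), secret, authenticator)
    attrs = b""
    for atype, value in ((USER_NAME, user.encode()), (USER_PASSWORD, hidden)):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def directaccess_outcome(response_code: int) -> str:
    """DirectAccess can act only on an immediate Accept or Reject; an Access-Challenge
    (the challenge/response flow Azure MFA relies on) cannot be answered and fails."""
    return {ACCESS_ACCEPT: "authenticated", ACCESS_REJECT: "rejected"}.get(
        response_code, "failed: Access-Challenge is not supported by the DirectAccess OTP prompt")
```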

PointSharp ID Multifactor Authentication

An excellent alternative to Azure MFA is PointSharp ID. PointSharp is a powerful OTP platform that integrates easily with DirectAccess. It is also very flexible, allowing for more complex authentication schemes for those workloads that support it, such as Exchange and Skype for Business.

Evaluate PointSharp

You can download a fully functional trial version of PointSharp ID here (registration required). The PointSharp ID and DirectAccess integration guide, with detailed step-by-step instructions for configuring DirectAccess and PointSharp ID, can be downloaded here. Consulting services are also available to assist with integrating PointSharp ID with DirectAccess, VPN, Exchange, Skype for Business, Remote Desktop Services, or any other solution that requires strong user authentication. More information about consulting services can be found here.

Additional Information

PointSharp Multifactor Authentication
Configure DirectAccess with OTP Authentication
DirectAccess Consulting Services
Implementing DirectAccess with Windows Server 2016

Microsoft DirectAccess Connectivity Assistant 2.0 Now Available

Recently Microsoft announced the availability of the DirectAccess Connectivity Assistant (DCA) v2.0. DCA v2.0 must be installed on Windows 7 DirectAccess clients when they connect to a DirectAccess server running Windows Server 2012. It is important to note that DCA v2.0 is not required (and should not be installed) on Windows 8 DirectAccess clients. In addition, DCA v2.0 should not be installed on Windows 7 DirectAccess clients when they connect to a Windows Server 2008 R2/Forefront UAG 2010 DirectAccess server. For Windows 7 DirectAccess clients accessing corporate network resources through Windows Server 2008 R2/Forefront UAG 2010, install DCA v1.5 instead. DCA v1.5 can be found on the Forefront UAG server at C:\Program Files\Microsoft Forefront Unified Access Gateway\common\bin\da\dca.

The DCA provides DirectAccess users with connectivity status information, detailed diagnostics and troubleshooting, and is required to support One-Time Password (OTP) authentication. You can download DCA v2.0 here.