Pointsharp MFA User Storage Configuration

Pointsharp MFA User Storage ConfigurationPointsharp multifactor authentication can be integrated with most popular remote access solutions to greatly improve security and provide a higher level of assurance for authenticating remote users. Although DirectAccess and Always On VPN natively provide multifactor authentication using certificates, integrating MFA should be considered standard procedure for any traditional client-based VPN solution.

Pointsharp User Storage

The Pointsharp multifactor authentication (MFA) solution uses an Active Directory Organizational Unit (OU) to store user information. This article will provide guidance for the proper configuration and delegation of the OU to ensure proper Pointsharp MFA operation.

Create the OU

A dedicated OU should be created and the Pointsharp service account delegated full control over the OU prior to configuring the software. To do this, open the Active Directory Users and Computers management console, right-click on the domain and choose New and then Organizational Unit.

Pointsharp MFA User Storage Configuration

Note: The OU does not have to be created at the domain level. It can be created or moved to another OU if desired.

Provide a name for the OU and select the option to Protect container from accidental deletion.

Pointsharp MFA User Storage Configuration

Create a Service Account

Establish a service account for Pointsharp by creating a user with no special privileges or group memberships. The Pointsharp service account does not require administrative rights of any kind. Be sure to use a very long and complex password. Select the options User cannot change password and Password never expires.

Pointsharp MFA User Storage Configuration

Delegate Permissions on the OU

In the Active Directory User and Computers management console, right-click the Pointsharp storage OU and choose Delegate Control….

Pointsharp MFA User Storage Configuration

Click Next, and then click Add to add the Pointsharp service account.

Pointsharp MFA User Storage Configuration

Click Next, then select the option to Create a custom task to delegate.

Pointsharp MFA User Storage Configuration

Click Next twice. In the Permissions window select Full Control. This will automatically select all other options. Click Next and then click Finish.

Pointsharp MFA User Storage Configuration

Once complete, proceed with the configuration of Pointsharp MFA user storage by using the service account credentials and storage OU created previously.

Pointsharp MFA User Storage Configuration

Additional Resources

Configure DirectAccess with One-Time Password (OTP) Authentication

DirectAccess and Azure Multifactor Authentication

Introduction

DirectAccess and Azure Multifactor AuthenticationDirectAccess can be configured to enforce strong user authentication using smart cards or one-time passwords (OTP). This provides the highest level of assurance for remote users connecting to the internal network via DirectAccess. OTP solutions are commonly used because they require less administration and are more cost effective than typical smart card implementations. Most OTP solutions will integrate with DirectAccess as long as they support Remote Access Dial-In User Service (RADIUS).

DirectAccess and Azure Multifactor Authentication

Azure Authentication-as-a-Service

Azure Multifactor Authentication (MFA) is a popular OTP provider used to enable strong user authentication for a variety of platforms, including web sites and client-based VPN. Unfortunately, it doesn’t work with DirectAccess. This is because Azure MFA uses a challenge/response method for which DirectAccess does not support. To use OTP with DirectAccess, the user must be able to enter their PIN and OTP immediately when prompted. There is no provision to begin the authentication process and wait for a response from the OTP provider.

PointSharp ID Multifactor Authentication

An excellent alternative to Azure MFA is PointSharp ID. PointSharp is a powerful OTP platform that integrates easily with DirectAccess. It is also very flexible, allowing for more complex authentication schemes for those workloads that support it, such as Exchange and Skype for Business.

DirectAccess and Azure Multifactor AuthenticationEvaluate PointSharp

You can download a fully-functional trial version of PointSharp ID here (registration required). The PointSharp ID and DirectAccess integration guide with detailed step-by-step instructions for configuring DirectAccess and PointSharp ID can be downloaded here. Consulting services are also available to assist with integrating PointSharp ID with DirectAccess, VPN, Exchange, Skype for Business, Remote Desktop Services, or any other solution that requires strong user authentication. More information about consulting services can be found here.

Additional Information

PointSharp Multifactor Authentication
Configure DirectAccess with OTP Authentication
DirectAccess Consulting Services
Implementing DirectAccess with Windows Server 2016

DirectAccess in Windows Server 2016 at Microsoft Ignite 2016

I’m pleased to announce that I will be delivering a community theater session at this year’s Microsoft ignite conference in Atlanta, GA. The session, THR2136 in the session catalog, is scheduled for Thursday, September 29 at 12:40PM. This is a level 200 talk where I’ll be providing a high-level overview of all remote access technologies in Windows Server 2016, including DirectAccess, client-based VPN, and Web Application Proxy (WAP). I’ll be focusing on what’s new in each of these technologies and demonstrating how each solution applies in different use cases.

DirectAccess in Windows Server 2016 at Microsoft Ignite 2016

In addition to the session, I’ll be spending time with the folks from PointSharp and Pluralsight in their respective booths too, answering questions and providing demonstrations. I hope to have copies of my new DirectAccess book to sign as well. Be sure to follow me on Twitter for up-do-date details. Hope to see you at the conference!

DirectAccess and OTP with PointSharp ID Webinar

Integrating multifactor authentication is essential for providing the highest level of security and assurance for DirectAccess clients. Smart cards work well for this, but they impose a heavy burden in terms of expense and administrative overhead. A more effective alternative is to use a One-Time Password (OTP) solution such as PointSharp ID.

DirectAccess and PointSharp ID Webinar

To learn more about the PointSharp ID OTP solution and how it integrates with DirectAccess, join me for a live webinar on Tuesday, July 27, 2106 at 10:00AM PDT where I’ll discuss the following topics.

  • What DirectAccess security risks can be mitigated with OTP?
  • What are the supporting infrastructure requirements for OTP authentication?
  • How to integrate the PointSharp IP solution with DirectAccess

You can register for this free live webinar here.

%d bloggers like this: