DirectAccess and Azure Multifactor Authentication

Introduction

DirectAccess and Azure Multifactor AuthenticationDirectAccess can be configured to enforce strong user authentication using smart cards or one-time passwords (OTP). This provides the highest level of assurance for remote users connecting to the internal network via DirectAccess. OTP solutions are commonly used because they require less administration and are more cost effective than typical smart card implementations. Most OTP solutions will integrate with DirectAccess as long as they support Remote Access Dial-In User Service (RADIUS).

DirectAccess and Azure Multifactor Authentication

Azure Authentication-as-a-Service

Azure Multifactor Authentication (MFA) is a popular OTP provider used to enable strong user authentication for a variety of platforms, including web sites and client-based VPN. Unfortunately, it doesn’t work with DirectAccess. This is because Azure MFA uses a challenge/response method for which DirectAccess does not support. To use OTP with DirectAccess, the user must be able to enter their PIN and OTP immediately when prompted. There is no provision to begin the authentication process and wait for a response from the OTP provider.

PointSharp ID Multifactor Authentication

An excellent alternative to Azure MFA is PointSharp ID. PointSharp is a powerful OTP platform that integrates easily with DirectAccess. It is also very flexible, allowing for more complex authentication schemes for those workloads that support it, such as Exchange and Skype for Business.

DirectAccess and Azure Multifactor AuthenticationEvaluate PointSharp

You can download a fully-functional trial version of PointSharp ID here (registration required). The PointSharp ID and DirectAccess integration guide with detailed step-by-step instructions for configuring DirectAccess and PointSharp ID can be downloaded here. Consulting services are also available to assist with integrating PointSharp ID with DirectAccess, VPN, Exchange, Skype for Business, Remote Desktop Services, or any other solution that requires strong user authentication. More information about consulting services can be found here.

Additional Information

PointSharp Multifactor Authentication
Configure DirectAccess with OTP Authentication
DirectAccess Consulting Services
Implementing DirectAccess with Windows Server 2016

DirectAccess and OTP with PointSharp ID Webinar

Integrating multifactor authentication is essential for providing the highest level of security and assurance for DirectAccess clients. Smart cards work well for this, but they impose a heavy burden in terms of expense and administrative overhead. A more effective alternative is to use a One-Time Password (OTP) solution such as PointSharp ID.

DirectAccess and PointSharp ID Webinar

To learn more about the PointSharp ID OTP solution and how it integrates with DirectAccess, join me for a live webinar on Tuesday, July 27, 2106 at 10:00AM PDT where I’ll discuss the following topics.

  • What DirectAccess security risks can be mitigated with OTP?
  • What are the supporting infrastructure requirements for OTP authentication?
  • How to integrate the PointSharp IP solution with DirectAccess

You can register for this free live webinar here.

DirectAccess SQL Server High CPU Usage

UPDATE – March 14, 2016: Microsoft has published official guidance for implementing the changes outlined in this article using PowerShell. Details here.

Introduction

DirectAccess SQL Server High CPU UsageRADIUS and Inbox accounting are the two supported logging options for DirectAccess in Windows Server 2012 R2. When Inbox accounting is selected, a Windows Internal Database (WID) is provisioned. Part of the base operating system, WID is functionally similar to SQL Server Express.

SQL Server Utilization Issues

Over the last few months I’ve had a few customers reach out to me with a peculiar performance issue. For customers with very busy DirectAccess servers, where those servers have also been configured to use Inbox accounting, they’ve reported observing unusually high CPU utilization on the sqlservr.exe process.

DirectAccess SQL Server High CPU Usage
Image courtesy Thomas Vuylsteke. Used with permission. – setspn.blogspot.com

As luck would have it, Thomas Vuylsteke, a Microsoft Platforms Premiere Field Engineer (PFE), had already identified the issue and a workaround. Thomas traced the source of high CPU utilization on the sqlservr.exe process to a missing index on a session state table in the DirectAccess accounting database. If you are interested in learning how he performed the troubleshooting to identify and resolve this problem, you can read his entire blog post here.

Resolution

To resolve this issue, create an index on the Session Table in the DirectAccess database. Changes to WID must be made locally, as it is not remotely manageable. WID does not include a management interface, which means the SQL Server management tools would normally have to be installed. However, I’m not a fan of installing any extraneous software on the DirectAccess server, so thankfully one of the readers of Thomas’ excellent article on this subject, Fredrik Elmqvist, provided a very helpful alternative. Fredrik suggesting using the HeidiSQL tool, for which a fully portable version exists. This allows for changes to be made to the WID database without having to install any additional software.

Changes to WID

Begin by downloading the portable version of HeidiSQL here. Next, log on to the DirectAccess server as the local administrator. It is crucial that you must be the local administrator, not just a local or domain user with local administrator privileges. Extract the files from the download and copy them to the DirectAccess server, then follow these steps:

  1. Double-click heideisql.exe to launch the management tool.
  2. Click on New and then for the Network Type select Microsoft SQL Server (named pipe).
  3. For the Hostname / IP: enter \\.\pipe\MICROSOFT##WID\tsql\query.
  4. Select the option to Use Windows Authentication.
  5. Click Open to continue.DirectAccess SQL Server High CPU Usage
  6. Click the Query tab in the center console window and enter the following commands:
    Use RaAcctDb
    Create NonClustered Index IdxSessionTblSessionState on SessionTable (SessionState,ConnectionID)
  7. Click the Run icon in the tool bar or press F9. This will execute the code and create the missing index on the Session Table in the DirectAccess database.DirectAccess SQL Server High CPU Usage
  8. Confirm the index was created by clearing the previous query or creating a new query and then entering the following commands:
    select * from sys.indexes
    where name like ‘idx%’
    order by name ascDirectAccess SQL Server High CPU Usage

Summary
Once the change has been made, sqlservr.exe CPU utilization should return to normal. If you have multiple DirectAccess servers configured in a load-balanced array or in a multisite configuration, be sure to repeat these steps on each DirectAccess server in the organization.

%d bloggers like this: