
2 factor authentication

Is it possible to setup 2 factor authentication for the Active Roles web interfaces?

  • Interesting question. I would guess it is not simple.

    Assumption: ARS is supposed to be in the intranet only and not exposed to the Internet.

    Concern. ARS is not designed to be an Authentication Master. ARS acts as a Network Resource which (a) relies on the AD Authentication Master (DC) and (b) reads the authenticated AD\user token (his AD\group membership) to decipher AD\ARS delegation Groups and calculate the resulting granular delegation ATs (Access Templates).
    In ARS there is no explicit place to control ARS User Authentication and to feed code for 2FA. For example, Password Manager does explicitly have an End-User Authentication “code place” to feed a 2FA code into, because PWM acts like a semi-independent Authentication Master via Q/A regardless of AD/DC Authentication (Forgot My Password).

    Idea. Put 2FA in front of ARS and not inside ARS. Make RDP to a Jump Box-W-2FA, and restrict the ARS Admin Service to talk to the Jump Box client (only).
  • Agree with Aidar in principle. The only authentication that takes place when "logging into" AR is the passing of Windows credentials through the browser, and this is really only to "help" AR figure out what the user is allowed to do in the context of the application. Moreover, this only occurs if the browser is set up to challenge for credentials, as this is not default behavior for IIS (which hosts the AR front end) and really acts as a form of gatekeeper for the app. To put it in simplest terms, IMO, the 2FA layer would have to be placed in front of IIS.
  • I'll start out by saying - I hate the approach we are using. ;)

    We set up IIS behind an F5, using a shared domain account to run the AppPool, so there is a single account passing the user credentials to the web. Because, Kerberos.

    All the hosts are configured with non-kernel mode auth, HTTPS bindings set, and the required SPNs for flavor. Our users log in with PIV to their PC and launch the browser (IE) with elevated creds, using runas from the command line or right-click / run as a different user from the shortcut icon.

    The web interface accepts the pass-through credentials of the connected user.
    The site is available to their non-priv account, without providing any privileges other than read. When their browser connects in elevated priv mode, their delegated rights are served up all steamy with a side of rice.

    One missing link in the ARS world is a proper challenge from the ARS web site to ask for PIV/PIN and a username hint. Give me that, and I'll be happy, too.
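The post above describes an IIS front end that depends on three settings being right for the pass-through credentials to work at all: Windows authentication enabled with anonymous access off, kernel-mode authentication disabled so the AppPool's domain account (rather than the machine account) decrypts Kerberos tickets, and an HTTP SPN registered on that account. The script below is an added example, not code from the thread or from Active Roles, that audits those settings on the IIS host so a misconfiguration (which typically shows up as NTLM fallback or a silent drop to read-only rights) is caught before users report it. The site name, AppPool account and hostname are placeholders; the cmdlets are the standard WebAdministration module and the setspn tool.

```powershell
# Added example: audit the IIS settings the forum post relies on.
# Run as an administrator on the IIS host. All three values below are assumptions; replace them.
Import-Module WebAdministration

$SiteName       = 'Default Web Site'     # assumption: the site hosting the Active Roles web interface
$AppPoolAccount = 'DOMAIN\svc-ars-web'   # assumption: the shared domain account that runs the AppPool
$SiteHostName   = 'ars.example.com'      # assumption: the FQDN users type in the browser

function Test-ArsIisAuthConfig {
    $sitePath = "IIS:\Sites\$SiteName"
    $winAuth  = 'system.webServer/security/authentication/windowsAuthentication'
    $anonAuth = 'system.webServer/security/authentication/anonymousAuthentication'

    # 1. Browser must be challenged: Windows auth on, anonymous off.
    $windowsEnabled   = (Get-WebConfigurationProperty -PSPath $sitePath -Filter $winAuth  -Name enabled).Value
    $anonymousEnabled = (Get-WebConfigurationProperty -PSPath $sitePath -Filter $anonAuth -Name enabled).Value

    # 2. Kernel-mode auth would decrypt tickets with the machine account, which breaks
    #    the "one shared domain account behind the load balancer" design. It must be off.
    $kernelMode = (Get-WebConfigurationProperty -PSPath $sitePath -Filter $winAuth -Name useKernelMode).Value

    # 3. Credentials should only travel over TLS: at least one HTTPS binding on the site.
    $httpsBindings = @(Get-WebBinding -Name $SiteName -Protocol https)

    # 4. Kerberos needs an HTTP/<hostname> SPN on the AppPool account, not on the machine.
    $spnList     = setspn -L $AppPoolAccount 2>&1
    $expectedSpn = "HTTP/$SiteHostName"
    $spnPresent  = ($spnList | Where-Object { $_.Trim() -ieq $expectedSpn }).Count -gt 0

    [pscustomobject]@{
        WindowsAuthEnabled = [bool]$windowsEnabled
        AnonymousDisabled  = -not [bool]$anonymousEnabled
        KernelModeDisabled = -not [bool]$kernelMode
        HttpsBindingFound  = $httpsBindings.Count -gt 0
        SpnRegistered      = $spnPresent
        ExpectedSpn        = $expectedSpn
    }
}

$result = Test-ArsIisAuthConfig
$result | Format-List

# Anything false here is a finding; print a one-line verdict for scripts that call this.
$failed = ($result.PSObject.Properties | Where-Object { $_.Value -eq $false }).Name
if ($failed) { Write-Warning ("Checks failed: " + ($failed -join ', ')) }
else         { Write-Host 'All Kerberos pass-through prerequisites look correct.' }
```

If `SpnRegistered` is false, the usual cause is the SPN sitting on the web server's computer account from an earlier kernel-mode setup; a duplicate SPN on two accounts also makes the KDC refuse to issue a ticket, so check both `setspn -L` for the machine and `setspn -X` for domain-wide duplicates before adding anything.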