
2 factor authentication

Is it possible to setup 2 factor authentication for the Active Roles web interfaces?

  • Interesting question. I would guess it is not simple.

    Assumption: ARS is supposed to be in the Intranet only and not exposed to the Internet.

    Concern. ARS is not designed to be an Authentication Master. ARS acts as a Network Resource which (a) relies on the AD Authentication Master (DC) and (b) reads the authenticated AD\user token (his AD\group membership) to decipher the AD\ARS delegation Groups and calculate the resulting granular delegation AT (Access Templates).
    In ARS there is no explicit place to control ARS User Authentication and to feed a 2FA code in. For example, Password Manager does explicitly have an End-User Authentication “code place” to feed a 2FA code into, because PWM acts like a semi-independent Authentication Master via Q/A regardless of AD/DC Authentication (Forgot My Password).

    Idea. Put 2FA in front of ARS and not inside ARS. Make RDP to a Jump Box with 2FA, and restrict the ARS Admin Service to talk to the Jump Box client (only).
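One concrete form of the "restrict the Admin Service to the jump box" idea above, as an added example that is not from the original post and not One Identity's own code: a Windows Firewall configuration on the ARS host that accepts inbound connections to the Administration Service only from the 2FA jump box, plus a check for any other rule that would still let the port through. The jump box address (10.0.0.5) and the service port (15172, which I take to be the Administration Service default; verify it on your own host) are assumptions.

```powershell
# Added example, not from the original post or from One Identity.
# Assumptions (change for your environment):
#   - The Active Roles Administration Service listens on TCP 15172 on this host.
#   - The 2FA-protected jump box is 10.0.0.5.
#   - This script runs elevated on the ARS server, in the Domain profile.
$ArsPort   = 15172
$JumpBox   = '10.0.0.5'
$RuleGroup = 'Active Roles lockdown (example)'

# Windows Firewall has no "everyone except X" address filter and a Block rule
# always wins over an Allow rule, so the lockdown is: default inbound = Block,
# plus exactly one narrow Allow for the jump box. Make sure the default is Block.
Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block

# Re-runnable: drop any earlier copy of this example's rule before recreating it.
Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# The single allow rule: Admin Service port, jump box only.
New-NetFirewallRule -DisplayName 'ARS Admin Service - allow from jump box' `
    -Group $RuleGroup -Direction Inbound -Action Allow -Protocol TCP `
    -LocalPort $ArsPort -RemoteAddress $JumpBox -Profile Domain | Out-Null

# Verification: list every enabled Allow rule that covers the port and show
# its remote address scope. Anything here other than our rule (for example a
# broad "Any" rule created by an installer) defeats the restriction.
$offenders = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq "$ArsPort" -or $_.LocalPort -eq 'Any' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and
                   $_.Action -eq 'Allow' -and $_.Group -ne $RuleGroup } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = $addr }
    }

if ($offenders) {
    Write-Warning "Other inbound Allow rules still reach TCP $ArsPort:"
    $offenders | Format-Table -AutoSize
} else {
    Write-Host "Only the jump box ($JumpBox) can reach TCP $ArsPort on this host."
}
```

Two caveats when applying this. The ARS Web Interface is an IIS site that itself talks to the Administration Service, so if it runs on a separate server that server's address must be added to the allow rule as well (and the web site should then be reachable only from the jump box, by the same method on the IIS host). And a host firewall only helps if the jump box is the sole path: the 2FA sits on the RDP logon to the jump box, so admins' own workstations must not also hold an allow rule.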