Greetings all, We have a customer that uses 2FA (not sure what kind specifically) with RDP to administer their servers. They recently have been mandated to use restricted admin mode with RDP. When they do so, 2FA breaks… apparently they don’t even get prompted for the second factor, and (I believe) the authentication fails. The users, workstations, and servers are all in the same domain. Has anyone seen a similar problem? Can you explain how 2FA fits into the RDP authentication flow in this sort of scenario? -gil
2FA breaks with RDP and restricted admin mode?
- 227 Views
- Last Post 18 February 2016
Gil, Are the servers 2012 R2? Regards, Mark Parris Active Directory & Azure Consultancy MVP Enterprise Mobility | MCM Directory ServicesMobile: +44 7801 690596
If you haven’t, you might take a look at
notes for restricted admin mode “client requires credential-less logon over CredSSP (also known as "restricted admin mode"). If the server supports this mode then it is
acceptable for the client to send empty credentials in the TSPasswordCreds structure defined in [MS-CSSP] section 188.8.131.52.1.<2>”
. There were a couple talks at TechEd 2014 that went into details but I couldn’t find the details on them in my notes.
If the MFA solution depends on having the credential, it won’t get it with restricted admin mode. My impression is that restricted admin mode would also bypass
(break) those solutions that rely on a custom GINA.