Pretty sure I know the answer to this, but is there any native way like certificates, i.e. a way that doesn’t cost money, to do MFA with Remote Desktop? Todd
MFA for RDP
- 191 Views
- Last Post 17 June 2015
The absolute no money option is to use internal PKI and provision virtual smart cards to TPM enabled workstations.
Right now this is for servers, desktops are out of scope at the moment. Servers don’t typically have TPMs and VM’s definitely don’t. L We have an internal PKI, I’ll research virtual smart cards some and see what they’re about. Is a TPM required? Todd
TPM would be on the workstation accessing the RDP session on the server. That is where you would need a traditional smartcard and a virtual smartcard anyway to access the protected server.
One problem with V-Smartcards is that the user is tied to the workstation as oppose to a traditional SC which moves with you from station to station as long as the proper software is installed.
Ah. I see, so the computer becomes the “smart card”, i.e. the “something I have” and the pin for that virtual smartcard becomes the “something I know”? Thus satisfying multi-factor? Because this is tied to my domain account I wouldn’t use my domain creds anymore but the VSC to log in?
Your VSC is tied to your domain account. For those servers “Requiring” smartcard auth you will be able to choose that logon type and for those server that don’t require smart card auth you can use you primary
auth (Username/pass). You will be given a choice in the logon box that appears when you connect to the RDP since the system will detect that you have primary auth creds and a smartcard. Choose one and proceed.
Brian is correct; you are tied to that workstation with that virtual smart card.
For relatively low cost, you can look into Yubikey Neo’s in CCID mode with PIV; still use your existing internal PKI and setup an enrollment station for provisioning. You can now take your smartcard with you.