Yubikey and Windows Domain 2-Factor Authentication

Picking up where we left off last, I was showing you the awesome usefulness, security and affordability of Yubikey (Yubico’s 2-Factor authentication token) and using it for 2-factor authentication on network devices.  Well, I’d like to go another step forward: 2-Factor authentication for Windows computers to a Windows Active Directory environment.  If your enterprise deployment already has a smart-card/PKI environment for users and computers similar to the DoD (re: DoD PKI), then then rest of this probably won’t be useful for you.  If your users, servers and network devices still rely on single user names and passwords, then please read on.

AuthLite + Yubikey

This isn’t as “free” as the solution YubiRADIUS offers.  In fact there’s a licensing cost for each user.  Having said that, the cost is still less than an RSA SecurID deployment.  Yubico partners with a company called Collective Software which maintains the Yubikey and Windows AD integration called AuthLite.  At first, I was sceptical on how useful this was going to be.

First step is installing the software agent on your domain controllers.  This process is very simple:

  • Download the agent directly on your first domain controller: 64-bit (for Windows 2008 R2) or 32-bit (for Windows 2008 32-bit)
  • The user installing it must be an Enterprise Admin (or in a Schema Admins) group
  • Install as administrator
  • Don’t check the box until you install the other domain controllers since this is the first installation.
  • Click the defaults and let the installation finish.  If there are any errors it’s likely because AD replication may be having problems or your user account doesn’t have the right permissions.
  • Now you’ll be prompted to reboot – do this.
  • After you log back in the AuthLite Configuration window will pop up.  You won’t be able to do much until you at least get an evaluation license.  To do that go to http://AuthLite.com/License enter the License ID.  See picture below.  My ID is “AD” as it will likely be your domain name.
  • Once you fill out the license request you’ll get a key back via email.  Enter it in the “Enter Your License Key” area

config1

  • Once you are all licensed, you’ll need to enter either a user name or security group on the “Select AuthLite Users.”  I find it easier to control these functions by adding users to a group.  As shown below I called mine “ADyubi”

config2

  •  Next go to “Offline Logon Permissions,” and add either a select group of computers or all of your domain computers and the security group the users are part of.  This allows users to logon when Domain Controllers (DCs) can’t be reached.  This is a good idea for users that need to access local documents and are not connected to the LAN.  Don’t worry the encryption info about the keys is stored locally so OTP (one-time password is still supported).  Given your security level, you may not want this because the encrypted seeds are now stored on user laptops.
  • Now install AuthLite on your other DCs and your workstations that will be part of this – remember to click the check-box on install to have it sync with current AuthLite installations.
  • Once you install on the workstation have the user login to the workstation hit CTRL+ALT+DELETE and select “Change a Password”
  • select the user
  • enter the current password and a new one (or just the same one), but make sure you have the Yubikey inserted in the USB port and you check the box “Set up a new AuthLite Key for this account.”  Now hit go.
  • You’ll be asked to delete the current key configuration.  You’ll need to delete it, so don’t do this on a Yubikey that has other purposes.
  • Now logout and log back in by entering your password, then tap the Yubikey button, and hit enter.  Provided installation, licensing and configuration were done correctly, you should login via 2-Factor without a problem.

 Adding Network Device Authentication to Yubikey + AuthLite

In the last blog I told you about using YubiRADIUS for network device login.  However, if you want to completely integrate authentication and 2-factor authentication, I recommend you use the RADIUS service and NPS Plugin.  Configure the “IAS/NPS Plugin” just like the below picture.  I recommend you make sure NPS is working fine before you continue.

config3

Once you restart both the AuthLite and NPS service, you should be able to authenticate with OTP and password on your network device.  The only downside to using NPS with AuthLite instead of YubiRADIUS is it only supports PAP RADIUS mode.  This means the username and password are sent in plain-text.  This may seem bad, but remember you are using 2-factor.  The OTP will always be different.  Having said that, there are many enterprises that feel this is too much of a security issue.

If having PAP is too much of a security issue for you and would rather use CHAP with YubiRADIUS, that is fine.  However, the OTP will be stripped off the AD logon request message sent to the DC.  There may be a way to use “One-Factor Authentication” on YubiRADIUS and have the password sent be both the password and OTP.  I have not tested this, so I am not sure this will work.  I will get back to everyone to let them know if it does.  Thanks again for reading!

 

 

Scroll to Top