lithnet / access-manager

Access Manager provides web-based access to local admin (LAPS) passwords, BitLocker recovery keys, and just-in-time administrative access to Windows computers in a modern, secure, and user-friendly way.

Duo/MFA integration without external services like adfs. #145

Open CodeNameTheOnlyOne opened 2 years ago

CodeNameTheOnlyOne commented 2 years ago

A simple method of combining the built-in Windows authentication with either a Google Authenticator code or some other service like Duo to provide a simple MFA for new insurance requirements. I know I can do this with ADFS, but I have some customers that only have one server, and running domain controller/Lithnet/ADFS all on the same server does not seem feasible, as IIS/AMS would both want 80/443 and ADFS does not seem to like running on a DC.

A method of combining Windows auth + some MFA all inside of AMS would be great; I would be willing to pay for Enterprise for this.

It could be as simple as sending an email with a code that I could email to a cell phone, or an OTP code.

If there is a method of doing this currently, that would be great; just let me know if I missed something.

ryannewington commented 2 years ago

@CodeNameTheOnlyOne

We don't have the capability to do this currently (and it's not terribly easy to add, unfortunately), but we will consider this for our backlog for a future release. I appreciate the detail provided to articulate the case for this. It is well understood.

For what it's worth, there shouldn't be any issue running ADFS and AMS on the same server, as you can tie AMS to a specific host name to listen on, so it shouldn't conflict. You'd have to run this in a VM though if you only had a single server which was the DC, so I agree this is not ideal.

The only other option I could suggest is using Yubikey devices as smart cards. This would require a PKI server, but I believe this can be deployed alongside the DC role.

austinthomsen commented 2 years ago

Throwing my 2 cents in here. I think when people ask for Duo support they'd probably accept RADIUS or LDAP support. I can't speak for others, but we point a ton of IT infrastructure at our Duo Auth Proxy server for MFA. To the application it just looks like RADIUS or LDAP, but we get the protection of Duo MFA.
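The comment above describes the pattern where an application only ever speaks RADIUS and the MFA proxy does the second-factor check behind it. The following is an added example, not code from this thread, from Access Manager, or from Duo: a minimal RFC 2865 exchange in which the "application" builds an Access-Request (PAP, User-Password obfuscated with the shared secret), a hypothetical proxy function `proxy_handle` checks the password and then calls an out-of-band `second_factor_ok` callback standing in for a push/OTP check, and the application validates the Response Authenticator before trusting an Access-Accept. The shared secret, user table and callback are constructed for the example, and the round trip runs in-process rather than over UDP/1812.

```python
"""Minimal RFC 2865 RADIUS exchange between an application (RADIUS client) and a
hypothetical MFA proxy (RADIUS server). Constructed example; standard library only."""
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def _pack_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs; the length byte covers the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def _parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def encrypt_password(password, secret, req_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block  # chaining key uses the ciphertext block just produced
    return out


def decrypt_password(enc, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(enc), 16):
        key = hashlib.md5(secret + prev).digest()
        block = enc[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret):
    """Application side: returns (packet, request_authenticator)."""
    req_auth = secrets.token_bytes(16)
    attrs = _pack_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, encrypt_password(password.encode(), secret, req_auth)),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    return header + req_auth + attrs, req_auth


def _build_response(code, ident, req_auth, attrs, secret):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def proxy_handle(packet, secret, users, second_factor_ok):
    """Hypothetical MFA-proxy side: first factor from the packet, second factor from
    second_factor_ok(username), which stands in for an out-of-band push/OTP check."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return _build_response(ACCESS_REJECT, ident, packet[4:20], b"", secret)
    req_auth, attrs = packet[4:20], _parse_attrs(packet[20:length])
    username = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = decrypt_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    ok = (username in users
          and hmac.compare_digest(users[username], password)
          and second_factor_ok(username))
    return _build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, b"", secret)


def verify_response(packet, ident, req_auth, secret):
    """Application side: True only for an Access-Accept whose authenticator matches
    the request it answers; anything else (reject, tampering, wrong secret) is False."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    code, resp_ident, length = struct.unpack("!BBH", header)
    expected = hashlib.md5(header + req_auth + attrs + secret).digest()
    return (code == ACCESS_ACCEPT and resp_ident == ident and length == len(packet)
            and hmac.compare_digest(expected, resp_auth))


def authenticate(username, password, secret, users, second_factor_ok):
    """Full round trip, in-process instead of over UDP/1812."""
    ident = 7
    request, req_auth = build_access_request(ident, username, password, secret)
    response = proxy_handle(request, secret, users, second_factor_ok)
    return verify_response(response, ident, req_auth, secret)


# Constructed sample data for the demo.
SECRET = b"constructed-shared-secret"
USERS = {"alice": b"correct horse battery staple"}

if __name__ == "__main__":
    good = "correct horse battery staple"
    print("push approved:", authenticate("alice", good, SECRET, USERS, lambda u: True))
    print("push denied:  ", authenticate("alice", good, SECRET, USERS, lambda u: False))
    print("bad password: ", authenticate("alice", "wrong", SECRET, USERS, lambda u: True))
```

The application never learns which second factor was used; it only sees Accept or Reject, which is what makes a RADIUS front end attractive for products that have no MFA of their own. The check in `verify_response` matters: without validating the Response Authenticator and the identifier against the outstanding request, any host that can reach the client could answer with a forged Access-Accept. Note also that the User-Password obfuscation is MD5-keyed by a static shared secret, so in practice the client-to-proxy leg should stay on a trusted network segment or be wrapped in RadSec (RADIUS over TLS, RFC 6614) or IPsec.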

c3rberus commented 1 year ago

Support for Duo MFA would be great, or RADIUS where Duo Proxy could be used.

As a workaround for now, we have Azure AD P2 and Duo for admins, so we are able to set up Azure AD Conditional Access that calls out to Duo using custom control. Not great in that it has a dependency on Azure AD CA, but it works.