NPS working with two factors in policy

Hi All,
We are using a Microsoft 2008 server with NPS installed and running. We would like our wireless employees to log in based on two factors:
1. They use their domain username/password.
2. The computer they are using has a computer account on the domain.
It appears that the policy we create allows them to log in using one criterion or the other, but not both.
Currently we have two Windows groups under our existing policy. I have a screen shot of them attached. If I limit it to one or the other, it works. However, when both are in, as they are below, nothing gets authenticated.

No, you can't check two factors, but if you go for computer-only authentication you would prevent users from using their private PCs.
If you absolutely need user authentication for accounting purposes, you could achieve higher security if you used non-exportable certificates for users (EAP-TLS) instead of allowing username / password logon (PEAP).
These are the options:
With user / machine names and passwords
You can check only for computer accounts in your domain; this requires re-configuring the standard re-authentication behavior at your clients. Private PCs cannot connect as they don't have domain accounts, and domain users are not members of the machine group configured in the policy.
You can check for "computer or user" in the way described, based on the default re-authentication as either machine or user.
Issue: NPS will allow users to log on from their private PCs as they can type in domain credentials. Same or worse with user-only authentication.
With certificates
Same options, but users will not be able (easily, without some malicious intent) to transfer certificates from the corporate PCs to their private ones.
For machine certificates that is even harder, as it would require admin privileges on the machine.
Given these options, some of my clients finally went for computer authentication only, as it is safer than allowing "computer or user" authentication.
With computers, machine accounts / passwords (PEAP) are as secure as certificates (EAP-TLS) in my opinion (assuming normal users are not admins), so in order to minimize effort I would pick password authentication.
Elke
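The weakness Elke points out with "computer or user" authentication is that a domain user can type corporate credentials on a private PC and NPS will accept it. NPS cannot enforce both factors in one policy on this platform, but the accounting log can at least reveal after the fact which user logons came from a device that never performed a machine authentication. The script below is an added example, not code from the thread or from Microsoft: it reads a constructed, simplified comma-separated extract of NPS accounting records (the column layout in the header row is an assumption, not the real positional IAS or XML DTS format), treats Packet-Type 2 as Access-Accept and 3 as Access-Reject, assumes machine authentications appear with a User-Name of the form host/<fqdn>, and pairs machine and user logons by the Calling-Station-Id (client MAC) reported by the access point.

```python
"""Added example: flag user logons from devices with no machine authentication.

Assumptions (not from the original thread): the input is a comma-separated
extract with the header row shown in SAMPLE_LOG, packet_type carries the
RADIUS code (2 = Access-Accept, 3 = Access-Reject), machine authentications
use a User-Name of the form host/<fqdn>, and calling_station_id is the client
MAC address as forwarded by the wireless controller.
"""
import csv
import io

ACCESS_ACCEPT = "2"

# Constructed sample records (not real log data). WS001 does machine auth and
# jdoe then logs on from the same MAC; asmith logs on from a MAC that never
# authenticated as a machine; bjones is rejected and must be ignored.
SAMPLE_LOG = """\
date,time,packet_type,user_name,calling_station_id,policy_name
2015-01-15,08:00:01,2,host/WS001.corp.example,00-11-22-33-44-55,Wireless-Corp
2015-01-15,08:00:05,2,CORP\\jdoe,00-11-22-33-44-55,Wireless-Corp
2015-01-15,08:03:10,2,CORP\\asmith,aa:bb:cc:dd:ee:ff,Wireless-Corp
2015-01-15,08:04:00,3,CORP\\bjones,AA-BB-CC-DD-EE-01,Wireless-Corp
2015-01-15,09:10:00,2,host/WS002.corp.example,DE-AD-BE-EF-00-02,Wireless-Corp
"""


def normalize_mac(raw: str) -> str:
    """Canonicalise a MAC so 'aa:bb:cc:..' and 'AA-BB-CC-..' compare equal.

    Different NAS vendors send Calling-Station-Id with different separators
    and casing; strip everything but hex digits and re-join in pairs.
    """
    hexdigits = "".join(ch for ch in raw if ch.isalnum()).upper()
    return "-".join(hexdigits[i:i + 2] for i in range(0, len(hexdigits), 2))


def is_machine_identity(user_name: str) -> bool:
    """Machine auth shows up as host/<fqdn>; users as DOMAIN\\user or a UPN."""
    return user_name.lower().startswith("host/")


def parse_records(log_text: str) -> list:
    """Parse the comma-separated extract into one dict per record."""
    return list(csv.DictReader(io.StringIO(log_text)))


def user_logons_without_machine_auth(log_text: str) -> list:
    """Return (user_name, mac) for every accepted user logon whose client MAC
    has no accepted machine authentication anywhere in the log.

    Rejected requests are ignored: a failed attempt from an unknown device is
    the policy doing its job, not a bypass.
    """
    records = parse_records(log_text)
    machine_macs = {
        normalize_mac(r["calling_station_id"])
        for r in records
        if r["packet_type"] == ACCESS_ACCEPT and is_machine_identity(r["user_name"])
    }
    flagged = []
    for r in records:
        if r["packet_type"] != ACCESS_ACCEPT or is_machine_identity(r["user_name"]):
            continue
        mac = normalize_mac(r["calling_station_id"])
        if mac not in machine_macs:
            flagged.append((r["user_name"], mac))
    return flagged


if __name__ == "__main__":
    for user, mac in user_logons_without_machine_auth(SAMPLE_LOG):
        print(f"user logon with no machine auth from this device: {user} from {mac}")
```

This is detection, not enforcement: it only tells you that a domain user connected from a device that never presented a computer account, and a determined user can clone a corporate MAC onto a private laptop. It also depends on the access point actually sending Calling-Station-Id. Real NPS logs must be mapped onto these column names first, since the IAS format is positional and the DTS format is XML. The fix Elke gives still stands: computer-only authentication, or EAP-TLS with non-exportable certificates, is what keeps private PCs off the network in the first place.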

Similar Messages

  • Visual Studio 2013 Community Azure Login Not Working with Two-factor Authentication

    Has anybody had any problems logging in to Azure to publish when using Visual Studio 2013 Community and with two-factor authentication turned on?
    I couldn't log on until I turned off two-factor authentication.
    Regards

    Hello John,
    Thanks for posting here!
    You can try and set a credential helper like
    git-credential-winstore in order to cache your credentials. See if that helps.
    Couple of questions here:
    1) Are you using a MSA account by any chance?
    2) When you turn on two-factor authentication, do you get any error message?
    3) Did you try with different browsers?
    Looking forward to your response!
    Regards,
    Sadiqh

  • Is there a way to work with two or more app at the same time on iPhone or iPad

    Is there a way to work with two or more app at the same time on iPhone or iPad?

What I am attempting to achieve is to work with at least two apps at the same time. For example: select any picture from my albums to attach them to an email. Another example is getting data from an app to use it with the calc app. And there are more examples of it. And for sure I need support for an iPad Air. I mentioned the other tablet just to try to be a bit clearer.

  • Can you setup handoff to work with two mac computers on the same network?

    I am attempting to setup handoff to work with two computers on the same network. I cannot seem to get it to work. Should I be able to?

    I'm not sure but I haven't seen anything on the Apple site that indicates that it would not work. The following troubleshooting documents may help: Get help using Continuity with iOS 8 and OS X Yosemite - Apple Support
    Note in particular the Mac models supported. The other thing that occurs to me is that in addition to being on the same network they would have to be within Bluetooth range of each other.

  • Apex mixes applications working with two windows at the same time

    Hi all, while developing in Apex I have found the following problem:
    Working with two different applications at the same time, the browser goes from one to another indistinctly.
    To reproduce the problem:
    1. Open the same application builder in two different Firefox windows
    2. Open a different application in each window (In my case: application 103 in window1 and application 105 in window2)
    3. Go to shared components in both windows (window1 first)
    - window1 breadcrumbs show: Home > Application Builder > Application 103 > Shared Components
    - window2 breadcrumbs show: Home > Application Builder > Application 105 > Shared Components
    4. Click in any shared component in window1 (Templates, Authentication Schemes...)
    - window1 breadcrumbs show: Home > Application Builder > Application *105* > Shared Components > Templates (Application 105 instead of 103)
    Is it a bug? I have read the known issues [[Here]|http://www.oracle.com/technetwork/developer-tools/apex/downloads/apex402knownissues-189793.html] but it does not appear.
    Related Data:
    Application Express version 4.0.2.00.07
    Firefox 3.6.15
    SO: Windows XP
    The error is not reproduced with IE7. I have not tested any other browser.
    Regards,
    Molina

    If you tried opening up two pages in the same application each of which modifies the same page items, you would notice the same issue.
    This is because, in a session there is only one set of values for page items(or application items) and every parallel call to the same page would update the same bind variables.
    Now the development environment or Apex Builder is also an apex application , and when try and open up the pages as you mentioned, they both access the same Application Builder page and sets/resets any existing values for those variables(and maybe cookies too if they are being used) , hence the 'mixing up'.
    If that didn't convince you, check the URL of both the pages when you load them, they should show the same page number ( f?p=APP_ID:PAGE_NUMBER syntax). Imagine if the same approach was done with one of your application pages, say an edit form opened from a report with multiple records in multiple tabs like what happened with this case: {message:id=9346663}
    So this really isn't a bug in a way, because that is how session states in apex is/was maintained. Ofcourse if they used another kind of development platform for building pages, it may have been avoided, but thats an altogether different point in itself.

  • I have recently installed Mavericks and since then I have been unable to shut down or log out of my mac.  I work with two screens and now I seem to have programmes at the top of both screens which I didn't before.  any advice?

    I have recently installed Mavericks on my desk top and since then I have been unable to switch off my computer without crashing it. I work with two screen and now I seem to have the menu bar on the second screen as well which I did not have before.  Can you please help me?

Dr Bettina, I had similar problems with Mavericks. I installed it on a Mini and a 13" MacBook Pro. I can't speak to your display issues, but I can confirm the inability to logout, shut down, or restart without a forced, power button shut down. I can also report frequent System Prefs freezes and Finder issues, like folder contents taking half a minute or more to render, or not appearing at all. And while a few Adobe CC apps actually ran faster, InDesign ran like molasses uphill in December.
I tried uninstalling or disabling numerous 3rd party apps and pref panes. I unplugged everything but the keyboard, ran DiskWarrior, repaired permissions, did fsck -f, trashed various preference files, reinstalled the OS... You name it, and I tried it, short of a potion using eye of newt.
    After two days of totally hosed productivity, I restored OS 10.8.5 on the Mini so I could actually get some work done. However, I've decided to leave Mavericks on the MBP as a sort of crash dummy, and will install and thoroughly test all updates until stability has been achieved. Then — and only then — will I upgrade the Mini to Mavericks, even if it means waiting 'til a .2 or even .3 update.
    Good luck to you...

  • HT201343 I bought my MacBook Pro in August 2011 at an Apple Store, with the Intel i7. However, mirroring is not working with two of my Apple TVs. These Apple TVs are 2nd and 3rd generation loaded with the latest software. Can someone help?

I bought my MacBook Pro in August 2011 at an Apple Store, with the Intel i7. However, mirroring is not working with two of my Apple TVs. These Apple TVs are 2nd and 3rd generation loaded with the latest software. I can successfully transmit from my iTunes on my MacBook Pro to both Apple TVs, but I cannot see the AirPlay icon on the menu bar. Can someone help?

    About AirPlay and Airplay Mirroring
    AirPlay Mirroring requires a second-generation Apple TV or later, and is supported on the following Mac models: iMac (Mid 2011 or newer), Mac mini (Mid 2011 or newer), MacBook Air (Mid 2011 or newer), and MacBook Pro (Early 2011 or newer). For non-qualifying Macs you can try using Air Parrot.
    Several Apple Articles Regarding AirPlay
    Apple TV (2nd and 3rd gen)- How to use AirPlay Mirroring
    How to set up and configure AirPort Express for AirPlay and iTunes
    About AirPlay Mirroring in OS X Mountain Lion
    iTunes 10- About playing music with AirPlay
    Troubleshooting AirPlay and AirPlay Mirroring
    Using AirPlay

  • Working with two UI components on the same PDA

Hi:
I have two UI components in Mobile 7.1 patch 07 for handhelds.
I need to access a view from one UI component from another view of another UI component.
Can I work with two UI components on the same PDA and have communication from one to the other?
Best regards,
Maria Elena

Hi:
Is there any way to configure the main menu of SAP Mobile 7.1 where you have applications that are deployed on the PDA?
This way I could create more than one component within an application and have more than one link in the main menu.
Best regards,
Maria Elena

  • Why does Final Cut Pro X not recognize the Sharp PN-K321 monitor (European version) as an output video monitor, while Premiere does? Working with two Cinema Displays and a PN-K321, I cannot preview the output video at 4K over DisplayPort, whereas with Premiere I can.

    Why does Final Cut Pro X not recognize the Sharp PN-K321 monitor (European version) as an output video monitor, and Premiere does?
    Working with two Cinema Displays and a PN-K321, I cannot preview the output video at 4K over DisplayPort, whereas with Premiere and After Effects I have no problems.

    Look, you can build an HD DVD with an SD movie, just as you can build an SD DVD with an HD movie. This is not a bug, it is most likely user error. Apple will not be addressing it.
    Just start over, and ensure you are building an SD DVD by bringing up the inspector for the disc (click on the background in the Graphical tab).
    Make sure SD DVD is selected:
    (If you do the same thing on your ill fated project, you'll see that HD DVD is selected)
    Build your DVD and you'll be fine.
    Patrick
    P.S. You will need to google HD DVD and Blu-Ray if you want to understand the difference between the formats. The reason that DVDSP included HD DVD was that its format was similar to SD DVD's. Blu-Ray is something else entirely.

  • Working with two or more tables in Numbers

    Working with two or more tables in Numbers
    Is it possible to write numbers or names in Table 1 B2, B3, B4, B5, B6 etc. and automatically copy into Table 2 only B2, B4, B9, B23 etc.?
    What do I need to do???
    Thanks for the help

    The table on the left is named "Source" and on the right "Destination":
    In the table "Destination" on the right:
    B2=Source :: B2
    select B2 and fill down

  • I am working with two computers in my profession (Mac/PC). I want to download trial versions, let's say Premiere Elements 13, for Mac and PC using my Adobe login. Is this possible?

    I am working with two computers in my profession (Mac/PC). I want to download trial versions, let's say Premiere Elements 13, for Mac and PC using my Adobe login. Is this possible?

    Sure. Elements is cross-platform, anyway.
    Mylenium

  • Working with two cams

    I have shots from two cams which I am preparing to capture into Adobe Premiere.
    I know there's a way to work with two cams for monitoring, but is that the case when capturing?
    I am capturing via FireWire. My card has more than one slot, so I guess I can plug in two cams at the same time. But can I A/B between the two cams prior to capture (record) into Adobe?
    Or is the multiple-cam feature in Adobe only for "already captured" shots?
    Thanks,
    Rob

    You need to capture the data streams separately (not simultaneously)

  • Working with two RecordSets

    Is it possible to work with two recordsets in one method?
    If so, I haven't been able to figure out how.
    Any Suggestions?
    Stef

    Sure. Why not? But your problem has nothing to do with them being "in the same method". It's more likely to do with this quote from the API documentation for java.sql.Statement:
    "Only one ResultSet object per Statement object can be open at any point in time. Therefore, if the reading of one ResultSet object is interleaved with the reading of another, each must have been generated by different Statement objects. All statement execute methods implicitly close a statement's current ResultSet object if an open one exists."

  • Working with two computers. One of them not working

    I've been working with two computers. On one of them, where I have already installed several programs downloaded with the Adobe Application Manager, when I try to open a program it gives me a message to sign in for a 30-day trial of the program. Why is this happening?

    Try http://helpx.adobe.com/creative-suite/kb/trial--1-launch.html

  • Vmware horizon radius integration with two factor authentication

    I have deployed VMware Horizon View Connection Server (evaluation/trial version) and I want to integrate it with a two-factor authentication server. But after configuring the RADIUS parameters in the admin portal of the Connection Server, it's not allowing me to save the settings. Please suggest.
    I have attached the snap for your reference.

    The SMTP server supports what is referred to as third party authentication. To take advantage of this you would need to provide all of the authentication code, however -- there's no way to do part of the authentication and then pass control back to the messaging server for the rest. So you'd need to do both password checks, one of which is presumably done via LDAP auth, yourself.
    As far as LDAP proxy and RADIUS, we use a standard LDAP simple bind. The ODSEE LDAP proxy is often used in OCMS deployments, so that is a known good solution. We don't directly support RADIUS; the aforementioned third party authentication could be used to tie into such a system.
    - Jeff
