Forum Discussion
Grey_ai1
Jul 15, 2026Copper Contributor
Looking for an on-prem MFA solution for Active Directory and RDP
Hi everyone, We're reviewing options for adding MFA to our on-premises Active Directory environment. Most of our users authenticate with Active Directory, while administrators also use RDP for mana...
RyanSteele-CoV
Jul 15, 2026Steel Contributor
This is something we have been looking at as well. I've successfully implemented YubiKey smart card in a proof of concept and it has been working well so far. You can learn more about it here: YubiKey smart card deployment guide
At a high level, the steps required to deploy are:
- Install the YubiKey minidriver on every server, as well as every workstation used for RDP
- Create and deploy a GPO to configure what happens when the YubiKey is removed (should the user be logged off or the desktop locked?), and allow ECC certificates to be used for logon and authentication
- Optionally configure a PIN Unlock Key (PUK) on each YubiKey deployed
- Create and deploy the certificate template to be enrolled, either with self-enrollment or for enrolling on behalf of each admin
- Once each admin is enrolled, enable the "Smart card is required for interactive log on" setting on their account
It has been working well so far but we are still very early in our PoC. (I am currently the only user testing at the moment, I have only deployed the minidriver on a handful of servers and am not yet enforcing smart card logon) so take that for what it's worth. Let me know if you'd like any further details.