Forum Discussion
Looking for an on-prem MFA solution for Active Directory and RDP
Hi everyone,
We're reviewing options for adding MFA to our on-premises Active Directory environment.
Most of our users authenticate with Active Directory, while administrators also use RDP for managing Windows servers.
Because part of our infrastructure is isolated from the Internet, we'd prefer an on-premises MFA solution instead of relying on a cloud-only service.
Has anyone implemented something similar recently?
I'm interested in hearing:
Which solution did you choose?
How difficult was the deployment?
Did you run into any compatibility or performance issues?
Is there anything you'd do differently if you were deploying it again?
Any real-world experience or recommendations would be greatly appreciated.
Thanks!
2 Replies
- RyanSteele-CoVSteel Contributor
This is something we have been looking at as well. I've successfully implemented YubiKey smart card in a proof of concept and it has been working well so far. You can learn more about it here: YubiKey smart card deployment guide
At a high level, the steps required to deploy are:
- Install the YubiKey minidriver on every server, as well as every workstation used for RDP
- Create and deploy a GPO to configure what happens when the YubiKey is removed (should the user be logged off or the desktop locked?), and allow ECC certificates to be used for logon and authentication
- Optionally configure a PIN Unlock Key (PUK) on each YubiKey deployed
- Create and deploy the certificate template to be enrolled, either with self-enrollment or for enrolling on behalf of each admin
- Once each admin is enrolled, enable the "Smart card is required for interactive log on" setting on their account
It has been working well so far but we are still very early in our PoC. (I am currently the only user testing at the moment, I have only deployed the minidriver on a handful of servers and am not yet enforcing smart card logon) so take that for what it's worth. Let me know if you'd like any further details.
- Allan Solomon MejiaTin Contributor
Hi Grey,
If your environment is truly isolated or has limited Internet connectivity, I'd focus on solutions that support on-premises authentication rather than cloud-dependent MFA.
For Windows logon and RDP, products like Duo Authentication for Windows Logon & RDP, RSA SecurID, NetIQ Advanced Authentication, or YubiKey (smart card/FIDO2) are commonly deployed in enterprise environments. The right choice depends on whether your environment is fully air-gapped or has occasional connectivity.
Beyond MFA, I'd also recommend hardening administrative access by:
- Restricting RDP through a Privileged Access Workstation (PAW) or jump server.
- Enforcing Just Enough Administration (JEA) or privileged access controls where appropriate.
- Using Windows LAPS for local administrator password management.
- Enabling auditing and monitoring of privileged logons.
If you're planning for the long term, it's also worth evaluating whether you'll eventually integrate with Microsoft Entra ID for hybrid identity. That can influence which MFA platform makes the most sense today.
One question: Is your environment completely air-gapped, or does it have controlled outbound connectivity? That distinction will narrow the list of viable MFA solutions considerably.