DED9

How to Configure One-Time Password (OTP) Authentication on Windows Server

When the subject of a dynamic second password was first raised, most people were reluctant to use it and considered it a useless solution. But when it comes to security, using dual one-time passwords is an efficient idea that Microsoft is well aware of and administrators can achieve a new level of protection by setting OTP in Windows Server.

By integrating DirectAccess and RRAS technology into a single role, Microsoft implemented the OTP (one-time password) authentication method so that remote access to Windows Server can be done in a completely secure and transparent process.

If you, as a professional administrator, have taken your first step by purchasing a Windows virtual server and would like to take measures to ensure the security of your server as much as possible, continue with the article:

Table of Contents

What is the whole scenario of setting OTP in Windows Server?

Windows servers that can be accessed remotely need security. Microsoft also attaches great importance to this issue, and therefore, by integrating new features, it does its best to ensure that all remote accesses are controllable and secure.

Two-step authentication with an OTP setting is one of Microsoft’s new security techniques that can be implemented for servers equipped with DirectAccess. Of course, this authentication is placed next to the login step with credentials (username and password) so that access security is ideal.

This feature can generally be implemented for the popular Windows Server 2012, 2016, 2019, and 2022. In this way, these servers integrate DirectAccess and RRAS under one remotely accessible role. If you are unfamiliar with these terms, there is no need to worry because we will provide the necessary explanations below.

But, it is essential to know that using a one-time password for authentication by configuring DirectAccess and RRAS integration is a great idea to increase security and prevent unauthorized remote access.

What is DirectAccess?

 

DirectAccess connectivity allows remote users to connect to resources and servers without needing an enterprise private network. With this type of connection, remote computers can always be connected to the organization’s network, and there is no need for the process of starting and stopping links by remote users.

In fact, DirectAccess connections are designed in such a way that when the remote system is connected to the Internet, the process of connecting to the server is done automatically, and authentication is done through credentials in Active Directory.

DirectAccess relies on the IPv6 protocol to establish a connection between the server and the remote user and uses IPv6 to access intranet resources and other DirectAccess clients. After the traffic encryption and packaging are done, the client uses the tunneling technology of their choice, such as 6TO4, and then connections and remote access management are done.

In general, the ability to implement several websites, increase the security of remote access, and be controllable through Group Policies are the most important advantages of this type of connection.

What is RRAS?

 

 

You must have realized by now how important the role of virtual private networks is in maintaining the security and privacy of private and public networks. It depends on you how much to spend in this field and what solutions to implement, but Microsoft has made things easier for administrators of Windows servers by providing RRAS, and by using it correctly, you can increase the performance of your network.

RRAS (Routing and Remote Access service) is a Microsoft server API software that allows the creation of a routing application and a remote access service to act as a network router. Of course, this software’s routing and remote access services work separately, and each has its own protocols.

But since the subject of our discussion is the security of remote connections, it is better to focus on the remote access service of this API. RRAS provides access to remote users through a private network, and this connection can be implemented based on IP or, like ISPs, we can authenticate for remote connection to the network. Also, RRAS supports direct or site-to-site connection to different remote servers.

In general, the most essential services of RRAS include the following:

Prerequisites for setting up OTP in Windows Server

Before we look at how to set up this security feature, it’s best to review its prerequisites:

 

Hardware requirements

Software requirements

To run this scenario, you need a series of software requirements that we explain below:

An OTP system for IPsec authentication requires a certificate authority to be deployed using its certificates. IPsec is generally not supported on the remote access system as a Kerberos proxy, so an internal CA is required.

– A Microsoft Enterprise CA is required to issue OTP certificates, which run on operating systems 2003 and above. Of course, the same CA used for IPsec authentication can also be used. The CA server must be accessible through the first infrastructure tunnel.

– Some particular users, such as admins, are exempted from this authentication step with OTP; therefore, it is better to have an Active Directory security group containing these unique users.

– Windows 8 and 10 systems use the NCA service to check the need for OTP credentials, and the NCA is also present in the operating system itself, so there is no need to install it. But if the client is equipped with operating system 7, DCA 2.0 must be installed.

 

How to authenticate by setting Windows Server OTP

 

The OTP authentication scenario includes the following steps:

1. Development of a DirectAccess server with advanced settings

Before setting OTP in Windows Server, you should consider deploying a remote access server. This process includes designing and configuring a network topology, setting up and developing certificates, setting up DNS and Active Directory, configuring remote access server settings, deploying DirectAccess clients, and preparing intranet servers.

If you do all the remote desktop server deployment steps correctly, DirectAccess clients running Windows 7, 8, 8.1, or 10 can connect directly to internal network resources through DirectAccess without additional connections. Overall, this provides the ease of access and management that Windows Server administrators are looking for.

2. Set remote access with the OTP authentication method

Besides having to think about setting up a single server, OTP on Windows Server requires a Microsoft Certificate Authority (CA), certificate templates for OTP, and a RADIUS-enabled OTP server.

Also, measures such as using Group Policy to prevent OTP authentication for some specific users are part of this setup process.

So after you’ve developed the DirectAccess server with advanced settings, it’s time to set up the RADIUS server. Note that the deployment phase of the RADIUS server requires the configuration of things such as the port, which you must write down because you will need them in the configuration phase of the remote access server.

After you’ve implemented the OTP certificate, it’s time to set up the remote access server for OTP.

If you follow these steps correctly, the following steps will be completed successfully:

3. Configure DirectAccess with OTP authentication

At this stage, you must perform a series of essential steps, such as preparing the OTP authentication infrastructure, configuring the OTP server, configuring the OTP settings on the remote access server, and updating the DirectAccess client settings.

4. Troubleshooting the OTP structure

In this step, you should identify and fix common errors related to authentication or how to activate OTP.
Roles and features related to OTP setting scenario in Windows Server

Role: Remote Access Management

This role, installed and removed by the Server Manager console, includes two services, DirectAccess and RRAS, previously related to other features and functions.

This role depends on several server features:

IIS web server – this web server is necessary for tasks such as configuring NLC to identify the location of DirectAccess clients, using the OTP authentication method, etc.

Windows Internal Database – This database is used for local remote access server accounting.

Feature: Remote Access Management Tools

This feature is installed during the following steps:

The features of this tool include the following:

Of course, this feature has its own dependencies, which include the following:

 

The impact of OTP on Windows Server security

 

The use of OTP technology in DirectAccess connections increases the security of the Windows Server and the entire network because a user needs OTP credentials to access the web, and these credentials are also provided by Workplace connections of Windows 8 and 10 systems or DCA of Windows 7 systems.

Just check the following steps to understand why setting OTP on Windows Server increases security:

Important points that you should know when setting up OTP in Windows Server!

conclusion

Security is one of the essential elements in the network and server world, and we did our best to make it easy for you to understand how to set OTP in Windows Server, and by using this information, you can maximize the level of security of your server against remote access. If you need more information in this field, you can get help from the Microsoft Learning section and follow your questions.

Thank you for staying with us until the end of the article. We hope that reading this article was helpful for you. If you have any questions or requests and need guidance, you can contact us by registering your opinion so we can answer you as soon as possible.

Exit mobile version