blog posts

How to Configure One-Time Password (OTP) Authentication on Windows Server

When the subject of a dynamic second password was first raised, most people were reluctant to use it and considered it a useless solution. But when it comes to security, using dual one-time passwords is an efficient idea that Microsoft is well aware of and administrators can achieve a new level of protection by setting OTP in Windows Server.

By integrating DirectAccess and RRAS technology into a single role, Microsoft implemented the OTP (one-time password) authentication method so that remote access to Windows Server can be done in a completely secure and transparent process.

If you, as a professional administrator, have taken your first step by purchasing a Windows virtual server and would like to take measures to ensure the security of your server as much as possible, continue with the article:

Table of Contents

  • What is the whole scenario of setting OTP in Windows Server?
  • What is DirectAccess?
  • What is RRAS?
  • Prerequisites for setting up OTP in Windows Server
  • Hardware requirements
  • Software requirements
  • How to authenticate by setting Windows Server OTP
  • The effect of OTP on the security of Windows Server
  • Important points that you should know when setting up OTP in Windows Server!

What is the whole scenario of setting OTP in Windows Server?

Windows servers that can be accessed remotely need security. Microsoft also attaches great importance to this issue, and therefore, by integrating new features, it does its best to ensure that all remote accesses are controllable and secure.

Two-step authentication with an OTP setting is one of Microsoft’s new security techniques that can be implemented for servers equipped with DirectAccess. Of course, this authentication is placed next to the login step with credentials (username and password) so that access security is ideal.

This feature can generally be implemented for the popular Windows Server 2012, 2016, 2019, and 2022. In this way, these servers integrate DirectAccess and RRAS under one remotely accessible role. If you are unfamiliar with these terms, there is no need to worry because we will provide the necessary explanations below.

But, it is essential to know that using a one-time password for authentication by configuring DirectAccess and RRAS integration is a great idea to increase security and prevent unauthorized remote access.

What is DirectAccess?

 

DirectAccess connectivity allows remote users to connect to resources and servers without needing an enterprise private network. With this type of connection, remote computers can always be connected to the organization’s network, and there is no need for the process of starting and stopping links by remote users.

In fact, DirectAccess connections are designed in such a way that when the remote system is connected to the Internet, the process of connecting to the server is done automatically, and authentication is done through credentials in Active Directory.

DirectAccess relies on the IPv6 protocol to establish a connection between the server and the remote user and uses IPv6 to access intranet resources and other DirectAccess clients. After the traffic encryption and packaging are done, the client uses the tunneling technology of their choice, such as 6TO4, and then connections and remote access management are done.

In general, the ability to implement several websites, increase the security of remote access, and be controllable through Group Policies are the most important advantages of this type of connection.

What is RRAS?

 

 

You must have realized by now how important the role of virtual private networks is in maintaining the security and privacy of private and public networks. It depends on you how much to spend in this field and what solutions to implement, but Microsoft has made things easier for administrators of Windows servers by providing RRAS, and by using it correctly, you can increase the performance of your network.

RRAS (Routing and Remote Access service) is a Microsoft server API software that allows the creation of a routing application and a remote access service to act as a network router. Of course, this software’s routing and remote access services work separately, and each has its own protocols.

But since the subject of our discussion is the security of remote connections, it is better to focus on the remote access service of this API. RRAS provides access to remote users through a private network, and this connection can be implemented based on IP or, like ISPs, we can authenticate for remote connection to the network. Also, RRAS supports direct or site-to-site connection to different remote servers.

In general, the most essential services of RRAS include the following:

  • Remote access
  • Network address translation services
  • Dial-up remote access server
  • Routing
  • Other services related to routers

Prerequisites for setting up OTP in Windows Server

Before we look at how to set up this security feature, it’s best to review its prerequisites:

  • You must deploy a DirectAccess server before setting up OTP.
  • Windows 7 clients must use DCA 2.0 to support OTP.
  • OTP does not support PIN change.
  • It would help if you used public critical infrastructure.
  • Policies outside of the DirectAccess management console or Windows PowerShell cmdlets are supported.

 

Hardware requirements

  • The system is equipped with the necessary hardware power for Windows Server 2012 or 2016
  • At least one system running Windows 7, 8, or 10 as a DirectAccess client
  • OTP server with PAP support over RADIUS
  • A hardware or software OTP token

Software requirements

To run this scenario, you need a series of software requirements that we explain below:

An OTP system for IPsec authentication requires a certificate authority to be deployed using its certificates. IPsec is generally not supported on the remote access system as a Kerberos proxy, so an internal CA is required.

– A Microsoft Enterprise CA is required to issue OTP certificates, which run on operating systems 2003 and above. Of course, the same CA used for IPsec authentication can also be used. The CA server must be accessible through the first infrastructure tunnel.

– Some particular users, such as admins, are exempted from this authentication step with OTP; therefore, it is better to have an Active Directory security group containing these unique users.

– Windows 8 and 10 systems use the NCA service to check the need for OTP credentials, and the NCA is also present in the operating system itself, so there is no need to install it. But if the client is equipped with operating system 7, DCA 2.0 must be installed.

 

How to authenticate by setting Windows Server OTP

 

The OTP authentication scenario includes the following steps:

1. Development of a DirectAccess server with advanced settings

Before setting OTP in Windows Server, you should consider deploying a remote access server. This process includes designing and configuring a network topology, setting up and developing certificates, setting up DNS and Active Directory, configuring remote access server settings, deploying DirectAccess clients, and preparing intranet servers.

If you do all the remote desktop server deployment steps correctly, DirectAccess clients running Windows 7, 8, 8.1, or 10 can connect directly to internal network resources through DirectAccess without additional connections. Overall, this provides the ease of access and management that Windows Server administrators are looking for.

2. Set remote access with the OTP authentication method

Besides having to think about setting up a single server, OTP on Windows Server requires a Microsoft Certificate Authority (CA), certificate templates for OTP, and a RADIUS-enabled OTP server.

Also, measures such as using Group Policy to prevent OTP authentication for some specific users are part of this setup process.

So after you’ve developed the DirectAccess server with advanced settings, it’s time to set up the RADIUS server. Note that the deployment phase of the RADIUS server requires the configuration of things such as the port, which you must write down because you will need them in the configuration phase of the remote access server.

After you’ve implemented the OTP certificate, it’s time to set up the remote access server for OTP.

If you follow these steps correctly, the following steps will be completed successfully:

  • The DirectAccess client requests a one-time password.
  • The remote access server receives this request and checks the validity of this request.
  • If valid, the server acts as an authority and issues an OTP certificate.
  • This OTP is sent to the DirectAccess client.
  • The client registers this OTP certificate signed and sent by the remote access server.

3. Configure DirectAccess with OTP authentication

At this stage, you must perform a series of essential steps, such as preparing the OTP authentication infrastructure, configuring the OTP server, configuring the OTP settings on the remote access server, and updating the DirectAccess client settings.

4. Troubleshooting the OTP structure

In this step, you should identify and fix common errors related to authentication or how to activate OTP.
Roles and features related to OTP setting scenario in Windows Server

Role: Remote Access Management

This role, installed and removed by the Server Manager console, includes two services, DirectAccess and RRAS, previously related to other features and functions.

This role depends on several server features:

IIS web server – this web server is necessary for tasks such as configuring NLC to identify the location of DirectAccess clients, using the OTP authentication method, etc.

Windows Internal Database – This database is used for local remote access server accounting.

Feature: Remote Access Management Tools

This feature is installed during the following steps:

  • This feature is installed by default by the server after installing the remote access role and supports the remote access console user interface.
  • If desired, this feature can be installed on any server that does not run the Remote Access role, which can be used to manage the remote system running RRAS and DirectAccess.

The features of this tool include the following:

  • Graphical and command-line-based remote access tools
  • Remote access module for Windows PowerShell

Of course, this feature has its own dependencies, which include the following:

  • Group Policy Management console
  • RAS Connection Management Kit (CMAK)
  • Windows PowerShell 3.0
  • Graphical management tools and infrastructure

 

The impact of OTP on Windows Server security

 

The use of OTP technology in DirectAccess connections increases the security of the Windows Server and the entire network because a user needs OTP credentials to access the web, and these credentials are also provided by Workplace connections of Windows 8 and 10 systems or DCA of Windows 7 systems.

Just check the following steps to understand why setting OTP on Windows Server increases security:

  • The DirectAccess client enters domain credentials to access the DirectAccess infrastructure servers through the infrastructure tunnel. If the connection fails, Workplace will notify the user of
  • a credential failure and connection failure. Then a pop-up will open, and the SMART CARD credentials will be requested.
  • After the OTP credentials are entered, this information is sent to the remote access server via SSL and the intelligent card login certificate request.
  • The remote access server initiates the OTP authentication process through a RADIUS-based OTP server.
  • If successful, the Remote Access server signs the certificate request using the CA and sends it to the user’s DirectAccess client.
  • The DirectAccess client sends this signed certificate to the CA and stores it with the Kerberos SSP/AP.
  • After these steps, the user authenticates securely a  nd transparently using the certificate and connects to the network.

Important points that you should know when setting up OTP in Windows Server!

  • OTP authentication can be used simultaneously and in parallel with Smart Card and TPM-based authentication.
  • Enabling OTP in the Remote Access Management console also allows the smart card authentication method.
  • Creating a security group can exempt some users from two-step authentication to authenticate only with a username and password.
  • It is possible to use the OTP authentication method for multiple sites with remote access, which applies to all entry points.
  • Users using the KEY FOB OTP token must enter the PIN followed by the passcode in the DirectAccess OTP dialog.
  • Users using the PIN PAD OTP token only need to enter the passcode in the DirectAccess OTP dialog.
  • OTP should not be enabled when WEBDAV is enabled.

conclusion

Security is one of the essential elements in the network and server world, and we did our best to make it easy for you to understand how to set OTP in Windows Server, and by using this information, you can maximize the level of security of your server against remote access. If you need more information in this field, you can get help from the Microsoft Learning section and follow your questions.

Thank you for staying with us until the end of the article. We hope that reading this article was helpful for you. If you have any questions or requests and need guidance, you can contact us by registering your opinion so we can answer you as soon as possible.