Configure Additional Authentication Methods for AD FS
Applies To: Windows Server 2016, Windows Server 2012 R2
In order to enable multi-factor authentication (MFA), you must select at least one additional authentication method. By default, in Active Directory Federation Services (AD FS) in Windows Server 2012 R2, you can select Certificate Authentication (in other words, smart card-based authentication) as an additional authentication method.
If you select Certificate Authentication, ensure that the smart card certificates have been provisioned securely and have pin requirements.
Did you know that Microsoft Azure provides similar functionality in the cloud? Learn more about Microsoft Azure identity solutions.
Create a hybrid identity solution in Microsoft Azure:
- Learn about Azure Multi-Factor Authentication.
- Manage identities for single-forest hybrid environments using cloud authentication.
- Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications.|
Microsoft and third-party additional authentication methods
You can also configure and enable Microsoft and third-party authentication methods in AD FS in Windows Server 2012 R2. Once installed and registered with AD FS, you can enforce MFA as part of the global or per-relying-party authentication policy.
Below is an alphabetical list of Microsoft and third-party providers with MFA offerings currently available for AD FS in Windows Server 2012 R2.
|Provider||Offering||Link to learn more|
|Duo Security||Duo MFA Adapter for AD FS||Duo Authentication for AD FS|
|Gemalto||Gemalto Identity & Security Services||http://www.gemalto.com/identity|
|inWebo Technologies||inWebo Enterprise Authentication service||inWebo Enterprise Authentication|
|Login People||Login People MFA API connector for AD FS 2012 R2 (public beta)||https://www.loginpeople.com|
|Microsoft Corp.||Microsoft Azure MFA||Walkthrough Guide: Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications (see step 3)|
|One Identity||Starling 2FA AD FS||Starling 2FA AD FS Adapter|
|One Identity||Defender AD FS||Defender AD FS Adapter|
|Ping Identity||PingID MFA Adapter for AD FS||PingID MFA Adapter for AD FS|
|RSA, The Security Division of EMC||RSA SecurID Authentication Agent for Microsoft Active Directory Federation Services||RSA SecurID Authentication Agent for Microsoft Active Directory Federation Services|
|SafeNet, Inc.||SafeNet Authentication Service (SAS) Agent for AD FS||SafeNet Authentication Service: AD FS Agent Configuration Guide|
|Swisscom||Mobile ID Authentication Service and Signature Services||Mobile ID Authentication Service|
|Symantec||Symantec Validation and ID Protection Service (VIP)||Symantec Validation and ID Protection Service (VIP)|
|Trusona||Essential (passwordless MFA) and Executive (Essential + Identity Proofing)||Trusona Multi-factor Authentication|
Custom Authentication Method for AD FS in Windows Server 2012 R2
We now provide instructions for building your own custom authentication method for AD FS in Windows Server 2012 R2. For more information, see Build a Custom Authentication Method for AD FS in Windows Server 2012 R2.
We'd love to hear your thoughts. Choose the type you'd like to provide:
Our feedback system is built on GitHub Issues. Read more on our blog.