Posted by S. Pidgorny on July 27, 2007, 3:56 am
Not really, haven't got experience, but I had to sit through a few
presentations and demonstrations with Verisign. Yes, a server similar to ACE
Server is required. I'm not sure at all about their AD integration
capabilities - RSA, on the other hand, integrates with AD through LDAP for
authorisation, and provides Windows logon integration.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
* http://sl.mvps.org * http://msmvps.com/blogs/sp *
> So you've got some experience with this, then? Is it similar to the
> ACE/Server in SecurID?
>
> Steve Riley
> steve.riley@microsoft.com
> http://blogs.technet.com/steriley
>
>
>> Steve - Verisign's one-time password solution does require a separate
>> product (it is called Unified Authentication Validation server in their
>> terminology).
>>
>> Until Windows supports OTP natively, there will be a need for separate
>> infrastructure supporting that functionality.
>>
>> --
>> Svyatoslav Pidgorny, MS MVP - Security, MCSE
>> -= F1 is the key =-
>>
>> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>>
>>>I have two thoughts:
>>>
>>> 1. Smartcards, if you don't have a need for people to log in from random
>>> computers not in your control (kiosks, home machines, anything that
>>> lacks a smartcard reader).
>>>
>>> 2. Some customers have said good things about VeriSign's Unified
>>> Authentication product
>>>
>>> (http://www.verisign.com/products-services/security-services/unified-authentication/index.html).
>>> I've not used it, but you might give it a look. I've been told that,
>>> unlike RSA's SecurID, this product doesn't need separate "authentication
>>> servers" -- it can authenticate directly against AD.
>>>
>>> Steve Riley
>>> steve.riley@microsoft.com
>>> http://blogs.technet.com/steriley
>>>
>>>
>>>> Hello all,
>>>>
>>>> I don't know if this is the right group to pose this question to and if
>>>> it's not, I apologize ahead of time. I'm wondering if anybody out
>>>> there can recommend a good two-factor authentication solution that
>>>> meets the following criteria:
>>>>
>>>> 1. Accommodates domain level logons
>>>> 2. Can be used to secure custom IIS applications
>>>> 3. Can be used to secure OWA
>>>> 4. Can be used for VPN authentication
>>>> 5. Scales so that one or more authentication servers can be placed in
>>>> multiple sites (both for redundancy and load balancing).
>>>> 6. Excellent customer support (with some of the solutions I've been
>>>> testing with, customer support is severely lacking)
>>>>
>>>> I've been testing several different solutions, but what I've tested
>>>> doesn't meet the criteria above in some way, shape or fashion. I am
>>>> willing to use a PKI based solution to secure the custom IIS apps and
>>>> OWA, but points 1 and 5 are paramount. A couple of the solutions being
>>>> tested were looking promising (such as Crypto-Shield, for example) and
>>>> met all my requirements except for point 5, where the solution would
>>>> only support 2 authentication servers per domain. Since we have a
>>>> single domain and multiple sites, being limited to a fixed maximum
>>>> number of authentication servers introduces a single point of failure
>>>> and can potentially add to cross-site WAN traffic.
>>>>
>>>> I'm also confused in regards to RSA's offering. According to the sales
>>>> rep I talked with, RSA SecurID doesn't support domain logons, but
>>>> according to their web site, one can use the SecurID tokens as smart
>>>> cards and tie a certificate from an Enterprise PKI to it, so wouldn't
>>>> this provide some level of domain level support? Admittedly, this
>>>> question is probably better suited for the sales rep, but I was having
>>>> a difficult time communicating with her. I'm hoping that someone here
>>>> can provide a definitive answer on whether or not the RSA solution can
>>>> be used to secure domain servers. From what I've read, the RSA
>>>> solution comes highly recommended but without the domain level support,
>>>> I won't be able to deploy it.
>>>>
>>>> In any event, if someone could provide a good recommendation, I would
>>>> certainly appreciate it.
>>>>
>>>> Regards,
>>>>
>>>> DLN
>>>>
>>
>>