
Windows Login/RDP Integration

SecTrail MFA adds multi-factor authentication to Windows operating system logins and Remote Desktop Protocol (RDP) access.

Features

🖥️ Windows Logon

  • MFA for local and domain user logins
  • Support for Windows 10, Windows 11, and Windows Server
  • Workstation and server protection

🔌 RDP (Remote Desktop)

  • Adding MFA to remote desktop connections
  • Compatible with Network Level Authentication (NLA)
  • RDP Gateway integration

👤 Multiple User Support

  • Different MFA policies for multiple users on the same machine
  • Separation of domain and local users
  • Group-based policies

Configuration Steps

SecTrail MFA Side

  1. API Client: Create an Agent-type API client; its client ID and secret are the API information requested during installation of the SecTrail Credential Provider
  2. Application Profile: Create an RDP-type application profile, which holds the factor configuration for Windows RDP
  3. Authentication Methods: Add the desired authentication methods (Push, SMS OTP, Soft OTP, etc.) to the application profile

Windows Side

The SecTrail MFA Credential Provider is installed on the Windows machine. This provider adds MFA factors to the Windows login screen and communicates with the SecTrail MFA API in the background.

Credential Provider Installation Steps

1. Start the Installation Wizard

Start the SecTrail Credential Provider 2.0 installation wizard. Click the **Next** button to continue.

2. OAuth Connection Information

Enter the SecTrail MFA OAuth connection information:

  • **SecTrail MFA URL**: The HTTPS address of your SecTrail MFA server
  • **API Client ID**: Agent-type API Client credential
  • **API Client Secret**: API Client secret key

Test the connection with the **Test Connection** button.

3. Select Authentication Scope

Select the scenarios in which SecTrail MFA will be applied:

  • **Enable for all login scenarios**: MFA for both local login and RDP connections
  • **Enable only for Remote Desktop (RDP) connections**: MFA for RDP connections only

4. Select Installation Location

Select the location where the Credential Provider will be installed. The default location is set to C:\Program Files\SecTrail Credential Provider. A minimum of 3.8 MB of free disk space is required.

5. Ready to Install

All settings are complete. Review the installation location and click the **Install** button to start the installation.

6. Installation Complete

SecTrail Credential Provider has been successfully installed. Click the **Finish** button to close the installation wizard. You may need to restart the system for the changes to take effect.

After completing these steps, SecTrail MFA verification is triggered on the Windows login screen and/or for RDP connections, according to the authentication scope selected in step 3.
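The following post-install checks, added here as an example and not part of SecTrail's documentation or installer, verify from an elevated PowerShell session the preconditions this page states: administrator privileges, an HTTPS server address, reachability of that server, the default install directory, and RDP with Network Level Authentication enabled. The MFA URL is a placeholder to replace with your own; no SecTrail API endpoint is assumed, only a TLS port check against the host in the URL.

```powershell
# Added verification script (not SecTrail's own code). Assumptions: $MfaUrl is a
# placeholder for your SecTrail MFA server; $InstallDir is the wizard default from the
# installation steps above.
param(
    [string]$MfaUrl     = 'https://mfa.example.invalid',                   # placeholder
    [string]$InstallDir = 'C:\Program Files\SecTrail Credential Provider'  # wizard default
)

$results = [ordered]@{}

# 1. Installing the Credential Provider requires administrator privileges.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$results['Running elevated'] = $principal.IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. The wizard expects an HTTPS address; refuse plain http so the API client
#    secret entered during installation is never sent in clear text.
$uri = [Uri]$MfaUrl
$results['MFA URL uses HTTPS'] = ($uri.Scheme -eq 'https')

# 3. The MFA server must answer on its TLS port (443 unless the URL says otherwise).
$results['MFA server TLS port reachable'] = Test-NetConnection `
    -ComputerName $uri.Host -Port $uri.Port -InformationLevel Quiet

# 4. The Credential Provider files should exist at the chosen install location.
$results['Install directory present'] = Test-Path -LiteralPath $InstallDir -PathType Container

# 5. The provider is compatible with NLA; UserAuthentication = 1 means RDP
#    requires Network Level Authentication before the logon screen is shown.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication `
        -ErrorAction SilentlyContinue).UserAuthentication
$results['RDP requires NLA'] = ($nla -eq 1)

# Print one line per check: OK, or CHECK for anything to look at before testing logons.
$results.GetEnumerator() | ForEach-Object {
    '{0,-32} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' })
}
```

Run it after the wizard finishes and before the required restart; a CHECK on the NLA line means the RDP-only MFA test recommended below should wait until NLA is enforced on the host.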

Supported Authentication Methods

Authentication methods that can be used in Windows Login/RDP integration:

  • LDAP Verification: Authentication with an Active Directory or LDAP server
  • Local Verification: Authentication with SecTrail MFA's local user database
  • LDAP+OTP: Two-factor authentication with password + OTP in a single screen
  • Soft OTP: Time-based one-time password via mobile application (SecTrail Authenticator)
  • SMS OTP: One-time password sent via SMS
  • Mail OTP: One-time password sent via Email
  • Push Notification Verification: Approval via push notification through the mobile application (SecTrail Authenticator)
  • Approved OTP: Verification with pre-approved OTP codes

Usage Scenarios

Scenario 1: Domain Controller Protection

Mandatory MFA for RDP access to Windows Domain Controller servers.

Scenario 2: Administrator Workstation

MFA for logging into workstations used by IT administrators.

Scenario 3: Remote Employee

MFA for remote users accessing office computers via RDP.

Scenario 4: Critical Servers

Additional security for accessing critical systems like database and application servers.

Policy Management

Group-Based Policies

  • Domain Admins: Mandatory MFA for all accesses
  • Developers: MFA for RDP accesses
  • Standard Users: No MFA for local logon, MFA for RDP

Time-Based

  • Mandatory MFA outside of business hours
  • Requirement for an additional factor on weekends

Location-Based

  • MFA for RDP access from IP addresses outside the office
  • Additional security for connections outside the VPN

Technical Details

Supported Windows Versions

  • Windows 10 (Pro, Enterprise)
  • Windows 11 (Pro, Enterprise)
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022

CAUTION

Administrator privileges are required for the installation of the Windows Credential Provider.

TIP

We recommend installing and testing with the RDP-only option first.