Active Directory Federation Services (AD FS) is the de facto identity provider in a Microsoft environment. Many organizations use it to authenticate Office 365 users against an on-premises Active Directory, and support amongst cloud service providers is growing, so the same federation can authenticate users to a variety of business applications, not just O365.
In certain circumstances you may want to require multi-factor authentication (MFA). Out of the box, AD FS only supports X.509 certificates as an additional authentication method. Thankfully there is the concept of Authentication Adapters, which let you develop your own MFA plug-in. I have developed a quick RADIUS plugin that prompts the user for a one-time PIN and sends it, together with the account's userPrincipalName, to a RADIUS server for validation; the user is only authenticated if the RADIUS server returns Access-Accept.
The software is open-source and licensed under the GPL and relies on the excellent Radius.Net library.
Download
I strongly recommend compiling your own version rather than downloading a DLL and installing it into your AD FS servers: an authentication adapter runs inside the AD FS service and decides whether the second factor passed, so a tampered DLL can silently approve logins for any user. If you are comfortable with that risk, you can download it from the links below.
Download Sourcecode (C#, 4.5)
Download Binaries (Version 1.0).
Installation
The instructions below cover installation into AD FS only and make no attempt to document RADIUS/NPS configuration.
- Extract the zip file to a convenient location and open install.ps1 in your favorite editor;
- Amend the variables in install.ps1 to match your RADIUS server, shared secret and any non-default ports. Note that classic RADIUS only obfuscates the credential in an Access-Request with MD5 and the shared secret, so use a long random secret and keep the traffic between the AD FS servers and the RADIUS server on a trusted network path;
- From an elevated PowerShell prompt, run install.ps1;
- Restart the AD FS service to complete registration;
- If you have multiple AD FS servers in your farm, repeat the process on each node, but press CTRL-C when prompted to register the authentication adapter: the registration lives in the shared AD FS configuration database and only needs to happen once, whereas the DLL itself must be installed on every node.
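The following PowerShell is an added example of the registration steps above, written for this page; it is not the project's install.ps1. It uses only the standard AD FS cmdlets. The assembly path, the adapter's fully qualified type name, the provider name and the configuration file path are assumptions, and the way the adapter reads its RADIUS settings (here a file passed via -ConfigurationFilePath) is an assumption too; take the real values from the build you compiled yourself. Because registration is checked against the farm's configuration database before it is attempted, the same script can be run unchanged on every node, which replaces the CTRL-C step.

```powershell
# Added example, not the project's own install.ps1.
# Installs a custom AD FS authentication adapter on one farm node and
# registers it farm-wide only if it is not registered already.
param(
    [string]$AssemblyPath = "C:\AdfsRadius\AdfsRadiusAdapter.dll",          # assumed path
    [string]$TypeName     = "AdfsRadius.RadiusAdapter, AdfsRadiusAdapter",  # assumed type name
    [string]$ProviderName = "RadiusOtp",                                     # assumed provider name
    [string]$ConfigPath   = "C:\AdfsRadius\radius.config"                    # assumed config file
)

$ErrorActionPreference = "Stop"

# 1. Refuse to install a binary you did not sign. Sign your own build with a
#    code-signing certificate and this check rejects anything else.
$sig = Get-AuthenticodeSignature -FilePath $AssemblyPath
if ($sig.Status -ne "Valid") {
    throw "Refusing to install $AssemblyPath : Authenticode status is $($sig.Status)"
}

# 2. AD FS loads adapters from the Global Assembly Cache, so the DLL must be
#    GAC-installed on every node of the farm.
[System.Reflection.Assembly]::Load("System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a") | Out-Null
$publish = New-Object System.EnterpriseServices.Internal.Publish
$publish.GacInstall($AssemblyPath)

# 3. Registration is stored in the shared AD FS configuration database, so it
#    is done once per farm. On the other nodes this branch is skipped.
if (Get-AdfsAuthenticationProvider -Name $ProviderName -ErrorAction SilentlyContinue) {
    Write-Host "Provider '$ProviderName' is already registered in the farm; skipping registration"
} else {
    Register-AdfsAuthenticationProvider -TypeName $TypeName `
                                        -Name $ProviderName `
                                        -ConfigurationFilePath $ConfigPath
}

# 4. Enable it as an additional (second-factor) method without dropping any
#    provider that is already enabled, e.g. certificate authentication.
$enabled = @((Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider)
if ($enabled -notcontains $ProviderName) {
    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider ($enabled + $ProviderName)
}

# 5. The service only picks up newly registered adapters after a restart.
Restart-Service -Name adfssrv

# 6. Confirm the adapter is visible to AD FS on this node.
Get-AdfsAuthenticationProvider -Name $ProviderName | Format-List Name, AdminName
```

Run it from an elevated prompt on each node in turn. Enabling the provider in the global policy only makes it available; which relying parties actually require it is still controlled by the per-relying-party additional authentication rules, so a successful registration is not yet an enforced second factor.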