Active Directory Federation Services, AD-FS, is the de facto identity provider in a Microsoft environment. Many organizations will be using it to authenticate Office 365 users to an on-premise Active Directory. Support amongst cloud service providers is growing, allowing you to authenticate not just O365 users but users of a variety of business applications.

To protect against a variety of attacks, you may want to require multi-factor authentication (MFA). Out the box, AD-FS only provides support for X.509 certificates. Thankfully there’s the concept of Authentication Adapters, allowing you to develop your own MFA plug-in. I’ve put together a RADIUS plugin that allows you to prompt users to enter a one-time PIN and send the response to a RADIUS server, along with the accounts userPrincipalName, for validation.

The software is open-source and licensed under the GPL and relies on the excellent Radius.Net library.

Download

I strongly recommend compiling your own version rather than downloading a DLL and installing it into your AD FS servers. If you’re comfortable with the risks of that, you can download it from the links below.

Installation

The below instructions cover installation into AD FS and make no attempt to document any RADIUS/NPS configuration.

  1. Extract the zip file to a convenient location and open install.ps1 in your favorite editor;
  2. Amend the variables in install.ps1 to match your RADIUS server, shared key and any ports needed;
  3. From an elevated PowerShell prompt, run install.ps1
  4. Restart the AD FS service to complete registration
  5. If you have multiple AD FS servers in your farm, repeat the process on each but press CTRL-C when prompted to register the authentication adapter