Step 4: Plan for OTP on the Remote Access Server
Applies To: Windows Server 2012 R2, Windows Server 2012
After planning for the one-time password (OTP) RADIUS server and certificate settings, the final step in planning a Remote Access OTP deployment is to plan for client OTP settings on the Remote Access server.
Task | Description |
---|---|
4.1 Plan for OTP client exemptions | Plan for exemptions for users that you do not require to authenticate using OTP. |
4.2 Plan for Windows 7 clients | Plan to deploy the DirectAccess Connectivity Assistant (DCA) 2.0 to Windows 7 client computers. |
4.3 Plan for smart cards | Plan for the use of smart cards for additional authorization. |
4.1 Plan for OTP client exemptions
When OTP authentication is enabled, by default all users are required to authenticate using a combination of user name and password, and OTP credentials. However, you can allow selected users to authenticate using a user name and password only, without OTP. To do this, create a security group and add any users that you want to exempt from OTP authentication.
Note
Only client computers from a single forest may be exempted, because only one security group can be selected for client exemptions.
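The exemption group lets its members sign in with a user name and password only, so its membership is worth reconciling against an approved list. The following is an added example, not part of the original page or Microsoft's own code: it creates the group with the ActiveDirectory module and reports drift. The group name, OU path and account names are hypothetical or constructed; the group itself is still selected in the Remote Access OTP configuration.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT).
# All names below are hypothetical / constructed sample values.
Import-Module ActiveDirectory

$GroupName = 'DA-OTP-Exempt'                     # hypothetical group name
$GroupPath = 'OU=Groups,DC=corp,DC=example,DC=com' # hypothetical OU
$Approved  = @('svc-kiosk01', 'jdoe')            # constructed: approved exemptions

# Create the exemption group once. Universal scope can hold accounts
# from any domain in the same forest (only one group can be selected).
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupScope Universal -GroupCategory Security -Path $GroupPath `
        -Description 'Exempt from OTP: user name and password only'
}

# Effective membership, including users that arrive through nested groups.
$current = @(Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName)

# Add approved accounts that are not yet members.
$toAdd = @($Approved | Where-Object { $_ -notin $current })
if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $GroupName -Members $toAdd
}

# Report every effective member with the facts a reviewer needs:
# is the exemption approved, is the account enabled, when was it last used.
$report = foreach ($name in ($current + $toAdd | Sort-Object -Unique)) {
    $user = Get-ADUser -Identity $name -Properties LastLogonDate
    [pscustomobject]@{
        Account       = $name
        Approved      = $name -in $Approved
        Enabled       = $user.Enabled
        LastLogonDate = $user.LastLogonDate
    }
}
$report | Format-Table -AutoSize

# Unapproved or disabled members are exemptions nobody signed off on
# or no longer needs; surface them for removal.
$drift = @($report | Where-Object { -not $_.Approved -or -not $_.Enabled })
if ($drift.Count -gt 0) {
    Write-Warning "$($drift.Count) exempt account(s) need review: $($drift.Account -join ', ')"
}
```

Running it on a schedule turns the exemption list into something that is reviewed rather than something that only grows.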
4.2 Plan for Windows 7 clients
By default, Windows 7 client computers cannot authenticate using OTP. Windows 7 client computers require DCA 2.0 to authenticate using OTP in a Windows Server 2012 Remote Access deployment. For more information about DCA 2.0, see DirectAccess Connectivity Assistant 2.0 on the Microsoft Download Center.
4.3 Plan for smart cards
When OTP authentication is enabled, the option to enable the use of smart cards for additional authorization is available. Create a security group to allow temporary access in the event that a user’s smart card is not functional.