Score:0

Options for web application using Windows Authentication (IIS and Kerberos) to require MFA


Apologies in advance if this question is better suited on another StackExchange site; this felt like the best first choice.

Background

I have a web application (.NET Framework, ASP.NET Web Forms and MVC) running on IIS (any version). The application has no authentication logic, instead relying only on IIS configured for Windows Authentication (Negotiate); the application then references HttpContext.Current.User.Identity.Name to retrieve the Windows user.

I've been tasked with adding MFA to the login flow, but I've hit a roadblock on whether this is even possible. Below is my current understanding and why I believe it isn't possible; my question is whether I've missed something.

Goals:

  • When an end-user connects to the application, require a second factor authentication check
  • No application level changes

Current Understanding:

  • With Windows Authentication, the user is already authenticated, and the challenge from IIS is only to include the current authentication token along with the request
  • IIS used to have an option to interrupt this flow and redirect to the MFA challenge via Microsoft's MFA server, but this was discontinued and is no longer available.
  • There are no other options currently available to interrupt the IIS authentication flow
  • Potential Option #1 - Rework application to include authentication logic (most likely toward OAuth / OpenID Connect) and invoke MFA challenge at that point
  • Potential Option #2 - Place an application proxy in between the end user and the application; the app proxy would require login plus MFA, and then redirect to the application.

I'm at the point where I know enough to know I don't know enough, but I'm missing what more to understand to dig in further.

Is my understanding of Windows Authentication and available options to achieve MFA correct, or is there something else I am missing that will help me move forward?

Lex Li
You also have a third option to write/buy an IIS module that handles MFA. This module can perform its tasks just after Windows authentication passes. But overall, option 1 has far more vendors for you to choose from, so you should stick to that.
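One way to build the kind of IIS module described in the comment above. This is an added example written for this page; it is not code from the question, the comment, or any vendor product. It assumes an ASP.NET (.NET Framework) application in the IIS integrated pipeline with Windows Authentication enabled, and the names `MfaChallengeModule`, the `/mfa/challenge` path, the `MfaVerified` cookie and the `Purpose` string are all made up for illustration. The second-factor verification itself (TOTP, push, FIDO2 and so on) lives on the challenge page and is not shown; what the module shows is where in the pipeline the gate can sit and how to bind the "MFA done" marker to the Windows identity IIS has just established.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.Security;

// Hypothetical module (not from the original post): gates every request on a second
// factor after IIS Windows Authentication (Negotiate: Kerberos/NTLM) has succeeded.
public sealed class MfaChallengeModule : IHttpModule
{
    // Assumed names for illustration; adjust to the application.
    private const string ChallengePath = "/mfa/challenge";
    private const string MfaCookieName = "MfaVerified";
    private const string Purpose = "MfaChallengeModule.v1";

    public void Init(HttpApplication app)
    {
        // PostAuthenticateRequest fires after the native Windows Authentication module has
        // validated the token, so HttpContext.User is already the caller's WindowsIdentity.
        app.PostAuthenticateRequest += OnPostAuthenticateRequest;
    }

    public void Dispose() { }

    private static void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        var identity = ctx.User != null ? ctx.User.Identity as WindowsIdentity : null;

        // Not yet authenticated: leave the request alone so IIS can send its 401 Negotiate
        // challenge. The module only acts once the first factor has succeeded.
        if (identity == null || !identity.IsAuthenticated)
            return;

        // The challenge page itself must stay reachable, otherwise nobody can ever pass.
        if (ctx.Request.Path.StartsWith(ChallengePath, StringComparison.OrdinalIgnoreCase))
            return;

        if (IsMfaVerified(ctx, identity.Name))
            return;

        // returnUrl carries a same-site path only; the challenge page should still reject
        // anything that is not a local path (e.g. "//evil" or a URL with a scheme).
        ctx.Response.Redirect(
            ChallengePath + "?returnUrl=" + HttpUtility.UrlEncode(ctx.Request.RawUrl),
            endResponse: true);
    }

    // Called by the challenge page once the second factor has been verified.
    // The marker is sealed with the ASP.NET machine key, so it cannot be forged or
    // edited client-side, and it names the Windows account it was issued for.
    public static void IssueMfaCookie(HttpContext ctx, string windowsUserName, TimeSpan lifetime)
    {
        long expiresUtcTicks = DateTime.UtcNow.Add(lifetime).Ticks;
        byte[] payload = Encoding.UTF8.GetBytes(windowsUserName + "|" + expiresUtcTicks);
        byte[] sealedPayload = MachineKey.Protect(payload, Purpose);

        ctx.Response.Cookies.Add(new HttpCookie(MfaCookieName, Convert.ToBase64String(sealedPayload))
        {
            HttpOnly = true,
            Secure = true,
            Path = "/"
        });
    }

    private static bool IsMfaVerified(HttpContext ctx, string windowsUserName)
    {
        HttpCookie cookie = ctx.Request.Cookies[MfaCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return false;

        try
        {
            byte[] payload = MachineKey.Unprotect(Convert.FromBase64String(cookie.Value), Purpose);
            string[] parts = Encoding.UTF8.GetString(payload).Split('|');
            if (parts.Length != 2)
                return false;

            // Bind the marker to the identity IIS just established: a cookie issued to one
            // user must not satisfy MFA for a different account using the same browser.
            bool sameUser = string.Equals(parts[0], windowsUserName, StringComparison.OrdinalIgnoreCase);
            bool notExpired = long.Parse(parts[1]) > DateTime.UtcNow.Ticks;
            return sameUser && notExpired;
        }
        catch (CryptographicException) { return false; } // tampered or wrong machine key
        catch (FormatException)        { return false; } // not base64 / not a number
    }
}
```

The module is registered in web.config under `<system.webServer><modules>` (integrated pipeline), and in a web farm the `<machineKey>` must be shared so cookies sealed on one node unprotect on another. Because the request has already been authenticated by IIS, the module cannot "undo" Kerberos; it can only refuse to serve the application until the second factor is recorded, which is the same position an application proxy (the question's option #2) occupies, just inside the worker process instead of in front of it.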