Hi all,
Here is what I want to get done:
- Machine authentication before logon (Pre-logon)
- After logon, keep this connection alive (Post-logon)
- Switch to User authentication with IdP Azure MFA.
And let's hope I can explain to Azure to do MFA while "On-Prem" - other outgoing IP to O365 for RemoteAccess?
So far I have:
- Made Machine Authentication work via Certificate (ADCS), Pre- and Post-Logon.
- Got User authentication to work with MFA (with Pre-Machine Certificate Auth).
Now, the issue starts:
- Either have Pre and Post Machine certificate (but not have MFA).
  Issue is a 'post-it' password on the PC = at theft they are on our network!
- Either have Pre Machine and Post MFA, but with a gap between the post-logon moment and validating MFA.
  Issue: as it's a gap in what we try to achieve, we are always behind our protection solution. No logon or proper AD auth at logon.
Or am I missing somewhere a parameter or a trick to make the switch work as described?
It has been a long journey to get to this point; the last mile is seeming to be the biggest hurdle.
PS: I'm interested in your POV, but stick to the topic please.
Kind regards,
Tim