We have an RSA Authentication Manager server and a few hundred tokens. We are using this as a 2F back-end for Cisco Secure ACS and for Linux authentication (with the PAM module). If we wanted to use tokens with our Windows 2012 Active Directory servers, what additional components or products would we need? We want to be able to use AD accounts, but use the Token Code instead of the password. This would also not be required for all accounts, since we have a 2F PKI solution in place for system logins, but for applications that support AD/LDAP and not PKI, using the RSA SecurID Token seems like the best option to get these apps behind 2F.
The RSA Authentication Agent for Windows can be installed on Win2012 R2, and you can Challenge (require PassCode 2-factor):
1. everyone
2. everyone in a specific group
3. everyone NOT in a specific group
4. No one
However, with Windows you always have to log on with a Windows password even after authenticating with a PassCode. But you can configure Windows Password Integration: the RSA AM agent will tell the RSA AM server the MD5 hash of your Windows password the first time you do this, and on subsequent logons RSA will automatically log you on to Windows after you enter your PassCode successfully (until the password expires, you change your Windows password, and RSA learns the new MD5 hash of the Windows password... repeat).