Two factor authentication w/AD - specify field other than "Description" for the 2FA serial # CW#7572176

Michael Legato (Support), 8 years ago, updated 7 years ago

Partner is using AD authentication and would like to specify a different field in AD besides Description for the system to check/pull the 2FA serial number for validation. He uses Description for other things in AD and said he cannot append these details at the end as it may break some other things in the environment.

He also does not want to use LDAP as he has a multi-domain environment that doesn't work with LDAP.

Is there a reason this was declined? We have the same request and this seems to be rather simple to implement (allow customer to define the attribute field used in AD and then point to that field for this information). With PCI DSS 3.2 out requiring 2FA for administrative access, this is important to us and we absolutely do NOT want to use the Description field, and it makes no sense why that field would have been chosen for this purpose. We may need to stop using ScreenConnect and drop our maintenance if this is not addressed soon to allow us to meet the requirements of PCI DSS 3.2.

This can be set up through the LDAP user source method.

We're looking to use 2FA as well and this is holding us back from implementing until we can find another way to store this information. The description field in AD makes no sense as a place to store this information. Can someone look at this request again to see if this can be changed or at least offer an explanation as to why it cannot?

This field can be customized by setting up the LDAP user source method instead of Active Directory:


Specifically, you would specify it under the UserPasswordQuestionAttribute field.