I'm searching for information about how to integrate U2F (using YubiKey or similar devices) into an Active Directory Windows domain (it will be a Windows Server 2016 domain). I'm especially interested in securing the Windows logon to workstations/servers to require a U2F token as a second factor (password only should not work at all).

In short, the goal is that each authentication is done either via password + U2F token or using Kerberos tokens.

Any hints where to find further information about this specific scenario or lessons learned would be great.


Short version

I started looking into using FreeRADIUS with Windows Network Policy and Access Services (NPS) because we have a mixed Windows/Linux environment (and because YubiRADIUS is no longer supported). FreeRADIUS would be used to tie the YubiKeys and the AD auth together.

In my searches I found a couple of non-free resources such as WiKID Systems and AuthLite for doing 2-factor with YubiKeys (links below). There -does- appear to be a way to get really close using built-in Windows services (Network Policy and Access Services (NPS)), which I was using as a basis for my FreeRADIUS work.

Here is a tutorial for getting NPS working with WiKID:

http://www.techworld.com/tutorial/security/configuring-nps-2012-for-two-factor-authentication-3223170/

This URL describes how to get it to work with AuthLite:

https://www.tachyondynamics.com/yubikey-and-windows-domain-2-factor-authentication/

Both implementations appear to want some form of RADIUS server to pass along the second-factor auth. At least that is my understanding.

Additionally: if you search for "Windows Server 2016 2-factor yubikey", or similar, you may be able to find more.

Hope this helps!
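As an added illustration of the RADIUS piece the answer above keeps coming back to (this is example code written for this page, not code from the original post, from FreeRADIUS, NPS, AuthLite or WiKID): the client puts the AD password and the YubiKey OTP, concatenated, into a RADIUS Access-Request's User-Password attribute, and the RADIUS server splits the two, checks the password against the directory and the OTP against a validator, and replies Access-Accept only when both pass. It uses the YubiKey's OTP mode (a 44-character ModHex string), which is what a RADIUS User-Password can carry; U2F's challenge/response does not fit in that attribute. The 44-character tail split mirrors the split mode of FreeRADIUS's rlm_yubikey module. The shared secret, user, password, OTP, `ToyRadiusServer` and `try_logon` are all constructed for the example; a real deployment would check the password against AD (LDAP/NTLM) and the OTP against a YubiKey validation service, and would use the RADIUS library of whatever server it runs on rather than this hand-rolled packet code.

```python
"""Toy RFC 2865 round trip: "AD password + YubiKey OTP" in User-Password,
split and checked server-side. Every credential below is constructed test data."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
OTP_LEN = 44                      # YubiKey OTP: 12-char public ID + 32-char token
MODHEX = set("cbdefghijklnrtuv")  # YubiKey's keyboard-layout-independent alphabet

# Constructed fixtures standing in for AD and for an OTP validation service.
SECRET = b"constructed-radius-shared-secret"
USERS = {"alice": "Correct-Horse-7"}
GOOD_OTP = "ccccccbcdefg" + "hijklnrtuvcbdefghijklnrtuvcbdefg"   # 44 ModHex chars
VALID_OTPS = {"alice": GOOD_OTP}

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16; c_i = p_i XOR MD5(secret + c_{i-1}), c_0 = authenticator."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def decrypt_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def _attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(ident, secret, username, password, otp, authenticator=None):
    """Client side: User-Password carries the password and the OTP concatenated."""
    authenticator = authenticator or os.urandom(16)
    hidden = encrypt_password((password + otp).encode(), secret, authenticator)
    attrs = _attr(ATTR_USER_NAME, username.encode()) + _attr(ATTR_USER_PASSWORD, hidden)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs

def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        kind, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[kind] = data[i + 2:i + length]
        i += length
    return attrs

def split_password_otp(blob):
    """Server side: the last 44 chars must be a ModHex OTP; anything shorter is password-only."""
    if len(blob) <= OTP_LEN or set(blob[-OTP_LEN:]) - MODHEX:
        return None
    return blob[:-OTP_LEN], blob[-OTP_LEN:]

def build_response(code, ident, request_auth, secret, attrs=b""):
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_response(resp, request_auth, secret):
    """Client side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    return resp[4:20] == hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()

class ToyRadiusServer:
    """Stands in for NPS/FreeRADIUS: password against 'AD', OTP against a validator, no replays."""
    def __init__(self, secret):
        self.secret, self.used_otps = secret, set()

    def handle(self, packet):
        code, ident, length = struct.unpack("!BBH", packet[:4])
        if code != ACCESS_REQUEST or length != len(packet):
            raise ValueError("not a well-formed Access-Request")
        request_auth = packet[4:20]
        attrs = parse_attrs(packet[20:length])
        user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
        blob = decrypt_password(attrs.get(ATTR_USER_PASSWORD, b""), self.secret, request_auth)
        parts = split_password_otp(blob.decode(errors="replace"))
        ok = False
        if parts is not None:          # password-only requests never reach the checks
            password, otp = parts
            ok = USERS.get(user) == password and VALID_OTPS.get(user) == otp \
                and otp not in self.used_otps
            if ok:
                self.used_otps.add(otp)   # a YubiKey OTP is single-use
        return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, self.secret)

def try_logon(server, username, password, otp, ident=1):
    """One client/server exchange; True only on an authentic Access-Accept."""
    auth = os.urandom(16)
    resp = server.handle(build_access_request(ident, server.secret, username, password, otp, auth))
    return verify_response(resp, auth, server.secret) and resp[0] == ACCESS_ACCEPT

if __name__ == "__main__":
    srv = ToyRadiusServer(SECRET)
    print("password+OTP:", try_logon(srv, "alice", "Correct-Horse-7", GOOD_OTP))
    print("replayed OTP:", try_logon(srv, "alice", "Correct-Horse-7", GOOD_OTP))
    print("password only:", try_logon(srv, "alice", "Correct-Horse-7", ""))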