An alternative to ADFS with UserLock SSO & MFA
UserLock provides granular access security for on-premises Windows AD Server accounts with MFA, SSO, and more across all connection types.
Published November 25, 2021
UserLock’s value proposition is straightforward: it helps secure on-premises Windows AD Server accounts while providing granular control over multi-factor authentication (MFA), single sign-on (SSO) and more.
With UserLock, admins can enforce these policies across all connection types, even those leveraging SAML. This means all users get secure and easy access to cloud applications with existing Windows AD credentials.
UserLock SSO Key Advantages for IT Admins

Advantage | Detail
---|---
Reduce Complexity | Continue to use Windows Server AD as the authoritative user directory.
Elevated Security | Stop password sprawl from several different cloud applications.
Microsoft ADFS, while reasonably popular, has a number of dependencies, and assembling those moving parts correctly can be challenging.
First, there’s the SSL certificate, which serves HTTPS requests to the federation service. You also need a token-signing certificate, a token encrypting/decrypting certificate, ADFS domain controllers, a configuration database (Windows Internal Database or SQL Server), a DNS server, and a load balancer.
Furthermore, any interruptions to these services can cripple ADFS’ core functions.
For example, any application relying on ADFS needs the token-signing certificate and key for the trust relationship to work. Microsoft warns that administrators who manage their own certificates must back them up and keep them independently available; otherwise ADFS can become unstable. More generally, any client-server connection error can impact user access.
According to Microsoft, these are some key ADFS troubleshooting topics:
Event logging and auditing
Certificates
SQL connectivity
Integrated Windows authentication
Integration with Azure AD (now Microsoft Entra ID)
Additionally, third-party services can experience issues with ADFS’ built-in single sign-on (SSO) functionality—which can get a little clunky. It’s also worth noting that ADFS is a non-essential supplement to Azure AD in many cases. Microsoft primarily introduced it to tackle newer authentication protocols.
That said, some have experienced latency issues with their proxy servers while leveraging ADFS with older authentication protocols. Those using legacy solutions might look elsewhere.
Lastly, ADFS’ communication with domain controllers incurs a notable resource cost. ADFS adds load within AD itself, which can hold up other requests.
UserLock does have its associated moving parts that handle connectivity to Active Directory. After all, AD isn’t a local-only utility. However, there are fewer components that can fail.
UserLock was designed from the ground up to integrate with Active Directory, ensuring that features like multi-factor authentication (MFA), SSO, and contextual access management work seamlessly.
UserLock supports any TOTP authenticator app (e.g. Google, Microsoft, LastPass), programmable hardware tokens such as YubiKey and Token2, and both time-based (TOTP) and HMAC-based (HOTP) one-time passwords.
Organizations can distribute their preferred array of access controls without sacrificing control or convenience.
UserLock’s graphical console is inherently more approachable than PowerShell modules, requires less specialized knowledge, and is highly efficient. Drop-down menus, toggles, and fields make it easy to select from sets of default configurations or to add a further level of granularity to your access-management process.
UserLock helps track users regardless of their device OS or access protocol. The list-style presentation is color coded, icon-rich, and easy to quickly scan.
For example, the same view shows SSO connections to the cloud.
To secure remote access, UserLock MFA offers two separate capabilities.
First, UserLock works even without an internet connection. For obvious reasons, this is key to securing remote user access.
Second, UserLock also allows admins to apply MFA on off-network, off-domain connections. Thanks to a web app called UserLock Anywhere, UserLock prompts the user's machine(s) for MFA even if the user doesn't connect to the corporate network.
To further secure remote user access, UserLock also offers MFA for Microsoft 365 and Remote Desktop (RD) Gateway, along with other common remote-work MFA use cases.
This is another area where UserLock’s flexibility shines over ADFS. By taking context into account, UserLock authorizes, denies, or limits user access after authentication. Admins can control access through a variety of mechanisms:
Based on machine and device: dictating how AD users log on according to IP address, location, department, or workstation OS
Based on hours: according to total session length, time quotas, and company hours of operation
Based on session type: including terminal sessions, those using RADIUS or RRAS, or IIS
Based on concurrent login caps and initial access points
This happens automatically without manual intervention, though UserLock allows admins to make granular changes as needed.
In addition to controlling all login attempts to your Windows AD domains, you can even audit or report on this activity.
Want to know who’s logged in across which services? The UserLock dashboard makes this easy by displaying all user sessions at a glance. There may also come a time when user activity raises red flags. For situations like these, you can configure UserLock to alert key team members to suspicious behavior, and access can then be shut down quickly to prevent a breach.
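As an added illustration (not UserLock’s own code or configuration), the Python below sketches the kind of contextual authorization and alerting described above: a policy of allowed networks, working hours, permitted session types and a concurrent-logon cap, evaluated over constructed logon attempts, with IP and concurrency violations flagged for alerting. The `Policy`/`Attempt` names, field names and reason codes are assumptions made for this example.

```python
from collections import namedtuple
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

@dataclass
class Policy:                   # contextual restrictions for a user or group (hypothetical shape)
    allowed_networks: list      # IP ranges the user may log on from
    work_hours: tuple           # (start, end) company hours of operation
    allowed_session_types: set  # e.g. {"workstation", "terminal", "radius"}
    max_concurrent: int         # concurrent logon cap

Attempt = namedtuple("Attempt", "user src_ip at session_type")  # one authenticated logon

def evaluate(policy, attempt, active_sessions):
    # Returns ("allow"|"deny", [reasons]); active_sessions = user's sessions already open.
    reasons = []
    ip = ip_address(attempt.src_ip)
    if not any(ip in ip_network(n) for n in policy.allowed_networks):
        reasons.append("ip_not_allowed")
    start, end = policy.work_hours
    if not start <= attempt.at <= end:
        reasons.append("outside_hours")
    if attempt.session_type not in policy.allowed_session_types:
        reasons.append("session_type_not_allowed")
    if active_sessions >= policy.max_concurrent:
        reasons.append("concurrent_cap")
    return ("deny" if reasons else "allow", reasons)

def review(policy, attempts):
    # Processes attempts in order, tracking open sessions per user; denials caused
    # by an IP or concurrency violation are flagged for alerting (alert=True).
    open_sessions, decisions = {}, []
    for a in attempts:
        n = open_sessions.get(a.user, 0)
        verdict, reasons = evaluate(policy, a, n)
        if verdict == "allow":
            open_sessions[a.user] = n + 1
        alert = bool({"ip_not_allowed", "concurrent_cap"} & set(reasons))
        decisions.append((a.user, verdict, reasons, alert))
    return decisions

POLICY = Policy(["10.0.0.0/8", "192.168.1.0/24"], (time(8, 0), time(18, 0)),
                {"workstation", "terminal"}, 2)
ATTEMPTS = [  # constructed sample logons, not captured data
    Attempt("alice", "10.1.2.3", time(9, 15), "workstation"),
    Attempt("alice", "10.1.2.4", time(9, 20), "terminal"),
    Attempt("alice", "10.1.2.5", time(9, 25), "workstation"),  # 3rd session: over the cap
    Attempt("bob", "203.0.113.7", time(23, 0), "radius"),      # off-network, off-hours, wrong type
]
```

Calling `review(POLICY, ATTEMPTS)` allows alice's first two sessions, denies her third on the concurrent cap, and denies bob's attempt for all three contextual reasons, flagging both denials for an alert.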
UserLock can be installed on any Windows Server 2003 or later, physical or virtual, and is then deployed to selected machines via an agent. Configuration ships with the application, giving click-and-activate functionality across devices on your network, and a powerful console handles in-network access control. You can protect user, group, or organizational unit accounts as needed.
UserLock offers protection against the most common security threats to both on-site and remote access. According to a 2020 study, over 40 million Microsoft users actively reused passwords, 50% of IT professionals reuse passwords across workplace accounts, and 49% share passwords with colleagues.
So if you’re looking to securely scale single sign-on and jumpstart productivity, UserLock is the logical choice. Forget creating new directories for user IDs. The combination of SSO and MFA offers unrivaled protection against unwanted access—minus the confusion.
Specifically designed for Windows AD access management, UserLock provides a host of features for power users and novices alike. No need to jump through the complex, technical hoops required before setting up ADFS. UserLock is a straightforward alternative that will reach more devices and satisfy more IT security and compliance requirements.