Products/Active Directory/MFA
Active Directory · Kerberos · NTLM · LDAP · SMB · RDP

Add MFA to Active Directory.

Enforce MFA on every domain authentication from a single DC Sensor on your domain controllers. No cloud sync, no proxy servers, nothing on workstations or member servers.

Enforcement topologyagentless
Workstation / RDP
Kerberos · NTLM
DC SensorDomain Controller
evaluate()
Authnull MFA
push
User's phone
Auth is held at the DC — the login waits, the runas never opens, the share stays locked — until the user approves.
Protocols
Kerberos · NTLM · LDAP · SMB · RDP
Deployment
Agentless DC Sensor
Methods
Wallet · Duo · Okta
Setup
Same afternoon
How enforcement works

The DC intercepts the auth, then holds it until the user approves.

Every Kerberos, NTLM, LDAP, and SMB request is evaluated against policy at the domain controller. Service accounts are detected and skipped automatically. Every decision is logged for audit.

Logon sequence
1user→DCAS-REQ Kerberos
2DC→authnullevaluate(user,src,proto)
3→phonepush · DC holds ticket ⏳
4phone→authnull approved
5DC→userTGT issued
authnull-dc — decisions.log
14:02:11 jdoe@CORP RDP src=10.0.4.12 → allow (in-office)
14:02:47 admin@CORP Krb src=203.0.113.9 → challenge push→wallet
14:02:52 admin@CORP ··· → approved, issue TGT ✓
14:03:20 svc-backup$ NTLM src=10.0.1.5 → skip (service acct)
14:04:05 mreyes@CORP SMB src=198.51.100.7 → deny (timeout)
Every access path

One MFA layer across every way into your domain.

Your IdP protects cloud apps. Authnull adds MFA to the infrastructure it misses — domain logons, RDP, RADIUS, and every server your SSO portal never sees.

Active Directory MFA

Enforce MFA on every domain authentication from a single agent on your domain controllers. No cloud sync, no proxies, nothing on member servers.

Kerberos · NTLM · LDAP · SMB

Windows & RDP

Block RDP sessions, runas commands, and file-share access until MFA is approved — held at the DC.

RDP · runas · SMB shares

Domain admin accounts

Always require MFA on privileged logons — the accounts an attacker actually wants — while standard users follow your policy.

Domain Admins · tier-0

Windows servers

Protect domain-joined member servers and DCs at logon — agentless, enforced from the DC Sensor with nothing on the server itself.

2019 · 2022 · core
Deployment, honestly

Two deployment modes. No software on endpoints.

The DC Sensor runs on your domain controllers and covers everything on the domain. Add the RADIUS Bridge for VPN gateways and network gear that speak RADIUS.

Agentless

Recommended
User logonDomain ControllerAuthnull MFA
A single DC Sensor service on your domain controllers — nothing on endpoints.Covers domain logon, RDP, runas, SMB file shares.Fastest path to coverage and the easiest to roll back.Requires the machine to reach Authnull at logon time.

Use when: domain-joined Windows servers, desktops, and RDP access.

RADIUS Bridge

VPN · Network
VPN / FirewallRADIUS BridgeAuthnull MFA
For VPN gateways, firewalls, and network gear that speak RADIUS.Runs on a Linux server or Docker — no Windows agent required.Same AD identities, same MFA policy, every entry point.

Use when: Cisco, Aruba, Juniper, Fortinet, or any RADIUS-capable VPN or firewall.

Granular policy

Require MFA exactly where it matters.

Scope policy by user, group, OU, source, and time — so admins from outside the network always hit MFA, while a desk in the office stays out of your way.

UserGroupOUSource IP / geoTime of dayMachine
Policy · Privileged remote accessenabled
WHEN user in Domain Admins
AND source outside corp network
AND time 18:00 – 07:00
REQUIRE MFA
ELSE allow with push
Domain admin protection

Your domain admins are the keys to the kingdom. Treat them that way.

Require MFA on every privileged logon — held at the domain controller until the admin approves. Service accounts are detected and excluded automatically, and every decision is logged for audit.

Step-up on privileged logon
Domain Admins and tier-0 accounts always hit MFA — standard users follow your policy.
Service account protection
Authnull automatically detects machine and service accounts in AD and excludes them from MFA challenges — no false positives on automated processes.
Audit trail
Every authentication decision is logged — user, source IP, protocol, factor used, verdict, and timestamp. Exportable for SIEM via syslog.
Supported methods

Works with your existing Duo or Okta — no rip and replace.

Authnull sits in front of AD and triggers push via the provider your users are already enrolled in. Bring your own Duo or Okta tenant, or use Authnull Wallet directly.

Authnull Wallet
primary · push notification
primary
Duo
existing Duo tenant · push
bring your own
Okta
existing Okta tenant · push
bring your own
Authenticator TOTP
offline-capable
coming soon
Live in an afternoon

Six steps from download to enforced.

01

Configure Active Directory

~ 10 min

Connect Authnull to your AD via LDAP — domain, IP, search base, bind credentials. No schema changes.

02

Install the DC Sensor

~ 15 min

Deploy the lightweight DC Sensor on your domain controllers. It intercepts Kerberos, NTLM, LDAP, and SMB at the DC — nothing on endpoints.

03

Enroll users via Wallet

~ 5 min / user

Users install the Authnull Wallet app and register their factor. Enrollment tracked per user — Registered or Pending.

04

Monitor user status

ongoing

The dashboard shows every AD user and service account, their enrollment state, and last authentication event.

05

Set policy

~ 15 min

Define who must MFA — by user, group, OU, source IP, and time. Start with Domain Admins, then widen.

Agentless MFA enforced

same day ✓

Policy goes live. Every covered domain authentication triggers a push — held at the DC until the user approves.

Helps you evidence
SOC 2 Type IICCPA
FAQ

Active Directory MFA, answered.

Can you enforce MFA on Active Directory without Azure or Entra?

Yes. Authnull enforces MFA directly against on-prem Active Directory — no Entra ID, Azure AD, or cloud-sync required. It works on domain logon, RDP, and server access using your existing domain, so you can add MFA without migrating identity to the cloud.

Does Authnull MFA work for RDP and Windows logon?

Yes — MFA is enforced at interactive Windows logon (console and RDP), including Remote Desktop session hosts, jump boxes, and member servers. You can require it for everyone or scope it to privileged accounts and remote sources only.

Do I have to install software on every machine?

No. The DC Sensor runs on your domain controllers only — nothing on workstations, member servers, or endpoints. Domain logon, RDP, and RADIUS are all covered without touching user machines.

We already have Duo — do we have to replace it?

No. Authnull sits in front of Active Directory and can trigger your existing Duo push. If you already have Duo or Okta enrolled, users keep using the same app — Authnull just adds the AD enforcement layer.

Can I require MFA only for domain admins?

Yes. Policy is scoped by user, group, OU, source IP, and time — so you can require MFA for Domain Admins logging in from outside the network, while leaving standard in-office users untouched.

How long does it take to deploy?

Most teams connect the domain, set a policy, and enforce MFA on a pilot group the same afternoon. Agentless coverage needs no endpoint rollout, and you can widen from a pilot OU to the whole domain at your own pace.

Put MFA on Active Directory this week.

Start free on your own domain, or have us walk your AD environment in 20 minutes and map a rollout.

Get in touch