Appendix B: Security : Network Access Security : Two-Factor Authentication
Two-Factor Authentication
The following are options for providing two-factor authentication to a vCloud Solution:
*Enable SSPI support in vCloud Director 5.1 and delegate authentication to Active Directory, which has a number of two-factor solutions.
*Implement a third-party solution (for example, HyTrust Cloud Control).
vCloud Director 5.1 adds support for Security Support Provider Interface (SSPI), which is Microsoft’s proprietary implementation of GSSAPI. SSPI is an API for obtaining numerous security services, including integrated Windows authentication. Using SSPI to delegate identity verification to Windows and Active Directory allows for the use of a number of authentication mechanisms such as secure token or two-factor authentication.
The following are two-factor authentication design implications:
*The authentication method must be set to Kerberos to enable SSPI.
*The Service Principal Name (SPN) must be specified. The SPN is a name that a client uses to uniquely identify an instance of a service.
*A KeyTab file is needed to enable authentication for the SPN.
*Using SSPI implies that the workstation must be a member of an Active Directory domain.
*By using SSPI, vCloud Director is allowing a trust relationship to Active Directory to perform the authentication on behalf of vCloud Director.
*Using native support for two-factor authentication solutions through SSPI enables service providers and enterprise organizations to achieve strong authentication without requiring manual configuration or integration of each individual virtualization host.
*Combining technologies from VMware and third parties such as RSA, Symantec, and HyTrust enables end-to-end security of vCloud infrastructure and accelerates time to market.
*VMware is continually evolving and adding new security components to its security framework, including capabilities such as controlling identities enterprise-wide, supporting more secure authentication methods, and providing interoperability with future vCloud Director releases.