[KB3654] ESET Secure Authentication and Active Directory Schema Extensions

Details

ESET Secure Authentication Overview

ESET Secure Authentication (ESA) adds two-factor authentication (2FA) to VPNs, RADIUS devices, Remote Desktop Protocol and various web applications including Outlook Web Access. 2FA is enforced through one-time passwords (OTPs) that can be delivered via SMS, a mobile application, or hardware tokens (hard tokens).

Solution

Active Directory Schema extension in ESET Secure Authentication

ESET Secure Authentication (ESA) extends the Active Directory Schema. While some concern has been expressed that extending the Active Directory (AD) Schema can break Active Directory or cause other issues, ESA has been specifically designed to align with Microsoft best practices for extension of the AD Schema. These best practices have been documented in the following Microsoft Developer Network article:

Extending the Active Directory Schema


The Microsoft best practices for extending the AD Schema that ESA observes include:

  • Only define globally interesting, relatively static information in the schema
  • Objects defined in the schema should not be created very often or modified frequently
  • Objects should have a long life
  • Use twice the maximum replication frequency when determining longevity or frequency
  • Test the application in a private forest and with other applications before deploying
  • The schema upgrade must be separate from the application installation

ESA complies with all of the above Microsoft recommendations.

Schema Extensions that ship with ESA

Microsoft provides a number of additional guidelines for schema extensions that ship with applications (such as ESA). ESA is designed to comply with these suggestions, which include the following:

  • The application and schema extensions were tested on a local network
  • A separate install has been created for ESA
  • The LDIF files for the schema installation are created
  • The application uses LDIFDE.exe to load the LDIF files
  • The application uses a registered prefix and base OID for each class and attribute
  • The application has a unique schemaIDGuid for each class and attribute

Because ESA follows all of the official guidelines published by Microsoft with regard to extending the Active Directory Schema, there is no cause for concern about the safety or stability of the schema extensions that ESA performs during installation.
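The two guidelines an administrator can verify directly after any schema extension are the registered OID prefix and the unique schemaIDGuid per class and attribute. The following PowerShell audit is an added example, not ESET's code or part of the ESA installer; it assumes the RSAT ActiveDirectory module, and `$VendorOidPrefix` is a placeholder that must be replaced with the vendor's actual registered base OID.

```powershell
# Added audit example (not ESET's code): after an AD schema extension, list the
# classes and attributes defined under a vendor's registered OID prefix and
# confirm that every schemaIDGUID and every OID in the schema partition is unique.
Import-Module ActiveDirectory

# PLACEHOLDER base OID: replace with the vendor's registered prefix before use.
$VendorOidPrefix = '1.3.6.1.4.1.99999'
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Every attributeSchema and classSchema object, with the identifiers we care about.
$entries = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(|(objectClass=attributeSchema)(objectClass=classSchema))' `
    -Properties lDAPDisplayName, attributeID, governsID, schemaIDGUID

$rows = foreach ($e in $entries) {
    # Attributes carry their OID in attributeID; classes carry it in governsID.
    $isAttribute = [bool]$e.attributeID
    [pscustomobject]@{
        Name         = $e.lDAPDisplayName
        Kind         = if ($isAttribute) { 'attribute' } else { 'class' }
        OID          = if ($isAttribute) { $e.attributeID } else { $e.governsID }
        SchemaIDGuid = [guid]$e.schemaIDGUID   # AD returns this as a byte array
    }
}

# 1. Schema objects that were added under the vendor's registered prefix.
"Schema objects under prefix $VendorOidPrefix`:"
$rows | Where-Object { $_.OID -like "$VendorOidPrefix.*" } |
    Format-Table Name, Kind, OID, SchemaIDGuid -AutoSize

# 2. Duplicate schemaIDGUIDs anywhere in the schema (there must be none).
$dupGuids = $rows | Group-Object SchemaIDGuid | Where-Object Count -gt 1
# 3. Duplicate OIDs anywhere in the schema (there must be none).
$dupOids  = $rows | Group-Object OID | Where-Object Count -gt 1

if ($dupGuids -or $dupOids) {
    Write-Warning 'Duplicate schema identifiers found:'
    $dupGuids | ForEach-Object { "schemaIDGUID $($_.Name): $($_.Group.Name -join ', ')" }
    $dupOids  | ForEach-Object { "OID $($_.Name): $($_.Group.Name -join ', ')" }
} else {
    'No duplicate schemaIDGUIDs or OIDs found in the schema partition.'
}
```

Run it against the schema master (or any domain controller after replication has completed) both before and after the extension, so the second listing shows exactly which classes and attributes the installer added.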