Jackson Thornton, a certified public accounting and consulting firm, was established in Montgomery, Alabama, on March 3, 1919. For nearly a century, Jackson Thornton has evolved and expanded to provide more of what businesses need, whether strategic planning, business consulting, technology consulting or specialized industry services.

In the early 1980s, Jackson Thornton Utilities, the first group to establish an industry specialization, was launched. Jackson Thornton’s Valuation and Litigation Consulting Group was created in the early 1990s in response to the growing need for experienced professionals trained in business valuation and litigation support services. Continuum Education + Training was developed in 2001 to support clients in conference environments by providing program and keynote speakers, conference entertainment and staff retreats.

Jackson Thornton Technologies LLC (JTT) was also founded in 2001 to support clients’ information technology needs. In 2008, Jackson Thornton opened its fifth office in Nashville, Tennessee. In 2016, the firm acquired Auburn/Opelika-based Brantley Boucher & Farr LLP, expanding its reach into East Alabama. Jackson Thornton now serves more than 4,000 clients, in six locations, with a team of more than 200 professionals trained as both accountants and business consultants.

PROBLEM

Jackson Thornton uses Remote Desktop Services (RDS) to allow users to access a virtual desktop from inside and outside their corporate network. Their users access the RDS environment mostly from unmanaged devices, including many different kinds of tablets. There is currently a risk that an unmanaged device is stolen or lost and gives an intruder access to the RDS environment. In addition, they need to extend additional levels of authentication and security to their Outlook Web Access and Citrix NetScaler systems. Internal users needed to bypass the MFA process through a list of trusted IP addresses representing their internal network and remote locations.

SOLUTION

Cloud Navigator’s solution to this problem used Azure Multifactor Authentication (MFA) together with an on-premises Azure MFA server to create an authentication sequence that requires two forms of identification in order to gain access to the RDS environment:

  • Something only the user knows – the username/password combination
  • Something only the user has – a one-time code delivered by text message, or a soft token, on the user’s phone.

The solution uses Microsoft Azure Multifactor Authentication (Azure MFA) for three reasons.

  1. Jackson Thornton already owned EMS licenses through their Microsoft partner benefits.
  2. Azure MFA can complete the second layer of authentication via a cell phone or smart device (a device most people already have) instead of requiring a hard token.
  3. Azure MFA can also be set to require a unique PIN that only the user knows. No matter which device is used to access the RDS deployment, the user needs more than their user credentials (which are often cached) to get in.

A Remote Desktop login request to RDS that includes Azure MFA looks like this:

  1. The user logs into RD Web Access and double-clicks a RemoteApp (or desktop connection).
  2. The user’s login credentials for the website are used to validate the user (Web SSO), so there is no need to enter them again.
  3. The user then receives an SMS text message on their smart device containing a six-digit numeric code (the one-time password).
  4. The user replies to the text message with this six-digit code. Azure MFA includes the option to require that the user also know a predefined unique PIN, so that a reply to a text message has to come from the user and not merely from whoever holds the phone.
  5. The user is authenticated, and the RemoteApp (or desktop connection) opens.

Note: SMS text authentication is not the only way that Azure MFA can communicate with users; it can also authenticate by phone call or through an app on a smartphone.
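The sequence above, together with the trusted-IP bypass mentioned under PROBLEM, can be modelled in a few lines. The following Python is an added example and is not code from Cloud Navigator, Jackson Thornton or Microsoft; it stands in for the on-premises MFA server’s second-factor check and the gateway’s decision. The trusted address ranges, the users’ PINs, the reply format (one-time code followed by the PIN), the code lifetime and the attempt limit are all assumptions of the example. What it adds to the text is the handling an MFA server needs to get right: a code is accepted once only, expires, tolerates a bounded number of wrong replies, and is compared in constant time.

```python
import hmac
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed trusted ranges standing in for the firm's internal network and
# remote offices; a real deployment keeps this list in the MFA server's config.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.50.0/24"),
]


def mfa_required(client_ip: str) -> bool:
    """Return False only when the connecting address lies inside a trusted range."""
    ip = ipaddress.ip_address(client_ip)
    return not any(ip in net for net in TRUSTED_NETWORKS)


@dataclass
class Challenge:
    code: str          # the six-digit one-time password that would be texted
    issued_at: float   # epoch seconds when it was issued
    attempts: int = 0  # wrong replies seen so far
    consumed: bool = False


class MfaServer:
    """Minimal stand-in for the MFA server's text-message second factor (assumed behaviour)."""

    CODE_TTL = 120     # seconds a one-time code stays valid (assumed value)
    MAX_ATTEMPTS = 3   # wrong replies tolerated before the challenge is voided (assumed)

    def __init__(self, pins: Dict[str, str]):
        self._pins = pins                              # user -> PIN; constructed data
        self._challenges: Dict[str, Challenge] = {}

    def issue_challenge(self, user: str, now: float) -> str:
        """Create a fresh six-digit code; returned here instead of being sent by SMS."""
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._challenges[user] = Challenge(code, now)
        return code

    def verify_reply(self, user: str, reply: str, now: float) -> bool:
        """Check a reply of the form <one-time code><PIN> against the open challenge."""
        ch: Optional[Challenge] = self._challenges.get(user)
        pin = self._pins.get(user)
        if ch is None or ch.consumed or pin is None:
            return False                     # nothing outstanding, or no PIN enrolled
        if now - ch.issued_at > self.CODE_TTL:
            ch.consumed = True               # expired: void it so a late reply never works
            return False
        ch.attempts += 1
        if ch.attempts > self.MAX_ATTEMPTS:
            ch.consumed = True               # too many guesses: void the challenge
            return False
        expected = (ch.code + pin).encode()
        # Constant-time comparison so timing reveals nothing about matching prefixes.
        ok = hmac.compare_digest(reply.encode(), expected)
        if ok:
            ch.consumed = True               # one-time: a replayed reply must fail
        return ok


def gateway_decision(server: MfaServer, user: str, client_ip: str,
                     now: float, reply: str) -> str:
    """Steps 2-5 of the login: Web SSO already validated the password, decide the second factor."""
    if not mfa_required(client_ip):
        return "allowed-trusted-network"     # internal/remote-office address: MFA skipped
    if server.verify_reply(user, reply, now):
        return "allowed-mfa"                 # step 5: RemoteApp or desktop opens
    return "denied"
```

In use, the gateway would call `issue_challenge` when the RemoteApp is launched (step 3) and `gateway_decision` once the reply arrives (step 4); the PIN requirement is what makes a stolen or lost phone alone insufficient, which is the risk the PROBLEM section describes.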

RESULTS

Cloud Navigator initially set up a proof of concept of the technologies involved using cloned test versions of the RDS servers, to avoid impacting production. Once the RD Gateway / Azure MFA solution met Jackson Thornton’s requirements in the test lab, they decided to run a pilot in production. This started with a small group of early-adopter users to test the process and develop documentation, and then expanded to a rollout across the entire company in less than a month.

MFA was also implemented on their existing Outlook Web Access server and on the Citrix NetScaler, using RADIUS authentication against the Azure MFA server. Today Jackson Thornton’s digital access is protected by layers of authentication to prevent external attackers from obtaining user credentials.