I'm searching for information about how to integrate U2F (using YubiKey or similar devices) into an Active Directory Windows Domain (will be a Windows 2016 Server). Especially I'm interested in securing the Windows logon to workstations/servers to require a U2F token as a second factor (password only should not work at all).
In short, the goal is that each authentication is either done via password + U2F token or using Kerberos tokens.
Any hints where to find further information about this specific scenario or lessons learned would be great.
Short version
I started looking into using FreeRADIUS with Windows Network Policy Access Service (NPS) because we have a mixed Windows/Linux environment (and because YubiRADIUS is no longer supported). FreeRADIUS would be used to tie the YubiKeys to the AD auth together.
In my searches I found a couple of non-free resources such as WiKID Systems and AuthLite for doing 2-factor with YubiKeys (links below). There -does- appear to be a way to get really close using built-in Windows services (using Network Policy and Access Services (NPS)), which I was using as a basis for my FreeRADIUS work.
Here is a tutorial for getting NPS working with WiKID:
http://www.techworld.com/tutorial/security/configuring-nps-2012-for-two-factor-authentication-3223170/
This URL describes how to get it to work with AuthLite:
https://www.tachyondynamics.com/yubikey-and-windows-domain-2-factor-authentication/
Both implementations appear to want some form of RADIUS Server to pass along the second-factor auth. At least that is my understanding.
Additionally: if you search for "Windows Server 2016 2-factor yubikey", or similar, you may be able to find more.
Hope this helps!
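As an added illustration (not part of the question or the answer above, and not a configuration from any of the linked products), here is what the "FreeRADIUS ties the YubiKey OTP to the AD password" approach described in the answer looks like in FreeRADIUS 3.x configuration terms. Option names follow the rlm_yubikey and rlm_ldap modules as shipped in mods-available/ and should be checked against the installed version; every host name, DN, credential and API id is a placeholder. The design point it shows is the one the question asks for: a request carrying only a password never gets an Auth-Type, so FreeRADIUS rejects it instead of falling back to password-only.

```conf
# Added example, not from the page: minimal FreeRADIUS 3.x layout for
# "AD password + YubiKey OTP" delivered in a single RADIUS User-Password.
# All host names, DNs, credentials and ids below are placeholders.

# ---- mods-available/yubikey ----
yubikey {
    # Length of the public-ID prefix of a YubiKey OTP.
    id_length = 12
    # Treat User-Password as <AD password><OTP>: the trailing OTP is moved
    # into Yubikey-OTP and the remainder is left as the real password.
    split = yes
    # Validate the OTP remotely rather than decrypting it locally.
    decrypt  = no
    validate = yes
    validation {
        servers {
            uri = 'https://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s'
        }
        client_id = 00000                          # placeholder
        api_key   = 'PLACEHOLDER_API_KEY'          # placeholder
    }
}

# ---- mods-available/ldap ----
ldap {
    server   = 'ldaps://dc1.example.internal'      # placeholder domain controller
    identity = 'CN=radius-bind,OU=Service Accounts,DC=example,DC=internal'
    password = 'PLACEHOLDER'
    base_dn  = 'DC=example,DC=internal'
    user {
        base_dn = "${..base_dn}"
        filter  = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
}

# ---- sites-available/default (relevant sections only) ----
authorize {
    # Sets Auth-Type = yubikey only when an OTP is present at the end of
    # User-Password. With no OTP, no Auth-Type is set and the request is
    # rejected, which is what makes "password only" fail.
    yubikey
}

authenticate {
    Auth-Type yubikey {
        # First bind to AD as the user with the residual password ...
        ldap
        # ... then verify the OTP. Both must succeed for an Access-Accept.
        yubikey
    }
}
```

In the NPS-fronted layout the answer describes, NPS acts as the RADIUS proxy: a connection request policy forwards the request to a remote RADIUS server group containing the FreeRADIUS host, and FreeRADIUS returns the combined verdict. Keep the shared secret between NPS and FreeRADIUS long and unique, and use LDAPS to the domain controller so the residual AD password is never sent in the clear.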