Remote Desktop Gateway RADIUS authentication
This article describes how to configure a Windows server so that two-factor authentication is required when a Remote Desktop (RDP) client connects through the RD Gateway service. RD Gateway is a Windows Server component that lets clients reach a desktop through a gateway performing VPN-like functions, namely establishing an encrypted connection over TLS. In addition, the gateway lets you limit the session timeout and control user access to drives, USB devices, the clipboard, printers and network resources. Applicable for versions:
Possible authentication methods:
To configure the second authentication factor, you need to install and configure MultiFactor Radius Adapter.
Operation Principle
Installing services
You will need a Windows Server with the Remote Desktop Gateway and Network Policy and Access Services roles installed. The server can run standalone or as a domain member. The installation process is described in many sources; see, for example, this comprehensive article.
Installation of the server certificate
To encrypt the traffic between the client and the server, and to authenticate the server to the client, a certificate issued by a public certification authority is required. You can buy such a certificate or get one for free from Let's Encrypt. Our article explains how to do this in 5 minutes.
Setting up Remote Desktop Gateway
In Server Manager, open Tools -> Remote Desktop Services -> Remote Desktop Gateway Manager. Then, under Policies -> Connection Authorization Policies, click Configure Central RD CAP in the right-hand pane.
NPS Setting
RADIUS Proxy
Create a rule that proxies requests from RD Gateway to MultiFactor Radius Adapter. Open Server Manager -> Tools -> Network Policy Server.
Radius Client
Add MultiFactor Radius Adapter as a RADIUS client so that NPS will accept requests from it.
Connection request policies
Two policies are needed: one that accepts requests from the RD Gateway and forwards them to the MultiFactor Radius Adapter component, and another that accepts requests coming back from the component and authenticates them against the domain.
Setting up Multifactor Radius Adapter
Specify Radius as the first authentication factor and configure the connection to NPS.
Client Configuration
Open the Remote Desktop Connection client (mstsc.exe);
If something's not working
Look at this:
In this post I am configuring a test case for Multi-Factor Authentication. We are going to convert an existing Remote Desktop Gateway deployment with username / password authentication and a central NPS running on the ADC to use MFA. As I like to use OneNote with a pen on my Surface more than I do Visio, I have quickly put together a diagram of the situation I have now:

And below is the situation I have in mind for the use of Multi-Factor Authentication:

So here we go…

First I am going to configure the MFA server to act as a RADIUS proxy in between the RDG and the ADC (NPS in my situation). I am going to add the RDG as a client for the MFA proxy. As a RADIUS proxy, I am going to send my requests to the RADIUS server (target):

On the Remote Desktop Gateway I am removing the ADC server as central policy server and adding the MFA server (RADIUS proxy):

After changing that setting, open the NPS console on the RDG server. We need to change the timeout settings for requests to the RADIUS server, as we need time to authenticate to Azure MFA, answer the call or click the app, and then send the authentication back to RADIUS. Under Remote RADIUS Server Groups open the TS Gateway Server Group, then choose Edit. On the Load Balancing tab, set "Number of seconds without response before request is considered dropped" to 60 seconds.

On the NPS server (in my case the ADC) I need to add the MFA server as a RADIUS client. So I open the NPS console on the ADC and add a new RADIUS client:

Here I have created the MFA RADIUS client on the ADC:

Now, on the Connection Request Policies, I added the just-created client friendly name (MFA) as a condition, so only the MFA proxy can authenticate to the NPS for connecting and authenticating the RDG requests:

If I have deployed and configured a user for the Remote Desktop Gateway and MFA (phone number or app), I should be able to log in to the Remote Desktop servers.
In my case I did. I hope this series gave you a quick understanding of how on-premises Multi-Factor Authentication works and how you can use it in your environment.
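The RADIUS exchange that the RD Gateway -> RADIUS proxy -> NPS chain described above carries, as an added example in Python (not code from either article, from MultiFactor or from Microsoft): how User-Password is hidden under each hop's shared secret, how a Response Authenticator is checked, and a probe that times one Access-Request against the 60-second drop timeout set on the RD Gateway. The host, port, secret and credentials are placeholders, and the values used inline are constructed.

```python
import hashlib, os, socket, struct, time
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, USER_NAME, USER_PASSWORD = 1, 2, 3, 1, 2

def _pw_cipher(data, secret, authenticator, hiding):
    # RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous hidden block, or Request Authenticator)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = result if hiding else block  # chain on the hidden block in both directions
        out += result
    return out

def hide_password(password, secret, authenticator):
    padded = password + b"\x00" * (-len(password) % 16)  # pad to a multiple of 16 bytes
    return _pw_cipher(padded, secret, authenticator, True)

def unhide_password(hidden, secret, authenticator):
    return _pw_cipher(hidden, secret, authenticator, False).rstrip(b"\x00")

def build_access_request(ident, user, password, secret, authenticator=None):
    # A proxy hop unhides with the RDG-side secret and re-hides with the NPS-side secret.
    authenticator = authenticator or os.urandom(16)
    name, hidden = user.encode(), hide_password(password.encode(), secret, authenticator)
    attrs = struct.pack("!BB", USER_NAME, 2 + len(name)) + name
    attrs += struct.pack("!BB", USER_PASSWORD, 2 + len(hidden)) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(code, request, secret, attrs=b""):
    # Response Authenticator = MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def response_is_authentic(response, request, secret):
    # A reply forged without the secret, or answering another request ID, must be dropped.
    if len(response) < 20 or response[1] != request[1]: return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[4:20] == expected

def probe(host, port, secret, user, password, rdg_timeout_s=60.0):
    # Timed Access-Request; returns (code or None, seconds) to compare with the RDG's 60 s timeout. Args are placeholders.
    request = build_access_request(1, user, password, secret)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM); sock.settimeout(rdg_timeout_s)
    started = time.monotonic()
    sock.sendto(request, (host, port))
    try:
        response, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None, rdg_timeout_s
    return (response[0] if response_is_authentic(response, request, secret) else None), time.monotonic() - started
```

Run `probe("<rdg-radius-proxy>", 1812, b"<shared-secret>", "user", "pass")` from the gateway host; a result near 60 seconds or a `None` code means the second factor is not completing within the window the RDG waits for.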