Remote Desktop Gateway RADIUS authentication

This article describes how to configure a Windows server to enable two-factor authentication when Remote Desktop Authentication [RDP] is connected to the RD Gateway service.

RD Gateway — a Windows server component that allows you to connect to the desktop through a gateway that performs VPN functions, which is to create an encrypted connection over the TLS protocol. In addition, the gateway allows you to limit session timeout, control user access to drives, USB, clipboard, printer and network resources.

Applicable for versions:

• Windows Server 2012 R2
• Windows Server 2016
• Windows Server 2019

Possible authentication methods:

• Telegram
• The call [to accept the call and press #]
• Mobile application [soon]

To configure the second authentication factor, you need to install and configure MultiFactor Radius Adapter.

Operation Principle

1. The user connects to the remote desktop via the RD Gateway;

1. The RD Gateway uses Network Policy Server [NPS] access settings;

1. the NPS receives a request from the RD Gateway, forwards the MultiFactor Radius Adapter component;
2. The component makes a callback to the NPS to check the user login and password.

1. NPS receives a request from a component, checks the user login and password, and access policies

1. The component sends a login confirmation request to the user's phone;
2. The user confirms the request in the phone and connects to the VPN.

Installing services

You will need Windows Server with Remote Desktop Gateway and Network Policy and Access Service components installed. The server can run autonomously or in a domain.

The installation process is detailed in multiple sources, use for example this comprehensive article.

Installation of the server certificate

To encrypt the traffic between the client and the server, as well as to authenticate the server, a certificate issued by a public certification authority is required. You can buy such certificate or get it for free in Let's Encrypt. How to do this in 5 minutes — read our article.

Setting up Remote Desktop Gateway

In Server Manager, open Tools -> Remote Desktop Services -> Remote Desktop Gateway Manager.

Next, under Policies -> Connection Authorization Policies, click on the right side of Configure Central RD CAP.

1. On the RD CAP Store tab, click the Local Server Running NPS option.

2. On the "SSL Certificate" tab, make sure that a valid certificate is installed.

3. Save and close

NPS Setting

RADIUS Proxy

It is necessary to create a setting for proxying a request from RD Gateway to MultiFactor Radius Adapter.

Open the Server Manager -> Tools -> Network Policy Server.

1. From the RADIUS Clients and Servers menu, select Remote RADIUS Server Groups.
2. Create a new group

• Title: Radius Adapters
• Add a new Radius Server
  • Address: Address of the component MultiFactor Radius Adapter
  • Shared secret: from component settings
  • Load Balancing: 40-second timeouts

Radius Client

Describe the MultiFactor Radius Adapter as a RADIUS client so that NPS will accept requests from it.

1. In me RADIUS Clients and Servers select RADIUS Clients.
2. Create a new client:

• Friendly name: MultiFactor Radius Adapter
• Address: from component settings
• Shared Secret: from component settings

Connection request policies

We need two policies: one to accept requests from the RD Gateway and proxy to the MultiFactor Radius Adapter component, the other to accept requests from the component and authentication in the domain.

1. In the Connection Request Policies section, open the properties of "TS GATEWAY AUTHORIZATION POLICY" &mdash policy; this policy is created automatically and is responsible for processing connection requests from RD Gateway.

• On the Settings -> Authentication tab, select "Forward requests to the following remote RADIUS server group for authentication";
• Save and close.

1. Create a new policy for processing requests from a component:

• Policy name: From Multifactor Radius Adapter;
• Type of network access server: Remote Desktop Gateway;
• In the next step, add a condition:
  • Client Friendly Name — MultiFactor Radius Adapter;
• The rest of the default steps;
• Save and close.

1. Move the "From Multifactor Radius Adapter" policy to a level higher than "TS GATEWAY AUTHORIZATION POLICY".

Setting up Multifactor Radius Adapter

Specify the first factor of &mdash authentication; Radius and configure the NPS connection

Client Configuration

Open the connection to the remote desktop [mstsc.exe];

1. Specify the address of the computer you want to connect to;
2. click "Options" on the "Advanced" tab;
3. Enter the gateway address

1. Start the connection, enter the login and password with the domain
2. A request will be received from the Multifactor to confirm access.

If something's not working

Look at this:

In this post I am configuring a test case for Multi-Factor Authentication. We are going to convert a existing remote desktop gateway deployment with username / password authentication and a central NPS running on ADC to use the MFA.

As I like to use oneNote with pen on my Surface more then I do Visio I have quickly put a diagram of the situation I have now:

And below the situation what I have in mind for use of Multi Factor Authentication:

So here we go…

First I am going to configure the MFA to act as a proxy Radius in between the RDG and ADC [NPS in my situation].

I am going to add the RDG as an Client for the MFA proxy

As Radius proxy I am going to send my request to the Radius Server [Target]:

On the Remote Desktop Gateway I am removing the ADC Server as central policy server and add the MFA server [proxy radius]:

After changing the setting open the NPS Console on the RDG server. We need to change the timeout settings for the request to the radius server as we need time to authenticate to the Azure MFA, answer the call or click the app and then send the authentication back to the radius.

Under Remote Radius Server open the TS Gateway Server Group. Then choose edit.

At the Load Balancing tab set the Number of seconds without response before request is considered dropped to 60 seconds.

On the NPS server [my case the ADC] I need to add MFA server as radius client. So I open the NPS Console on the ADC and add new radius client :

Here I have created the MFA Radius client on the ADC:

Now on the Connection Request Policies I added the just created Client Friendly name [MFA] as condition so only the MFA Proxy can authenticate to the NPS for connecting and authenticating the RDG requests:

If I have deployed and configure a user for the Remote Desktop gateway and MFA [phone number or App] I should be able to login the Remote Desktop servers. In my case I did

I hope these series gave you a quick understanding of how On Premise Multi-Factor Authentication works and how you can use it in your environment.