Azure MFA for RDP





Azure MFA is a fantastic product: it's easy to set up and maintain, and not very costly to purchase (for pricing, see Microsoft's Azure MFA pricing page). The great thing about Azure MFA is that it becomes very easy to secure not only your local directory, but also your remote desktop connections or your 2008/2012 RDS farms. There is just one downside: out of the box, Remote Desktop (Terminal Services) security does not work on Server 2012 R2. I'm not sure why Microsoft decided not to support 2012 R2 RDP access. I actually have a ticket outstanding with the Azure MFA team.

Of course there is a solution: instead of securing direct RDP access, you can secure the Remote Desktop Gateway and have your users connect through it. This might sound like a large change, but I always advise my clients to use RD Gateway anyway, mostly because it runs on port 443 and is therefore reachable from almost all locations; the SSL protection is a nice added bonus.

To add MFA to RD Gateway, we first need the following prerequisites in place:

  1. Deploy a standard RD Gateway with NPS. This can be done on a separate server, or on the RDS server if you have a small farm.
  2. Deploy Microsoft Azure MFA Server on a different server. Please note: MFA Server and NPS cannot run on the same server, because the NPS and MFA RADIUS components listen on the same ports. For a good tutorial on how to install Azure MFA Server, see the following link: link
  3. Open port 443 to your RD Gateway server.
  4. Choose a shared secret and note it down. We'll use the example “ThisIsNotASecret”.

After performing the first 3 steps, it's time to set up RD Gateway, NPS and the Azure MFA Server.

RD Gateway setup:

  • Open the RD Gateway console, right-click the server name, and choose the “RD CAP Store” tab.
  • Turn off the “Request clients to send a statement of health” check box if you have clients that are not NAP capable.
  • Select “Central server running NPS” and remove the current server if there is one. Now enter the hostname of the MFA server and our selected shared secret “ThisIsNotASecret”.
  • Close the console; we're done on this side. 🙂

NPS Setup:

  • Open the NPS console, go to RADIUS Clients, right-click and select New.
  • Enter a friendly name, e.g. AzureMFA, and note it.
  • Enter the IP of the MFA server and our selected shared secret “ThisIsNotASecret”.
  • Click OK and move to “Remote RADIUS Servers” in the left-hand menu.
  • Double-click the default TS Gateway Server Group, click Edit, select the Azure MFA server from the list and click Load Balancing.
    • Change the priority to 1 and the weight to 50.
    • Change the number of seconds before a connection is dropped to 45 seconds (could be less, but I select 45 seconds to keep uniformity among servers).
    • Change the number of seconds before the server is considered unavailable to 45 seconds (could be less, but I select 45 seconds to keep uniformity among servers).
    • Click OK and close this window. Move to Connection Request Policies.
  • You should see the default connection policy here. Disable or delete it, as we will create our own policies.
  • Right-click the policies and select “New”. Name this policy “Receive MFA Requests”. The settings for this policy are:
    • NAS Port Type: Virtual (VPN)
    • Client Friendly Name: AzureMFA
    • Authentication Provider: Local Computer
    • Override Authentication: Disabled
  • Create another policy and name it “Send MFA Requests”. The settings for this policy are:
    • NAS Port Type: Virtual (VPN)
    • Accounting Provider Name: TS GATEWAY SERVER GROUP
    • Authentication Provider Name: TS GATEWAY SERVER GROUP
    • Authentication Provider: Forwarding Request
  • And that concludes the NPS setup. Almost there! 🙂

Azure MFA Setup:

The last steps are fairly straightforward:

  • Open the MFA administrator console and select the RADIUS option in the left-hand menu.
  • Enable RADIUS and, on the Clients tab, add the IP of the NPS server.
  • Enter the shared secret “ThisIsNotASecret”.
  • Now select the “Targets” tab and enter the IP of the RDS server.
  • Go to the left-hand menu and select Users. Enable a user for testing with SMS messages or the app.
  • Open the Windows Firewall for inbound RADIUS traffic.
  • Test! 🙂 If you followed the manual to the letter, you have now secured your RD Gateway with MFA.

Happy MFA’ing! 🙂


Often, Remote Desktop (RD) Gateway uses the local Network Policy Services (NPS) to authenticate users. This article describes how to route RADIUS requests out from the Remote Desktop Gateway (through the local NPS) to the Multi-Factor Authentication Server. The combination of Azure MFA and RD Gateway means that your users can access their work environments from anywhere while performing strong authentication.

Since Windows Authentication for terminal services is not supported for Server 2012 R2, use RD Gateway and RADIUS to integrate with MFA Server.

Install the Azure Multi-Factor Authentication Server on a separate server, which proxies the RADIUS request back to the NPS on the Remote Desktop Gateway Server. After NPS validates the username and password, it returns a response to the Multi-Factor Authentication Server. Then, the MFA Server performs the second factor of authentication and returns a result to the gateway.

Important

As of July 1, 2019, Microsoft no longer offers MFA Server for new deployments. New customers that want to require multi-factor authentication (MFA) during sign-in events should use cloud-based Azure AD Multi-Factor Authentication.

To get started with cloud-based MFA, see Tutorial: Secure user sign-in events with Azure AD Multi-Factor Authentication.

If you use cloud-based MFA, see how to integrate with RADIUS authentication for Azure Multi-Factor Authentication.

Existing customers that activated MFA Server before July 1, 2019 can download the latest version, future updates, and generate activation credentials as usual.

Prerequisites

  • A domain-joined Azure MFA Server. If you don't have one installed already, follow the steps in Getting started with the Azure Multi-Factor Authentication Server.
  • An existing configured NPS Server.
  • A Remote Desktop Gateway that authenticates with Network Policy Services.

Note

This article should be used with MFA Server deployments only, not Azure MFA (Cloud-based).

Configure the Remote Desktop Gateway

Configure the RD Gateway to send RADIUS authentication to an Azure Multi-Factor Authentication Server.


  1. In RD Gateway Manager, right-click the server name and select Properties.
  2. Go to the RD CAP Store tab and select Central server running NPS.
  3. Add one or more Azure Multi-Factor Authentication Servers as RADIUS servers by entering the name or IP address of each server.
  4. Create a shared secret for each server.

Configure NPS

The RD Gateway uses NPS to send the RADIUS request to Azure Multi-Factor Authentication. To configure NPS, first change the timeout settings so that the RD Gateway does not time out before the two-step verification has completed. Then update NPS to receive RADIUS authentications from your MFA Server. Use the following procedure to configure NPS:

Modify the timeout policy

  1. In NPS, open the RADIUS Clients and Server menu in the left column and select Remote RADIUS Server Groups.
  2. Select the TS GATEWAY SERVER GROUP.
  3. Go to the Load Balancing tab.
  4. Change both the Number of seconds without response before request is considered dropped and the Number of seconds between requests when server is identified as unavailable to between 30 and 60 seconds. (If you find that the server still times out during authentication, you can come back here and increase the number of seconds.)
  5. Go to the Authentication/Accounting tab and check that the RADIUS ports specified match the ports that the Multi-Factor Authentication Server is listening on.

Prepare NPS to receive authentications from the MFA Server

  1. Right-click RADIUS Clients under RADIUS Clients and Servers in the left column and select New.
  2. Add the Azure Multi-Factor Authentication Server as a RADIUS client. Choose a Friendly name and specify a shared secret.
  3. Open the Policies menu in the left column and select Connection Request Policies. You should see a policy called TS GATEWAY AUTHORIZATION POLICY that was created when RD Gateway was configured. This policy forwards RADIUS requests to the Multi-Factor Authentication Server.
  4. Right-click TS GATEWAY AUTHORIZATION POLICY and select Duplicate Policy.
  5. Open the new policy and go to the Conditions tab.
  6. Add a condition that matches the Client Friendly Name with the Friendly name set in step 2 for the Azure Multi-Factor Authentication Server RADIUS client.
  7. Go to the Settings tab and select Authentication.
  8. Change the Authentication Provider to Authenticate requests on this server. This policy ensures that when NPS receives a RADIUS request from the Azure MFA Server, the authentication occurs locally instead of sending a RADIUS request back to the Azure Multi-Factor Authentication Server, which would result in a loop condition.
  9. To prevent a loop condition, make sure that the new policy is ordered ABOVE the original policy in the Connection Request Policies pane.

Configure Azure Multi-Factor Authentication

The Azure Multi-Factor Authentication Server is configured as a RADIUS proxy between RD Gateway and NPS. It should be installed on a domain-joined server that is separate from the RD Gateway server. Use the following procedure to configure the Azure Multi-Factor Authentication Server.

  1. Open the Azure Multi-Factor Authentication Server and select the RADIUS Authentication icon.
  2. Check the Enable RADIUS authentication checkbox.
  3. On the Clients tab, ensure the ports match what is configured in NPS then select Add.
  4. Add the RD Gateway server IP address, application name (optional), and a shared secret. The shared secret needs to be the same on both the Azure Multi-Factor Authentication Server and RD Gateway.
  5. Go to the Target tab and select the RADIUS server(s) radio button.
  6. Select Add and enter the IP address, shared secret, and ports of the NPS server. Unless you are using a central NPS, the RADIUS client and RADIUS target are the same server. The shared secret must match the one set up in the RADIUS client section of the NPS server.
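Every hop in this design (RD Gateway to MFA Server, MFA Server to NPS) is a plain RADIUS exchange protected only by the shared secret configured on both ends. The following Python is an added example, not code from the blog post or from Microsoft's documentation: it builds the Access-Request a RADIUS client sends (User-Name, the MD5-hidden User-Password, and NAS-Port-Type Virtual, the value the connection request policies above match on) and shows that the server's Access-Accept only verifies when the client holds the same secret. The user name and password are constructed sample values; the secret is the blog's placeholder.

```python
import hashlib
import os
import struct

# RADIUS packet codes and attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_PORT_TYPE = 1, 2, 61
NAS_PORT_TYPE_VIRTUAL = 5  # "Virtual (VPN)", the value the connection request policies match on

def _attr(atype, value):
    # one Type-Length-Value attribute; Length counts the two header bytes
    return struct.pack("!BB", atype, len(value) + 2) + value

def _xor_chain(data, secret, authenticator, decode):
    # RFC 2865 5.2: block i is XORed with MD5(secret + previous ciphertext block),
    # the first block with MD5(secret + Request Authenticator)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = data[i:i + 16] if decode else block
    return out

def hide_password(password, secret, authenticator):
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_chain(padded, secret, authenticator, decode=False)

def reveal_password(hidden, secret, authenticator):
    return _xor_chain(hidden, secret, authenticator, decode=True).rstrip(b"\x00")

def build_access_request(ident, user, password, secret, authenticator=None):
    """Client side (RD Gateway/NPS, or the MFA Server proxying onward): the Access-Request."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + _attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(code, request, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_response(response, request, secret):
    """Client side: the reply verifies only if both ends hold the same shared secret."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and response[4:20] == expected
```

A mismatched secret on either side shows up exactly as in production: the password decodes to garbage on the server and the reply fails verification on the client, which NPS and the MFA Server log as a RADIUS authenticator or shared-secret error rather than a user-credential failure.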

Next steps


  • Integrate Azure MFA and IIS web apps

  • Get answers in the Azure Multi-Factor Authentication FAQ
