Step By Step: Using Windows Server 2012 R2 RD Gateway with Azure Multifactor Authentication | RDS Gurus
April 25, 2014
Kristin L. Griffin and Freek Berson
Uncategorized

Step By Step: Using Windows Server 2012 R2 RD Gateway with Azure Multifactor Authentication

To read this article in pdf click: Azure MFA and RDG no HA.pdf
We have a client that uses RD Gateway to allow users to access their RDS deployment from outside their corporate network. They have about 1000+ users. Their users access the RDS environment from mostly unmanaged devices, including many different flavors of tablets. The client was worried about these unmanaged devices being stolen or lost and potentially providing an intruder with access to their RDS environment.

In researching solutions to this problem (and given the breadth of the types of unmanaged clients they wanted to support) we looked at using multifactor authentication together with RD Gateway to create an authentication sequence that would require two forms of identification in order to gain access to the RDS environment:

1. Something only the user knows: his username/password combo
2. A one-time password

If some of you are not very familiar with the growing need for two-factor authentication, read "The increasing need for two factor authentication" by Orin Thomas, contributing editor for Windows IT Pro and a Windows Security MVP.

We explored some different multifactor authentication offerings and homed in on Microsoft Azure Multifactor Authentication (Azure MFA) for three reasons. First, the price point is excellent compared to some other competing solutions. Second, Azure MFA can complete the second layer of authentication via cell phone or smart device (a device that most people already have) instead of requiring a hard token. Third, Azure MFA can also be set to require a unique PIN that only the user knows. No matter what device is used to access the RDS deployment, the user will need more than his user credentials (which are often cached) to get in.

A Remote Desktop login request to RD Gateway that includes Azure MFA looks like this:

1. User logs into RD Web Access and double-clicks a RemoteApp (or desktop connection).
2. The user login credentials for the website are used to validate the user (Web SSO), so no need to give them again.
3. The user then gets an SMS text message on their smart device that provides them a 6-digit numeric code (the one-time password).
4. The user replies to the text message by inputting this 6-digit code and adding their unique predefined PIN to the end of the sequence. Azure MFA includes the option to require the user know a predefined unique PIN as well, so that replies to a text message have to come from the user.
5. The user is authenticated, and the RemoteApp (or desktop connection) opens.

Note: SMS text authentication isn't the only way that Azure MFA can communicate with users. In a separate upcoming article we'll cover the various authentication options Azure MFA provides, which will include for example authentication by phone call and also using an app on a smartphone.
http://www.rdsgurus.com/uncategorized/stepbystepusingwindowsserver2012r2rdgatewaywithazuremultifactorauthentication/
1/23/2015
Because the RD Gateway/Azure MFA solution met the customer's requirements on paper, we decided to run a test pilot. First, we implemented Azure MFA with an RDS environment that only had one RD Gateway server (it was not highly available). Then we implemented with multiple RD Gateway servers in a high availability configuration. The setups both worked well, but the setup was different for these scenarios. In this article we will walk through setting up Azure MFA with one RD Gateway. In our next article we will explore highly available configurations.
How Azure MFA Works With RD Gateway

Let's look closer at how MFA works with RD Gateway to provide two-factor authentication. First, in order to understand the setup steps you will go through, you need to know how RD Gateway works to authenticate users.

RD Gateway and NPS

RD Gateway uses NPS (Network Policy Server), a Windows Server 2012 in-box feature, to maintain Network Policies (in the RD Gateway Manager interface these policies are called RD Connection Access Policies, or RD CAPs). In general, RD Gateway (and NPS) work together to authenticate a user like this:

1. The user login credentials get sent to RD Gateway.
2. NPS checks the credentials against its Network Policies to see if the user is allowed to access RD Gateway. (This is the RD CAP check in RD Gateway speak.)

If the credentials are allowed by NPS, then:

3. RD Gateway checks the user credentials against its Resource Authorization Policies (RD RAPs are housed in an XML file on the RD Gateway server) to see if the user is allowed to access the requested endpoint and allows or denies the connection.
Adding Azure MFA

When you add in Azure MFA, then a user gets authenticated like this:

1. The user login credentials get sent to RD Gateway.
2. NPS checks the credentials against its Network Policies to see if the user is allowed to access RD Gateway. (This is the RD CAP check in RD Gateway speak.)

If the credentials are allowed by NPS, then:

3. The login request is sent to MFA Server.
4. MFA Server communicates with the end user (by SMS text, phone call, mobile app or OATH token) asking them to reply by repeating the sent letter/number sequence back, and adding their unique PIN to the end if MFA is set up to require a personal PIN.
5. MFA receives the user's reply and checks the response. If the response is correct, then MFA sends an accept response to RD Gateway.

If RD Gateway gets an Accept response from MFA, then:

6. RD Gateway checks the user credentials against its RD RAPs to see if the user is allowed to access the requested endpoint and allows or denies the connection.
Injecting Azure MFA into the Authentication Sequence

When you have one RD Gateway server running with a locally running NPS service (the default configuration), you have to have some way to get the MFA server into the communication sequence. As shown in Figure 1, you do this by tricking RD Gateway: you configure RD Gateway to use a centralized NPS server, but you point it to the MFA server. The communication works like this:

1. RDG gets the initial user login request.
2. RD Gateway forwards the RADIUS request through NPS to MFA server.
3. MFA server forwards it right back to NPS on the RD Gateway server.
4. RD Gateway validates the user credentials and does the RD CAP check.
5. NPS then sends an ACCEPT or REJECT to MFA server.
6. On ACCEPT, MFA will perform the two-factor authentication sequence with the user (via phone call, text or mobile app). If the user returns the correct letter/number sequence, it sends an ACCEPT to RD Gateway.
7. Finally RD Gateway will check the RD RAP and either allow or deny the connection.

Figure 1: You trick RD Gateway into thinking it is using a centralized NPS.
Implementing an On-Premise Azure MFA Server with RD Gateway

Azure MFA can be used in cloud-driven scenarios, but it can also be used with on-premise applications, and that is what we are concentrating on here: we will show you how to set up an on-premise Azure MFA server to provide multifactor authentication to an on-premise RD Gateway implementation.

First, here are the things you will need to proceed:

- A working RDS environment, including RD Gateway (running NPS locally)
- A working RD Web Access website with published RemoteApps or desktops
- An Azure account configured with billing information. This article assumes you have already set this up. If you have not, then sign up for Azure here: https://account.windowsazure.com/SignUp
- A domain-joined server (physical or VM) designated to be the Azure MFA on-premise server
- A cell phone to respond to Azure MFA SMS text requests
- A client test device (a PC or tablet, for example), preferably with Internet Explorer

Now we will walk through these main setup steps:

1. Install prerequisites on the designated Azure MFA server
2. Create a Multifactor Authentication Provider in Azure
3. Download and install the on-premise MFA server software
4. Configure MFA Server, RD Gateway and NPS
5. Set up a Test User in Azure MFA Server and do some testing

Pre-Requisites

The on-premise Azure MFA Server (from here on out called MFA Server) install requires the .NET Framework 3.5 Features, and it will not auto-install it during the setup, so you need to install it first. From Server Manager, select the Add Roles and Features option, select .NET 3.5 Framework Features and click Install (shown in Figure 2).
Figure 2: Install the .NET Framework 3.5 Features

Create a Multifactor Authentication Provider in Azure

Next, create a Multifactor Authentication Provider in Azure. Follow these steps:

1. From the MFA server, log in to the Microsoft Azure Management Portal: https://manage.windowsazure.com/.
2. In the left-hand column, scroll to the bottom and click the + New button (shown in Figure 3).

Figure 3: Create a new Multifactor Authentication provider in Azure

3. Figure 4 shows five columns from which you will select properties of the new MFA provider. Select App Services in the first column, select Active Directory in the second column, and select Multifactor Auth Provider in the third column. Then click the Quick Create button. Fill out the form that appears.

For the Usage Model you have two options:

- Per Enabled User means you pay a fixed fee for every user account that is configured to use MFA. Each user gets an unlimited amount of authorizations.
- Per Authentication means you pay a fixed fee per 10 authentications. The amount of users is unlimited.

Both models have possible use cases. You need to figure out which model to go with in advance, as you cannot change the Usage Model once you create the MFA provider.

The Directory options allow you to connect this MFA provider to an Azure Active Directory. Because this implementation will use an on-premise MFA Server that will be joined to the on-premise domain, leave the option set to Do not link a directory.
Figure 4: Choose the MFA provider properties from the designated five columns.

4. From the Azure main page you should see your MFA provider created.
5. Select it and then click the manage icon at the bottom of the page as shown in Figure 5.

Figure 5: Select the MFA provider and then click Manage to access the MFA Management portal

Download and Install the On-Premise Azure MFA Server Software

The Windows Azure Multifactor Authentication management portal will open in a new browser tab, shown in Figure 6.
Figure 6: The Windows Azure Multifactor Authentication management portal

Follow these steps to download and install the Azure MFA software.

1. On this tab click the DOWNLOADS button. You will get the screen shown in Figure 7.

Figure 7: Download the software, then generate activation credentials.

2. Click the small Download link right above the Generate New Activation Credentials button. Save the download file, then run it.
3. Meanwhile go back to the web page and click the Generate New Activation Credentials button. The activation credentials are only good for 10 minutes. Enter the activation credentials on the Activate screen of the install shown in Figure 8. If your credentials expire before you enter them, click the Generate New Activation Credentials button again to get a new set.
Figure 8: Specify the activation credentials during the MFA setup

TIP: During the activation process the PhoneFactor online service is contacted (Microsoft bought PhoneFactor and made Azure Multifactor Authentication, so you may still see PhoneFactor in documents or some GUI screens). For this to work you need to be able to make a connection to the outside on port 443. In scenarios where your server running MFA is using a Proxy Server, run the following command to make the MFA service leverage your proxy server too:

netsh winhttp set proxy proxy-server="FQDN_of_Proxy_Server:8080"

Otherwise you could run into the following error shown in Figure 9:

Figure 9: Error indicating the MFA Service could not be reached
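The two preparation items above, the .NET Framework 3.5 prerequisite and the outbound port 443/proxy tip, can be checked from one script before you generate the activation credentials (which expire after 10 minutes). The following PowerShell is an added example, not code from the article or from Microsoft. It assumes an elevated session on the designated MFA Server running Windows Server 2012 R2; `<FQDN_of_Proxy_Server>` and `<mfa-cloud-endpoint>` are placeholders you must replace, because the article only states that the MFA cloud service is reached outbound on TCP 443 and does not name the host.

```powershell
# Added example (not from the RDS Gurus article or Microsoft): prepare and check the MFA Server host.
# Run elevated on the MFA Server (Windows Server 2012 R2) before running the installer/activation.
$ProxyServer   = ''                       # e.g. '<FQDN_of_Proxy_Server>:8080'; leave empty when no proxy is used
$CloudEndpoint = '<mfa-cloud-endpoint>'   # placeholder: host name of the MFA cloud service from your MFA Server docs

# 1. The MFA Server installer requires .NET Framework 3.5 and does not install it for you.
#    NET-Framework-Core is the Server Manager feature ".NET Framework 3.5 (includes .NET 2.0 and 3.0)".
$net35 = Get-WindowsFeature -Name NET-Framework-Core
if (-not $net35.Installed) {
    # If the 3.5 payload is missing on this server, add -Source <drive>:\sources\sxs from the install media.
    Install-WindowsFeature -Name NET-Framework-Core
}

# 2. Show the machine-wide WinHTTP proxy. The MFA service uses WinHTTP, so the per-user proxy set in
#    Internet Options does not apply to it; that is why the article's tip uses "netsh winhttp".
netsh winhttp show proxy

# 3. Only when the server reaches the internet through a proxy: point WinHTTP at it.
if ($ProxyServer) {
    netsh winhttp set proxy proxy-server="$ProxyServer"
}

# 4. Confirm the cloud service is reachable on TCP 443 before entering the activation credentials;
#    a blocked port is what produces the Figure 9 error.
function Test-MfaCloudReachable {
    param([string]$HostName, [string]$Proxy)
    if ($Proxy) {
        # A raw TCP test cannot traverse an HTTP proxy, so ask the proxy to open the HTTPS connection.
        try {
            Invoke-WebRequest -Uri "https://$HostName/" -Proxy "http://$Proxy" -UseBasicParsing -TimeoutSec 15 | Out-Null
            return $true
        } catch [System.Net.WebException] {
            # Any HTTP response (even 403/404) proves the TCP/TLS path works; no response means it does not.
            return ($_.Exception.Response -ne $null)
        }
    }
    return (Test-NetConnection -ComputerName $HostName -Port 443).TcpTestSucceeded
}

if (Test-MfaCloudReachable -HostName $CloudEndpoint -Proxy $ProxyServer) {
    Write-Host "TCP 443 to $CloudEndpoint is reachable; proceed with activation."
} else {
    Write-Warning "Cannot reach $CloudEndpoint on TCP 443. Fix the firewall rule or the WinHTTP proxy first."
}
```

Run it once before clicking Generate New Activation Credentials; if the reachability check fails, fixing the network first avoids burning through several 10-minute credential sets while troubleshooting.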
Configure RD Gateway Server, NPS and MFA Server

Now you need to configure RD Gateway, NPS, and MFA Server to communicate with each other.

Configure RD Gateway

First, you fake out RD Gateway and configure it to use a Central RD CAP store, but you point it to the new MFA server. Follow these steps:

1. Open RD Gateway Manager, right-click the server name, and select Properties.
2. Select the RD CAP Store tab (shown in Figure 11).
3. Select the Central server running NPS option.
4. Enter the name or IP address of the MFA server and click Add.
5. Enter a shared secret in the corresponding popup box and click OK.

Figure 11: Configuring RD Gateway to use central NPS

Make NPS and MFA Talk To Each Other

Now you need to configure NPS (located on the RD Gateway server) and MFA server to talk to each other. NPS and MFA server both use a RADIUS client and RADIUS server to communicate with each other. So you configure a RADIUS client and a RADIUS server (depicted in Figure 10) on each server like this:

On the RD Gateway server, in NPS you configure two Connection Request Policies:

- The first will send communication to MFA Server via a Remote RADIUS Server Group
- The second will receive communication from MFA server via a RADIUS client

On the MFA server you configure:

- A RADIUS client to receive communication from the NPS server
- A RADIUS Target to send communication to the NPS server
Figure 10: NPS and MFA server use RADIUS servers and clients to communicate with each other.

Configure NPS

First, you need to prevent NPS from timing out before MFA's authentication has completed. Follow these steps (shown in Figure 12):

1. In NPS, expand the RADIUS Clients and Servers menu and select Remote RADIUS Server Groups.
2. When you set up RD Gateway it creates an entry here named TS GATEWAY SERVER GROUP. Right-click this group and select Properties.
3. Select the MFA server listed and select Edit.
4. Select the Load Balancing tab.
5. Change the Number of seconds without response before request is considered dropped and the Number of seconds between requests when server is identified as unavailable to 30-60 seconds.
Figure 12: Adjust the RADIUS server settings in NPS.

Next you need to configure NPS to receive RADIUS authentications from MFA server. So you create a RADIUS client. Follow these steps:

1. In the left column, right-click RADIUS Clients and choose New.
2. Add a Friendly Name and the address of the MFA server as shown in Figure 13.
3. Add a shared secret and click OK.
Figure 13: Create a RADIUS client in NPS.

Next, configure two Connection Request Policies in NPS: one to forward requests to the Remote RADIUS Server Group (which is set to forward to MFA server), and the other to receive requests coming from MFA server (to be handled locally).

The easiest way to do this is to use the existing policy that was created when you created an RD CAP in RD Gateway. Follow these steps:

1. In NPS expand the Policies section in the left side of the screen and then select Connection Request Policies. You should see a policy already created there, called TS GATEWAY AUTHORIZATION POLICY.
2. Right-click this policy and select Duplicate Policy.

Note: In order to easily tell what each policy is doing, I rename my policies like this:

- I rename TS GATEWAY AUTHORIZATION POLICY to ToMFA
- I rename Copy of TS GATEWAY AUTHORIZATION POLICY to FromMFA

3. Double-click the new duplicate policy and select the Conditions tab.
4. Add a Client Friendly Name as shown in Figure 14. Use the same Friendly name you set for the RADIUS client you created earlier.
Figure 14: Add a Client Friendly Name to the existing TS GATEWAY AUTHORIZATION POLICY.

5. Now select the Settings tab and change the Authentication Provider to Authenticate requests on this server as shown in Figure 15.

Figure 15: Change the policy to authenticate requests locally.

6. Select Accounting and make sure the Forward accounting requests checkbox is not checked. Then click OK. When you are done, your policy settings should show up on the main interface as shown in Figure 16.
Figure 16: Overview of the NPS policy settings of the FromMFA policy

7. Make sure that this policy (the copy of the original) is ordered first, ahead of the original policy.
8. You should not have to make any changes to the original policy, but double-check to make sure that it contains the settings shown in Figure 17.

Figure 17: Make sure the original policy has the settings outlined here.

Configure MFA Server

Now you need to configure the MFA Server software with a RADIUS target and client. Follow these steps:

1. On the MFA server open the Multifactor Authentication Server and click the RADIUS Authentication icon.
2. Check the Enable RADIUS authentication checkbox.
3. On the Clients tab, click the Add button.
4. Add the RD Gateway/NPS server IP address and a shared secret. The shared secret needs to match the one added to the Central CAP Store configuration in RD Gateway Manager.
5. Click the Target tab and choose the RADIUS server(s) radio button.
6. Click Add and enter the IP address, shared secret and ports of the NPS server. The shared secret must match the one configured for the RADIUS client of the NPS server.
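The NPS side of the last two sections (the Remote RADIUS Server Group timeouts from Figure 12 and the RADIUS client from Figure 13) can be scripted on the RD Gateway server, which also makes it easy to generate the two shared secrets that have to match on both ends: one between RD Gateway's Central CAP store and the MFA Server's RADIUS client, the other between the NPS RADIUS client and the MFA Server's RADIUS target. The script below is an added example, not code from the article or from Microsoft. It assumes the NPS role is installed (the `NPS` PowerShell module and the `netsh nps` context ship with it on Windows Server 2012 R2), that `$MfaServer` is your MFA Server's address, and that `TS GATEWAY SERVER GROUP` is the group RD Gateway created; the `timeout` and `blackout` parameter names for `netsh nps set remoteserver` are my assumption for the two Load Balancing fields and should be confirmed with `netsh nps set remoteserver help`. The MFA Server side is still entered in its GUI as described above.

```powershell
# Added example (not from the RDS Gurus article or Microsoft): script the NPS side on the RD Gateway
# server and generate the two RADIUS shared secrets the article says must match on both ends.
Import-Module NPS

$MfaServer    = '192.0.2.10'   # placeholder: IP address or name of the on-premise MFA Server
$FriendlyName = 'MFA'          # reused as the Client Friendly Name condition of the FromMFA policy

# Random shared secret from CSPRNG bytes. The GUI accepts any string, but a long random secret is the
# only thing protecting the RADIUS exchange between these two hosts, so do not use a word or a reused password.
function New-SharedSecret {
    param([int]$Length = 32)
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789'.ToCharArray()
    $bytes = New-Object byte[] $Length
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $rng.GetBytes($bytes)
    $rng.Dispose()
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

# The article's two secret pairs:
#   Secret A: RD Gateway Manager > RD CAP Store (Central server running NPS)  <->  MFA Server > RADIUS Authentication > Clients
#   Secret B: NPS > RADIUS Clients (created below)                             <->  MFA Server > RADIUS Authentication > Target
$SecretA = New-SharedSecret
$SecretB = New-SharedSecret

# 1. RADIUS client in NPS that accepts the requests the MFA Server sends back (Figure 13).
$existing = Get-NpsRadiusClient | Where-Object { $_.Name -eq $FriendlyName }
if (-not $existing) {
    New-NpsRadiusClient -Name $FriendlyName -Address $MfaServer -SharedSecret $SecretB
} else {
    Write-Warning "RADIUS client '$FriendlyName' already exists; secret B was NOT applied to it."
}

# 2. Raise the timeouts on the MFA Server entry of the remote server group so NPS does not declare the
#    request dropped while the user is still answering the SMS (GUI default 5 s; the article uses 30-60 s).
#    Assumption: 'timeout' / 'blackout' are the netsh nps names of the two Load Balancing fields in Figure 12.
$netshArgs = "nps set remoteserver remoteservergroup=`"TS GATEWAY SERVER GROUP`" address=$MfaServer timeout=60 blackout=60"
Start-Process -FilePath netsh.exe -ArgumentList $netshArgs -NoNewWindow -Wait
netsh nps show remoteserver

# 3. Hand the secrets to whoever fills in the MFA Server GUI, then drop them from this session.
Write-Host "Secret A (RD Gateway Central CAP store + MFA Server RADIUS client): $SecretA"
Write-Host "Secret B (NPS RADIUS client '$FriendlyName' + MFA Server RADIUS target): $SecretB"
Remove-Variable SecretA, SecretB
```

Keeping the two secrets distinct matters for troubleshooting: when the CAP check fails later, a mismatch of secret A shows up as RD Gateway never getting a usable answer from the "central NPS", while a mismatch of secret B shows up as NPS silently discarding the packets the MFA Server sends back, so knowing which pair is which tells you which side to re-enter.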
Testing

To be able to test the scenario you need to add a Test User to MFA and configure it with an authentication method. Here's how to do it:

1. On the MFA server open the Multi-Factor Authentication Server and select the Users icon.
2. Click the Import Users from Active Directory button.
3. Drill down in the container hierarchy to the user account you want to test with, select the user account and click Import.
4. Double-click the newly created user account (as shown in Figure 18).

Figure 18: Configure the test user's settings.

5. On the General tab:
   a. Enter the country code and the phone number of the cell phone you will use to test with.
   b. Select the Text Message option. Then select OTP + PIN from the corresponding dropdown menu to the right.
   c. Enter a PIN or click the Generate button to generate a new PIN code.
6. Select the Enabled checkbox, and click Apply to save the configuration.

To test the scenario perform the following steps:

1. From your test client device open Internet Explorer, browse to the RD Web Access website, and log in with a test account.
2. Open a RemoteApp or Remote Desktop. On the client the dialog shown in Figure 19 will remain open until the two-factor authentication has been completed:

Figure 19: Launch the RDP session

3. You will receive a text message from MFA server as shown in Figure 20.

Figure 20: You should receive a text message from MFA server.

4. Reply to the text by typing the One Time Password from the initial text message and add the unique user PIN to the end of your response.
5. If you type in the correct information the multifactor authentication will complete successfully and the session will open.
Troubleshooting

When we were working with this installation, we did not set things up right the first time (or the second). So we had to troubleshoot our pilot. Unfortunately we did not find very much to help us. The event logs were our friend, however.

When you make a successful connection (complete with UDP channels through RD Gateway), you will get 16 event log entries in the RD Gateway operational event log. It is located at:

Event Viewer / Applications and Services Logs / Microsoft / Windows / TerminalServices-Gateway / Operational

These 16 entries correspond to the successful connection like this:

1. User met CAP policy requirements and can connect to RD Gateway
2. User met RAP policy requirements and can connect to RD Connection Broker
3. The user connected to RD Connection Broker using HTTP
4. The user connected to RD Connection Broker using UDP
5. The user connected to RD Connection Broker using UDP Proxy
6. The user connected to RD Connection Broker using UDP (second channel)
7. The user connected to RD Connection Broker using UDP Proxy (second channel)
8. The user disconnected from RD Connection Broker using HTTP
9. The user disconnected from RD Connection Broker using UDP
10. The user disconnected from RD Connection Broker using UDP
11. User met RAP policy requirements and can connect to RD Session Host
12. The user connected to RD Session Host using HTTP
13. The user connected to RD Session Host using UDP
14. The user connected to RD Session Host using UDP Proxy
15. The user connected to RD Session Host using UDP (second channel)
16. The user connected to RD Session Host using UDP Proxy (second channel)

What we found was that if you have a problem with misconfigured policies in NPS, you most likely will get an event log error at step one. The event log will say that you did not meet CAP requirements even if you do.

If you run into this, check your policies. If you are sure they are correct, then make sure your CAP works if you use a local NPS (switch the RD Gateway CAP store setting back to Local). If it works when you choose the Local option then we recommend you redo your policies. Remove the policies you have edited or created in NPS. Then redo the Central CAP setting in RD Gateway Manager (put it back to Local, then change it again to Central). Doing this will recreate the required starting pieces in NPS, and you can recreate and edit policies from there.
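Reading the 16-entry sequence by hand in Event Viewer gets old after the second failed test, so here is an added PowerShell example (not from the article) that pulls the same operational log on the RD Gateway server, labels each entry with the stage of the sequence above, and flags the symptom the article describes for broken NPS policies: a CAP denial at step one. The log name is the PowerShell form of the Event Viewer path given above; the message phrases matched are my assumption based on the CAP/RAP/connect wording in the list, so adjust the patterns if your server logs in another language.

```powershell
# Added example (not from the RDS Gurus article): triage the RD Gateway operational log after a test logon.
# Run on the RD Gateway server.
$LogName = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
$Since   = (Get-Date).AddMinutes(-30)    # assumption: the test logon happened within the last 30 minutes

# Map an event message to the stage of the article's success sequence. Order matters: the denial phrases
# contain the success phrases, so they are tested first and 'break' stops the switch at the first hit.
function Get-GatewayStage {
    param([string]$Message)
    switch -Regex ($Message) {
        'did not meet connection authorization policy' { 'CAP-DENIED'; break }
        'met connection authorization policy'          { 'CAP-OK';     break }
        'did not meet resource authorization policy'   { 'RAP-DENIED'; break }
        'met resource authorization policy'            { 'RAP-OK';     break }
        'disconnected from'                            { 'DISCONNECT'; break }
        'connected to'                                 { 'CONNECT';    break }
        default                                        { 'OTHER' }
    }
}

$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $Since } -ErrorAction SilentlyContinue |
          Sort-Object TimeCreated
if (-not $events) {
    Write-Warning "No RD Gateway events since $Since. The client never reached the gateway; check RD Web Access and DNS first."
    return
}

# Timeline of the attempt: one row per event, first line of the message only.
$events | ForEach-Object {
    [pscustomobject]@{
        Time  = $_.TimeCreated
        Id    = $_.Id
        Stage = Get-GatewayStage $_.Message
        Text  = ($_.Message -split "`r?`n")[0]
    }
} | Format-Table -AutoSize -Wrap

# Stage counts: a clean run gives one CAP-OK, two RAP-OK (broker, then session host) and a mix of
# CONNECT/DISCONNECT entries that together add up to the 16 entries the article lists.
$events | Group-Object { Get-GatewayStage $_.Message } | Select-Object Name, Count | Format-Table -AutoSize

# The failure the article describes for misconfigured NPS policies is a CAP denial in step one.
$capDenied = @($events | Where-Object { (Get-GatewayStage $_.Message) -eq 'CAP-DENIED' })
if ($capDenied.Count -gt 0) {
    Write-Warning (("{0} CAP denial(s) for a user who should pass. Before editing NPS further, switch the RD CAP Store " +
                    "back to Local and retest: a pass with local NPS points at the ToMFA/FromMFA policies, their order, " +
                    "or a RADIUS shared secret mismatch.") -f $capDenied.Count)
}
```

Run it right after a failed test logon: the timeline tells you how far the request got (no events, CAP denied, RAP denied, or connected and then dropped), which decides whether the next stop is NPS, the RD RAP, or the MFA Server.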
Q&A

Q: Are there other ways to configure the communication in NPS that will work?

A: Yes, there are multiple ways to set up the communication in NPS that will work. For example, we got this working also by:

- Leaving RD Gateway with a local NPS instead of faking it out.
- Adding two RADIUS clients in NPS, one for the RD Gateway server and one for the MFA server.
- Configuring two Connection Request Policies to handle communication from NPS to MFA server (one by friendly name and the other by IP address).
- Configuring two Connection Request Policies to handle communication from MFA server to NPS (one by friendly name and the other by IP address).

But this configuration turned out to be pretty touchy. We were able to repeatedly break this installation and the only repair that would work was to undo the policies in NPS and start over.

We are going to walk through other possible configuration scenarios in our next article when we talk about RD Gateway and Azure MFA high availability scenarios.

Q: Why do I need to change the timeouts for the Remote RADIUS Server Group in NPS from 5 seconds to 30-60 seconds?

A: Because it takes time to perform primary authentication with RD Gateway and then to perform two-factor authentication before returning a response to RDG, the RADIUS timeouts in NPS need to be increased to 60 seconds.
Q: How does Azure know to bill me when I deploy Azure MFA on-premise?

A: You get billed through the Multi-Factor Auth Provider created in Azure. The MFA Server reports the number of enabled users to the MFA cloud service, which reports billing to the Azure commerce systems.

Q: What piece of Azure MFA takes care of sending the text messages to cell phones?

A: All second-factor authentications are performed through the MFA cloud service. That service performs the phone calls, text messages and push notifications (mobile app). When using the on-premise MFA Server, the server requests the authentication from the cloud service.

Q: When I get a TXT message from Azure MFA with my OTP, it comes from what seems to be random phone numbers. How are users supposed to know that this is legit? Is there a way to identify this other than the friendly name in the MFA setup?

A: Azure uses multiple SMS providers today, each with a pool of numbers that the SMS messages are sent from. Microsoft is bringing an SMS short code into production very shortly, and then most of the SMS traffic in the US will be sent from that short code, so there will be some consistency in place soon. You can also customize the SMS message that is sent by going into Company Settings > SMS Text.

Q: How does an on-premise Azure MFA server communicate with Azure MFA cloud services?

A: The MFA Server communicates to the MFA cloud service over port 443 outbound. Figure 21 shows a high-level architecture that shows the MFA Server on-premises, Azure AD and the MFA cloud service.

Figure 21: MFA High Level architecture
Other Helpful Articles

- Getting started with Windows Azure Multi-Factor Authentication
- RADIUS Authentication
- Remote Desktop Gateway and Azure Multi-Factor Authentication Server using RADIUS

Summary

This setup is a simple one: a single RD Gateway and single on-premise Azure MFA server, great for testing a concept, but what about a more real-world solution? In upcoming articles we will show you how to configure a highly available solution including multiple RD Gateways and multiple MFA Servers. We will also explore various Azure MFA authentication methods such as phone call and mobile app options. Check RDSGurus.com for updates!

Kristin Griffin & Freek Berson