Step by Step - Using Windows Server 2012 R2 RD Gateway With Azure Multifactor Authentication - RDS Gurus

1/23/2015
StepByStepUsingWindowsServer2012R2RDGatewaywithAzureMultifactorAuthentication|RDSGurus
Blog
Reviews
Presentations
Scripts
HotfixesandWorkarounds
SiteNavigation
Type&hitentertosearch...
devolutions
April25,2014
KristinL.GriffinandFreekBerson
Uncategorized
StepByStepUsingWindowsServer2012R2RDGateway
withAzureMultifactorAuthentication
Toreadthisarticleinpdfclick:AzureMFAandRDGnoHA.pdf
WehaveaclientthatusesRDGatewaytoallowuserstoaccesstheirRDSdeploymentfromoutsidetheircorporatenetwork.They
haveabout1000+users.TheirusersaccesstheRDSenvironmentfrommostlyunmanageddevicesincludingmanydifferentflavorsof
tablets.Theclientwasworriedabouttheseunmanageddevicesbeingstolenorlostandpotentiallyprovidinganintruderwithaccessto
theirRDSenvironment.
Inresearchingsolutionstothisproblem(andgiventhebreadthofthetypesofunmanagedclientstheywantedtosupport)welookedat
usingmultifactorauthenticationtogetherwithRDGatewaytocreateanauthenticationsequencethatwouldrequiretwoformsof
identificationinordertogainaccesstotheRDSenvironment:
1.Somethingonlytheuserknowshisusername/passwordcombo
2.Aonetimepassword
Ifsomeofyouarenotveryfamiliarwiththegrowingneedfortwofactorauthentication,readTheincreasingneedfortwofactor
authentication,byOrinThomas,contributingeditorforWindowsITProandaWindowsSecurityMVP.
WeexploredsomedifferentmultifactorauthenticationofferingsandhomedinonMicrosoftAzureMultifactorAuthentication(Azure
MFA)forthreereasons.First,thepricepointisexcellentcomparedtosomeothercompetingsolutions.Second,AzureMFAcan
completethesecondlayerofauthenticationviacellphoneorsmartdevice(adevicethatmostpeoplealreadyhave)insteadof
requiringahardtoken.Third,AzureMFAcanalsobesettorequireauniquePINthatonlytheuserknows.Nomatterwhatdeviceis
usedtoaccesstheRDSdeployment,theuserwillneedmorethanhisusercredentials(whichareoftencached)togetin.
ARemoteDesktoploginrequesttoRDGatewaythatincludesAzureMFAlookslikethis:
1.UserlogsintoRDWebAccessanddoubleclicksaRemoteApp(ordesktopconnection)
2.Theuserlogincredentialsforthewebsiteareusedtovalidatetheuser(WebSSO),sononeedtogivethemagain.
3.TheuserthengetsanSMStextmessageontheirsmartdevicethatprovidesthema6digitnumericcode(theonetime
password).
4.Theuserrepliestothetextmessagebyinputtingthis6digitcodeandaddingtheiruniquepredefinedPINtotheendofthe
sequenceAzureMFAincludestheoptiontorequiretheuserknowapredefineduniquePINaswell,sothatrepliestoatext
messagehavetocomefromtheuser.
5.Theuserisauthenticated,andtheRemoteApp(ordesktopconnection)opens.
Note:SMStxtauthenticationisnttheonlywaythatAzureMFAcancommunicatewithusers.Inaseparateupcomingarticlewell
coverthevariousauthenticationoptionsAzureMFAprovideswhichwillincludeforexampleauthenticationbyphonecallandalso
usinganApponasmartphone.
http://www.rdsgurus.com/uncategorized/stepbystepusingwindowsserver2012r2rdgatewaywithazuremultifactorauthentication/
1/18
1/23/2015
BecausetheRDGateway/AzureMFAsolutionmetthecustomersrequirementsonpaper,wedecidedtorunatestpilot.First,we
implementedAzureMFAwithanRDSenvironmentthatonlyhadoneRDGatewayserver(itwasnothighlyavailable).Thenwe
implementedwithmultipleRDGatewayserversinahighavailabilityconfiguration.Thesetupsbothworkedwell,butthesetupwas
differentforthesescenarios.InthisarticlewewillwalkthroughsettingupAzureMFAwithoneRDGateway.Inournextarticlewe
willexplorehighlyavailableconfigurations.
HowAzureMFAWorksWithRDGateway
LetslookcloserathowMFAworkswithRDGatewaytoprovidetwofactorauthentication.First,inordertounderstandthesetup
stepsyouwillgothrough,youneedtoknowhowRDGatewayworkstoauthenticateusers.
RDGatewayandNPS
RDGatewayusesNPS(NetworkPolicyServices),aWindowsServer2012inboxfeature,tomaintainNetworkPolicies(intheRD
GatewayManagerinterfacethesepoliciesarecalledRDConnectionAccessPolicies,orRDCAPs).Ingeneral,RDGateway(and
NPS)worktogethertoauthenticateauserlikethis:
1.TheuserlogincredentialsgetssenttoRDGateway.
2.NPSchecksthecredentialsagainstitsNetworkPoliciestoseeiftheuserisallowedtoaccessRDGateway.(ThisistheRD
CAPcheckinRDGatewayspeak).
IfthecredentialsareallowedbyNPS,then
3.RDGatewaycheckstheusercredentialsagainstitsResourceAuthorizationPolicies(RDRAPsarehousedinanXMLfileon
theRDGatewayserver)toseeiftheuserisallowedtoaccesstherequestedendpointandallowsordeniestheconnection.
AddingAzureMFA
WhenyouaddinAzureMFA,thenausergetsauthenticatedlikethis:
1.TheuserlogincredentialsgetssenttoRDGateway.
2.NPSchecksthecredentialsagainstitsNetworkPoliciestoseeiftheuserisallowedtoaccessRDGateway.(ThisistheRD
CAPcheckinRDGatewayspeak).
IfthecredentialsareallowedbyNPS,then:
3.TheloginrequestissenttoMFAServer
4.MFAServercommunicateswiththeenduser(bySMStext,phonecall,mobileapporOATHtoken)askingthemtoreplyby
repeatingthesentletter/numbersequenceback,andaddingtheiruniquePINtotheendifMFAissetuptorequireapersonalPIN.
5.MFAreceivestheusersreply,checkstheresponse.Iftheresponseiscorrect,thenMFAsendsanacceptresponsetoRD
Gateway.
IfRDGatewaygetsanAcceptresponsefromMFA,then:
6.RDGatewaycheckstheusercredentialsagainstitsRDRAPstoseeiftheuserisallowedtoaccesstherequestedendpointand
allowsordeniestheconnection.
InjectingAzureMFAintotheAuthenticationSequence
WhenyouhaveoneRDGatewayserverrunningwithalocallyrunningNPSservice(thedefaultconfiguration),youhavetohave
somewaytogettheMFAserverintothecommunicationsequence.AsshowninFigure1,youdothisbytrickingRDGatewayyou
configureRDGatewaytouseacentralizedNPSserverbutyoupointittotheMFAserver.Thecommunicationworkslikethis:
1.RDGgetstheinitialuserloginrequest
2.RDGatewayforwardstheRADIUSrequestthroughNPStoMFAserver.
3.MFAserverforwardsifrightbacktoNPSontheRDGatewayserver
4.RDGatewayvalidatestheusercredentialsanddoestheRDCAPcheck.
2/18
1/23/2015
5.NPSthensendsanACCEPTorREJECTtoMFAserver.
6.OnACCEPT,MFAwillperformthetwofactorauthenticationsequencewiththeuser(viaphonecall,textormobileapp).If
theuserreturnsthecorrectletter/numbersequence,itsendsanACCEPTtoRDGateway.
7.FinallyRDGatewaywillchecktheRDRAPandeitherallowordenytheconnection.
Figure1:YoutrickRDGatewayintothinkingitisusingacentralizedNPS.
ImplementinganOnPremiseAzureMFAServerwithRDGateway
AzureMFAcanbeusedinclouddrivenscenarios,butitcanalsobeusedwithonpremiseapplications,andthatiswhatweare
concentratingonherewewillshowyouhowtosetupanonpremiseAzureMFAservertoprovidemultifactorauthenticationtoan
onpremiseRDGatewayimplementation.
First,herearethethingsyouwillneedtoproceed:
AworkingRDSenvironment,includingRDGateway(runningNPSlocally)
AworkingRDWebAccesswebsitewithpublishedRemoteAppsordesktops
AnAzureaccountconfiguredwithbillinginformation.Thisarticleassumesyouhavealreadysetthisup.Ifyouhavenot,then
signUpForAzurehere:https://account.windowsazure.com/SignUp
Adomainjoinedserver(physicalorVM)designatedtobetheAzureMFAonpremiseserver
AcellphonetorespondtoAzureMFASMstextrequests
Aclienttestdevice(aPCortabletforexample)preferablywithInternetExplorer
Nowwewillwalkthroughthesemainsetupsteps:
1.InstallprerequisitesonthedesignatedAzureMFAserver
2.CreateaMultifactorAuthenticationProviderinAzure
3.DownloadandinstalltheonpremiseMFAserversoftware
4.ConfigureMFAServer,RDGatewayandNPS
5.SetupaTestUserinAzureMFAServeranddosometesting
PreRequisites
TheonpremiseAzureMFAServer(fromhereonoutcalledMFAServer)installrequiresthe.NETFramework3.5Features,andit
willnotautoinstallitduringthesetupsoyouneedtoinstallitfirst.FromServerManager,selecttheAddRolesandFeaturesoption,
select.NET3.5FrameworkFeaturesandclickInstall(showninFigure2).
3/18
1/23/2015
Figure2:Installthe.NETFramework3.5Features
CreateaMultifactorAuthenticationProviderinAzure
Next,createaMultifactorAuthenticationProviderinAzure.Followthesesteps:
1.FromtheMFAserver,logintotheMicrosoftAzureManagementPortal:https://manage.windowsazure.com/.
2.Inthelefthandcolumn,scrolltothebottomandclickthe+Newbutton(showninFigure3.)
Figure3:CreateanewMultifactorAuthenticationproviderinAzure
3.Figure4showsfivecolumnsfromwhichyouwillselectpropertiesofthenewMFAprovider.SelectAppServicesinthefirst
column,selectActiveDirectoryinthesecondcolumn,andselectMultifactorAuthProviderinthethirdcolumn.Thenclickthe
QuickCreatebutton.Fillouttheformthatappears.
FortheUsageModelyouhavetwooptions:
PerEnabledUsermeansyoupayafixedfeeforeveryuseraccountthatisconfiguredtouseMFA.Eachusergetsan
unlimitedamountofauthorizations.
PerAuthenticationmeansyoupayafixedfeeper10authentications.Theamountofusersisunlimited.
Bothmodelshavepossibleusecases.Youneedtofigureoutwhichmodeltogowithinadvance,asyoucannotchangetheUsage
ModelonceyoucreatetheMFAprovider.
TheDirectoryoptionsallowyoutoconnectthisMFAprovidertoanAzureActiveDirectory.Becausethisimplementationwill
useanonpremiseMFAServerthatwillbejoinedtotheonpremisedomain,leavetheoptionsettoDonotlinkadirectory.
4/18
1/23/2015
Figure4:ChoosetheMFAproviderpropertiesfromthedesignatedfivecolumns.
4.FromtheAzuremainpageyoushouldseeyourMFAprovidercreated.
5.SelectitandthenclickthemanageiconatthebottomofthepageasshowninFigure5.
Figure5:SelecttheMFAproviderandthenclickManagetoaccesstheMFAManagementportal
DownloadandInstalltheOnPremiseAzureMFAServerSoftware
TheWindowsAzureMultifactorAuthenticationmanagementportalwillopeninanewbrowsertab,showninFigure6.
5/18
1/23/2015
Figure6:TheWindowsAzureMultifactorAuthenticationmanagementportal
FollowthesestepstodownloadandinstalltheAzureMFAsoftware.
1.OnthistabclicktheDOWNLOADSbutton.YouwillgetthescreenshowninFigure7.
Figure7:Downloadthesoftware,thengenerateactivationcredentials.
2.ClickthesmallDownloadlinkrightabovetheGenerateNewActivationCredentialsbutton.Savethedownloadfile,thenrun
it.
3.MeanwhilegobacktothewebpageandclicktheGenerateNewActivationCredentialsbutton.Theactivationcredentialsare
onlygoodfor10minutes.EntertheactivationcredentialsontheActivatescreenoftheinstallshowninFigure8.Ifyour
credentialsexpirebeforeyouenterthem,clicktheGenerateNewActivationCredentialsbuttonagaintogetanewset.
6/18
1/23/2015
Figure8:SpecifytheactivationcredentialsduringtheMFAsetup
TIP:DuringtheactivationprocessthePhoneFactoronlineserviceiscontacted(MicrosoftboughtPhoneFactor,andmadeAzure
MultifactorAuthenticationsoyoumayseePhoneFactorindocumentsorsomeGUIscreensstill).Forthistoworkyouneedtobe
abletomakeconnectiontotheoutsideonport443.InscenarioswhereyourserverrunningMFAisusingaProxyServer,runthe
followingcommandtomakeusetheMFAserviceleverageyourproxyservertoo:
netshWinHTTPSetProxyproxyserver=FQDN_of_Proxy_Server:8080
OtherwiseyoucouldrunintothefollowingerrorshowninFigure9:
Figure9:ErrorindicatingtheMFAServicecouldnotbereached
ConfigureRDGatewayServer,NPSandMFAServer
NowyouneedtoconfigureRDGateway,NPS,andMFAServertocommunicatewitheachother.
ConfigureRDGateway
First,youfakeoutRDGatewayandconfigureittouseaCentralRDCAPstore,butyoupointittothenewMFAserver.Followthese
steps:
1.OpenRDGatewayManager,rightclicktheservername,andselectProperties.
2.SelecttheRDCAPStoretab(showninFigure11).
3.SelecttheCentralserverrunningNPSoption.
4.EnterthenameorIPaddressoftheMFAserverandclickAdd.
7/18
1/23/2015
5.EnterasharedsecretinthecorrespondingpopupboxandclickOK.
Figure11:ConfiguringRDGatewaytousecentralNPS
MakeNPSandMFATalkToEachOther
NowyouneedtoconfigureNPS(locatedontheRDGatewayserver)andMFAservertotalktoeachother.NPSandMFAserverboth
useaRADIUSclientandRADIUSservertocommunicatewitheachother.SoyouconfigureaRADIUSclientandaRADIUSserver
(depictedinFigure10)oneachserverlikethis:
OntheRDGatewayserver,inNPSyouconfiguretwoConnectionRequestPolicies:
ThefirstwillsendcommunicationtoMFAServerviaaRemoteRADIUSServerGroup
ThesecondwillreceivecommunicationfromMFAserverviaaRADIUSclient
OntheMFAserveryouconfigure:
ARADIUSclienttoreceivecommunicationfromtheNPSserver
ARADIUSTargettosendcommunicationtotheNPSserver
8/18
1/23/2015
Figure10:NPSandMFAserveruseRADIUSserversandclientstocommunicatewitheachother.
ConfigureNPS
First,youneedtopreventNPSfromtimingoutbeforeMFAsauthenticationhascompleted.Followthesesteps(showninFigure12):
1.InNPS,expandtheRADIUSClientsandServersmenuandselectRemoteRADIUSServerGroups.
2.WhenyousetupRDGatewayitcreatesanentryherenamedTSGATEWAYSERVERGROUP.Rightclickthisgroupand
selectProperties.
3.SelecttheMFAserverlistedandselectEdit.
4.SelecttheLoadBalancingtab.
5.ChangetheNumberofsecondswithoutresponsebeforerequestisconsidereddroppedandtheNumberofsecondsbetween
requestswhenserverisidentifiedasunavailableto3060seconds.
9/18
1/23/2015
Figure12:AdjusttheRADIUSserversettingsinNPS.
NextyouneedtoconfigureNPStoreceiveRADIUSauthenticationsfromMFAserver.SoyoucreateaRADIUSclient.Followthese
steps:
1.Intheleftcolumn,rightclickRADIUSClientsandchooseNew.
2.AddaFriendlyNameandtheaddressoftheMFAserverasshowninFigure13.
3.AddasharedsecretandclickOK.
10/18
1/23/2015
Figure13:CreateaRADIUSclientinNPS.
Next,configuretwoConnectionRequestPoliciesinNPSonetoforwardrequeststotheRemoteRADIUSServerGroup(whichis
settoforwardtoMFAserver),andtheothertoreceiverequestscomingfromMFAserver(tobehandledlocally).
TheeasiestwaytodothisistousetheexistingpolicythatwascreatedwhenyoucreatedanRDCAPinRDGateway.Followthese
steps:
1.InNPSexpandthePoliciessectionintheleftsideofthescreenandthenselectConnectionRequestPolicies.Youshouldseea
policyalreadycreatedthere,calledTSGATEWAYAUTHORIZATIONPOLICY.
2.RightclickthispolicyandselectDuplicatePolicy.
Note:Inordertoeasilytellwhateachpolicyisdoing,Irenamemypolicieslikethis:
IrenameTSGATEWAYAUTHORIZATIONPOLICYtoToMFA
IrenameCopyofTSGATEWAYAUTHORIZATIONPOLICYtoFromMFA
3.DoubleclickthenewduplicatepolicyandselecttheConditionstab.
4.AddaClientFriendlyNameasshowninFigure14.UsethesameFriendlynameyousetfortheRADIUSclientyoucreated
earlier.
11/18
1/23/2015
Figure14:AddaClientFriendlyNametotheexistingTSGATEWAYAUTHORIZATIONPOLICY.
5.NowselecttheSettingstabandchangetheAuthenticationProvidertoAuthenticaterequestsonthisserverasshownin
Figure15.
Figure15:Changethepolicytoauthenticaterequestslocally.
6.SelectAccountingandmakesuretheForwardaccountingrequestscheckboxisnotchecked.ThenclickOK.Whenyou
aredone,yourpolicysettingsshouldshowuponthemaininterfaceasshowninFigure16.
12/18
1/23/2015
Figure16:OverviewoftheNPSpolicysettingsoftheFromMFApolicy
7.Makesurethatthispolicy(thecopyoftheoriginal)isorderedfirst,aheadoftheoriginalpolicy.
8.Youshouldnothavetomakeanychangestotheoriginalpolicybutdoublechecktomakesurethatitcontainssettingsas
showninFigure17.
Figure17:Makesuretheoriginalpolicyhasthesettingsoutlinedhere.
ConfigureMFAServer
NowyouneedtoconfiguretheMFAServersoftwarewithaRADIUStargetandclient.Followthesesteps:
1.OntheMFAserveropentheMultifactorAuthenticationServerandclicktheRADIUSAuthenticationicon.
2.ChecktheEnableRADIUSauthenticationcheckbox.
13/18
1/23/2015
3.OntheClientstab,clicktheAddbutton.
4.AddtheRDGateway/NPSserverIPaddress,andasharedsecret.Thesharedsecretneedstomatchtheoneaddedtothe
CentralCAPStoreconfigurationinRDGatewayManager.
5.ClicktheTargettabandchoosetheRADIUSserver(s)radiobutton.
6.ClickAddandentertheIPaddress,sharedsecretandportsoftheNPSserver.Thesharedsecretmustmatchtheoneconfigured
fortheRADIUSclientoftheNPSserver.
Testing
ToabletotestthescenarioyouneedtoaddaTestUsertoMFAandconfigureitwithanauthenticationmethod.Hereshowtodoit:
1.OntheMFAserveropentheMultiFactorAuthenticationServerandselecttheUsersicon.
2.ClicktheImportUsersfromActiveDirectorybutton.
3.Drilldowninthecontainerhierarchytotheuseraccountyouwanttotestwith,selecttheuseraccountandclickImport.
4.Doubleclickthenewlycreateduseraccount(asshowninFigure18).
Figure18:Configurethetestuserssettings.
5.OntheGeneraltab:
a.Enterthecountrycodeandthephonenumberofthecellphoneyouwillusetotestwith.
b.SelecttheTextMessageoption.ThenselectOTP+PINfromthecorrespondingdropdownmenutotheright.
c.EnteraPINorclicktheGeneratebuttontogenerateanewpincode.
6.SelecttheEnabledcheckbox,andclickApplytosavetheconfiguration.
Totestthescenarioperformthefollowingsteps:
1.FromyourtestclientdeviceopenInternetExplorerandbrowsetotheRDWebAccesswebsite,andloginwithatestaccount.
14/18
1/23/2015
2.OpenaRemoteApporRemoteDesktop.OntheclientthedialogshowninFigure19willremainopenuntilthetwofactor
authenticationhasbeencompleted:
Figure19:LaunchtheRDPsession
3.YouwillreceiveatextmessagefromMFAserverasshowninFigure20.
Figure20:YoushouldreceiveatextmessagefromMFAserver.
4.ReplytothetextbytypingtheOneTimePasswordintheinitialtextmessageandaddtheuniqueuserPINtotheendofyour
response.
5.Ifyoutypeinthecorrectinformationthemultifactorauthenticationwillcompletesuccessfullyandthesessionwillopen.
Troubleshooting
Whenwewereworkingwiththisinstallation,wedidnotsetthingsuprightthefirsttime(orthesecond).Sowehadtotroubleshoot
ourpilot.Unfortunatelywedidnotfindverymuchtohelpus.Theeventlogswereourfriendhowever.
Whenyoumakeasuccessfulconnection(completewithUDPchannelsthroughRDGateway),youwillget16eventlogentriesinthe
RDGatewayoperationaleventlog.Itislocatedat:
EventViewer/ApplicationsandServicesLogs/Microsooft/Windows/TerminalServicesGateway/Operational
These16entriescorrespondtothesuccessfulconnectionlikethis:
1.UsermetCAPpolicyrequirementsandcanconnecttoRDGateway
15/18
1/23/2015
2.UsermetRAPpolicyrequirementsandcanconnecttoRDConnectionBroker
3.TheuserconnectedtoRDConnectionBrokerusingHTTP
4.TheuserconnectedtoRDConnectionBrokerusingUDP
5.TheuserconnectedtoRDConnectionBrokerusingUDPProxy
6.TheuserconnectedtoRDConnectionBrokerusingUDP(secondchannel)
7.TheuserconnectedtoRDConnectionBrokerusingUDPProxy(secondchannel)
8.TheuserdisconnectedtoRDConnectionBrokerusingHTTP
9.TheuserdisconnectedtoRDConnectionBrokerusingUDP
10.TheuserdisconnectedtoRDConnectionBrokerusingUDP
11.UsermetRAPpolicyrequirementsandcanconnecttoRDSessionHost
12.TheuserconnectedtoRDSessionHostusingHTTP
13.TheuserconnectedtoRDSessionHostusingUDP
14.TheuserconnectedtoRDSessionHostusingUDPProxy
15.TheuserconnectedtoRDSessionHostusingUDP(secondchannel)
16.TheuserconnectedtoRDSessionHostusingUDPProxy(secondchannel)
WhatwefoundwasthatifyouhaveaproblemwithmisconfiguredpoliciesinNPS,youmostlikelywillgetaneventlogerroratstep
one.TheeventlogwillsaythatyoudidnotmeetCAPrequirementsevenifyoudo.
Ifyourunintothis,checkyourpolicies.Ifyouaresuretheyarecorrect,thenmakesureyourCAPworksifyouusealocalNPS
(switchtheRDGatewayCAPstoresettingbacktoLocal).IfitworkswhenyouchoosetheLocaloptionthenwerecommendyou
redoyourpolicies.RemovethepoliciesyouhaveeditedorcreatedinNPS.ThenredotheCentralCAPsettinginRDGateway
Manager(putitbacktoLocal,thenchangeitagaintoCentral).DoingthiswillrecreaterequiredstartingpiecesinNPS,andyoucan
recreateandeditpoliciesfromthere.
Q&A
Q:ArethereotherwaystoconfigurethecommunicationinNPSthatwillwork?
A:Yes,therearemultiplewaystosetupthecommunicationinNPSthatwillwork.Forexample,wegotthisworkingalsoby:
LeavingRDGatewaywithalocalNPSinsteadoffakingitout.
AddingtwoRADIUSclientsinNPS,onefortheRDGatewayserverandonefortheMFAserver.
ConfiguringtwoConnectionRequestPoliciestohandlecommunicationfromNPStoMFAserver(onebyfriendlynameand
theotherbyIPaddress).
ConfiguringtwoConnectionRequestPoliciestohandlecommunicationfromMFAservertoNPS(onebyfriendlynameand
theotherbyIPaddress).
Butthisconfigurationturnedouttobeprettytouchy.Wewereabletorepeatedlybreakthisinstallationandtheonlyrepairthatwould
workwastoundothepoliciesinNPSandstartover.
WearegoingtowalkthroughotherpossibleconfigurationscenariosinournextarticlewhenwetalkaboutRDGatewayandAzure
MFAhighavailabilityscenarios.
Q:WhydoIneedtochangethetimeoutsfortheRemoteRADIUSServerGroupinNPSfrom5secondsto3060seconds?
A:BecauseittakestimetoperformprimaryauthenticationwithRDGatewayandthentoperformtwofactorauthenticationbefore
returningaresponsetoRDG,theRADIUStimeoutsinNPSneedtobeincreasedto60seconds.
16/18
1/23/2015
Q:HowdoesAzureknowtobillmewhenIdeployAzureMFAonpremise?
A:YougetbilledthroughtheMultiFactorAuthProvidercreatedinAzure.TheMFAServerreportsthenumberofenabledusersto
theMFAcloudservice,whichreportsbillingtotheAzurecommercesystems.
Q:WhatpieceofAzureMFAtakescareofsendingthetextmessagestocellphones?
A:AllsecondfactorauthenticationsareperformedthroughtheMFAcloudservice.Thatserviceperformsthephonecalls,text
messagesandpushnotifications(mobileapp).WhenusingtheonpremiseMFAServer,theserverrequeststheauthenticationfrom
thecloudservice.
Q:WhenIgetaTXTmessagefromAzureMFAwithmyOTP,itcomesfromwhatseemstoberandomphonenumbers.Howare
userssupposedtoknowthatthisislegit?IsthereawaytoidentifythisotherthanthefriendlynameintheMFAsetup?
A:AzureusesmultipleSMSproviderstoday,eachwithapoolofnumbersthattheSMSmessagesaresentfrom.Microsoftisbringing
anSMSshortcodeintoproductionveryshortlyandthenmostoftheSMStrafficintheUSwillbesentfromthatshortcodesothere
willbesomeconsistencyinplacesoon.YoucanalsocustomizetheSMSmessagethatissentbygoingintoCompanySettingsSMS
Text.
Q:HowdoesanonpremiseAzureMFAservercommunicatewithAzureMFAcloudservices?
A:TheMFAServercommunicatestotheMFAcloudserviceoverport443outbound.Figure21showsahighlevelarchitecturethat
showstheMFAServeronpremises,AzureADandtheMFAcloudservice.
Figure21:MFAHighLevelarchitecture
OtherHelpfulArticles
GettingstartedwithWindowsAzureMultiFactorAuthentication
RADIUSAuthentication
17/18
1/23/2015
RemoteDesktopGatewayandAzureMultiFactorAuthenticationServerusingRADIUS
Summary
ThissetupisasimpleoneasingleRDGatewayandsingleonpremiseAzureMFAservergreatfortestingaconcept,butwhat
aboutamorerealworldsolution?Inupcomingarticleswewillshowyouhowtoconfigureahighlyavailablesolutionincluding
multipleRDGateways,multipleMFAServers.WewillalsoexplorevariousAzureMFAauthenticationmethodssuchasphonecall,
andmobileappoptions.CheckRDSGurus.comforupdates!
KristinGriffin&FreekBerson
23
Like
46
Tweet
89
0 Share
WorkingwithRDWebAccessinWindowsServer2012R2
RDSDeploymentPossibilities
KristinL.Griffin
ViewAllPosts
FreekBerson
ViewAllPosts
Copyright2013.CreatedbyRDSGurus.PoweredbyWordPress.
Blog
Reviews
Presentations
Scripts
HotfixesandWorkarounds
18/18

Step by Step - Using Windows Server 2012 R2 RD Gateway With Azure Multifactor Authentication - RDS Gurus

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Step by Step - Using Windows Server 2012 R2 RD Gateway With Azure Multifactor Authentication - RDS Gurus

Uploaded by

Copyright:

Available Formats

1/23/2015

You might also like