Microsoft Rdp Mfa

Posted By admin  On 01.05.21



Clearly, exposing RDP access to the internet is a dangerous security practice. That’s why organizations need to safeguard their Windows RDP ports with MFA. Multi-factor authentication is the practice of requiring an additional authentication factor beyond credentials to gate access to resources such as systems. Although organizations. Microsoft RDS can be used to help secure on-premises deployments, cloud deployments, and remote services from various Microsoft partners (e.g., Citrix). Leveraging RDS to connect to on-premises systems enhances security by reducing the exposure of systems directly to the internet.

  1. Jul 01, 2017 6- MFA will perform the second factor authentication, it will challenge the use by MFA challenge, for example it may call user phone or send notification in Microsoft Auth App. 7- MFA will send the result of MFA challenge to the RD Gateway again.
  2. A: YES, Microsoft RDP (MFA) application is available to everyone in the Okta Integration. Q: What servers are supported by this feature? A: Windows Server 2016, 2012, 2012 R2 and 2008 R2. Q: Which MFA factors does this new feature support? A: all supported Okta MFA factors, except U2F tokens and Windows Hello.
  3. Click Add Application and enter Microsoft RDP (MFA) in the search box. On the General tab, assign any desired application label and then add the application. Select the Assignments tab. Assign the application to groups or individuals as required. Save your changes. Click Done when complete.

Contents

  • 3 Instruction

This document will guide you through the steps to secure the authentication of Microsoft Remote Desktop Services with PhenixID Server, delivering two-factor authentication using PhenixID One Touch.

  • PhenixID Server 3.2 or later installed.
  • One Touch authentication enabled:
    http://document.phenixid.net/m/87804/l/1081866-one-touch
  • Information about the user store, such as ip address/server name, port and userid/password for the connection.
  • Remote Desktop Services/Network Policy Server configured according to Microsoft recommendations and any specific requirements in your environment.

Overview

This document will guide you through the configuration steps to integrate two-factor authentication against Microsoft Remote Desktop Services.

It’s based on a scenario where PhenixID Server will be configured as RADIUS proxy and PhenixID One Touch will be used for the second factor. In this scenario, Active Directory will be used as LDAP user store.

PhenixID Server is platform independent and can be installed on both Linux and Windows. It works with all other LDAP user databases as well, like eDirectory, Sun One, Open LDAP etc.

Rdp

PhenixID Server configuration for use with RD Gateway/NPS

The RADIUS Proxy module in PhenixID, will be used in this configuration.
Start by following this document, to add proxy functionality to the installation:
http://document.phenixid.net/m/90910/l/1146949-how-to-setup-phenixid-mfa-server-as-a-ms-chapv2-proxy

In our example the proxy configuration will listen for incoming traffic from RD Gateway/NPS on port 1818 and port 1814 will be used to communicate back to NPS (ip 192.168.1.46):

Remote Desktop Services/Network Policy Server configuration

Start by setting up RD Gateway for 2FA, according to Microsoft recommendations and any specific requirements in your environment.

Configure the NPS to listen on the port set in PhenixID Server proxy:

NPS also needs to have the PhenixID Server as a RADIUS client, since traffic
will come back to NPS, after verification of the second factor:

Set the PhenixID Server to the “Remote RADIUS Server Group”:

Making sure to set the correct outgoing port, as well as increasing the value for the timeout.
Since we are now adding a second factor, we need to make sure that end users have the time needed to complete the login.
Port and timeout settings:

Now configure the “Connection Request Policies”.
Two policies are required, one from PhenixID Server and one to PhenixID Server.
The one used from MFA, must be above the policy to MFA.
Example of order and policies:

The condition ”Client Friendly Name” specifies the name of the RADIUS client set earlier.
Values for “Accounting Provider name” and “Authentication Provider Name”, should be set to the “Remote RADIUS Server Group” configured earlier.
The “Manipulation Attribute Rules” are set to remove the domain name, so that only the username itself is sent to PhenixID Server for validation.

Last step is to set the “Network Policy”, like this example:

Rdp

Now login to RDWeb and click on an application. It will start after the assignment in One Touch has been approved.

Troubleshooting

Log file for PhenixID Server is server.log located in /logs.
On the Windows side, investigate Event Viewer/Windows Logs/Security

MfaMicrosoft

Microsoft Rdp Mfa Login

DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.
The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.
PhenixID - support.phenixid.se