Implementing MFA in an RDS infrastructure

Multi-factor authentication (MFA) strengthens user authentication: a stolen, guessed or reused password is no longer enough on its own to sign in.

MFA requires more than one form of verification to prove your identity when signing in to an application: something you know (the password) plus something you have (here, the phone running Microsoft Authenticator).

In this guide we enable Azure AD MFA for the users of an on-premises Remote Desktop Services (RDS) deployment, using the Microsoft Authenticator app as the second factor. The RD Gateway forwards each authentication to a Network Policy Server (NPS) running the NPS Extension for Azure MFA; the extension asks Azure AD to push a sign-in request to the user's phone and only returns an accept to the gateway once the user has approved it.

Network diagram

[Diagram: Microsoft Azure AD, RDS and MFA]

Prerequisites

Licensing

Microsoft's licensing pages are not very clear on this point, but the NPS extension relies on Azure AD Multi-Factor Authentication, which is included in Azure AD Premium P1 and P2. Assign the licence to every user you want to protect.

[Screenshot: Azure AD MFA licensing]

Architecture

The architecture page is not much clearer either, but an AD FS server is not required: the NPS extension talks to Azure AD directly (link).

[Screenshot: Azure common scenario]

Azure AD (part I)

[Screenshot: Azure Portal, Azure Active Directory icon]

Create a tenant

[Screenshots: Azure Portal, Create a tenant; Select a tenant type; Configure your new directory; Create a tenant, validation passed]

Activate Azure AD Premium P2 License

[Screenshots: Azure Portal, Licenses left panel menu; Get a free trial; Activate Azure AD Premium P2; Overview, tenant information with Azure AD Premium P2 licence]

Create an AD Connect user

From the Azure portal, create a new user account that Azure AD Connect will use to synchronise the local AD (std.local) with Azure AD (std2.onmicrosoft.com). Give it the directory role the AD Connect installer asks for, then reset its password from the portal and sign in once: the portal forces a password change on first sign-in, and the installer will refuse an account whose password must still be changed. Treat this account as a service account: do not use it for day-to-day administration.

[Screenshots: Azure Portal, Create a new user; set user name and name; groups and roles; group selection; Reset password; Reset password window; Microsoft Azure, sign in to continue; update your password; Azure AD Connect left panel menu; Download Azure AD Connect]

AD Server

Azure AD Connect

Download

Now install and configure Azure AD Connect, the software that synchronises local AD users to Azure AD.

It is installed once, on a domain-joined server; in this guide it goes on the AD server itself.

[Screenshots: Azure Portal, Azure AD Connect menu; Download Azure AD Connect]

Installing Azure AD Connect

The express settings used below enable password hash synchronisation, so the users keep a single password for Windows and Azure AD. Sign in with the AD Connect user created above when the wizard asks for Azure AD credentials, and with a domain administrator for the on-premises forest.

[Screenshots: Azure AD Connect Installation, Welcome to Azure AD Connect; Express Settings; Install required components; User sign-in; Connect to Azure AD; Connect your directories; AD forest account; Connect your directories; Azure AD sign-in configuration; Domain and OU filtering; Uniquely identifying your users; Filter users and devices; Optional features; Ready to configure; Configuration complete]

Add the primary Azure AD domain as a UPN suffix in your local AD

Azure AD only keeps a synchronised user principal name (UPN) whose suffix is a verified domain of the tenant. std.local is not, so add the tenant's primary domain (std2.onmicrosoft.com) as an alternative UPN suffix of the forest.

[Screenshots: Windows, Run domain.msc; Active Directory Domains and Trusts, properties; Add UPN suffix]

Create RDS users

Create the RDS users with the Azure UPN suffix chosen above, so that the on-premises UPN and the Azure AD UPN are identical; the NPS extension looks the user up in Azure AD by UPN.

[Screenshots: Windows, Run dsa.msc; Active Directory Users and Computers, creating new user; New Object]
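The two AD-side steps above (UPN suffix, then the user and the group the NPS policy will match) done from PowerShell, as an added example that is not part of the original guide. It runs on the AD server as a Domain Admin. std.local and std2.onmicrosoft.com are the guide's lab names; the OU, group and user names are assumptions.

```powershell
# Added example (not the guide's own code). Run on the AD server as a Domain Admin.
# std.local / std2.onmicrosoft.com come from the guide; OU, group and user names are assumed.
Import-Module ActiveDirectory

$AzureDomain = 'std2.onmicrosoft.com'           # primary domain of the Azure AD tenant
$DomainDn    = 'DC=std,DC=local'
$OuName      = 'RDS Users'                      # assumed OU and group name
$OuPath      = "OU=$OuName,$DomainDn"
$Sam         = 'rdsuser1'                       # assumed test user

# 1. Alternative UPN suffix (same as domain.msc > Properties > UPN Suffixes).
#    Azure AD only keeps a synced UPN whose suffix is a verified domain of the tenant;
#    std.local is not verified, so the users get the tenant domain instead.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $AzureDomain) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $AzureDomain }
}

# 2. OU and global security group; the group is what the RDG_CAP network policy will match on.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDn
}
if (-not (Get-ADGroup -Filter "Name -eq '$OuName'")) {
    New-ADGroup -Name $OuName -GroupScope Global -GroupCategory Security -Path $OuPath
}

# 3. The RDS user. The UPN must carry the Azure suffix: the NPS extension looks the user up
#    in Azure AD by UPN, so an on-prem UPN that differs from the cloud one means "user not
#    found" and a denied connection.
$Password = Read-Host -Prompt "Password for $Sam" -AsSecureString
New-ADUser -Name 'RDS User 1' -SamAccountName $Sam `
    -UserPrincipalName "$Sam@$AzureDomain" `
    -Path $OuPath -AccountPassword $Password -Enabled $true
Add-ADGroupMember -Identity $OuName -Members $Sam

# 4. Check what will be synchronised: UPN suffix and group membership.
Get-ADUser -Identity $Sam -Properties UserPrincipalName, MemberOf |
    Select-Object SamAccountName, UserPrincipalName, Enabled, MemberOf

# 5. Trigger a delta sync instead of waiting for the next scheduled cycle (every 30 minutes).
#    The ADSync module only exists where Azure AD Connect is installed, which in this guide
#    is the AD server itself.
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta
```

After the delta sync, the user should appear in the Azure portal with the UPN rdsuser1@std2.onmicrosoft.com; if it shows up with a different suffix, the UPN suffix step was skipped or the user was created with the std.local suffix.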

Azure AD (part II)

Go back to the Azure portal to enable MFA for the synchronised RDS users.

Enable MFA

The per-user MFA page marks the selected users as required. On their next Azure AD sign-in they are asked to register the Microsoft Authenticator app (see the RDS User section below); until they have done so, the NPS extension cannot complete the second factor and the RDS connection is refused.

[Screenshots: Azure Portal, Multi-Factor Authentication link; Enable MFA for user; Enable multi-factor auth window]

NPS Server (part I)

We need an NPS server. It could be installed on the AD server, but in this guide I will install it on a brand new virtual machine.

Disable IE Enhanced Security Configuration

I recommend temporarily disabling IE Enhanced Security Configuration: it can break the Azure sign-in window that the AzureMfaNpsExtnConfigSetup PowerShell script opens. Re-enable it once the extension is configured.

[Screenshots: Windows Server, Server Manager, IE Enhanced Security Configuration link; IE Enhanced Security Configuration window]

Installing NPS role

The NPS role can be installed with PowerShell or through the graphical user interface.

PowerShell

PS C:\Users\administrator.STD> Install-WindowsFeature NPAS -Restart -IncludeManagementTools

GUI

[Screenshots: Windows Server, Server Manager dashboard, Add Roles and Features; Select installation type; Select destination server; Select server roles; Select features; Confirm installation selections]

NPS Extension For Azure MFA

It is a module that adds cloud-based MFA to NPS. For every RADIUS request that passes the NPS policies, the extension calls Azure AD, which triggers the second factor (Authenticator push notification or phone call) and returns the verdict; only then does NPS answer the RD Gateway.

Installing

[Screenshots: NPS Extension For Azure MFA Setup, step 1; step 2]

AzureMfaNpsExtnConfigSetup.ps1 script

Now run the AzureMfaNpsExtnConfigSetup.ps1 PowerShell script. It creates a self-signed certificate in the local machine store, registers its public key on the Azure AD service principal used by the extension, and stores the tenant ID in the registry; the extension authenticates to Azure AD with this certificate. Run it from an elevated PowerShell prompt, sign in with an administrator of the tenant when prompted, then paste the tenant ID shown on the Azure Active Directory Overview page.

PS C:\Users\administrator.STD> cd 'c:\Program Files\Microsoft\AzureMfa\Config'
PS C:\Users\administrator.STD> .\AzureMfaNpsExtnConfigSetup.ps1
[Screenshots: AzureMfaNpsExtnConfigSetup.ps1; Azure AD, Sign in to your account; Azure Portal, Overview menu, tenant ID; AzureMfaNpsExtnConfigSetup.ps1]

Windows Firewall

Installing the NPS role does not automatically open the RADIUS ports (tested on Windows Server 2019), so create an inbound firewall rule for UDP 1812, 1813, 1645 and 1646. Restrict remoteip to the RD Gateway address if you can; the rule below allows any source. The extension itself needs outbound HTTPS (TCP 443) to Azure AD, which the default outbound policy already allows.

PS C:\Users\administrator.STD> netsh advfirewall firewall add rule name="NPS" dir=in localport=1812,1813,1645,1646 remoteport=0-65535 protocol=UDP action=allow remoteip=any localip=any

RDS Server

On the RD Gateway, point the RD CAP store at the central NPS server (tsgateway.msc, Properties, RD CAP Store) and enter the shared secret that will also be configured on the NPS server. Then, in the gateway's own nps.msc, edit the TS GATEWAY SERVER GROUP: on the Load Balancing tab raise the timeouts (request considered dropped, and server considered unavailable) to 30 to 60 seconds, because the RADIUS answer now waits for the user to approve the push on their phone and the default timeouts expire before that. Finally adjust the TS GATEWAY AUTHORIZATION POLICY as shown in the screenshots.

[Screenshots (tsgateway.msc): Windows, Run, tsgateway.msc; RD Gateway Manager, properties menu; RDS properties, RD CAP Store; Shared secret]

[Screenshots (nps.msc): Windows, Run, nps.msc; NPS console, Remote RADIUS Server Groups; TS GATEWAY SERVER GROUP Properties, General tab; Edit RADIUS Server, Load Balancing tab; TS GATEWAY AUTHORIZATION POLICY, properties; Conditions; Conditions, Day and time restrictions (two screenshots); Conditions, remove NAS Port Type; Settings, Authentication]

NPS Server (part II)

Back on the NPS server, open nps.msc.

Register server in Active Directory

Registering adds the NPS computer account to the RAS and IAS Servers group so that NPS can read the users' dial-in properties.

[Screenshot: NPS Console, Register server in Active Directory]

Create RADIUS client

Declare the RD Gateway as a RADIUS client, using the same shared secret entered in tsgateway.msc.

[Screenshots: NPS Console, RADIUS Clients, New; New RADIUS Client settings]

Create network policy

The RDG_CAP network policy decides which users are allowed through (typically by group membership) before the extension triggers the second factor; a user who does not match the policy is refused without any MFA prompt.

[Screenshots: NPS Console, Network Policies; Network Policies properties; RDG_CAP; RDG_CAP Conditions; RDG_CAP Constraints]
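The NPS (part II) steps from PowerShell, followed by the checks I would run on the extension before testing from a client, as an added example that is not the guide's own code. It runs on the NPS server as an administrator; the RD Gateway address, the RADIUS client name and the certificate subject pattern are assumptions.

```powershell
# Added example (not the guide's own code). Run on the NPS server as an administrator.
# The RD Gateway address, client name and certificate subject pattern are assumptions.
Import-Module NPS

$RdgName    = 'RDG'              # name of the RADIUS client
$RdgAddress = '192.168.1.20'     # assumed IP of the RD Gateway

# 1. Register NPS in AD (adds this computer to "RAS and IAS Servers" so NPS can read
#    user dial-in properties); same as "Register server in Active Directory" in nps.msc.
netsh nps add registeredserver

# 2. RADIUS client for the RD Gateway; the secret must be the one entered in tsgateway.msc.
$Secret = Read-Host -Prompt 'RADIUS shared secret' -AsSecureString
$Plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
              [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secret))
if (-not (Get-NpsRadiusClient | Where-Object Name -eq $RdgName)) {
    New-NpsRadiusClient -Name $RdgName -Address $RdgAddress -SharedSecret $Plain
}
# (There is no cmdlet for the RDG_CAP network policy; keep creating it in nps.msc.)

# 3. Extension configuration written by AzureMfaNpsExtnConfigSetup.ps1.
$Cfg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
"Tenant ID : $($Cfg.TENANT_ID)"
# REQUIRE_USER_MATCH absent or TRUE: a user who exists in AD but is not enrolled for MFA in
# Azure AD is denied. FALSE lets such users in with password only, i.e. MFA fails open.
$Match = $Cfg.REQUIRE_USER_MATCH
if ($Match -and $Match -ne 'TRUE') {
    Write-Warning "REQUIRE_USER_MATCH=$Match : MFA fails open for users not enrolled in Azure AD"
}

# 4. The certificate the extension uses to authenticate to Azure AD (subject pattern assumed
#    from the certificate the setup script creates; browse Cert:\LocalMachine\My if it differs).
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object Subject -like '*Microsoft NPS Extension*' |
    Select-Object Subject, NotAfter, Thumbprint

# 5. Network: the inbound RADIUS rule from the firewall step, and outbound HTTPS to Azure.
Get-NetFirewallRule -DisplayName 'NPS' | Select-Object DisplayName, Enabled, Direction, Action
foreach ($h in 'login.microsoftonline.com', 'strongauthenticationservice.auth.microsoft.com') {
    $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    '{0,-50} {1}' -f $h, $(if ($r.TcpTestSucceeded) { 'ok' } else { 'BLOCKED' })
}

# 6. Where to look when a connection is refused: NPS audit events 6272 (access granted) and
#    6273 (access denied) in the Security log, plus the extension's own event channels.
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable | Out-Null
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
Get-WinEvent -ListLog '*AzureMfa*' | Select-Object LogName, RecordCount
```

Event 6273 carries the reason for the denial (wrong shared secret, no matching network policy, user not enrolled for MFA); reading it is usually faster than guessing from the client's generic "cannot connect" message.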

RDS User

Android Device / Microsoft Authenticator App

Microsoft Authenticator is an Android and iOS app. It provides the second factor through the phone: Azure AD sends a push notification and the user approves or denies the sign-in.

Install the app from Google Play or the App Store only, then sign in to Azure AD with the RDS user. Because MFA has been enabled for this user, Azure AD asks them to secure the account by pairing the app.

[Screenshots: Azure AD, Sign in; Enter password; Help us protect your account; Keep your account secure; Pair your account to the app by clicking this link]

Check default sign-in method

Check at https://mysignins.microsoft.com/security-info that the user's default sign-in method is the Microsoft Authenticator notification. If the default is SMS, Azure AD sends a text code instead of a push, and there is nowhere to type that code in the RD Gateway authentication, so the RDS connection fails.

[Screenshots: Microsoft My Sign-Ins login prompt; My Sign-Ins, Security info]

RDS Client

[Screenshots: Windows, RDS Web interface, portal; Remote App and Desktops]

Install certificate

The RD Gateway presents a self-signed certificate that the client does not trust, so the guide exports it from the warning dialog and imports it into the client's Trusted Root Certification Authorities store. For anything beyond a lab, issue the gateway a certificate from your internal CA or a public CA instead: a self-signed root copied to every client is hard to rotate and teaches users to click through certificate warnings, which defeats part of the point of adding MFA. Once the connection is accepted and the user has entered their credentials, the Authenticator app receives a sign-in request; approving it completes the RDS connection.

[Screenshots: Remote Desktop Connection, This computer can't verify the identity; Certificate details; Certificate Export Wizard, Welcome; Cryptographic Message Syntax Standard; File to export; Completing the wizard; Windows, Install certificate; Certificate Import Wizard, Welcome; Place all certificates in the following store; Select certificate store; Place all certificates in the following store; Completing the wizard; RDS Web interface, RDS app, Enter your credentials; Microsoft Authenticator, New sign-in request]

Troubleshooting

References

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
