Implementing MFA in a RDS infrastructure

Multi-factor authentication (MFA) is the current way to strengthen user authentication. It reduces the risk posed by a compromised password.

MFA requires multiple forms of verification to prove your identity when signing in to an application.

In this guide, we will see how to enable MFA for RDS users by using the Microsoft Authenticator app.

Network diagram

RDS MFA Diagram

Prerequisites

Licensing

As usual with Microsoft, licensing is not very clear, but it seems we need an Azure AD Premium P1 or P2 license.

Azure Licensing

Architecture

Not very clear either, but it seems we don't need an AD FS server: link.

Azure AD (part I)


Create a tenant

Screenshots (Azure Portal): Create a tenant; Select a tenant type; Configure your new directory; Create a tenant, validation passed.

Activate Azure AD Premium P2 License


Create an AD Connect User

From the Azure portal we will create a new user account, which will be used to sync our local AD (std.local) with Azure AD (std2.onmicrosoft.com).

Screenshots (Azure Portal): Create a new user.

AD Server

AD Connect

Download

Now we need to install and configure AD Connect. This software synchronizes our local AD users to our Azure AD infrastructure.

It needs to be installed only once, on an AD server.

Screenshots (Azure Portal): Azure AD Connect menu; Download Azure AD Connect.

Installing AD Connect

Screenshots (Azure AD Connect): Welcome to Azure AD Connect; Express Settings; Install required components; Filter users and devices; Optional features; Ready to configure.

Add Primary Azure Domain to your local AD

Create RDS Users

Azure AD (part II)

Go back to the Azure portal to enable MFA.

Enable MFA


NPS Server (part I)

We need an NPS server; it could be installed on the AD server, but in this guide I will install it on a brand new virtual machine.

Disable IE Enhanced Security Configuration

I recommend (temporarily) disabling IE Enhanced Security Configuration because it can prevent the Azure authentication from working while the AzureMfaNpsExtnConfigSetup.ps1 PowerShell script runs.

Installing NPS role

We can install the NPS role either with PowerShell or via the graphical user interface.

PowerShell

PS C:\Users\administrator.STD> Install-WindowsFeature NPAS -Restart -IncludeManagementTools

GUI

Server manager dashboard, Add Roles and Features

NPS Extension For Azure MFA

It is a module that adds cloud-based MFA capabilities to NPS. It communicates directly with the Azure AD infrastructure.

Installing

Screenshots: NPS Extension For Azure MFA Setup.

AzureMfaNpsExtnConfigSetup.ps1 script

Now we need to run the AzureMfaNpsExtnConfigSetup.ps1 PowerShell script to configure the certificates that the NPS extension will use to authenticate to Azure AD.

PS C:\Users\administrator.STD> cd 'c:\Program Files\Microsoft\AzureMfa\Config'
PS C:\Users\administrator.STD> .\AzureMfaNpsExtnConfigSetup.ps1

Windows Firewall

It seems that Windows (I tried on Windows Server 2019) doesn't automatically open the RADIUS ports. So, create a firewall rule to allow inbound UDP 1812, 1813, 1645 and 1646.

PS C:\Users\administrator.STD> netsh advfirewall firewall add rule name="NPS" dir=in localport=1812,1813,1645,1646 remoteport=0-65535 protocol=UDP action=allow remoteip=any localip=any
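The rule above accepts RADIUS traffic from any address. As an added example (not from the original guide), here are the same ports opened only to the RD Gateway, the single RADIUS client this NPS server should talk to; the gateway address 192.0.2.10 is a placeholder.

```powershell
# Added example: scope the RADIUS ports to the RD Gateway instead of "remoteip=any".
# 192.0.2.10 is a placeholder for the RD Gateway address; replace it with your own.
$RdGateway   = '192.0.2.10'
$RadiusPorts = 1812, 1813, 1645, 1646   # authentication/accounting, standard and legacy ports

# Remove the wide-open rule created earlier with netsh (no error if it does not exist).
Remove-NetFirewallRule -DisplayName 'NPS' -ErrorAction SilentlyContinue

# Inbound UDP only from the gateway, only on the RADIUS ports, only in the Domain profile.
New-NetFirewallRule -DisplayName 'NPS RADIUS from RD Gateway' `
    -Direction Inbound -Protocol UDP -LocalPort $RadiusPorts `
    -RemoteAddress $RdGateway -Profile Domain -Action Allow | Out-Null

# Verify: the address filter and port filter attached to the new rule should show
# the gateway address and the four UDP ports, nothing broader.
$rule = Get-NetFirewallRule -DisplayName 'NPS RADIUS from RD Gateway'
$rule | Get-NetFirewallAddressFilter | Select-Object RemoteAddress
$rule | Get-NetFirewallPortFilter    | Select-Object Protocol, LocalPort
```

If the gateway and NPS sit in different subnets, list every gateway address in RemoteAddress rather than widening it to a range.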

RDS Server

Screenshots: Run, Open, tsgateway.msc; TS GATEWAY SERVER GROUP Properties, general tab; Edit RADIUS Server, load balancing tab.

NPS Server (part II)

Register server in Active Directory

Create Radius Client

Create Network Policy
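The first two steps of this section can be scripted instead of clicked through in the NPS console; this is an added example, not from the original guide, and the network policy itself is still built in the console as in the step above. The gateway address 192.0.2.10 and the client name RDGateway are placeholders.

```powershell
# Added example: register NPS in AD and declare the RD Gateway as a RADIUS client.
# 192.0.2.10 is a placeholder for the RD Gateway address; replace it with your own.
$RdGateway = '192.0.2.10'

# "Register server in Active Directory": lets NPS read users' dial-in properties.
netsh ras add registeredserver

# Generate a long random shared secret. The secret protects the User-Password
# attribute and the Message-Authenticator between the gateway and NPS, so a short
# or guessable one undermines the whole RADIUS exchange.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$SharedSecret = [Convert]::ToBase64String($bytes)

# Declare the gateway as a RADIUS client; NPS discards requests from any other source.
New-NpsRadiusClient -Name 'RDGateway' -Address $RdGateway -SharedSecret $SharedSecret | Out-Null

# Verify what NPS now knows about its clients.
Get-NpsRadiusClient | Select-Object Name, Address, Enabled

# Paste the secret into the gateway's "Edit RADIUS Server" dialog, then drop it from
# the session so it does not linger in memory or transcripts.
Write-Host "Shared secret for the RD Gateway: $SharedSecret"
Remove-Variable SharedSecret, bytes
```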

RDS User

Android Device / Microsoft Authenticator App

Microsoft Authenticator is an Android and iOS phone app. It provides the second authentication factor using a phone.

Install the app from the store of your choice.

Check default sign-in method

We need to check that our default sign-in method is Microsoft Authenticator; otherwise MFA could send an SMS to authenticate, which cannot be used to complete an RDS connection.

RDS Client

Install certificate

Troubleshooting

Sources

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
