Implementing MFA in a RDS infrastructure

Multi-factor authentication (MFA) raises the bar for user authentication: a password that has been guessed, phished or leaked is no longer enough on its own to sign in.

MFA requires multiple forms of verification to prove your identity when signing into an application, here a password (something you know) plus an approval on a phone (something you have).

In this guide, we will see how to enable MFA for RDS users by using the Microsoft Authenticator app.

Network diagram

Microsoft Azure AD, RDS and MFA Diagram

Prerequisites

Licensing

Microsoft's licensing page is, as usual, not very clear on this point, but it appears that an Azure AD Premium P1 or P2 license is required for the users who will be challenged (the NPS extension relies on Azure AD MFA).

Azure AD MFA Licensing

Architecture

  • We need :
    • An Azure AD tenant (I used the commercial trial to set it up).
    • An AD server with Azure AD Connect, to synchronise local users (and their password hashes) to Azure AD.
    • An NPS server with the NPS Extension for Azure MFA, acting as the authentication bridge: the RD Gateway sends it a RADIUS request, and the extension asks Azure AD for the second factor before answering.
    • An RDS server: a classic Remote Desktop deployment with Web Access, Gateway and Connection Broker.

This is not entirely clear either, but it appears that an AD FS server is not needed: the NPS extension talks to Azure AD directly, without federation : link.

Azure common scenario

Azure AD (part I)

Azure Portal | Azure Active Directory icon

Create a tenant

  • If you don't have one yet, create a new tenant :
Azure Portal | Create a tenant
  • Select Azure Active Directory :
Azure Portal | Select a tenant type
  • Configure your new directory :
Azure Portal | Configure your new directory
  • Once validation passed, click create :
Azure Portal | Create a tenant, validation passed

Activate Azure AD Premium P2 License

  • From left panel, click Licenses :
Azure Portal | licenses left panel menu
  • Then Get a free trial :
Azure Portal | Get a free trial
  • And activate an Azure AD Premium P2 license :
Azure Portal | Activate Azure AD Premium P2
  • After few minutes you should see your Azure AD Premium P2 license :
Azure Portal | Overview, Tenant information with Azure AD Premium P2 licence.

Create an AD Connect user

From the Azure portal we will create a new user account which will be used to sync our local AD (std.local) with Azure AD (std2.onmicrosoft.com). Global Administrator is the role the AD Connect wizard asks for; the account can do anything in the tenant, so give it a strong, unique password and keep its use limited to this setup.

Azure Portal | Create a new user
  • Specify User name and a Name :
Azure Portal | Create a new user, set user name and Name
  • On the same page, specify a Role by clicking on User :
Azure Portal | Create a new user, groups and roles.
  • Select Global administrator and click Select :
Azure Portal | Create a new user, group selection
  • Now we can click on Create.
  • Go back to the All users view, select the AD Connect user and click Reset password :
Azure Portal | Reset password.
  • Click Reset password :
Azure Portal | Reset password window.
  • Note the temporary password, then sign in with the new account :
Microsoft azure | sign in to continue to microsoft azure.
  • And set a secure password :
Microsoft azure | update your password

AD Server

AD Connect

Download

Now we need to install and configure Azure AD Connect. This software synchronizes our local AD users to Azure AD.

It needs to be installed only once, on a domain-joined server (here, the AD server).

Azure Portal | Azure AD Connect Menu
  • Click on the Download Azure AD Connect link :
Azure Portal | Download Azure AD Connect

Installing AD Connect

  • Run the .exe on your Active Directory server. Accept the license and click on Continue :
Azure AD Connect Installation | Welcome to Azure AD Connect
  • You can choose express settings or Customize if you want to specify custom parameters :
Azure AD Connect Installation | Express Settings
  • Then click on Install :
Azure AD Connect Installation | Install required components
  • Select Password Hash Synchronization :
Azure AD Connect Installation | User sign-in
  • Use the credentials of the AD Connect account created earlier :
Azure AD Connect Installation | Connect to Azure AD.
  • Click on Add Directory :
Azure AD Connect Installation | Connect your directories.
  • Enter the local AD administrator credentials :
Azure AD Connect Installation | AD forest account.
  • Once done, click on Next :
Azure AD Connect Installation | Connect your directories.
  • Check Continue without matching UPN (the warning appears because std.local is not a domain verified in Azure AD; the next section adds the tenant's domain as an alternative UPN suffix so that RDS users get a sign-in name that matches on both sides) :
Azure AD Connect Installation | Azure AD sign-in configuration.
  • Synchronize specific OUs or synchronize all :
Azure AD Connect Installation | Domain and OU filtering.
  • Click Next :
Azure AD Connect Installation | Uniquely identifying your users.
  • Select to Synchronize all users and devices :
Azure AD Connect Installation | Filter users and devices.
  • Select Password hash :
Azure AD Connect Installation | Optional features.
  • Finally, check Start the synchronization… and run Install :
Azure AD Connect Installation | Ready to configure.
  • After few seconds it's done :
Azure AD Connect Installation | Configuration complete.

Add Primary Azure Domain to your local AD

The local domain (std.local) is not routable, so Azure AD cannot use it as a sign-in name. Register the tenant's domain as an alternative UPN suffix in the forest so that RDS users can be created with a UPN that matches their Azure AD account.

  • Open the Active Directory Domains and Trusts management console :
Windows | Run domain.msc
  • Right-click Active Directory Domains and Trusts and select Properties :
Active directory domain and trusts | properties.
  • Add your primary Azure AD domain (here std2.onmicrosoft.com) as an alternative UPN suffix :
Active directory domain and trusts | Add UPN.

Create RDS Users

  • Open Active Directory Users and Computers management console :
Windows | Run dsa.msc
  • Create a New User :
Active directory users and computers | Creating new user
  • In the user logon name drop-down, select the Azure domain suffix added earlier :
Active directory users and computers | New Object
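The same three steps (UPN suffix, user creation, synchronisation) from an elevated PowerShell on the AD server, as an added example that is not part of the original guide. It uses the tenant domain std2.onmicrosoft.com from this guide; the user name and display name are placeholders, and the final Start-ADSyncSyncCycle must be run on the server where Azure AD Connect is installed.

```powershell
# Added example: GUI steps above done with the ActiveDirectory and ADSync modules.
# std2.onmicrosoft.com is the tenant domain used in this guide; rds.user is a placeholder.
Import-Module ActiveDirectory

$AzureSuffix    = 'std2.onmicrosoft.com'   # tenant domain used in this guide
$SamAccountName = 'rds.user'               # placeholder user
$Upn            = "$SamAccountName@$AzureSuffix"

# 1. Register the tenant domain as an alternative UPN suffix on the forest
#    (Active Directory Domains and Trusts > Properties > UPN Suffixes).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $AzureSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $AzureSuffix }
}

# 2. Create the RDS user with a UPN that matches the Azure AD sign-in name.
#    Azure AD would otherwise replace a non-verified suffix such as @std.local with
#    @std2.onmicrosoft.com on its side, leaving the on-premises and cloud names different.
$Password = Read-Host -AsSecureString -Prompt "Initial password for $Upn"
if (-not (Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'")) {
    New-ADUser -Name 'RDS User' `
               -SamAccountName $SamAccountName `
               -UserPrincipalName $Upn `
               -AccountPassword $Password `
               -Enabled $true
}

# 3. Push the change to Azure AD now instead of waiting for the next 30-minute cycle
#    (run this part on the server where Azure AD Connect is installed).
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta

# 4. Check: list every account that already carries the routable suffix.
Get-ADUser -Filter "UserPrincipalName -like '*@$AzureSuffix'" |
    Select-Object SamAccountName, UserPrincipalName
```

The check at the end is the one to run after adding any new RDS user: an account whose UPN still ends in @std.local will appear in Azure AD under a different name than the one the user types at the RD Web sign-in.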

Azure AD (part II)

Go back to the Azure portal to enable MFA.

Enable MFA

  • From All users menu, click on Multi-Factor Authentication :
Azure Portal | Multi Factor authentication link
  • Select the users you want to enable for Multi-Factor Authentication and click Enable. The per-user MFA state becomes Enabled: the user completes registration at the next interactive sign-in (see the RDS User section below). Registration must be done before the first RDS connection, because with the NPS extension's default setting a user who is not enrolled for MFA is simply rejected :
Azure Portal | Enable MFA for user
  • Confirm by clicking enable multi-factor auth :
Azure Portal | enable multi-factor auth window.

NPS Server (part I)

We need an NPS server. It could be installed on the AD server, but in this guide I will install it on a new virtual machine.

Disable IE Enhanced Security Configuration

I recommend temporarily disabling IE Enhanced Security Configuration, because it can prevent the Azure sign-in from working while the AzureMfaNpsExtnConfigSetup PowerShell script runs. Turn it back on once the script has completed.

  • From the Server Manager Dashboard :
Windows Server | Server manager, IE Enhanced Security Configuration link.
  • Turn it Off for Administrators :
Windows Server | IE Enhanced Security Configuration window

Installing NPS role

The NPS role can be installed with PowerShell or via the graphical user interface.

PowerShell

  • The one-line PowerShell command (note that -Restart reboots the server immediately if a restart is needed) :
PS C:\Users\administrator.STD> Install-WindowsFeature NPAS -Restart -IncludeManagementTools

GUI

  • From Server manager dashboard, Add Roles and Features :
Windows Server | Server manager dashboard, Add Roles and Features
  • Select Role-based or feature-based installation :
Add Roles and Features | Select installation type
  • Select server :
Add Roles and Features | Select destination server
  • Select Network Policy Server role :
Add Roles and Features | Select server roles
  • ♫No Feature, No Feature, No Feature for me♫ :
Add Roles and Features | Select features
  • Check Restart destination server and click on Install :
Add Roles and Features | Confirm installation selections

NPS Extension For Azure MFA

It is an add-on to an existing NPS server that adds cloud-based MFA: after NPS has processed the RADIUS request from the RD Gateway, the extension calls Azure AD directly to challenge the user with the second factor, and only then lets the Access-Accept go back to the gateway.

Installing

  • Download and install NPS Extension For Azure MFA :
NPS Extension For Azure MFA Setup | step 1
  • That's it :
NPS Extension For Azure MFA Setup |step 2

AzureMfaNpsExtnConfigSetup.ps1 script

Now we need to execute the AzureMfaNpsExtnConfigSetup.ps1 PowerShell script. It creates a self-signed certificate in the local machine store, registers its public key on the Azure AD service principal used by the extension, and stores the tenant ID in the registry (HKLM\SOFTWARE\Microsoft\AzureMfa). The certificate is valid for two years; re-run the script before it expires or every RDS logon will start failing.

  • From a PowerShell admin console :
PS C:\Users\administrator.STD> cd 'c:\Program Files\Microsoft\AzureMfa\Config'
PS C:\Program Files\Microsoft\AzureMfa\Config> .\AzureMfaNpsExtnConfigSetup.ps1
  • Install the NuGet provider if asked :
AzureMfaNpsExtnConfigSetup.ps1
  • When prompted, sign in with a tenant administrator account, for example the AD Connect account created earlier :
Azure AD | Sign in to your account
  • Get your Tenant ID from the Azure AD portal :
Azure Portal | Overview menu, tenant id
  • Paste the Tenant ID to the PowerShell admin console :
AzureMfaNpsExtnConfigSetup.ps1

Windows Firewall

It seems that Windows (I tried on Windows Server 2019) doesn't automatically open the RADIUS ports. So, create a firewall rule to allow incoming UDP 1812, 1813, 1645 and 1646. The command below allows any source address; in production, restrict remoteip to the RD Gateway's address, since the shared secret is the only thing authenticating a RADIUS client.

  • You can do it with this command :
PS C:\Users\administrator.STD> netsh advfirewall firewall add rule name="NPS" dir=in localport=1812,1813,1645,1646 remoteport=any protocol=UDP action=allow remoteip=any localip=any
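The same rule with the NetSecurity cmdlets, scoped to the gateway, followed by the checks I would run on the NPS server before touching the RDS side; this is an added example, not part of the original guide. The gateway address is a placeholder, the registry path is the one the extension documents, and the certificate filter on the tenant ID is an assumption about how the setup script names its certificate.

```powershell
# Added example: firewall rule limited to the RD Gateway, then sanity checks on
# what AzureMfaNpsExtnConfigSetup.ps1 left behind. 192.168.1.20 is a placeholder.
$GatewayIp = '192.168.1.20'   # placeholder: address of the RDS / RD Gateway server
$ruleName  = 'NPS RADIUS from RD Gateway'

# 1. Inbound RADIUS (authentication 1812/1645, accounting 1813/1646), only from the
#    gateway. The shared secret is the only thing authenticating a RADIUS client,
#    so the source restriction matters more than the port list.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
                        -Direction Inbound `
                        -Protocol UDP `
                        -LocalPort 1812, 1813, 1645, 1646 `
                        -RemoteAddress $GatewayIp `
                        -Action Allow | Out-Null
}
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter |
    Select-Object @{ n = 'Rule'; e = { $ruleName } }, RemoteAddress

# 2. Tenant ID written by the setup script (documented registry key of the extension).
#    If TENANT_ID is empty the extension never calls Azure and every request is refused.
$mfa = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
"Tenant ID          : $($mfa.TENANT_ID)"
"REQUIRE_USER_MATCH : $($mfa.REQUIRE_USER_MATCH)   (empty or TRUE = users not enrolled for MFA are denied)"

# 3. The self-signed certificate registered in Azure AD expires two years after the
#    script ran. Filtering on the tenant ID in the subject is an assumption; adjust
#    the filter if your certificate was issued with a different name.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$($mfa.TENANT_ID)*" } |
    Select-Object Subject, NotAfter, Thumbprint

# 4. NPS (service name IAS) must be running and bound to the RADIUS ports.
Get-Service IAS | Select-Object Status, StartType
Get-NetUDPEndpoint -LocalPort 1812, 1813, 1645, 1646 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort
```

Put the NotAfter date from step 3 in your calendar: the extension gives no warning before the certificate expires.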

RDS Server

  • Open the Remote Desktop Gateway Manager :
Windows | Run, Open, tsgateway.msc
  • Right click on RDS (local), then Properties :
Windows | RD Gateway Manager, properties menu
  • In the RD CAP Store tab, select Central server running NPS, then Add your NPS Server :
Windows | RD Gateway Manager, RDS properties, RD CAP Store
  • Enter a shared secret; it is the RADIUS secret shared between the RDS and NPS servers, and must be entered identically when creating the RADIUS client on the NPS side :
Windows | RD Gateway Manager, Shared secret
  • Open NPS management console :
Windows | Run, Open, nps.msc
  • From the NPS management console, expand RADIUS Clients and Servers, select Remote RADIUS Server Groups, then do a right click on TS GATEWAY SERVER GROUP and Properties :
Windows | NPS console, Remote RADIUS server groups.
  • Select the NPS server and then click Edit :
TS GATEWAY SERVER GROUP Properties, general tab
  • In the Load Balancing tab, raise the timeouts: the default of 3 seconds is far too short for a user to pick up the phone and approve the push. Set both "Number of seconds without response before request is considered dropped" and "Number of seconds between requests when server is identified as unavailable" to 30-60 seconds :
Edit RADIUS Server, load balancing tab
  • Still from the NPS management console, expand Policies > Connection Request Policies, then do a right click on TS GATEWAY AUTHORIZATION POLICY and Properties :
NPS Console | TS GATEWAY AUTHORIZATION POLICY, properties
  • From the Conditions tab, add a condition that always matches :
NPS Console | TS GATEWAY AUTHORIZATION POLICY, properties, Conditions
  • Select Day and Time Restrictions and click Add :
NPS Console | TS GATEWAY AUTHORIZATION POLICY, properties, Conditions, Day and time restriction.
  • Permit every time and validate with OK :
NPS Console | TS GATEWAY AUTHORIZATION POLICY, properties, Conditions, Day and time restrictions.
  • Remove NAS Port Type condition :
NPS Console | TS GATEWAY AUTHORIZATION POLICY, properties, Conditions, remove NAS port type.
  • Now from the Settings tab, click Authentication and check that the policy is configured to Forward requests to the following… (the TS GATEWAY SERVER GROUP, i.e. our NPS server) :
NPS Console | TS GATEWAY AUTHORIZATION POLICY, properties, Settings, authentication.

NPS Server (part II)

  • Open NPS management console :
Windows | Run, Open, nps.msc

Register server in Active Directory

  • Register the NPS server in Active Directory (this lets NPS read users' dial-in properties). Right-click NPS (Local), then click Register server in Active Directory :
NPS Console | Register server in active directory
  • Click OK twice.

Create Radius Client

  • Still from NPS management console, right-click RADIUS Clients and click New to create a RADIUS Client :
NPS Console | RADIUS client, new.
  • In the New RADIUS Client window, provide a Friendly name (anything you want) and the IP address or DNS name of the RDS server. Enter the same shared secret that you used before on the RDS server, then click OK to validate :
NPS Console | New RADIUS Client Settings

Create Network Policy

  • Now expand Policies > Network Policies. Right click Connections to other access servers policy and select Duplicate Policy :
NPS Console | Network policies
  • Right click Copy of Connections to other access servers, and click Properties :
NPS Console | Network policies Properties
  • In the policy window, set a Policy name, enable the policy and select Grant access :
NPS Console | RDG_CAP
  • In the Conditions tab, check that you have a condition that always matches :
NPS Console | RDG_CAP Conditions
  • In the Constraints tab, check Allow clients to connect without negotiating an authentication method. This is required because the RD Gateway has already verified the user's password itself: the RADIUS request it sends carries the user identity but no credentials, and the NPS extension only needs that identity to trigger the second factor in Azure AD :
NPS Console | RDG_CAP Constraints
  • Click No :
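The RADIUS client step from the command line, plus an export of the resulting NPS configuration, as an added example that is not part of the original guide. The gateway address and friendly name are placeholders; the shared secret is read at run time so that it never ends up in a script file or the shell history, and the policy names searched for at the end are the ones shown in this guide's screenshots.

```powershell
# Added example: NPS console > RADIUS Clients > New, done with netsh nps,
# then a review of the whole configuration. 192.168.1.20 and RDS are placeholders.
$GatewayIp  = '192.168.1.20'   # placeholder: RDS / RD Gateway server
$ClientName = 'RDS'            # friendly name, anything you want

# Must be exactly the secret typed into RD Gateway Manager (RD CAP Store tab).
$Secret = Read-Host -Prompt 'RADIUS shared secret (same as on the RD Gateway)'

# Register the gateway as a RADIUS client.
netsh nps add client name="$ClientName" address="$GatewayIp" state="enable" sharedsecret="$Secret"

# Confirm what NPS now knows about its clients (secrets are not displayed).
netsh nps show client

# Connection request policies and network policies are easier to review as a whole:
# export the configuration. exportPSK=YES writes the shared secrets in clear text,
# so keep the file out of source control and delete it when done.
$backup = Join-Path $env:USERPROFILE 'nps-config.xml'
netsh nps export filename="$backup" exportPSK=YES

# Quick check that the two policies configured in this guide are present.
Select-String -Path $backup -Pattern 'RDG_CAP', 'TS GATEWAY AUTHORIZATION POLICY' |
    Select-Object LineNumber, Line
```

The export is also the fastest way to rebuild the NPS server: netsh nps import restores clients and policies in one step, secrets included.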

RDS User

Android Device / Microsoft Authenticator App

Microsoft Authenticator is an Android and iOS app. It provides the second factor: the sign-in request is pushed to the phone and the user approves it there.

Install the app from the Google Play Store or the Apple App Store.

Azure AD | Sign In
  • Enter password :
Azure AD | Enter Password
  • Tap Next :
Azure AD | Help us protect your account
  • Tap Next :
Azure AD | Keep your account secure
  • Tap Pair your account to the app :
Azure AD | Pair your account to the app by clicking this link

Check default sign-in method

We need to check that the default sign-in method is Microsoft Authenticator (push notification). The NPS extension triggers whatever the user's default method is, and the Remote Desktop client offers no place to type a code: a push notification can be approved on the phone, but an SMS code cannot be entered anywhere, so the RDS connection would fail.

Microsoft mysignins login prompt
  • From Security info menu, check that Microsoft Authenticator is set as default sign-in method :
Microsoft mysignins Security info

RDS Client

  • Now connect to your RD Web Access server and sign in with the user's UPN (the one matching the Azure AD account) :
Windows | RDS Web interface, portal
  • Click RDS shortcut :
Windows | RDS Web interface, Remote App and Desktops

Install certificate

The RD Gateway in this lab uses a self-signed certificate, so the client must be told to trust it. This is acceptable for a lab only: in production, use a certificate issued by a CA the clients already trust, and never install an unknown certificate as a trusted root.

  • If you get the message «This computer can't verify the identity of the RD Gateway», click View Certificate… :
Remote Desktop Connection, This computer can't verify the identity
  • Go to the Details tab, and click Copy to File…
Certificate Details
  • Click Next :
Certificate Export Wizard | Welcome to the certificate export wizard
  • Check Include all certificates in the… :
Certificate Export Wizard | Cryptographic Message Syntax Standard
  • Export and save the certificate :
Certificate Export Wizard | File to export
  • Click Finish :
Certificate Export Wizard | Completing the certificate export wizard
  • Right-click on the freshly exported certificate and click Install Certificate :
Windows | Install certificate
  • Click Next :
Certificate Import Wizard | Welcome to the certificate import wizard
  • Select Place all certificates in the following store and Browse :
Certificate Import Wizard | Place all certificates in the following store
  • Select the Trusted Root Certification Authorities store :
Certificate Import Wizard | Select certificate store
  • Click Next :
Certificate Import Wizard | Place all certificates in the following store
  • Click Finish :
Certificate Import Wizard | Completing the certificate import wizard
  • Click Yes :
  • Enter your local domain credentials :
Windows | RDS Web interface, RDS app, Enter your credential
  • Check your Microsoft Authenticator app on your phone, if everything went fine, it will ask to approve connection :
Microsoft Authenticator | New Sign In Request

Troubleshooting

  • I receive an SMS but Microsoft Authenticator doesn't challenge me : see Check default sign-in method.
  • Event Viewer logs to check in case of trouble :
    • RDS server (Applications and Services Logs > Microsoft > Windows > TerminalServices-Gateway) :
    • Windows RDS event viewer
    • NPS server (Security log for the NPS decision, Applications and Services Logs > Microsoft > AzureMfa for the extension) :
    • Windows NPS event viewer
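The same logs queried from PowerShell, as an added example that is not part of the original guide. It runs on the NPS server (the RD Gateway query at the end is meant for the RDS server). Event IDs 6272/6273/6274 are the standard NPS audit events in the Security log; the AzureMfa channel names are the ones documented for the NPS extension, and the script lists the channels first in case yours differ.

```powershell
# Added example: last hour of RDS + MFA logon traces. Run on the NPS server;
# run section 3 on the RDS server.
$since = (Get-Date).AddHours(-1)

# 1. NPS decision, Security log: 6272 granted, 6273 denied, 6274 discarded.
#    A 6273 message carries a "Reason:" line that says whether the network policy
#    or the MFA extension rejected the request.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273, 6274; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $reason = ($_.Message -split "`r?`n") | Where-Object { $_ -match '^\s*Reason:' } | Select-Object -First 1
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            Reason = $reason -replace '^\s*Reason:\s*', ''
        }
    } | Format-Table -AutoSize
# If nothing comes back at all, NPS auditing is switched off; enable it with:
#   auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

# 2. Azure MFA NPS extension logs (Applications and Services Logs > Microsoft > AzureMfa).
#    Channel names as documented for the extension; the listing shows what exists locally.
Get-WinEvent -ListLog 'Microsoft-AzureMfa*' -ErrorAction SilentlyContinue |
    Select-Object LogName, RecordCount
foreach ($log in 'Microsoft-AzureMfa-AuthZ/AuthZAdminCh', 'Microsoft-AzureMfa-AuthZ/AuthZOptCh') {
    Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message | Format-List
}

# 3. RD Gateway side (run on the RDS server): whether the CAP check came back,
#    and for which user and client address.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TerminalServices-Gateway/Operational'; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

Read the three sections in order: no 6272/6273 at all means the RADIUS request never reached NPS (firewall or shared secret); a 6273 with no AzureMfa entry means the network policy refused the user before the extension ran; an AzureMfa entry followed by 6273 means Azure AD itself denied or timed out the second factor.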

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
