Comments on The Microsoft Platform: Securing RD Gateway with MFA using the new NPS Extension for Azure MFA! (blog by Freek Berson)

Anonymous, 2018-06-16 19:56 +02:00
Now MFA works, but I get the below error from the RDG server.
The RADIUS Proxy received a response from server 16.10.1.7 with an invalid authenticator.

Anonymous, 2018-06-16 16:10 +02:00
Sorry, this error is from the RDG server.

Anonymous, 2018-06-16 16:09 +02:00
I followed the article but it is still not working.
I get the below error on the MFA extension server.

"Network Policy Server discarded the request for a user.

Contact the Network Policy Server administrator for more information.

User:
 Security ID: NULL SID
 Account Name: VDI\TestSync
 Account Domain: -
 Fully Qualified Account Name: -

Client Machine:
 Security ID: NULL SID
 Account Name: -
 Fully Qualified Account Name: -
 Called Station Identifier: UserAuthType:PW
 Calling Station Identifier: -

NAS:
 NAS IPv4 Address: -
 NAS IPv6 Address: -
 NAS Identifier: -
 NAS Port-Type: Virtual
 NAS Port: -

RADIUS Client:
 Client Friendly Name: -
 Client IP Address: -

Authentication Details:
 Connection Request Policy Name: TS GATEWAY AUTHORIZATION POLICY
 Network Policy Name: -
 Authentication Provider: RADIUS Proxy
 Authentication Server: 16.10.1.7
 Authentication Type: -
 EAP Type: -
 Account Session Identifier: -
 Reason Code: 117
 Reason: The remote RADIUS (Remote Authentication Dial-In User Service) server did not respond."

Anonymous, 2018-05-03 01:50 +02:00
You can achieve this by configuring an application proxy in Azure AD (requires AD Premium P1 licence).

Anonymous, 2018-05-02 22:16 +02:00
Great write-up, but is there any way to force MFA before logging into domain.com/RDweb?

This article shows that once you launch the remote app, it then prompts for the MFA, but what about doing it before even being presented with the RemoteApps?

Anonymous, 2018-02-08 07:35 +01:00
No, unfortunately. Due to our high workload we didn't have time to continue R&D, so we scrapped it. If you end up finding a solution I would love to know.

figgy1978, 2018-02-07 13:17 +01:00
Did you ever get an answer to this?

Anonymous, 2017-12-04 15:19 +01:00
Hello, we have a problem with MacOS remote desktop clients. All other clients (Windows, Android, iPhone, iPad) are working, but not the MacOS. I get an MFA request, but after that the screen hangs on connecting. When I disable the MFA extension, it also works correctly on MacOS.
Anyone have the same problem?

Subversive, 2017-10-19 20:10 +02:00
This option feels super clunky to end users. Sure would be nice if there was a way to configure MFA on the initial web login to the RDS farm.
Users are familiar with that, and most of the apps that launch don't provide any kind of visual prompt that an MFA request is being sent.

Anonymous, 2017-09-13 00:44 +02:00
Hi Freek,

Great article, I have used it for one customer already and it is working like a dream!

I have another customer wanting to use MFA in their RDS farm; however, they only want to enforce MFA for a group of remote users to save money on licencing.

Is it possible to target MFA to an AD group? Or if I do not enable MFA for some users in Azure, will it block the connection request?

RobC_CTL, 2017-08-16 13:51 +02:00
Same issue here, did you manage to resolve it?

Anonymous, 2017-08-16 12:44 +02:00
The policies are configured as shown in the screenshots :(

Anonymous, 2017-08-14 12:21 +02:00
To add to this, from what I can figure out, one request comes to the RDG; however, when it hits the NPS service on the RDG server the spam has already begun, so something is happening which causes the RDG to send multiple requests to the NPS service?

Anonymous, 2017-08-14 11:54 +02:00
Hello,

I've tried this setup; however, when I try to log in the session times out.

On the NPS server I'm getting "NPS Extension for Azure MFA: Radius request is missing NAS Identifier and Nas IpAddress attribute.Populating atleast one of these fields is recommended"

It seems like the request is being sent over and over again (something like 100 times per second).

Anyone have any idea where I went wrong?

CloudTech72, 2017-08-12 18:59 +02:00
Hi Paul,
I am looking to do this but am unsure of how to configure the "load balancing" settings on the Remote RADIUS Server Groups on the NPS servers with the MFA extension.

Have you set both RADIUS (RD Gateway) servers as "Priority 1" and "Weight 50" within the Remote RADIUS Server Groups on the NPS servers with the MFA extension?

I am unclear as to whether the NPS server knows that the request has come from e.g. Gateway1 and will return its response to Gateway1, or if it will try sending to either Gateway1 or Gateway2 if they are the same priority and weight?

Any advice would be much appreciated.

Anonymous, 2017-08-08 00:03 +02:00
Great guide, thanks.

The one thing I struggled with was the authentication default option: if it's set to send you a code or similar, it bombs out. The default must be something you can authorize, such as using the app.

Also, the NPS server needs a NAP to authorize the users, otherwise the NPS plugin won't bother to send the request on to Azure.

PaulM, 2017-07-30 11:26 +02:00
If you are setting up High Availability with 2 x NPS servers and 2 x RD Gateway, ensure you create 2 policies for 'MFA Server Request No Forward' and 'From RDGW', one for each RADIUS client.

Michael Hall, 2017-07-28 17:52 +02:00
Shout Out :-)

Michael Hall, 2017-07-28 17:29:36 +02:00
12. When you make changes to NPS or RD Gateway, restart the NPS service; it restarts both.

13. On the MFA server under RADIUS Authentication on the Clients/Target tab, the client is the RDS Gateway and the Target is the NPS server. This can be confusing. A lot of times it is the same server.

14. Error: received response from server with invalid response authentication = just know this indicates a wrong shared secret.
You set up the shared secrets in multiple places. Check to make sure they are all the same.
NPS Snap-In -> RADIUS -> Clients
NPS Snap-In -> RADIUS -> Server Group
MFA Server -> Target/Client tab (so there are two places here)
Server Manager -> Tools -> RD Gateway -> CAP policy

15. Use the FQDN when you RDP. Use the FQDN when you specify the RD Gateway name on the Advanced tab and on the General tab. Use the FQDN everywhere.

Step 3 (Optional): Setting up the RDWeb URL to be published through ADFS Web Application Proxy or Azure Active Directory Application Proxy.

The secret is you have to use 2 URLs, RD Web and RPC, and here is the link:
https://technet.microsoft.com/library/dn765486.aspx

v-halmic@microsoft.com

Michael Hall, 2017-07-28 17:29:24 +02:00
Be aware of the two places you configure this solution:
 1. Server Manager -> Remote Desktop Services -> Overview -> Tasks -> Edit Deployment
 2. Server Manager -> Tools -> Remote Desktop Services -> Remote Desktop Gateway

To configure RDS without MFA/RADIUS, in the Gateway Manager you have to have a CAP and a RAP or it won't work. You have to have one of each. It is not in the documentation. Also, when you go to Gateway Manager -> Policies -> Connection Authorization Policies -> Configure Central RD CAP properties, you want the radio button to be on "Local server running NPS". (Later, after you verify RDS is working successfully through the gateway, you will come back and change this to "Central server running NPS" and put in the MFA server IP.)

If you get certificate errors when you try to RDP, this indicates you don't have the Gateway SSL cert installed on your client workstation properly.

This is where you make the RDS certificates: Server Manager -> Remote Desktop Services -> Overview -> Tasks -> Edit Deployment. Make sure the status on all 4 says OK. You have to highlight each one and hit Apply. Go down the list and hit Apply for all 4. This is a known issue.

Also turn off your firewall for every computer in the solution till you get it working.

If you get an error that your user account is not listed in the RD Gateway permission list, or that you specified the remote computer in NetBIOS format but the RD Gateway is expecting FQDN or IP, set your Resource Authorization Policy in NPS to all computers: NPS -> Policies -> Resource Authorization Policies -> double-click Policy -> Network Resources -> bottom radio button.

Once you set up RDS successfully, test it a few ways. Go to RD Web Access and connect to a published app like Calculator. Verify you can connect to a session host in your collection through MSTSC with the RD Gateway enabled on the Advanced tab. Then set up RADIUS/MFA/NPS.

Step 2: Setting up on-premise MFA server/RADIUS/NPS

2a. How to download and install MFA server from the Azure portal:
http://www.deployazure.com/security/identity/azure-multi-factor-authentication-server-with-remote-desktop-gateway-part-1/

2b. How to configure MFA server to work with RADIUS requests:
https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-rdg

Here are some troubleshooting steps:

 1. There is a Test User button available.
 2. Always choose phone call for testing (there are certain ways that don't work: one-way text, two-way text, SMS, etc.).
 3. Make sure the Connection Request Policies are enabled and the From MFA policy HAS to be on TOP. Sometimes customers copy a disabled policy.
 6. In NPS, the Central radio button should be selected and it should be the IP of your MFA server. This can be confusing. If you just want RDS with no RADIUS and MFA, then select the top radio button. And make sure you have a CAP and a RAP. You have to have one of each for just RDS with no MFA.
 8. There are MFA Server logs, at the bottom of the GUI, for when you get stuck. MultiFactorAuthSvc is the main log and there is a MultiFactorAuth_RADIUS log available. You read the logs from the bottom up. Google the errors in the logs along with the name MFA or PhoneFactor (company we bought).
 10. In NPS here you have to configure a RADIUS server and client. This can be confusing. Just know the MFA Server is both the client and server. The RADIUS Server is a group with the MFA server in it.

Michael Hall, 2017-07-28 17:28:09 +02:00
I work at Microsoft boii v-halmic@microsoft.com

Setting up RDS with NPS Extension to use cloud-based MFA, not on-premise MFA Server

This article left out two important steps. You have to make a Network Policy on the NPS server that is alone (not on the RD Gateway server). You have to make a policy to allow access.

Also, every time you create a RADIUS client or server on both servers you have to set up a shared secret on the Authentication/Accounting tab. His article doesn't emphasize this. You set up the shared secrets in 5 places:

On the RD Gateway server when you configure the Central Network Policy Server. It's Server Manager -> Tools -> Remote Desktop Services -> Remote Gateway
On the RD Gateway server when you configure the RADIUS Client
On the RD Gateway server when you configure the RADIUS Server
On the NPS server (that's alone, no RD Gateway) when you configure the RADIUS Client
On the NPS server (that's alone, no RD Gateway) when you configure the RADIUS Server

Also, the friendly names don't matter at all.

Step 1: Setting up RDS (by itself, no MFA/RADIUS)

To set up RDS to use MFA:

 1. First set up the following:
 a. RD Connection Broker
 b. RD Gateway
 c. RD Licensing Manager
 d. RD Session Host
 e. RD Web Access

This link shows you how to configure all 5 components:
https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-deploy-infrastructure

Here are some troubleshooting steps:

When you go to test this, make sure you go to Start -> Run -> MSTSC, go to the Advanced tab and use the RD Gateway. Also make sure you use the FQDN on the Advanced tab and General tab.

You have to export the RD Gateway SSL certificate that you make and install it on the Windows 10 workstation Current User Trusted Root store (if the customer has 4 identical certificates and you don't know which one is the Gateway cert, just get all 4):
 1. On the Gateway server, Windows Key + R -> Run -> MMC -> File -> Add -> Certificates -> Local Computer -> right-click certificate -> Export
 2. On the Windows 10 workstation, Windows Key + R -> Run -> MMC -> File -> Add -> Certificates -> My user account -> right-click certificate -> Trusted Root Certificate store -> Import
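Several comments in this thread (the "invalid authenticator" error from the RDG server and Michael Hall's item 14) come down to a shared-secret mismatch between the RD Gateway and the NPS server. As an added illustration that is not part of the original post or any comment, this Python script computes and verifies the RADIUS Response Authenticator defined in RFC 2865 to show why a secret mistyped on either side produces exactly that error; the secrets, the Reply-Message attribute and the Request Authenticator are constructed values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2865 section 3)
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3


def build_attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value (Length covers the 2-byte header)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_response(code: int, identifier: int, request_authenticator: bytes,
                   attributes: bytes, secret: bytes) -> bytes:
    """Build a RADIUS response. Per RFC 2865 the Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), so the responder
    can only produce it if it holds the same shared secret as the client."""
    length = 20 + len(attributes)
    header = struct.pack("!BBH", code, identifier, length)
    response_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + response_auth + attributes


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Recompute the Response Authenticator with our copy of the shared secret and
    compare it to the one in the packet. A mismatch is what NPS reports as
    'received a response from server ... with an invalid authenticator'."""
    if len(packet) < 20:
        return False
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    received_auth = packet[4:20]
    attributes = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attributes + secret).digest()
    return hmac.compare_digest(received_auth, expected)


def demo_shared_secret_mismatch() -> dict:
    """Constructed exchange: the NPS/MFA side signs with its secret; the gateway
    checks once with the matching secret and once with a mistyped one."""
    request_auth = os.urandom(16)            # Request Authenticator from the Access-Request
    identifier = 0x2A
    attrs = build_attribute(18, b"Access granted")  # Reply-Message (type 18), constructed
    server_secret = b"correct-secret"        # configured on the responding NPS server
    gateway_secret = b"c0rrect-secret"       # mistyped on the RD Gateway RADIUS server entry
    accept = build_response(ACCESS_ACCEPT, identifier, request_auth, attrs, server_secret)
    return {
        "matching_secret": verify_response(accept, request_auth, server_secret),
        "mismatched_secret": verify_response(accept, request_auth, gateway_secret),
    }
```

Because the digest covers the whole response, the same check also rejects any response whose attributes were altered in transit; it proves only that the responder knew the shared secret, which is why each RADIUS client should have its own long, unique secret.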