Friday, April 25, 2014

Using Windows Server 2012 R2 RD Gateway with Azure Multifactor Authentication

I co-authored an article on setting up Windows Server 2012 R2 RD Gateway secured with Two Factor Authentication using Azure Multifactor Authentication (MFA).

Read it here:



  1. Have you got this working when you have a separate RDS broker server? We are trying to do this, but Azure MFA sends us two text messages as it authenticates with the broker server and then the session host server.

  2. Yes, I have this running in multiple environments with multiple dedicated RD Connection Broker and RD Session Host servers. There should not be a second authentication request. Do you also get a second request when not using MFA? It might be related to certificates in the RDS environment.

  3. Hi Freek - Thank you for your response. We don't get the second request when not using MFA. All components are using a third party wildcard SSL certificate.

    It seems that the problem is that the client passes RAP in NPS, then it goes to MFA for CAP and prompts us for an OTP, and then it connects to the broker. When it has connected to the broker, it repeats this process and goes back to MFA for CAP when connecting to the session host.

    It seems that once it has authenticated against the broker it should then trust that authentication and pass you through to the session host?

    Do you have any idea what we have configured incorrectly?


  4. This comment has been removed by the author.

  5. Have you ever attempted this with another Multi-Factor vendor? I'm attempting to set up an RD Gateway environment using Symantec's multi-factor solution, and the logs on that server combined with a Wireshark trace make me believe that the RD Gateway server isn't forwarding the password attribute.