Thursday, April 13, 2017

Securing RD Gateway with MFA using the new NPS Extension for Azure MFA!

Introduction
Back in 2014 I co-authored an article together with Kristin Griffin on how to secure RD Gateway with Azure MFA. This article was based on putting an Azure MFA Server (previously Phone Factor) in place in your on-premises environment (or Azure IaaS) to act as the MFA Server and enforce multi-factor authentication for all sessions coming through RD Gateway. You can get the article here: Step By Step – Using Windows Server 2012 R2 RD Gateway with Azure Multifactor Authentication. Although this is a great solution and I have successfully implemented it for various customers, the big downside has always been the mandatory MFA Server. As part of the setup, a server in your Active Directory had to be installed running the Azure MFA Server component to be able to inject Azure MFA into the login sequence. Not only did you have to install and maintain this MFA Server, syncing and managing users (and in most cases you would set up 2 servers to be HA), but it was also yet another MFA provider for your end users. MFA Server comes with a self-service portal to allow users to do their own enrollment and it can leverage the same Azure Authenticator App. However, if your end users used Azure MFA to secure e.g. Office365 or other SaaS services, that would be a different MFA provider, with a different self-service signup sequence etc.

Introducing the NPS Extension for Azure MFA
So what has changed? A few days ago Microsoft announced the availability of the Azure MFA Extension for NPS (preview)! Read about the announcement where Alex Simons, Director of Program Management of the Microsoft Identity Division and Yossi Banai, Program Manager on the Azure Active Directory team talk about this new (preview) feature here:

Azure AD News: Azure MFA cloud based protection for on-premises VPNs is now in public preview!

Although the article specifically talks about securing a VPN, I figured the same would apply to secure Remote Desktop Gateway. And it turned out it does! In my lab I was able to successfully secure RD Gateway with Azure MFA using this new Extension for NPS! In this article I want to take you through the setup process and show the end result.

Prerequisites
There are a few prerequisites to use the NPS extension for Azure MFA, these are:

- License
For this to work you obviously need a license for Azure MFA. This is included with Azure AD Premium, EM+S, or it can be based on an Azure MFA subscription.

- NPS Server
A Server is needed where the NPS role is installed. This needs to be at least Windows Server 2008 R2 SP1 and can be combined with other roles, however it cannot be combined with the RD Gateway role itself.

- Libraries
The two libraries below are needed on the NPS server. Although Microsoft guidance says the NPS Extension installer performs those installations if they are not in place, it doesn’t. Be sure to download and install these components prior to installing the NPS Extension.

1 Microsoft Visual Studio 2013 C++ Redistributable (X64)
2 Microsoft Azure Active Directory Module for Windows PowerShell version 1.1.166

- Azure Active Directory

Obviously Azure Active Directory has to be in place, and users who need access need to have been enabled to use MFA.

Installing
As mentioned in the introduction, I have written an article on securing RD Gateway with Azure MFA Server before. As you read through the installation & configuration process, you’ll see similarities with that article. That is not a coincidence: the same basic principles of RD Gateway, RD CAP, RADIUS clients, Remote RADIUS Servers et cetera also apply to this setup.

Installing and configuring AAD & AAD Sync
Note, if you already have AAD & AAD Sync in place you can obviously skip this paragraph.
First things first, you need Azure Active Directory as a prerequisite. I won’t go over the entire process of setting up ADDS and AAD because there are many guides out there that explain this process very well. Basically you create a new AAD using the Azure Classic portal (or PowerShell), similar to below.

With AAD in place, you can then start to sync your users from an on-premises ADDS (or, as in my case, one that is running on Azure IaaS). To manage the AAD you can already use the new Azure Portal as shown below, although do be aware that this feature is still in preview in this portal. You can also use this portal to get a link to the most recent version of Microsoft Azure Active Directory Connect, which you need to be able to sync users from ADDS to AAD.

Again, I won’t go into great detail explaining the installation & best practices of installing AAD Connect. If you need detailed guidance on that part, check Connect Active Directory with Azure Active Directory. Basically what you do is run the installer on a server that is part of your ADDS domain, and the only thing you will have to provide are the credentials of an AAD account and an ADDS account with the appropriate permissions to access both domains.

Once you have successfully finished the setup of AAD Connect and the initial synchronization took place, the portal will reflect this as shown below.

With the initial synchronization complete, you can now start to assign Azure MFA to your users. To do this, open the All Users section in the Azure Portal and click on the Multi-Factor Authentication link.

That will take you to the Azure MFA Management Portal. In the screenshot below you can see the steps to enable and enforce Azure MFA for my test user called rdstestmfa.


Installing and configuring the NPS Extension for Azure MFA
Now that we have AAD and AAD Sync in place, let’s drill down into the actual installation of the NPS Extension for Azure MFA! The first step is to download the latest version of the installer, which can be found here: NPS Extension for Azure MFA.

The NPS Extension needs to be installed on a (virtual) server that is part of the ADDS domain and that is able to reach the RD Gateway. In my case I used an out-of-the-box Windows Server 2016 VM in Azure IaaS, but it can be anything from Windows Server 2008 R2 SP1 or above. Before installing the Extension, 3 other requirements need to be in place.

1. The NPS Server role needs to be installed. Open Server Manager and add the role called Network Policy and Access Services.

2. The library Microsoft Visual Studio 2013 C++ Redistributable (X64) needs to be installed. Microsoft documentation says this library is installed automatically as part of the NPS Extension installer, but the current Preview version 0.9.0.1 does not do this yet. You can get the download here

3. The Microsoft Azure Active Directory Module for Windows PowerShell version 1.1.166 needs to be installed. Again, Microsoft documentation says this module is installed automatically as part of the NPS Extension installer, but the current Preview version 0.9.0.1 does not do this yet. You can get that download here
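
A preflight check for the three requirements above, plus the role restriction from the Prerequisites section, as an added example (not part of the original article or of Microsoft's installer). It assumes the Windows feature names NPAS and RDS-Gateway and the module name MSOnline, and it treats the versions named in the article as minimums.

```powershell
#Requires -Version 3.0
# Added example: preflight check to run on the intended NPS server before
# starting the NPS Extension installer. Not part of the article or the installer.

function Test-NpsExtensionPrerequisite {
    [CmdletBinding()]
    param(
        # Version named in the article; treating it as a minimum is an assumption.
        [version] $MinMsolVersion = '1.1.166'
    )

    Import-Module ServerManager -ErrorAction Stop

    # Small helper so every check yields the same shape of result object.
    function New-Check([string] $Name, [bool] $Passed, [string] $Detail) {
        [pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail }
    }

    # 1. Operating system: Windows Server 2008 R2 SP1 is version 6.1.7601.
    $os = [Environment]::OSVersion.Version
    New-Check 'OS is Windows Server 2008 R2 SP1 or later' ($os -ge [version]'6.1.7601') "$os"

    # 2. The NPS role (feature name NPAS) must be installed.
    $nps = Get-WindowsFeature -Name NPAS
    New-Check 'Network Policy and Access Services installed' ([bool]$nps.Installed) "Installed=$($nps.Installed)"

    # 3. The article states NPS with the extension cannot share a server with RD Gateway.
    $rdgw = Get-WindowsFeature -Name RDS-Gateway
    New-Check 'RD Gateway role absent on this server' (-not $rdgw.Installed) "Installed=$($rdgw.Installed)"

    # 4. Visual C++ 2013 x64 redistributable, detected through the uninstall registry keys.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $vc = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft Visual C++ 2013*x64*' } |
        Select-Object -First 1
    New-Check 'Visual C++ 2013 Redistributable (x64) installed' ([bool]$vc) "$($vc.DisplayName)"

    # 5. Azure AD PowerShell module (MSOnline), highest installed version.
    $msol = Get-Module -ListAvailable -Name MSOnline |
        Sort-Object Version -Descending |
        Select-Object -First 1
    $msolOk = [bool]($msol -and $msol.Version -ge $MinMsolVersion)
    New-Check "MSOnline module $MinMsolVersion or later installed" $msolOk "$($msol.Version)"
}

# Show every check; any row with Passed = False should be fixed before running the installer.
# Test-NpsExtensionPrerequisite | Format-Table -AutoSize -Wrap
```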

Now that we have the prerequisites in place, we can start the NPS Extension installer. The setup is very straightforward: just hit Install and wait for the process to finish.


After the installation is finished, the Extension components are placed in the folder C:\Program Files\Microsoft\AzureMfa\

Now open a new PowerShell Prompt (with elevated permissions) and change the directory to C:\Program Files\Microsoft\AzureMfa\Config and run the PowerShell script called AzureMfaNpsExtnConfigSetup.ps1. The output should look similar to below.


While the PowerShell script runs, it will prompt you for the ID of your Azure AD tenant. You can find that in the Azure Portal, in the properties of your AAD domain.


The PowerShell script will prompt you to authenticate to AAD with appropriate permissions. The PowerShell script then performs the following actions (source).

- Create a self-signed certificate.
- Associate the public key of the certificate to the service principal on Azure AD.
- Store the cert in the local machine cert store.
- Grant access to the certificate’s private key to Network User.
- Restart the NPS.

This completes the installation of the NPS Extension. The final step is to connect RD Gateway to this NPS Extension to get Azure MFA into the authentication process.

It’s important to realize that installing the NPS Extension causes all authentications processed by this NPS server to go through Azure MFA. There is no way to make exceptions for specific users.

Configuring RD Gateway
With the installation of the NPS Extension complete, it’s now time to configure RD Gateway. As mentioned before, this process is very similar to what Kristin Griffin and I explained here. The first step is to configure RD Gateway to use a Central Server running NPS. To do so, open RD Gateway Manager, right click the server name, and select Properties. Now select the RD CAP Store tab, select the Central Server running NPS option and enter the IP address of the NPS Server where you previously installed the NPS Extension. Also provide a shared key and store this somewhere safe.


Now open NPS on the RD Gateway Server (not on the NPS Server that contains the NPS Extension, we’ll do that later).

Open the Remote RADIUS Server Groups and open the TS GATEWAY SERVER GROUP. Enter the IP Address of the NPS Server running the extension as a RADIUS Server, edit it and make sure the timeout settings match what is shown below.


Now go to the RADIUS clients tab and create a new radius client with a friendly name, the IP address of the NPS Server running the Extension and enter the same shared secret you used before.

Next, we need to configure two Connection Request Policies in NPS: one to forward requests to the Remote RADIUS Server Group (which is set to forward to the NPS server running the extension), and the other to receive requests coming from the MFA server, which in this setup is the NPS server running the extension (to be handled locally).

The easiest way to do this is to use the existing policy that was created when you created an RD CAP in RD Gateway. In NPS, expand the Policies section in the left side of the screen and then select Connection Request Policies. You should see a policy already created there, called TS GATEWAY AUTHORIZATION POLICY. Copy that Policy twice and rename those copies to “MFA Server Request No Forward” and “MFA Server Request Forward”.

Now edit the MFA Server Request No Forward and set the following settings, where Client IPv4 Address is the IP Address of the NPS Server running the NPS Extension. Make sure you also enable this policy.

Now edit the MFA Server Request Forward policy and set the following settings, so that this rule forwards to the TS GATEWAY SERVER GROUP. Again, make sure you also enable this policy.

And lastly, disable the existing TS GATEWAY AUTHORIZATION POLICY, and set the processing order of the rules as shown below.

Configuring NPS Server
It’s now time to configure the NPS Server running the extension to make sure it can send and receive RADIUS requests too. Open NPS on the NPS Server (not on the RD Gateway Server; we did that before).

Open the Remote RADIUS Server Groups and create a new group called RDGW. Enter the IP Address of the RD Gateway as a RADIUS Server, edit it and make sure the timeout settings match what is shown below.

Now go to the RADIUS clients tab and create a new radius client with a friendly name, the IP address of the RD Gateway Server and enter the shared secret you used before.


Go to the Connection Request Policies tab and create a new policy called To RDGW and use the source Remote Desktop Gateway. Set the condition to Virtual (VPN) and configure it to forward requests to the Remote RADIUS Server Group called RDGW that we created before. Make sure the policy is enabled. Below is what the policy should look like.


Create another policy called From RDGW and again use the source Remote Desktop Gateway. Set the condition to Client IPv4 Address and enter the IP address of the RD Gateway server. Configure it to handle requests locally. Make sure the policy is enabled. Below is what the policy should look like.

Preparing the user account for Azure MFA
Since our test user called rdstestmfa@rdsgurus.com is new to the organization, we first need to make sure that our test user is successfully configured to use Azure MFA. If your users are already configured for Azure MFA, you can obviously skip this step.

An easy way to do this is to log on to portal.office.com and sign in with the account. Since our test account was enforced to use Azure MFA, the portal will prompt us to configure MFA before we can continue. Click Set it up now to start that process.

In this case I chose Mobile App as the authentication method, downloaded the Azure Authenticator App for iOS and used that to scan the QR image on the portal. The Azure Authenticator App is available for Android, iOS or Windows Phone.

Click Done. To complete the verification, Azure MFA will now send an MFA request to the configured phone number of the user account.

The user account is now ready to use for our RD Gateway setup! If you want more detailed information on the Azure MFA Service, you can find that here: What is Azure Multi-Factor Authentication?

Testing the functionality
It’s now finally time to take a look at the end result!

You can basically use any RDP Client that has support for RD Gateway. For this scenario we’ll use the RD Web Access page. We log on to RD Web Access with our rdstestmfa@rdsgurus.com account and open the Desktop. In this case we used a Full Desktop Scenario, but these could also have been RemoteApps. The RDP Client will be launched showing the state Initiating Remote Connections.

A few seconds later, the NPS Extension will be triggered to send Azure MFA a request to prompt our user for two-factor authentication.

After pressing Verify on the Phone and without the user having to interact with the computer, the status changes to Loading the virtual machine.


And the desktop is then launched.

The end result is a great and seamless experience for the end user. It is similar to using Azure MFA Server, but this time with NPS directly contacting Azure MFA! This is a great improvement!

Eventlogs
When troubleshooting this setup, there are several Eventlogs that could come in handy.

The RD Gateway role logs events in the location:
Application and Services Logs > Microsoft > Windows > Terminal Services Gateway
Below is an example of the event that shows that the end user met the requirements of the RD CAP.

The NPS Service role logs events in the location:
Custom Views > Server Roles > Network Policy and Access Services
Below is an example of NPS granting access to a user. You can also check the Windows Security log for auditing events.

And finally, the NPS Extension logs events in the location:
Application and Services Logs > Microsoft > AzureMfa

Additionally, you can also use the Azure MFA Portal to create reports on the usage of Azure MFA.
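
To line up the logs above for a single connection attempt, the following added example (not from the original article) merges them into one timeline across both servers. The server names are placeholders, the Microsoft-AzureMfa-* channel pattern is an assumption derived from the Event Viewer path above, and 6272, 6273 and 6274 are the standard NPS audit events in the Security log.

```powershell
#Requires -Version 3.0
# Added example: merge RD Gateway, NPS and NPS Extension events into one timeline.
# Run from an admin workstation or either server; remote reads need the
# "Remote Event Log Management" firewall rules enabled on the targets.

function Get-RdgMfaTimeline {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $GatewayServer,  # RD Gateway host (placeholder name)
        [Parameter(Mandatory)] [string] $NpsServer,      # NPS host running the extension (placeholder name)
        [string]   $User,                                 # optional substring, e.g. 'rdstestmfa'
        [datetime] $Since = (Get-Date).AddMinutes(-15)
    )

    # RD Gateway operational log: shows whether the RD CAP requirements were met.
    $sources = @(
        @{ Stage = 'RD Gateway'; Computer = $GatewayServer
           Filter = @{ LogName   = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
                       StartTime = $Since } }
    )

    # NPS audit events on both servers, since the request passes through both:
    # 6272 = access granted, 6273 = access denied, 6274 = request discarded.
    foreach ($server in $GatewayServer, $NpsServer) {
        $sources += @{ Stage = 'NPS audit'; Computer = $server
                       Filter = @{ LogName = 'Security'; Id = 6272, 6273, 6274; StartTime = $Since } }
    }

    # NPS Extension channels: discovered by name pattern instead of hard-coding them.
    $mfaLogs = Get-WinEvent -ListLog 'Microsoft-AzureMfa-*' -ComputerName $NpsServer -ErrorAction SilentlyContinue
    foreach ($log in $mfaLogs) {
        $sources += @{ Stage = 'NPS Extension'; Computer = $NpsServer
                       Filter = @{ LogName = $log.LogName; StartTime = $Since } }
    }

    $events = foreach ($s in $sources) {
        # A log with no matching events raises a non-terminating error; ignore it.
        Get-WinEvent -ComputerName $s.Computer -FilterHashtable $s.Filter -ErrorAction SilentlyContinue |
            Where-Object { -not $User -or $_.Message -like "*$User*" } |
            ForEach-Object {
                [pscustomobject]@{
                    Time     = $_.TimeCreated
                    Stage    = $s.Stage
                    Computer = $s.Computer
                    Id       = $_.Id
                    Level    = $_.LevelDisplayName
                    # First line of the message is enough to see grant / deny / discard.
                    Summary  = $(if ($_.Message) { ($_.Message -split '\r?\n')[0] } else { '' })
                }
            }
    }

    # Oldest first, so the row order follows the request through the chain.
    $events | Sort-Object Time
}

# Example call (host names are placeholders):
# Get-RdgMfaTimeline -GatewayServer 'rdgw01' -NpsServer 'nps01' -User 'rdstestmfa' |
#     Format-Table -AutoSize -Wrap
```

A timeline that stops at an NPS audit event on the gateway with no matching row from the NPS server points at the RADIUS client, shared secret or Connection Request Policy configuration rather than at Azure MFA.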

Conclusion
This article ended up being over 2500 words, but I hope you find it valuable. To reiterate what is explained in the introduction: MFA Server is a great solution. The big downside, however, has always been the mandatory MFA Server, and in most cases you would set up 2 of them to be HA. The other downside is that this was yet another MFA provider for your end user. With the introduction of the NPS Extension for Azure MFA these downsides are now gone! You can now secure your RDS environment with Azure MFA without the need for MFA Server and a separate MFA provider. I really believe this is a game changer not only for this scenario, but also for all other scenarios like VPNs, websites et cetera where Azure MFA Server is currently in place. Great job by Microsoft, and I am looking forward to this Extension becoming GA!

58 comments:

  1. Great write-up thank you. I was planning to implement the on-premises auth server when this hit public preview. Do you have any idea when this might go GA?

    Replies
    1. Thanks David, glad you like it! Unfortunately I have not seen estimates on a GA date for this feature, I'm guessing it will be announced on the Enterprise Mobility Blog.

  2. I have tried to implement this on a test environment but every time I try to introduce the NPS server I get the Remote Desktop Gateway is unavailable. Any thoughts on where this might be going wrong?

    Replies
    1. Hi,

      In most cases this is due to misconfigurations on either NPS Servers (network Policies, Radius Clients etc). I would suggest to examine event logs. If you can't pinpoint the error, feel free to send me an email, happy to assist you.

  3. Hi Freek,
    Thanks very much for documenting this. I’m very new to RDGW. Just wondering what is the reason for sending the RADIUS requests backwards and forwards between the MFA-NPS and the RDGW-NPS. I set it up by just telling RDGW to use a central NPS server, installing the MFA extension on the central NPS and created a Network Policy on the central NPS server. This seems to be working correctly.

    On a side note, I’m pretty confused about how the whole RDWA/RDGW authentication process works. I’ve got the RDGW in a perimeter (DMZ) network joined to the perimeter forest. I tried creating a one way forest trust to the internal domain where the central NPS server and users are, but needed a two-way trust to get it working. I used selective auth on the trust and only allowed the RDS computer account to authenticate to the internal domain. All seems to be working ok.

    Since RDGW uses RADIUS why is domain-join required?

    I can see (in Wireshark) that the RDGW does Kerberos auth against the internal domain, hence the need for the trust. Ok so why do we need RADIUS?

    How do Kerberos and RADIUS work together?
    How do credentials get from the RDWA into the rdp file and then into the RDGW?

    Any info you can point me to would be much appreciated! Very detailed documentation seems to be lacking. As does documentation on perimeter deployments.

    Finally, this MFA NPS extension is great because it simplifies the deployment but at the moment it looks like you still need a dedicated NPS server because the extension applies in all cases so if you already have a general purpose NPS RADIUS server you probably don’t want to suddenly push all authentication through MFA. Hopefully this will be manageable via connection policies in a future release.

    Thanks again.

    Cheers,
    Rhys

  4. Hello, I have problems. When the MFA extension is disabled everything works fine. I have found the following error on the NPS server

    NPS Extension for Azure MFA: Radius request is missing NAS Identifier and Nas IpAddress attribute.Populating atleast one of these fields is recommended

    What do I do wrong?

    Replies
    2. My installation works, but I do have this same error - did you find a solution?

    3. The error:

      NPS Extension for Azure MFA: Radius request is missing NAS Identifier and Nas IpAddress attribute.Populating atleast one of these fields is recommended

      Can be safely ignored, it's a warning that should not affect the functionality

  5. Replies
    1. Hello, I still have the issue. I also tried a w2012R2 and w2106 setup. Both the same error.

  7. I'll have a look tomorrow if I remember but I think that error may be unrelated to the issue you're having. From memory I was still getting that error even after I had everything working. The error is a bit ambiguous, it's an error not a warning however it ends with a recommendation not a requirement. Confusing.

    Take a look in your security event logs, you may find something interesting from NPS.

    Cheers,
    Rhys

  8. I can confirm that MFA is working in my lab setup and I'm still seeing that error. At this stage I'd put it down to the fact that this is very much a 'preview' version of the NPS MFA plugin.

    Replies
    1. Hello, have you used the same config (Connection Request Policies, etc.) as Freek describes in this blog?

  9. No, not exactly (see my long comment further up). Have you had a look in your security event log? Also check your NPS log files. Location of these can be found under accounting settings in NPS.
    I normally set NPS to use IAS legacy log format then parse the log lines with this: http://iso.csusb.edu/tools/nps-log-interpreter

    Cheers,
    Rhys

  10. Thank you very much for a great write up.
    Can you confirm if this works if the RDGW and NPS roles are on the same server?

  11. Hi, I implemented like described and I got it working. It didn't work at first, but I think a step is missing in the writeup. When creating the RDGW Radius Server Group on the MFA NPS server, I needed to configure the shared secret. It is not described here.

  12. Hi,

    Just a question on Rds gateway version required. Will this work on 2008 server? Old OS I know, but a client is still using it.

  13. This is great and very useful. I've got it setup and working for RDG and also Linux servers using PAM_RADIUS and SSS.


    One observation though, in Event log for AzureMFa\AuthZ\AuthZAdminCh, for each login I get an Event ID 4 Critical stating that


    "NPS Extension for Azure MFFA: Radius request is missing NAS Identifier and Nas IPAddress attribute. Populating atleast one of these fields is recommnded"


    Replies
    1. The error:

      NPS Extension for Azure MFA: Radius request is missing NAS Identifier and Nas IpAddress attribute.Populating atleast one of these fields is recommended

      Can be safely ignored, it's a warning that should not affect the functionality

  14. Fantastic article, our RD Gateway services provide RDP to all kinds of servers and workstations. Is there a way to only enable MFA with specific servers, or users?

  15. Great article but I get the below error. Any ideas?

    On running the PowerShell Script .\AzureMfaNpsExtnConfigSetup.ps1 I get the below error;

    New-MsolServicePrincipalCredential -AppPrincipalId 981f26a1-7f43-403b-a875-f8b09b8cd720 -Type asymmetric -Usage verify -Value $certBase64
    returns

    New-MsolServicePrincipalCredential : Service principal was not found.
    At line:1 char:1
    + New-MsolServicePrincipalCredential -AppPrincipalId 981f26a1-7f43-403b...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : OperationStopped: (:) [New-MsolServicePrincipalCredential], MicrosoftOnlineException
        + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.ServicePrincipalNotFoundException,Microsoft.Online.Administration.Automation.NewServicePrincipalCredential


    I have discovered that 981f26a1-7f43-403b-a875-f8b09b8cd720 is the guid for Azure Multi-Factor Auth Client.

    I have tried running the command Get-MsolServicePrincipal but this does NOT list Azure Multi-Factor Auth Client as a service principal.

  16. See my comment on your MS post, it looks like you are missing the Azure Powershell module.

  17. Great article!

    I am implementing this for Cisco ASA VPN and am planning to put the NPS Extension for MFA directly on the NPS server that is doing the RADIUS authentication for the ASA VPN. Is there a way to setup conditional access in Azure so that I can require MFA for VPN access without requiring MFA for all AAD authentication? Also, is there a way to turn off (or temporarily bypass) MFA for specific users so they will not be required to do MFA for connection to the VPN?

    Thanks!

    Replies
    1. Did you find anything on conditional access only for MFA for VPN access?

  18. Hi Freek Berson,

    It's a great article. So elaborated that even an MFA novice like me could follow this and configured successfully. It's working quite good.

    I have one question, The Remote Desktops are only working with mobileApp - Receive Notifications for verification and Authentication Phone - Callme options. The remaining text and code ones are not working. The RDGateway straightaway rejects the request that you are not authorized. Is that how it's designed or am I missing something?

    Once again thanks for the detailed article.

    Srinivas

    Replies
    1. It does not support all MFA methods. One way SMS will not work since RDP client application doesn't give you prompt to enter it. So, either go with Phone call or Mobile app, since it doesn't have dependency on RDP client.

  19. We have gone through all the steps, but we are getting the following message logged over and over on the NPS server where the NPS extension is installed.

    NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User NORFOLK\user5 with response state Discard, ignoring request.

    Anyone else experienced that?

    Replies
    1. Same issue here, did you manage to resolve it?

  20. I believe this is happening because RDP accepts only the mobile app requests or the Call options. None of the SMS or code generated by mobile app works for it.


  24. I work at Microsoft boii v-halmic@microsoft.com

    Setting up RDS with NPS Extension to use Cloud based MFA, not on premise MFA Server

    This article left out two important steps. You have to make a Network Policy on the NPS server that is alone (not on the RD Gateway server). You have to make a policy to allow access.

    Also every time you create a RADIUS client or Server on both servers you have to setup a shared secret on the authentication/accounting tab. His article doesn't emphasize this. You setup the shared secrets in 5 places.

    On RD Gateway server when you configure the Central Network Policy Server. It's Server Manager -> Tools -> Remote Desktop Services -> Remote Gateway
    On RD Gateway server when you configure the Radius Client
    On RD Gateway server when you configure the Radius Server
    On the NPS server (that’s alone, no RD Gateway) when you configure the Radius Client
    On the NPS server (that’s alone, no RD Gateway) when you configure the Radius server

    Also the Friendly names don't matter at all.

    Step 1 Setting up RDS (by itself, no MFA/RADIUS)


    To setup RDS to use MFA

    1. First setup the following
    a. RD Connection Broker
    b. RD Gateway
    c. RD Licensing Manager
    d. RD Session Host
    e. RD Web Access

    This link shows you how to configure all 5 components.
    https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-deploy-infrastructure

    Here are some troubleshooting steps:


    When you go to test this make sure you go to Start-> Run -> MSTSC and go to the Advanced tab and use the RD Gateway. Also make sure you use the FQDN on the Advanced tab and General tab.


    You have to export the RD Gateway SSL Certificate that you make and install it on the Windows 10 workstation Current User Trusted root store (If the customer has 4 identical certificates and you don't know which one is the Gateway cert, just get all 4)
    1. On the Gateway server, Windows Key + R -> Run -> MMC -> File - Add -> Certificates -> Local Computer -> Right click certificate -> Export
    2. On the Windows 10 workstation, Windows Key + R -> Run -> MMC -> File - Add -> Certificates -> My user account -> Right click certificate -> Trusted Root Certificate store -> Import


  25. Be aware the Two Places you configure this solution:
    1. Server Manager -> Remote Desktop Services -> Overview -> Tasks -> Edit Deployment
    2. Server Manager -> Tools -> Remote Desktop Services -> Remote Desktop Gateway

    To configure RDS without MFA/RADIUS In the Gateway manager you have to have a CAP and a RAP or it won't work. You have to have one of each. It is not in the documentation. Also when you go to Gateway Manager -> Policies -> Connection Authorization Policies -> Configure Central RD CAP properties you want the radial button to be on Local Server running NPS. (Later after you verify RDS is working successfully thru the gateway you will come change this to Central Server running NPS and put in the MFA server IP. )

    If you get certificate errors when you try to RDP this indicates you don't have the Gateway SSL cert installed on your client workstation properly

    This is where you make the RDS certificates: Server Manager -> Remote Desktop Services -> Overview -> Tasks -> Edit Deployment, make sure the status on all 4 say ok. You have to highlight each one and hit apply. Go down the list and hit apply for all 4. This is a known issue.

    Also turn off your firewall for every computer in the solution till you get it working:

    If you get an error about your user account is not listed in the RD Gateway permission list or you specified the remote computer in NetBIOS format but the RD Gateway is expecting FQDN or IP set your Resource Authorization Policy in NPS to all computers. NPS -> Policies -> Resource Authorization Policies -> Double Click Policy -> Network Resources -> bottom radial button


    Once you setup RDS successfully test it a few ways. Go to RD Web access and connect to a published app like calculator. Verify you can connect to a session host in your collection thru MSTSC with the RD Gateway enabled on the Advanced Tab. Then setup RADIUS/MFA/NPS.

    Step 2 Setting up on premise MFA server/RADIUS/NPS

    2a. How to download and install MFA server from the Azure portal
    http://www.deployazure.com/security/identity/azure-multi-factor-authentication-server-with-remote-desktop-gateway-part-1/

    2b. How to configure MFA server to work with Radius requests
    https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-rdg


    Here are some troubleshooting steps:

    1. There is a test user button available
    2. Always choose phone call for testing (there are certain ways that don't work, one way text, two way text, sms etc)


    3. Make sure the Connection Request Policies are enabled and the From MFA policy HAS to be on TOP. Sometimes customers copy a disabled policy.

    6. In NPS, the Central Radial button should be selected and it should be the IP of your MFA server. This can be confusing. If you just want RDS with no RADIUS and MFA then select the top radial. And make sure you have a CAP and a RAP. You have to have one of each for just RDS with no MFA.

    8. There are MFA Server logs when you get stuck in the GUI on the bottom. MultiFactorAuthSvc is the main log and there is a MultiFactorAuth_RADIUS log available. You read the logs from the bottom up. Google the errors in the logs along with the name MFA or PhoneFactor(company we bought)

    10. In NPS here you have to configure a RADIUS server and client. This can be confusing. Just know the MFA Server is both the client and server. The RADIUS Server is a group with the MFA server in it.

  26. 12. When you make changes to NPS or RD Gateway, restart the NPS services; it restarts both.

    13. On the MFA server under RADIUS Authentication on the clients/target tab, the client is RDS Gateway and Target is NPS server. This can be confusing. A lot of times it is the same server.

    14. Error: received response from server with invalid response authentication = just know this indicates wrong shared secret.
    You set up the shared secrets in multiple places. Check to make sure they are all the same.
    NPS Snap In -> Radius -> Clients
    NPS Snap In -> Radius -> Server Group
    MFA Server -> Target/client tab (so there are two places here)
    Server Manager -> Tools -> RD Gateway -> CAP policy

    15. Use the FQDN when you RDP. Use the FQDN when you specify the RD Gateway name on the Advanced tab and on the General tab. Use the FQDN everywhere.





    Step 3 (Optional) Setting up RDWeb URL to be published through ADFS Web Application Proxy or Azure Active Directory Application Proxy.

    The secret is you have to use 2 URLs, it's RD Web and RPC, and here is the link.
    https://technet.microsoft.com/library/dn765486.aspx


    v-halmic@microsoft.com

  27. If you are setting up High Availability with 2 x NPS servers and 2 x RD Gateway, ensure you create 2 policies for 'MFA Server Request No Forward' and 'From RDGW' - one for each RADIUS client.

    Replies
    1. Hi Paul,
      I am looking to do this but unsure of how to configure the "load balancing" settings on the Remote Radius Server Groups on the NPS servers with MFA extension.

      Have you set both Radius (RD Gateway) servers as "Priority 1" and "weight 50" within the Remote Radius Server Groups on the NPS servers with MFA extension?

      I am unclear as to whether the NPS server knows that the request has come from e.g. Gateway1 and will return its response to Gateway1, or if it will try sending to either Gateway1 or Gateway2 if they are the same priority & weight?

      Any advice would be much appreciated.

  28. Great guide, thanks.

    The one thing I struggled with was the authentication default option - if it's set to send you a code or similar, it bombs out. The default must be something you can authorize, such as using the app.

    Also the NPS server needs a NAP to authorize the users, otherwise the NPS plugin won't bother to send the request on to Azure.

  31. Hello,

    I've tried this setup; however, when I try to log in, the session times out.

    On the NPS server I'm getting "NPS Extension for Azure MFA: Radius request is missing NAS Identifier and Nas IpAddress attribute.Populating atleast one of these fields is recommended"

    It seems like the request is being sent over and over again. (something like 100 times per second).

    Anyone have any idea where I went wrong?

    Replies
    1. To add to this, from what I can figure out, one request comes to the RDG; however, when it hits the NPS services on the RDG server the spam has already begun, so something is happening which causes the RDG to send multiple requests to the NPS service?

    2. The policies are configured as shown in the screenshots :(

  32. Hi Freek,

    Great article, I have used it for one customer already and it is working like a dream!

    I have another customer wanting to use MFA in their RDS farm; however, they only want to enforce MFA for a group or remote users to save money on licensing.

    Is it possible to target MFA to an AD group? Or if I do not enable MFA for some users in Azure, will it block the connection request?

    Replies
    1. Did you ever get an answer to this?

    2. No, unfortunately. Due to our high work load we didn't have time to continue R&D so we scrapped it. If you end up finding a solution I would love to know.

  33. This option feels super clunky to end users. Sure would be nice if there was a way to configure MFA on the initial web login to RDS farm. Users are familiar with that, and most of the apps that launch don't provide any kind of visual prompt that an MFA request is being sent.

  34. Hello, we have a problem with macOS remote desktop clients. All other clients (Windows, Android, iPhone, iPad) are working, but not macOS. I get an MFA request, but after that the screen hangs on connecting. When I disable the MFA extension, it also works correctly on macOS.
    Does anyone have the same problem?

  35. Great write-up but is there any way to force MFA before logging into domain.com/RDweb?

    This article shows that once you launch the remote app, it then prompts for the MFA but what about doing it before even being presented with the RemoteApps?

    Replies
    1. You can achieve this by configuring an application proxy in Azure AD (requires AD Premium P1 licence)

  36. I followed the article but it is still not working. I get the below error on the MFA extension server.

    "Network Policy Server discarded the request for a user.

    Contact the Network Policy Server administrator for more information.

    User:
    Security ID: NULL SID
    Account Name: VDI\TestSync
    Account Domain: -
    Fully Qualified Account Name: -

    Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    Called Station Identifier: UserAuthType:PW
    Calling Station Identifier: -

    NAS:
    NAS IPv4 Address: -
    NAS IPv6 Address: -
    NAS Identifier: -
    NAS Port-Type: Virtual
    NAS Port: -

    RADIUS Client:
    Client Friendly Name: -
    Client IP Address: -

    Authentication Details:
    Connection Request Policy Name: TS GATEWAY AUTHORIZATION POLICY
    Network Policy Name: -
    Authentication Provider: RADIUS Proxy
    Authentication Server: 16.10.1.7
    Authentication Type: -
    EAP Type: -
    Account Session Identifier: -
    Reason Code: 117
    Reason: The remote RADIUS (Remote Authentication Dial-In User Service) server did not respond."

  37. Now MFA works but I get the below error from the RDG server.
    The RADIUS Proxy received a response from server 16.10.1.7 with an invalid authenticator.

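Why a shared-secret mismatch surfaces as the "invalid response authentication" error in item 14 of the troubleshooting comment and as the "invalid authenticator" error in the last comment, shown as an added example that is not part of the original post or its comments. It computes the RADIUS Response Authenticator as defined in RFC 2865; the function names, secrets, location labels and packet contents are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2  # RADIUS code for Access-Accept (RFC 2865)

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_response(code, ident, attrs, request_auth, secret):
    """Server side: sign the reply with the server's copy of the secret."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def verify_response(packet, request_auth, secret):
    """Client/proxy side: recompute with its own copy and compare."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return False
    attrs = packet[20:length]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)

def matching_locations(packet, request_auth, configured):
    """Return the config locations whose secret validates this response."""
    return [place for place, secret in configured.items()
            if verify_response(packet, request_auth, secret)]

# Constructed sample data: the four places the comment lists, one with a typo.
CONFIGURED = {
    "NPS RADIUS Clients": b"Example-Secret-1",
    "NPS Remote RADIUS Server Group": b"Example-Secret-1",
    "MFA Server Target/Client tab": b"Example-Secret-1 ",  # trailing space
    "RD Gateway CAP": b"Example-Secret-1",
}
REQUEST_AUTH = bytes(range(16))   # constructed 16-byte Request Authenticator
ATTRS = bytes([18, 4]) + b"ok"    # constructed Reply-Message attribute

if __name__ == "__main__":
    reply = build_response(ACCESS_ACCEPT, 7, ATTRS, REQUEST_AUTH,
                           CONFIGURED["MFA Server Target/Client tab"])
    for place in CONFIGURED:
        ok = verify_response(reply, REQUEST_AUTH, CONFIGURED[place])
        print(f"{place}: {'valid' if ok else 'invalid authenticator'}")
```

A single stray character in any one of the configured copies is enough for every reply from that hop to be rejected, which is why the comment's advice is to compare all of them.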