Implementing MFA in a RDS infrastructure

Last updated: Nov 28, 2020

MFA authentication is the new way to increase Users authentication security. It allows to reduce passwords compromission risk.

Indeed, MFA require multiple forms of verification to prove your identity when signing into an application.

In this guide, we will see how to enable MFA for RDS users by using the Microsoft Authenticator app.

Network diagram

Links to know

Azure portal : https://portal.azure.com/
MFA user test : https://aka.ms/mfasetup/
User sign-in parameters : https://mysignins.microsoft.com/

Prerequisites

Licensing

No surprise with Microsoft nothing very clear about licensing, but it seems we need a P1 or P2 license.

Architecture

We need :
- Azure AD infrastructure (I used the commercial trial to set it up).
- AD server with AD Connect to synchronise users.
- NPS server as authentication bridge between Azure AD and local Active Directory.
- RDS server a classic remote computer server with Web Access, Gateway and Connection Broker.

Not really clear neither but it seems we ~~also need~~ don't need a AD FS server : link.

Azure AD (part I)

From the Azure portal, go to Azure Active Directory :

Azure Portal | Azure Active Directory icon

Create a tenant

If you don't have one yet, create a new tenant :

Select Azure Active Directory :

Configure your new directory :

Azure Portal | Configure your new directory

Once validation passed, click create :

Azure Portal | Create a tenant, validation passed

Activate Azure AD Premium P2 License

From left panel, click Licenses :

Azure Portal | licenses left pannel menu

Then Get a free trial :

And Activate a Azure AD Premium P2 license :

Azure Portal | Activate Azure AD Premium P2

After few minutes you should see your Azure AD Premium P2 license :

Azure Portal | Overview, Tenant information with Azure AD Premium P2 licence.

Create a AD Connect User

From the Azure portal we will create a New user account which will be used to sync our local AD (std.local) server with Azure AD (std2.onmicrosoft.com).

Specify User name and a Name :

Azure Portal | Create a new user, set user name and Name

On the same page, specify a Role by clicking on User :

Azure Portal | Create a new user, groups and roles.

Select Global administrator and click Select :

Azure Portal | Create a new user, group selection

Now we can click on Create :

Go back to All Users view, select AD Connect user and click Reset password :

Click Reset password :

Microsoft azure | sign in to continue to microsoft azure.

Note the temporary password :

Go to https://portal.azure.com, and connect with the user ids :

Azure Portal | Azure AD Connect left pannel menu

And set a secure password :

AD Server

AD Connect

Download

Now we need to install and configure AD Connect. This software is used to synchronize our AD local users to our AD Azure infrastructure.

This software needs to be installed once, on a AD server.

Connect to Azure portal and go to Azure AD Connect :

Click on the Download Azure AD Connect link :

Installing AD Connect

Run the .exe from you Active Directory server. Accept the license and click on Continue :

Azure AD Connect Installation | Welcome to Azure AD Connect

You can choose express settings or Customize if you want to specify custom parameters :

Azure AD Connect Installation | Express Settings

Then click on Install :

Azure AD Connect Installation | Install required components

Select Password Hash Synchronization :

Azure AD Connect Installation | User sign-in

Use the ids previously created :

Azure AD Connect Installation | Connect to Azure AD.

Click on Add Directory :

Azure AD Connect Installation | Connect your directories.

Type local AD administrator ids :

Azure AD Connect Installation | AD forest account.

Once done, click on Next :

Check Continue without matching UPN :

Azure AD Connect Installation | Azure AD sign-in configuration.

Synchronize specific OUs or synchronize all :

Azure AD Connect Installation | Domain and OU filtering.

Click Next :

Azure AD Connect Installation | Uniquely identifying your users.

Select to Synchronize all users and devices :

Azure AD Connect Installation | Filter users and devices.

Select Password hash :

Azure AD Connect Installation | Optional features.

Finally, check Start the synchronization… and run Install :

Azure AD Connect Installation | Ready to configure.

After few seconds it's done :

Azure AD Connect Installation | Configuration complete.

Add Primary Azure Domain to your local AD

Open Active Directory Domains and Trusts management console :

Right-click to Active Directory Domains and Trusts :

Active directory domain and trusts | properties.

Add your Primary Azure Domain :

Active directory domain and trusts | Add UPN.

Create RDS Users

Open Active Directory Users and Computers management console :

Create a New User :

Active directory users and computers | Creating new user

Select the Primary Azure Domain :

Active directory users and computers | New Object

Azure AD (part II)

Go back to Azure portal, to enable MFA.

Enable MFA

From All users menu, click on Multi-Factor Authentication :

Azure Portal | Multi Factor authentication link

Select users you want to enable for Multi-Factor Authentication, and click enable :

Confirm by clicking enable multi-factor auth :

Azure Portal | enable multi-factor auth window.

NPS Server (part I)

We need a NPS server, it could be installed on the AD server but in this guide I will install it on a brand new virtual machine.

Disable IE Enhanced Security Configuration

I recommend to (temporarily) disable IE Enhanced Security because it can prevent the Azure authentication to work during the AzureMfaNpsExtnConfigSetup PowerShell script execution.

From the Server Manager Dashboard :

Windows Server | Server manager, IE Enhanced Security Configuration link.

Turn off Security for administrators :

Windows Server | IE Enhanced Security Configuration window

Installing NPS role

We can choose to install NPS role with PowerShell or via Graphical User Interface.

PowerShell

The one command line PowerShell :

PS C:\Users\administrator.STD> Install-WindowsFeature NPAS -Restart -IncludeManagementTools

GUI

From Server manager dashboard, Add Roles and Features :

Windows Server | Server manager dashboard, Add Roles and Features

Select Role-based or feature-based installation :

Add Roles and Features | Select installation type

Select server :

Add Roles and Features | Select destination server

Select Network Policy Server role :

Add Roles and Features | Select server roles

♫No Feature, No Feature, No Feature for me♫ :

Add Roles and Features | Select features

Check Restart destination server and click on Install :

Add Roles and Features | Confirm installation selections

NPS Extension For Azure MFA

It's a module which allows to add cloud-based MFA capabilities. It will directly communicate with Azure AD infrastructure.

Installing

Download and install NPS Extension For Azure MFA :

NPS Extension For Azure MFA Setup | step 1

That's it :

NPS Extension For Azure MFA Setup |step 2

AzureMfaNpsExtnConfigSetup.ps1 script

Now we need to execute the AzureMfaNpsExtnConfigSetup.ps1 PowerShell script in order to configure certificates which will be used by the NPS extension.

From a PowerShell admin console :

PS C:\Users\administrator.STD> cd 'c:\Program Files\Microsoft\AzureMfa\Config'

PS C:\Users\administrator.STD> .\AzureMfaNpsExtnConfigSetup.ps1

Install NuGet provider if asked :

When prompted for, identify yourself with a tenant administrator account, we can use for example our ad connect account previously created :

Get your Tenant ID from the Azure AD portal :

Paste the Tenant ID to the PowerShell admin console :

Windows Firewall

It seems that Windows (I tried on a Windows Server 2019) doesn't automatically open RADIUS ports. So, create a firewall rule to open incomming udp 1812, udp 1813, udp 1645, udp 1646.

You can do it with this command :

PS C:\Users\administrator.STD> netsh advfirewall firewall add rule name="NPS" dir=in localport=1812,1813,1645,1646 remoteport=0-65535 protocol=UDP action=allow remoteip=any localip=any

RDS Server

Open the Remote Desktop Gateway Manager :

Right click on RDS (local), then Properties :

Windows | RD Gateway Manager, properties menu

In the RD CAP Store tab, select Central server running NPS, then Add your NPS Server :

Windows | RD Gateway Manager, RDS properties, RD CAP Store

Enter a password, it will be shared between RDS and NPS servers :

Windows | RD Gateway Manager, Shared secret

Open NPS management console :

From the NPS management console, expand RADIUS Clients and Servers, select Remote RADIUS Server Groups, then do a right click on TS GATEWAY SERVER GROUP and Properties :

Windows | NPS console, Remote RADIUS server groups.

Select the NPS server and then click Edit :

TS GATEWAY SERVER GROUP Properties, general tab

Modify values in Load Balancing tab :

Still from the NPS management console, expand Policies > Connection Request Policies, then do a right click on TS GATEWAY AUTHORIZATION POLICY and Properties :

NPS Console | TS GATEWAY AUTHORIZATION POLICY, properties

From Conditions tab, Add a nonrestrictive rule :

NPS Console | TS GATEWAY AUTHORIZATION POLICY, properties, Conditions

Select Day and Time Restrictions and click Add :

NPS Console | TS GATEWAY AUTHORIZATION POLICY, properties, Conditions, Day and time restriction.

Permit every time and validate with OK :

NPS Console | TS GATEWAY AUTHORIZATION POLICY, properties, Conditions, Day and time restrictions.

Remove NAS Port Type condition :

NPS Console | TS GATEWAY AUTHORIZATION POLICY, properties, Conditions, remove NAS port type.

Now from Settings tab, click Authentication and check that RADIUS client is configured to Forward requests to the following… :

NPS Console | TS GATEWAY AUTHORIZATION POLICY, properties, Settings, authentication.

NPS Server (part II)

Open NPS management console :

Register server in Active Directory

Register NPS Server in Active Directory. Do a right click on NPS (Local), and then click Register server in Active Directory :

Click OK twice :

Network Policy Server window asking to authorize this computer to read users dial-in

Network Policy Server window prevents that the computer is now authorized to read users dial-in properties

Create Radius Client

Still from NPS management console, right-click RADIUS Clients and click New to create a RADIUS Client :

From New RADIUS Client window, provide a Friendly Name (anything you want), and the IP or DNS name of our RDS. Also enter the same secret that you used before (on our RDS). Finally click OK to validate :

NPS Console | New RADIUS Client Settings

Create Network Policy

Now expand Policies > Network Policies. Right click Connections to other access servers policy and select Duplicate Policy :

Right click Copy of Connections to other access servers, and click Properties :

NPS Console | Network policies Properties

In Policy Window, configure a Policy name, enable policy and Grant access :

In Conditions tab check that you have a nonrestrictive condition :

In Constraints tab check Allow clients to connect without negotiating an authentication method :

Click No :

connection request policy window asking to view help topic

RDS User

Android Device / Microsoft Authenticator App

Microsoft Authenticator is a Android and iOS phone app. It allows two factor authentication by using a phone.

Install the App from any store you want.

From the smartphone device, go to https://login.microsoftonline.com/ :

Enter password :

Tap Next :

Tap Next :

Tap Pair your account to the app :

Azure AD | Pair your account to the app by clicking this link

Check default sign-in method

We need to check that our default authentication method is Microsoft Authenticator otherwise MFA could send SMS to authenticate, which can't be used to allow RDS connection.