How to enable multi-factor authentication for Microsoft Remote Desktop Gateway using ADSelfService Plus
Microsoft's Remote Desktop Gateway (RD Gateway) helps enterprise users connect to their internal resources like Windows desktops and applications hosted in Microsoft Azure from an external network beyond the corporate firewall. RD Gateway secures connections to these resources through an encrypted SSL tunnel and uses the IIS service to authenticate users trying to establish a connection.
Since RD Gateway gives users on public networks access to sensitive resources hosted within organizations, it only makes sense to add layers of security to RD Gateway access through multi-factor authentication (MFA). RD Gateway is equipped to leverage the RADIUS protocol and integrate with third-party MFA solutions like ManageEngine ADSelfService Plus for additional security. ManageEngine ADSelfService Plus helps organizations configure a customized MFA service that secures RD Gateway's remote endpoint access. Here is how MFA can be configured for RD Gateway using ADSelfService Plus. Before you begin, make sure the following prerequisites are met:
- The Professional Edition of ADSelfService Plus must be downloaded and installed.
- A Windows Server configured for RADIUS authentication (Windows Server 2008 R2 and above) with the Network Policy and Access Services (NPS) role enabled.
- The NPS server must be registered in Active Directory.
- HTTPS must be enabled in ADSelfService Plus (Admin → Product Settings → Connection).
- In Active Directory, set the Network Access Permission for users to Control access through NPS Network Policy in their Dial-in properties.
- In ADSelfService Plus, the Access URL you have configured in Admin → Product Settings → Connection → Configure Access URL will be used by the NPS extension to communicate with the ADSelfService Plus server. Make sure you have updated the Access URL before installing the NPS extension.
- In the Windows NPS server, where the NPS extension is going to be installed, set the Authentication settings of the Connection Request Policy to Authenticate requests on this server.
- Configure a Network Policy in the Windows NPS server.
If you are using an untrusted certificate in ADSelfService Plus to enable HTTPS, you must disable the Restrict user access when there is an invalid SSL certificate option in Configuration → Administrative Tools → GINA/Mac/Linux (Ctrl+Alt+Del) → GINA/Mac/Linux Customization → Advanced.
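The Dial-in prerequisite above is easy to get wrong at scale: a user with an explicit Allow or Deny in their Dial-in properties bypasses the NPS network policy entirely. The following PowerShell script is an added example (not part of the ADSelfService Plus documentation) that audits the msNPAllowDialin attribute for every user in an OU and, with -Fix, clears it so that access is controlled through NPS Network Policy. It assumes the ActiveDirectory RSAT module is installed; the OU path is a placeholder.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the ADSelfService Plus documentation.
# Audits (and optionally resets) the Dial-in "Network Access Permission" for users in an OU.
param(
    [string]$SearchBase = 'OU=RemoteUsers,DC=example,DC=com',  # placeholder OU, change it
    [switch]$Fix                                               # clear explicit Allow/Deny
)

# msNPAllowDialin stores the Dial-in setting:
#   $true     -> "Allow access"   (explicit, bypasses NPS policy)
#   $false    -> "Deny access"    (explicit, bypasses NPS policy)
#   not set   -> "Control access through NPS Network Policy" (what RD Gateway MFA needs)
$users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties msNPAllowDialin

foreach ($u in $users) {
    $raw = $u.msNPAllowDialin
    if ($null -eq $raw) {
        $setting  = 'Control access through NPS Network Policy'
        $compliant = $true
    } elseif ($raw) {
        $setting  = 'Allow access (explicit)'
        $compliant = $false
    } else {
        $setting  = 'Deny access (explicit)'
        $compliant = $false
    }

    $changed = $false
    if (-not $compliant -and $Fix) {
        # Clearing the attribute is how the GUI's "Control access through
        # NPS Network Policy" radio button is represented in the directory.
        Set-ADUser -Identity $u -Clear msNPAllowDialin
        $changed = $true
    }

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        DialInSetting  = $setting
        Compliant      = $compliant
        Reset          = $changed
    }
}
```

Run it once without -Fix to review the report, then with -Fix to reset only the non-compliant accounts.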
Step 1: ADSelfService Plus configuration
I) Enable the required authenticators
The following two authentication methods are supported:
- Push Notification Authentication
- Fingerprint/Face ID Authentication
Refer to the ADSelfService Plus documentation for each method to learn how to enable it.
- When you enable Push Notification Authentication or Fingerprint/Face ID Authentication, make sure the ADSelfService Plus server is reachable by the users through the Internet from their mobile devices.
- RADIUS authentication timeout should be set to at least 60 seconds in the RD Gateway server's RADIUS authentication configuration settings.
II) Enable MFA in ADSelfService Plus
- Log in to ADSelfService Plus as an admin.
- Go to Configuration → Self-Service → Multi-Factor Authentication → MFA for Endpoints.
- Select a policy from the Choose the Policy drop-down. This policy will determine for which users MFA for RD Gateway login will be enabled. Learn more about creating an OU- or group-based policy.
- In the MFA for VPN Login section, check the box next to Select the authenticators required. Choose the number of authentication factors to be enforced. Select the authentication methods to be used. The authentication methods listed can also be rearranged by dragging and dropping until you have them in the order you need.
- Click Save Settings.
III) Install the NPS extension
- Log in to ADSelfService Plus as an admin, and go to Configuration → Self-Service → Multi-Factor Authentication → MFA for Endpoints. Download the NPS extension using the link provided in the Notes section.
- Copy the extension file (ADSSPNPSExtension.zip) to the Windows NPS server. Ensure this is not the RD Gateway server. Extract the ZIP file and choose a location to save its contents.
- Open Windows PowerShell as an administrator and navigate to the folder where the ZIP file’s content is located.
- Execute the extension's installation command, specifying the operation. The operation can be install, uninstall, or update:
  - Install: installs the NPS extension plugin.
  - Uninstall: uninstalls the NPS extension plugin.
  - Update: updates the extension to a newer version and updates its configuration data.
- After installation, you will be prompted to restart the NPS (IAS) Windows service. Proceed with the restart.
IV) Advanced settings
Refer to Advanced Settings to configure RD Gateway MFA session limits. It will also explain how to bypass MFA if ADSelfService Plus is not reachable or if the user is not enrolled.
V) Enabling MFA for RD Gateway based on connection request policies and network policies
If you have configured connection request policies or network policies in your RADIUS server, you can enforce MFA for RD Gateway login to certain users based on those policies. To do this:
- Open the Registry Editor (type regedit in the Run dialog box).
- Go to HKEY_LOCAL_MACHINE\SOFTWARE\ZOHO Corp\ADSelfService Plus NPS Extension.
- Take a backup of the registry key before editing it.
- Only members of the computer's built-in Administrators group have privileges to edit this key.
- Double-click CRPolicies or NetworkPolicies, depending on the type of policy you want to scope MFA to.
- Enter the name of the policy in the Value data field. If there are multiple policies, separate them with semicolons.
- Click OK.
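The same registry change can be made from an elevated PowerShell session on the NPS server, which also makes the backup step harder to skip. This is an added example (not ManageEngine's code): it exports the extension's key before editing, writes the semicolon-separated policy list to CRPolicies (or NetworkPolicies), and reads the value back to verify it. The policy names are placeholders.

```powershell
# Added example, not from the ADSelfService Plus documentation.
# Run as a member of the built-in Administrators group on the NPS server.
$KeyPath   = 'HKLM:\SOFTWARE\ZOHO Corp\ADSelfService Plus NPS Extension'
$ValueName = 'CRPolicies'   # use 'NetworkPolicies' to scope by network policy instead
$Policies  = @('RDG-Contractors-CRP', 'RDG-Admins-CRP')   # placeholder policy names

if (-not (Test-Path $KeyPath)) {
    throw "NPS extension key not found: $KeyPath (is the extension installed on this server?)"
}

# Step 1: back up the key before editing it. reg.exe wants the HKLM\ form, not HKLM:\.
$regExePath = $KeyPath -replace '^HKLM:\\', 'HKLM\'
$backup     = Join-Path $env:TEMP ('ADSSP-NPS-Extension-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
reg.exe export $regExePath $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw 'Registry backup failed; leaving the key untouched.'
}

# Step 2: record the current value, then write the semicolon-separated list.
$before   = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
$newValue = $Policies -join ';'
Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $newValue

# Step 3: read it back and fail loudly if the write did not take.
$after = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
if ($after -ne $newValue) {
    throw "Verification failed: expected '$newValue' but found '$after'"
}

[pscustomobject]@{
    Key    = $KeyPath
    Value  = $ValueName
    Before = $before
    After  = $after
    Backup = $backup
}
```

Keep the exported .reg file with your change record; double-clicking it restores the previous policy scope if the new one turns out to be too narrow or too broad.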
Step 2: RD Gateway configuration
Once you've configured MFA in ADSelfService Plus, you'll be able to configure your RD Gateway to use ADSelfService Plus for the second factor of authentication.
- Open RD Gateway Manager.
- Right-click on the RD server in the left sidebar and click Properties.
- In the pop-up window that appears, go to RD CAP Store.
- Select Central server running NPS.
- Enter the IP address of your NPS Server where the ADSelfService Plus extension is installed and click Add.
- Enter the shared secret that was configured in the RD Gateway's RADIUS client section of the NPS server and click OK.
- Select Apply and OK.
- Next, open the Network Policy Server manager.
- Go to RADIUS Clients and Servers → Remote RADIUS Server.
- Right-click on TS GATEWAY SERVER GROUP and select Properties.
- In the window that appears, select your RADIUS server and click Edit.
- In the Edit RADIUS Server window that appears, go to Load Balancing.
- Set the timeout setting as less than or equal to the time set using the Keep the VPN MFA session valid for __ minutes option under Configuration → Self-Service → Multi-factor Authentication → Advanced Settings in ADSelfService Plus.
- Click Apply and OK.
- Go to Policies → Connection Request Policies.
- In the section that appears, right-click TS GATEWAY AUTHORIZATION POLICY and click Properties.
- Go to Settings.
- Select Authentication and ensure that it’s set to forward requests to the remote RADIUS server.
Benefits of using ADSelfService Plus:
Aside from password management, ADSelfService Plus also offers:
- Enforce endpoint MFA and use different sets of authentication techniques for different users based on domain, OU, and group memberships.
- Ensure user adoption: Automate user enrollment for MFA by importing domain information of users through CSV files or force enrollment using login scripts.
- Get detailed reports: Gain comprehensive insights on user activities such as identity verification failures and login attempts, and find users with weak passwords.
- Use authentication techniques like fingerprint authentication, push notification authentication, YubiKey, and QR-code-based authentication to help users prove their identity with minimal effort.