In my earlier articles, we defined a step by step find out how to secure the remote entry (RDP connection) utilizing Azure Multi-factor Authentication (MFA), at that time we mentioned that the similar procedure can only utilized to windows 2012 and earlier and it’s not supported to be applied to windows 2012 R2 and above.
You possibly can evaluation the earlier articles using under links:
Half 1: http://azuredummies.com/2016/02/05/secure-terminal-services-rdp-using-azure-multifactor-authentication-mfa-part-1/
Half 2: http://azuredummies.com/2016/02/06/secure-terminal-services-rdp-using-azure-multi-factor-authentication-mfa-part-2/
Part Three: http://azuredummies.com/2016/02/13/azure-active-directory-part-3-azure-ad-connect-installation-and-configuration/
At this time on this article we’ll stroll by means of the steps in easy methods to safe the RDP connection to windows 2012 R2 and above, I found many articles on the web that describe the procedure, i adopted a variety of them with no luck,
We found multiple public articles which described this deployment.Unfortunately, we adopted these articles nevertheless it never works, i collaborated with my colleague “Lucian Busoi” as a way to discover what are the missing steps in these articles, Lastly we discovered it and i will summarize all required steps in this article, Thanks Lucian for this help.
“Other Public Articles may Assumed that the missing steps something that the reader should know by default”
To simplify the state of affairs, let’s summarize what are the elements required for this deployment:
1- Windows 2012 R2/2016 machine which might be used to setup the MFA stand alone server which will probably be used for MFA authentication with MS back-end service.
2- Windows 2012 R2/2016 machine which can be used to put in and deploy the Gateway and NPS roles, to simplify the idea of this server let’s imagine that this server might be used as an intermediate between the target server and MFA server, when the consumer attempt to hook up with the target server using RDP, the visitors truly will attain the gateway server first, after gateway server confirm the area credentials it should forward the visitors to the MFA server to do the second factor Authentication, if MFA challenge Passed then the consumer shall be allowed to entry the target server.
3- The target Server(s) which you require to entry it thorough RDP, for example windows 2012 R2 or 2016 machines.
before start the Implementation, let’s first explain the concept, for the MFA server as we already know we’d like this machine n order to deploy the MFA server, deploying the MFA server is straightforward course of, in order to have the ability to obtain the MFA setup package deal from Azure portal, you should have a license that permit you to deploy the MFA stand alone server, it’s essential to have certainly one of the following licenses:
- Azure Multi-Factor Authentication
- Azure Lively Directory Premium
- Enterprise Mobility + Security
one necessary thing i observed that many purchasers tried to comply with MS article to deploy the MFA stand alone server as described in under article:
Some clients stuck in above article in the “Create a Multi-Factor Auth Provider” step as they don’t have this feature of their Azure Tenant even they have a legitimate license for MFA, at this point they cease deploying the MFA and begin complaining about this, HEADACHE !!
For those who don’t see the option to create the MFA provider, Then a default MFA supplier is already setup for Your tenant assuming that you’ve a legitimate license.
To entry the MFA provider, you have to comply with under steps:
login to https://portal.azure.com with international administrator consumer, then from the left pane select “Azure Active Directory” as under:
Then Click on ” Customers and Groups” choice as under:
Now, Be sure that to pick “All Users” choice, then click in “Multi-Factor Authentication” choice as under:
The MFA web page will appear as under, ensure to click on on the “Service Settings” choice, then in the bottom of the page click on on “Go to Portal” choice as under:
Word: if “Go to the portal” choice doesn’t seem, then this implies often that you simply don’t have a legitimate license for MFA stand alone deployment or you didn’t assign any consumer for an MFA license.
Finally, one can find the choice to download the MFA stand alone server as under:
In this article we’ll assume that the MFA server already deployed as we discussed this in particulars in my previous article as under:
For now, we’ve got an MFA stand alone server already deployed however not configured yet.
Let’s move to the second element which is the Gateway/NPS server, let’s go just a little deep from technical perspectives, the most essential question why this element is required on this deployment, to reply this question let’s try to understand the stream in GW/NPS with MFA:
i draw above diagram (Not skilled in drawing ? ) to exhibit the idea and the functionality of GW/NPS server, let’s summarize the stream as under utilizing the numbers in the diagram:
1- Consumer will making an attempt to access on-premises useful resource utilizing gateway, in this stage the consumer credential can be despatched to the gateway server.
2- Gateway will forward the request to the MFA server, till this stage the offered credentials by the consumer not validated yet.
Three- since the credentials still not validated, then the MFA server will ahead the request to the NPS server asking it to confirm the credentials earlier than shifting forward and start the MFA process.
Notice: in our demo, Gateway and NPS is the similar server.
4- Now, NPS will confirm the consumer credential using the native Lively listing, is dependent upon the response from local AD the NPS will respond to the MFA server, if the consumer credentials are right then the NPS will obtain and accept response from local AD, otherwise NPS will receive rject request from local AD which can deny the consumer to access the resource, noting that if the NPS received a reject message from native AD then the MFA won’t be processed and this make sense as no need to use second issue Auth if the credentials (first Factor Auth) are fallacious.
Word: once we are saying “Accept” or ” Reject” message this isn’t truly imply that AD ship Settle for or Reject message literally, we try to simplify the course of only.
5- in case of Settle for response from AD, NPS will send the request back to the MFA with Settle for Message.
6- MFA will perform the second factor authentication, it can challenge the use by MFA problem, for example it might name consumer telephone or send notification in Microsoft Auth App.
7- MFA will ship the result of MFA challenge to the RD Gateway again.
Eight- In case the MFA problem handed, then RD Gateway will evaluate the request towards Resource Authorization Policies (RAP) and examine if the consumer is allowed to entry the resource or not.
9- if the consumer is allowed to access the target useful resource, then RD Gateway will permit the consumer, in any other case the consumer will probably be rejected.
To summarize above, so as to the consumer to successfully entry the useful resource, three major circumstances must be met:
1- The Users credentials must be right and accepted by local lively listing.
2- Consumer should move the MFA Challenge.
Three- Consumer must be allowed to access the resource based mostly on the RAP insurance policies.
As we now understand the functions of each elements, let’s start the implementation, to try this i have under servers:
1- Windows 2016 machine for MFA deployment, IP: 192.168.zero.15
2- Windows 2016 for gateway and NPS deployment, IP: 192.168.zero.14
3- Goal useful resource, it might be windows 2016, 2012 R2, 2012.
Theoretically, earlier versions of target useful resource corresponding to windows 2008 R2 ought to work utilizing the procedure on this article, however i didn’t check this, no guarantee.
As mentioned before, the installation of MFA server is a simple process, and i already mentioned it in my previous posts, in case you are not familiar in the right way to install the MFA server please comply with my previous article:
Now, let’s go to the implementation of gateway/NPS server, to start with, the RD gateway is a windows Position whick means you possibly can deploy it without the need of any exterior package deal, You can deploy it using server manager, to do deploy these providers, open the “Add Roles and features Wizard” from server manager then click on Next in the first page as under:
Now, Choose “Role-based or feature-based installation” choice and click on Subsequent:
Choose the right server and click on Subsequent:
Select “Remote Desktop Services” choice solely and click next, Don’t choose the NPS from right here as will probably be added routinely by the wizard afterward:
Now, once you reach the Position Providers tab, choose “Remote Desktop Gateway” choice, new dialog field will appear asking you to install other associated roles/options including the NPS as under:
Click Add features to add all required features together with the NPS:
Now, maintain clicking Next till you reach the Position Providers tab again, make it possible for the “Network Policy Server” choice chosen then click Next:
End the wizard by click on Install and wait till the installation end:
The Installation of Gateway and NPS providers finished as under:
Till this step, we’ve two server, the first one is the MFA server and the Second one is the Gateway/NPS server, now let’s undergo the Configurations Part.
To start with, let’s configure the GW/NPS server, to try this, from server supervisor, launch the distant desktop gateway supervisor as under:
From RD Gateway console, proper click on the Server identify and choose Properties as under:
Now, click on on the “RD CAP Store” tab, then select “Central Server running NPS” choice, enter the IP (or the identify) of MFA server then click on Add button as under:
a brand new windows will appear asking you to enter a shared secret key, enter any key you need and click on OK:
Word: this shared secret key shall be used afterward on the MFA configuration, let’s name this in our minds GATEWAY SECRET KEY.
after including the MFA server successfully, click on OK:
Now, Open the NPS console from server supervisor as under:
Choose the “Remote Radius Server Groups”, then right click on on the “TS GATEWAY SERVER GROUP” and choose properties, or double click as under:
Make Positive that the IP of MFA server appears underneath the Basic Tab, select it and click on the Edit button as under:
Click on on load balancing tab, improve the highlighted values to keep away from any trip issues, i favor to set these values to 60 seconds or extra:
Now, let’s create a Radius shopper, to try this from the NPS console, proper click on on the RADIUS Shoppers choice and select New as under:
Make Positive to verify the “Enable this RADIUS client”, enter any pleasant identify you need, take into account that this identify ought to be used exactly in one other subsequent step, select any identify and write it down for afterward utilization, Additionally it’s worthwhile to fill the IP (or identify) of the MFA server and lastly choose a a brand new shared secret, Keep in mind that this secret key shall be used also in MFA configuration afterward, for that permit’s name this in our minds NPS SECRET KEY, once end click on OK button as under:
Now let’s create two insurance policies which might be consumer to forward and receive the requests from the MFA server, the easiest method to try this is to duplicate the Default policy “TS GATEWAY AUTHORIZATION POLICY” as under:
Now, Rename Each Policies precisely as appear under, make it possible for both insurance policies are enabled, the “Processing order” is very important right here:
Righ click on the first Coverage which known as “From MFA”, go to condition tab and click on Add button as under:
Choose Shopper Pleasant identify choice, then click on Add button as under:
This is will ask you about the identify of the Radius shopper, you SHOULD use the similar identify you used if you create the radius shopper in one in every of the previous steps, for those who keep in mind we used MFA as the identify of the radius shopper, so we should always use the similar identify right here as this can specify from which radius shopper the NPS will receive the requests:
Now in the similar coverage, go to the settings Tab, underneath Authentication request make certain to pick the “Authenticate Requests on this server” choice as under:
Beneath Accounting tab, be sure to remove the verify from “Forward accounting requests ….” choice as under:
Now, in the different policy which known as ” To MFA”, underneath the setting tab , confirm the the Authentication have the option to ahead the request to the TS GATEWAY SERVER GROUP as under:
Beneath Accounting, be sure that the ” Forward accounting requests …. ” is chosen as under:
Underneath Circumstances tab, you need to have only “NAS Port Type” as a condition as under:
Just to confirm above settings, each policies SHOULD have under configurations, click on in the first one and see under configurations:
Now click on the second Coverage and verify the configurations:
Now, we nonetheless have three steps to do earlier than finalize the configurations of GATEWAY/NPS, these two steps as per my search i didn’t discover it in any public article that are related to this matter, so we’d like to ensure to do under steps.
The first one, as we talked about in the move diagram of GW,NPS,AD and the MFA server in Step No. 8, we talked about that if the consumer respond to the MFA challenge efficiently, then MFA server will send the request again to the Gateway, Now Gateway will validate if the consumer is allowed to access the Goal useful resource based mostly on RAP policies, DO YOU REMEMBER THAT ?
if we open the RD Gateway console, underneath Useful resource Authorization Insurance policies (RAP) tab we won’t see any policy, that is by default, as the installation of gateway position solely won’t create any default RAP, so in case you missed this step no consumer can be allowed to access any inner resource even if the consumer reply to MFA problem successfully:
So we have to create a brand new coverage, the policy will define who is allowed to entry and what to access, to try this proper click on and choose “create New Policy utilizing the wizard for simplicity as under:
Choose “Create only a RD RAP” then click Subsequent as under:
Give the coverage and pleasant identify and click Subsequent:
Here, you’ll want to determine which group may have an access, i created a gaggle in my AD referred to as it “Home Users”, add the groups you must grant it an access then click Next:
Here, you have got an choice to determine which Resource(s) could be accessed by the groups you selected in earlier step, for simplicityi will permit the group to acc
Additionally you’ll be able to determine to permit the connection in particular ports, on this demo i’ll permit any port for simplicity as under:
Observe: In manufacturing environments, you must select the choices based mostly in your company requirements, choose above options as i did may be a safety considerations for others, BE CAREFUL !
Finally, click on Finish as under:
The Coverage ought to be completed successfully as under:
The brand new Policy will seem in the Gateway Console:
The second essential thing, by default the NPS may have a network coverage to deny all requests as under, this policy is enabled by default:
Double click on the coverage, you possibly can see that the coverage deny all connections and ignore consumer account dial in properties:
Every consumer in AD have a consumer account dial in property, this feature by default will maintain the NPS to take the choice to allow consumer to access or not as under snapshot from my AD:
Even should you attempt to change the choice from AD to Permit Entry, that is won’t impact as the default NPS policy is to disregard this value from AD.
Now we have to change the choice to be Grant Access as under, again should you missed this feature no customers will be capable of entry any resource by way of the gateway:
Now, you need to see that the coverage have a Grant Entry as an access sort as under:
The third necessary step, that we have to configure the RD Gateway certificates, I am utilizing public certificate and i feel you need to use a personal certificates from your inner CA but you have to ensure that the shopper machine trust the CA certificates, based mostly on my testing in the event you don’t configure the gateway certificates the connection to gateway externally won’t work, additionally should you determine to use the IP of GW as an alternative of the identify it won’t work also as we’ll see this in the teasing half.
to configure the certificate, open the gateway console, select the properties of the server identify as under:
Beneath the certificates Tab, choose the option to import the certificate and continue the course of, from under snapshot you’ll be able to discover that i’m utilizing a Public certificate issued by DigiCert, additionally you’ll be able to see that my certificates is a wild card so i can access the Gateway utilizing any identify finish with my domain identify in the format of: xxxxxx.JoTechLab.com, in case you don’t use a wild card certificates, then make it possible for the identify which will probably be used to publish the Gateway externally is included in the certificate SAN:
Now, the last item we need to do is to configure the MFA server, to try this launch the MFA console and Go to “Radius Authentication” tab as under, be sure that “Enable RADIUS Authentication” is checked, then click on in Add button:
As you’ll be able to see from under snapshot, the Auth and Accounting have particular ports, if there’s any network system that forestall these ports it’s essential permit them.
Add the IP of the Gateway Server, give any pleasant identify beside the Software Identify area, then enter the shared secret key, the key that SHOULD be used right here should match the one we configured in the gateway console (We referred to as GATEWAY SECRET KEY should you Keep in mind), finally click OK:
Now, from the target TAB, select RADIUS Server(s) choice and click Add as under:
You possibly can see that there is a Server timeout choice, i recommend to extend it to 45 seconds to keep away from any day trip in the MFA process, i forgot to do that in my lab.
Once more, Add the IP of the NPS server (in our case the similar IP of GW), enter the sahred Secret Key, once more this should match the secret key we utilized in the NPS configurations, when you keep in mind we referred to as it NPS SECRET KEY:
Now to check this, we have to configure a check consumer, to try this we need to add the consumer to the MFA console, there are a number of ways to try this, i choose the best one, Simply go to the customers Tab, then click on Import from Lively Directory:
Find the consumer and add it as under, in my instance i will add a consumer referred to as “Mohamad” then click on Import as under:
Now, choose the consumer from the MFA console and Click on Edit, be sure that the consumer have a legitimate telephone number, if the worth is wrong or empty you possibly can fill it from MFA instantly as often it’s imagined to import these information from native AD, fill the country code, Telephone quantity and the MFA Technique and lastly make certain to allow the consumer, Click Apply as under:
From MFA console and beneath Customers tab, verify that the consumer exist and configured as under:
Now the remaining part is the testing one, to test this i’ll access a goal server using RDP connection, the Personal IP of target server is 192.168.zero.10, from my machine which is situated externally from servers community, i’ll launch MSTSC /Admin, in the pc subject i’ll enter the Personal IP of the detestation server as under:
Now, from Advance Tab, click on the Settings button as under:
Choose “Use These RD Gateway Server Settings” choice, enter the Identify of the of the RD Gateway server that’s accessible externally as under then click on OK:
Here there’s a essential observe, based mostly on my testing you can’t enter the public IP of the gateway as a result of the connection will failed with certificate error as we discussed earlier in this article and as appears under, perhaps there’s one other strategy to configure it, but at the least this is what i discover in my lab:
You possibly can see that in my connection i used RG.JoTechLab.com which is point to the public IP of my Gateway server, as we mentioned before since i have a wild card certificates then this identify is covered by my certificate.
Now enter the Credentials then click on OK as under:
Based mostly on the Coverage that we created in previous steps, only the customers who are member of HOME Customers group will probably be allowed to access the gateway, the Consumer Mohamad already member of this group as under:
Now the connection began:
Finally, i received the MFA challenge in my cellular as under snapshot, it ask me to press the # key to continue:
once i responded to the MFA challenge efficiently the connection was allowed as under:
For instance if i didn’t reply to the MFA problem then the connection can be denied as under:
As a conclusion, on this article we coated the implementation of securing the RDP connection with Azure MFA using gateway/NPS server, in Next article we’ll talk about a quite common issues, Also we’ll talk about easy methods to troubleshoot the issues related to this deployment starting by reading the gateway and NPS logs ends with understanding the MFA logs.
Keep Tuned ?
Ahmad Yasin is a Microsoft Cloud Engineer and the Owner & publisher of AzureDummies weblog. He also holds many certificates in office 365 and windows azure together with Creating Microsoft Azure Solutions, Implementing Microsoft Azure Infrastructure Solutions and MCSA workplace 365.
Discover Ahmad at Fb and LinkedIn.