Forum Discussion
Users from a trusted domain cannot connect to remote desktop gateway
I'm guessing this is the reason:
After May 8, 2023, when number matching is enabled for all users, anyone who performs a RADIUS connection with NPS extension version 1.2.2216.1 or later will be prompted to sign in with a TOTP method instead.
Users must have a TOTP authentication method registered to see this behavior. Without a TOTP method registered, users continue to see Approve/Deny.
Prior to the release of NPS extension version 1.2.2216.1 after May 8, 2023, organizations that run earlier versions of NPS extension can modify the registry to require users to enter a TOTP. For more information, see NPS extension.
Hey Mattias1305,
Yes and no 🙂
The issue described above has been "fixed" by using local group on the server instead of AD groups (for gateway rules). Of course in local groups I set domain groups of the trusted domain.
In the meantime we moved to Win 2022 and I didn't have to do that; it worked like a charm directly, even with trusted groups.
Good luck!
Vincent
- Mattias1305 (Nov 21, 2023, Copper Contributor)
I'm glad you fixed it. We worked it out also: it was the "StrongAuthMethods" in Entra AD that had defaulted to "PhoneAppOTP" instead of the previous "PhoneAppNotification". Obviously the OTP will never work with a standard rdp-file connection since you can't input the OTP anywhere.
We found a way to change the default values in Entra through PowerShell. Since May 8th 2023 the PhoneAppOTP seems to be the standard when users enroll MFA.
Now we have another known problem and it is the NPS maxing out the CPU and memory due to some kind of loop when the secondary auth gets sent to Entra. I guess you didn't encounter this?
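As an added example (not the poster's script and not from the thread), the following PowerShell audits which users have PhoneAppOTP as their default strong authentication method and switches the default back to PhoneAppNotification where that method is registered. It assumes the MSOnline module (now deprecated by Microsoft, but it exposes the per-user StrongAuthenticationMethods property the post refers to) is installed and that the account used holds a role allowed to change per-user MFA settings; the `Get-MsolUser -All` scan and the `IsDefault` bookkeeping are the assumptions here.

```powershell
# Added example, not from the original thread. Assumes the MSOnline module
# and an admin account permitted to modify per-user MFA methods.
Import-Module MSOnline
Connect-MsolService

# 1. Audit: find users whose default method is PhoneAppOTP. These users hit
#    the TOTP prompt from the NPS extension, which an .rdp connection to the
#    RD Gateway cannot answer.
$affected = Get-MsolUser -All | Where-Object {
    $_.StrongAuthenticationMethods |
        Where-Object { $_.IsDefault -and $_.MethodType -eq 'PhoneAppOTP' }
}

$affected | Select-Object UserPrincipalName,
    @{ n = 'Methods'; e = {
        ($_.StrongAuthenticationMethods | ForEach-Object {
            # Mark the current default with an asterisk for readability
            "$($_.MethodType)$(if ($_.IsDefault) { '*' })"
        }) -join ','
    } }

# 2. Remediate: rebuild the method list with PhoneAppNotification as the
#    default, keeping every other registered method (including OTP) intact.
foreach ($u in $affected) {
    $methods = foreach ($m in $u.StrongAuthenticationMethods) {
        $new = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
        $new.MethodType = $m.MethodType
        $new.IsDefault  = ($m.MethodType -eq 'PhoneAppNotification')
        $new
    }

    # Only write back if the user actually has push registered; otherwise
    # no method would be default and the user would be left without MFA.
    if ($methods.MethodType -contains 'PhoneAppNotification') {
        Set-MsolUser -UserPrincipalName $u.UserPrincipalName `
                     -StrongAuthenticationMethods $methods
        Write-Host "Default set to PhoneAppNotification for $($u.UserPrincipalName)"
    }
    else {
        Write-Warning "$($u.UserPrincipalName) has no PhoneAppNotification registered; skipped"
    }
}
```

Run the audit section first on its own and review the list before letting the loop write anything back; push approvals still go through number matching after the May 2023 change, so this only restores the Approve/Deny flow the gateway can complete, it does not weaken the MFA policy itself.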