Remote Desktop Connection using Azure MFA

Hello Everyone,

I am facing a little problem now. We are thinking of implementing MFA to log in to our on-prem servers from the internal network. Obviously we can use some third-party tools such as DUO or AD Professional Plus. However, from what I can see there is a possibility to use RD Gateway with NPS that has the MFA plugin on it. I just need to understand something correctly: am I right in saying that I can route all RDP traffic to all the servers through an RD Gateway that will redirect authentication through NPS to Azure MFA, or is it a no-go?

Regards,

Wojciech

8 Replies

@mrktos 

I currently have two servers set up as jump servers for RDP using Azure MFA on-premises. My setup has one installation on each server and they act as a cluster, staying in sync. I believe you can achieve the same results using a serverless approach by following the steps outlined here using the NPS extension: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension 

This will allow you to get the same results. I hope this helps; I originally started administering MFA 6 years ago using PhoneFactor, which evolved into Windows Azure Multi-Factor Authentication Server. Our environment is PCI and this approach has worked well for us.

@BeAzure we have exactly the same topology, so we use jump servers to connect to other servers. My question now is: do you include the NPS role on these jump servers? Can you share a little bit more with me about how you have completed this setup?

Regards,

Wojciech

@mrktos 

I've found the NPS extension to work great at MFA-protecting all NPS requests. In addition to all RDP connections, we even have our Cisco firewall and switch logins (RADIUS auth to the NPS server) protected with Azure AD + MFA now.

One key thing that I struggled with early on was trying to have the MFA NPS extension installed on the same server as the RDG (RD Gateway) server. You need to have RDG on its own server, and NPS with the extension on its own server; otherwise there are unresolvable auth issues that occur.

@PrestonM I can confirm I got this working today with the NPS extension; setup was straightforward. Thank you all for the support.

@mrktos Does Azure MFA with RDS work with SMS messages and phone calls?

If so, can you share any pic of how it looks?

Thanks

Dear @Bhavnash,

It works with the Microsoft Authenticator app installed on your smartphone.

You will receive an approval popup each time you try to access a computer via RDS (published desktop or via the Microsoft Remote Desktop Connection tool with RD Gateway settings).

You will just need to select "Approve" on your smartphone, then type your Microsoft Authenticator app code to open it.

Cheers,

@SalahM13 Thanks for the reply. I tried it, but my app gets the request and once I approve it, it keeps on prompting and then does nothing. It's like the NPS server is not sending the approval request back to the gateway server.
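The two-host topology PrestonM describes (RD Gateway on one server, NPS with the Azure MFA NPS extension on another), scripted as an added example that is not code from the thread or from Microsoft. It also covers the one setting most often behind the "approve, then prompted again" symptom reported just above: the gateway's local NPS forwards the RADIUS request to the remote server group and gives up after its default timeout, which is shorter than a push approval takes. Host names, the address and the path to the extension installer are assumptions; the `netsh nps` parameter names, the registry value and the event channels are the documented ones, but check them against the current Microsoft guide before relying on them.

```powershell
# Added example: RD Gateway -> NPS (Azure MFA NPS extension) -> Azure MFA.
# Dot-source this file, then run ONE function per host:
#   Set-RdgRadiusTimeout  on the RD Gateway
#   Register-RdgOnNps     on the NPS server
#   Test-NpsMfaLogon      on the NPS server after a test RDP logon
# All names, addresses and paths below are assumptions for illustration.

$Nps   = 'nps01.corp.example'   # assumed: NPS host that carries the Azure MFA extension
$Rdg   = 'rdg01.corp.example'   # assumed: RD Gateway host (no extension installed here)
$RdgIp = '10.10.0.5'            # assumed: RD Gateway address as the NPS server sees it

function Set-RdgRadiusTimeout {
    # Prerequisite done in RD Gateway Manager > Properties > RD CAP Store:
    # "Central server running NPS" = $Nps, with the shared secret. That switch
    # makes the gateway's local NPS forward Access-Requests to the remote RADIUS
    # server group "TS GATEWAY SERVER GROUP". Its default timeout expires before
    # a user can tap Approve, so the gateway treats the request as dropped and
    # re-prompts even though Azure MFA accepted it. Microsoft's RDG + NPS
    # extension guide sets both values to 60 seconds.
    netsh nps set remoteserver remoteservergroup="TS GATEWAY SERVER GROUP" address="$Nps" timeout="60" blackout="60"
}

function Register-RdgOnNps {
    # NPS silently discards RADIUS traffic from hosts it does not know, so the
    # gateway must be added as a RADIUS client with the same shared secret that
    # was entered in the RD CAP Store dialog. The secret is read at run time
    # rather than stored in the script.
    $secure = Read-Host -AsSecureString -Prompt 'RADIUS shared secret (same as on the RD Gateway)'
    $plain  = [Net.NetworkCredential]::new('', $secure).Password
    netsh nps add client name="$Rdg" address="$RdgIp" state="enable" sharedsecret="$plain" requireauthattrib="no"

    # Install NpsExtnForAzureMfaInstaller.exe (downloaded from Microsoft) first.
    # The setup script it ships prompts for the tenant ID and registers a
    # self-signed certificate with Azure AD for the extension's service principal.
    Push-Location 'C:\Program Files\Microsoft\AzureMfa\Config'   # documented install path
    .\AzureMfaNpsExtnConfigSetup.ps1
    Pop-Location

    # Fail closed: a user who exists in AD but has no MFA method registered in
    # Azure must be denied, not passed through on password alone.
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\AzureMfa' -Name 'REQUIRE_USER_MATCH' -Value 'TRUE'

    Restart-Service -Name IAS    # IAS is the NPS service; the extension loads at start
}

function Test-NpsMfaLogon {
    # NPS audit events in the Security log: 6272 = access granted, 6273 = denied.
    # If nothing appears, enable the subcategory first:
    #   auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } -MaxEvents 5 |
        Select-Object TimeCreated, Id, Message

    # The extension's own channel shows the MFA leg (challenge sent, approved,
    # denied, or timed out), which is where a gateway-side timeout becomes visible:
    # the extension records a success that the gateway never waited for.
    Get-WinEvent -LogName 'Microsoft-AzureMfa-AuthZ/AuthZOptCh' -MaxEvents 5 |
        Select-Object TimeCreated, Id, Message
}
```

If `Test-NpsMfaLogon` shows 6272 on the NPS server while the client is still prompted, the problem is on the gateway side (timeout or shared-secret mismatch), not in the extension; if it shows 6273 with a user-match reason, the account has no MFA method registered and `REQUIRE_USER_MATCH` is doing its job.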

@PrestonM Question: looking through the document from itnetworks.com below, it suggests that NPS runs on an AD server. Have you seen anything to suggest that to be necessary? I have our NPS on its own server, which we have been using for wireless, and I was thinking of implementing MFA for RDP on the same server. Also, do you see any reason I could not use our NPS servers at our other sites the same way for wireless and MFA?

https://www.itnetworks.com.au/how-to-configure-mfa-for-rds/