Azure Multi-Factor Authentication Server with Remote Desktop Gateway – Part 1

Remote Desktop Gateway is a great way to provide secure access to remote server resources across corporate firewalls and proxies. To add a further layer of security, this blog will show you how to integrate it with Azure Multi-Factor Authentication (MFA) Server.

In this first part we will configure two-way SMS; in Part 2 we will configure it to work with the Microsoft Authenticator mobile app.

  1. Create an Azure Multi-Factor Authentication provider


  2. Click “MANAGE” to open up the configuration settings


  3. Click DOWNLOADS to download the MFA Server


  4. Click “Generate Activation Credentials” and record the details, as they will be used later. Click “Download” to begin the download


  5. Install and configure the Azure Multi-Factor Authentication Server on a separate server from your RDS Gateway

  6. Enter the activation credentials you saved in the previous step. If these do not work, generate new credentials, as they appear to be valid only for a short period of time.


  7. Continue with Configuration Wizard

    Replication between multiple MFA servers can be configured for HA

  8. We are going to use RADIUS to insert the MFA server in the authentication flow


  9. Enter the details of your RDS Gateway / NPS server and the shared secret. In this example the RDS Gateway is using a local NPS server.


  10. Configure the RADIUS Target as a RADIUS server and enter the same details as in the previous step, as the NPS server in our example will be both a Client and a Target.

  11. Open the MFA Server Console and finish the configuration. Click “RADIUS Authentication”


  12. Edit the Client, enter the application name “RDS Gateway”, and select the option “Require Multi-Factor Authentication user match”


  13. Click Users, then Import from Active Directory… and define your criteria to select users


  14. Edit the user and enter their Phone number and Country Code, select Text Message – Two-Way – OTP and select Enabled


  15. Select Test to check that it’s working before configuring the RD Gateway


  16. A text message will be sent to your phone; respond with the code and you will be notified that the test was successful


  17. Configure the RDS Gateway. Open RD Gateway Manager, right click the server and go to Properties. Select RD CAP Store and change the option to Central server running NPS. Enter the IP of the MFA Server and configure the Shared Secret used earlier.


  18. Configure the NPS Server. Open Network Policy Server > RADIUS Clients and Servers > Remote RADIUS Server Groups. Right click TS GATEWAY SERVER GROUP and select Properties


    Add… the MFA Server


    Click Authentication/Accounting tab and enter the Shared secret


    Click the Load Balancing tab and increase the timeout for a response to 60 seconds, so that the request is not dropped while the user is still replying to the SMS


  19. Create a RADIUS Client with the friendly name MFA (make a note of it, as it is used later) and enter the IP and Shared Secret of the MFA server.


  20. Configure Connection Request Policies. Right click TS GATEWAY AUTHORIZATION POLICY and select Duplicate Policy


    Rename the Duplicate Policy to “FROM MFA”, and select Policy enabled


    On the Conditions tab, add Client Friendly Name and enter the name used above, MFA


  21. Modify the policy TS GATEWAY AUTHORIZATION POLICY: click the Settings tab and change Authentication and Authorization to “Forward requests to the following remote RADIUS server group” and select TS GATEWAY SERVER GROUP

  22. Move the FROM MFA policy above TS GATEWAY AUTHORIZATION POLICY, so that requests coming back from the MFA server are authenticated locally rather than forwarded again


  23. Now, when connecting through the RD Gateway, the connection will remain pending until the SMS is answered with the code, at which point the connection is initiated.
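The policy ordering in step 22 and the 60-second timeout in step 18 are the two settings that most often break this flow. The following is an added example, not part of the original post or of any Microsoft tooling: a small Python model of how NPS processes Connection Request Policies top-down (first match wins), used to show why the FROM MFA policy must sit above the forwarding policy and why the remote server group timeout must cover the SMS round trip. The policy objects, the client friendly names, the hop limit and the short 3-second timeout are constructed values for this model.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of the NPS objects configured in the steps above.
@dataclass
class Policy:
    name: str
    client_friendly_name: Optional[str]  # Conditions tab; None = no client condition
    forward_to_group: Optional[str]      # Settings tab; None = authenticate locally

@dataclass
class NpsConfig:
    policies: List[Policy]   # Connection Request Policies in processing order
    group_timeout_s: int     # Load Balancing tab: seconds NPS waits for the group

def first_match(cfg: NpsConfig, client_friendly_name: str) -> Optional[Policy]:
    """NPS evaluates Connection Request Policies top-down; the first match wins."""
    for p in cfg.policies:
        if p.client_friendly_name in (None, client_friendly_name):
            return p
    return None

def simulate_logon(cfg: NpsConfig, sms_reply_delay_s: int, max_hops: int = 4) -> str:
    """Follow one gateway logon through NPS and the MFA server.
    Returns 'accept', 'timeout' (user replied after NPS stopped waiting) or
    'loop' (request bounced back to the MFA group instead of being authenticated)."""
    client = "RD Gateway"  # hop 1: the gateway's own RD CAP request to local NPS
    for _ in range(max_hops):
        policy = first_match(cfg, client)
        if policy is None:
            return "reject"
        if policy.forward_to_group is None:
            return "accept"  # FROM MFA path: NPS authenticates against AD locally
        # Forwarded to the MFA server group; the MFA server sends the SMS and waits
        if sms_reply_delay_s > cfg.group_timeout_s:
            return "timeout"
        # After the user replies, the MFA server proxies the request back to NPS,
        # where it arrives from the RADIUS client with friendly name "MFA"
        client = "MFA"
    return "loop"

FROM_MFA = Policy("FROM MFA", client_friendly_name="MFA", forward_to_group=None)
TS_GW = Policy("TS GATEWAY AUTHORIZATION POLICY", None, "TS GATEWAY SERVER GROUP")

CORRECT = NpsConfig([FROM_MFA, TS_GW], group_timeout_s=60)        # steps 18 and 22
WRONG_ORDER = NpsConfig([TS_GW, FROM_MFA], group_timeout_s=60)    # step 22 skipped
SHORT_TIMEOUT = NpsConfig([FROM_MFA, TS_GW], group_timeout_s=3)   # step 18 timeout left short

if __name__ == "__main__":
    for label, cfg in (("correct", CORRECT), ("wrong order", WRONG_ORDER), ("short timeout", SHORT_TIMEOUT)):
        print(label, "->", simulate_logon(cfg, sms_reply_delay_s=20))
```

Run it and the three configurations print accept, loop and timeout respectively; the loop case is what you see when the duplicated policy is left below the forwarding policy.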