Azure Multi-Factor Authentication Server with Remote Desktop Gateway – Part 2

In Part 1 we configured a 2-Way SMS second factor of authentication and configured Remote Desktop Gateway to use the MFA server. In Part 2 we will configure a Web Service endpoint for using the Azure Authenticator Mobile App.

Ensure you meet the requirements below:

  • You must be using v6.0 or higher of the Azure Multi-Factor Authentication Server
  • Mobile App Web Service must be installed on an Internet-facing web server running Microsoft® Internet Information Services (IIS) 7.x or higher. For more information on IIS see IIS.NET.
  • Ensure ASP.NET v4.0.30319 is installed, registered and set to Allowed
  • Required role services include ASP.NET and IIS 6 Metabase Compatibility
  • Mobile App Web Service must be accessible via a public URL
  • Mobile App Web Service must be secured with an SSL certificate.
  • The Azure Multi-Factor Authentication Web Service SDK must be installed in IIS 7.x or higher on the server that the Azure Multi-Factor Authentication Server
  • The Azure Multi-Factor Authentication Web Service SDK must be secured with an SSL certificate.
  • Mobile App Web Service must be able to connect to the Azure Multi-Factor Authentication Web Service SDK over SSL
  • Mobile App Web Service must be able to authenticate to the Azure Multi-Factor Authentication Web Service SDK using the credentials of a service account that is a member of a security group called “PhoneFactor Admins”. This service account and group exist in Active Directory if the Azure Multi-Factor Authentication Server is running on a domain-joined server. This service account and group exist locally on the Azure Multi-Factor Authentication Server if it is not joined to a domain.
  1. Install the Web Service SDK
     • Automatically create required group
  2. Install the Mobile App Web Service. Browse to C:\Program Files\Multi-Factor Authentication Server and run MultiFactorAuthenticationMobileAppWebServiceSetup64.msi (choose the 32-bit installer if required)
  3. You could change the Virtual Directory to a short name, as end users will type it. In this example the default MultiFactorAuthMobileAppWebService is used
  4. Create a Service Account in Active Directory and make sure the user is a member of the “PhoneFactor Admins” security group
  5. Browse to C:\inetpub\wwwroot\MultiFactorAuthMobileAppWebService and edit Web.config. Locate the WEB_SERVICE_SDK_AUTHENTICATION_USERNAME and WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD keys and set the values to the username and password of the service account that is a member of the PhoneFactor Admins security group in the previous step
  6. Locate the ApplicationSettings section pfpaws.Properties.Settings and change the value of pfpaws_pfwssdk_PfWsSdk from “https://www.contoso.com/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx” to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. https://mfa.merlus.com/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx)
  7. Configure the Mobile App Settings on the MFA Server
  8. Install the User Portal and configure it with the following settings: Allow Users to Log in, Allow user enrolment, Allow Users to activate mobile app
  9. Change the option for the user to Mobile App
  10. Click the Mobile App Devices tab and Generate Activation Code, or log on to the User Portal and self-service activate
  11. Install the Azure Authenticator App on your mobile device and enter the Code and URL, or scan the QR Code
  12. After you have added the account to the mobile app and tested the authentication you will be asked to fill out additional security questions
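Steps 5 and 6 edit Web.config by hand. The PowerShell below is an added example, not part of the original post or of the MFA Server product: it makes the same two edits as XML, checks the Web Service SDK endpoint over SSL first, and then protects the appSettings section so the service account password does not sit in clear text on an Internet-facing server. It assumes the standard .NET layout of the Mobile App Web Service Web.config (appSettings `<add key=...>` entries and an applicationSettings/pfpaws.Properties.Settings `<setting>` element), and the hostname and account name are placeholders.

```powershell
# Added example (not from the original post): apply steps 5 and 6 with PowerShell.
# Placeholders: mfa.example.com and CONTOSO\svc-mfa-mobileapp. The account must be a
# member of the "PhoneFactor Admins" group described in the requirements.
$webConfig = 'C:\inetpub\wwwroot\MultiFactorAuthMobileAppWebService\Web.config'
$sdkUrl    = 'https://mfa.example.com/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx'
$svcCred   = Get-Credential -UserName 'CONTOSO\svc-mfa-mobileapp' -Message 'Service account password'

# 1. Confirm the Web Service SDK answers over SSL with these credentials before the
#    Mobile App Web Service depends on it. A certificate name mismatch or a wrong
#    group membership fails here, where it is easy to diagnose.
try {
    Invoke-WebRequest -Uri "$sdkUrl`?WSDL" -Credential $svcCred -UseBasicParsing -ErrorAction Stop | Out-Null
} catch {
    throw "Web Service SDK check failed for $sdkUrl : $($_.Exception.Message)"
}

# 2. Back up Web.config and edit it as XML rather than with string replacement.
#    Assumed layout: standard .NET appSettings and applicationSettings sections.
Copy-Item $webConfig "$webConfig.bak" -Force
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($webConfig)

$user = $xml.SelectSingleNode("//appSettings/add[@key='WEB_SERVICE_SDK_AUTHENTICATION_USERNAME']")
$pass = $xml.SelectSingleNode("//appSettings/add[@key='WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD']")
$url  = $xml.SelectSingleNode("//applicationSettings/pfpaws.Properties.Settings/setting[@name='pfpaws_pfwssdk_PfWsSdk']/value")
if (-not ($user -and $pass -and $url)) {
    throw 'Expected Web.config entries not found; the file layout differs from what this script assumes'
}

$user.SetAttribute('value', $svcCred.UserName)
$pass.SetAttribute('value', $svcCred.GetNetworkCredential().Password)
$url.InnerText = $sdkUrl
$xml.Save($webConfig)

# 3. The password is now in clear text in Web.config. Encrypt the appSettings section
#    with the DPAPI (machine-key) provider; ASP.NET decrypts protected sections
#    transparently when the application reads its configuration, so no code change
#    is needed. Uses the ASP.NET v4.0.30319 tooling named in the requirements.
$regiis = "$env:windir\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
& $regiis -pef 'appSettings' (Split-Path $webConfig) -prov 'DataProtectionConfigurationProvider'
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis failed with exit code $LASTEXITCODE" }
```

Run it in an elevated PowerShell session on the IIS server hosting the Mobile App Web Service; the DPAPI-protected section can only be decrypted on that machine, so repeat the script rather than copying the encrypted Web.config to another server.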