ADFS 4.0 and Azure MFA with Remote Desktop Gateway

  • Question

  • Hey, I have deployed an ADFS 4.0 (Server 2016) farm (with upgraded farm level) and have connected it to Azure MFA successfully (following: https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa?f=255&MSPPError=-2147217396). Now that I have this working, I am trying to configure it to protect Remote Desktop Gateway with MFA (I have been following this guide: https://technet.microsoft.com/en-us/library/dn765486.aspx).

    I have got this working protecting RD Web Access, but it doesn't seem to work using RD Gateway via the native mstsc client. This also presents a major problem, as it breaks the ability to add RemoteApp workspaces via the Control Panel, breaks the ability to use the RD Client on iOS and Android to add RemoteApp workspaces, and breaks the ability to connect via RD Gateway to Windows machines using mstsc.exe. Looking at how it works, it seems that all connections must originate from the RD Web Access web page via the Internet Explorer browser? Is that correct? Currently, our users use mobile devices and mstsc.exe clients almost exclusively to access resources using RD Gateway, and RD Web Access via IE does not meet all the needs.

    Has anyone been able to make this work using these other clients besides RD Web via IE? If so, any thoughts on what I might be missing?  Thanks!

    Thursday, December 1, 2016 12:11 AM

All replies

  • Has anyone tried to protect RD Gateway with Azure MFA?
    Thursday, January 12, 2017 2:24 PM
  • Still no one using Azure MFA with RDGW? Anyone at MSFT?
    Monday, April 10, 2017 3:21 PM
  • Hi bcehr, did you ever get any further with this? I am now trying to determine whether to use ADFS (which we already use for O365 access) + Azure MFA, or NPS + Azure MFA, to provide two-factor authentication for our RD Gateway/RDS farm. I can see drawbacks to both approaches.
    Saturday, May 19, 2018 6:47 AM
  • RDS is a mess right now when it comes to federated logon, which is essentially anything encapsulating AAD/ADFS logons.

    The new HTML5 client capability supports neither the Azure AD Application Proxy nor the AD FS Web Application Proxy, which is mind-boggling. It's not all darkness though; RDS MI, in preview, is the key to solving this (or so it seems), since it aims to bridge the gap between legacy logon (RDS) and modern logon (conditional access/MFA etc.). I see light.. distant light (in preview).


    Thursday, May 24, 2018 11:07 PM
  • Leon, sorry for the delay, but yeah, I agree with Mylo, a lot of RDS is a mess right now with regard to Azure AD and other modern technologies. Hopefully everything is fixed with the dream of RDmi.

    I never could get this to work in a reasonable way based on the methods of the originally linked URL. I eventually did find a reasonable solution with the Azure MFA NPS Extension. It's far from perfect because the user doesn't get any feedback that RD is waiting for MFA, and the timeout is very short. However, with some user training, we were able to get it rolled out. 

    Here is a link to the documentation we used to get it working: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-rdg

    Tuesday, May 29, 2018 1:33 PM
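The reply above settles on the Azure MFA NPS Extension and notes that its failure mode from the user's side is silence followed by a timeout. The script below is an added example, not code from this thread, from Microsoft, or from the linked how-to: a health check to run on the NPS server hosting the extension when a Gateway logon hangs and then fails. It assumes the extension keeps its settings under HKLM:\SOFTWARE\Microsoft\AzureMfa (TENANT_ID, REQUIRE_USER_MATCH), that the setup script issued a client certificate whose subject begins with CN=<tenant id>, and that the extension logs to the Microsoft-AzureMfa-AuthZ/AuthZOptCh and AuthZAdminCh channels; check those names against your extension version. The NPS Security-log event IDs 6272 (granted), 6273 (denied) and 6274 (discarded) are standard NPS auditing.

```powershell
<#
  Added example (not from the thread): triage an RD Gateway -> NPS -> Azure MFA NPS Extension
  chain from the NPS server. Run elevated. Assumed names (verify for your version):
    registry key HKLM:\SOFTWARE\Microsoft\AzureMfa with TENANT_ID / REQUIRE_USER_MATCH
    client certificate subject CN=<TenantId>... in Cert:\LocalMachine\My
    log channels Microsoft-AzureMfa-AuthZ/AuthZOptCh and Microsoft-AzureMfa-AuthZ/AuthZAdminCh
#>
param(
    [int]$Minutes = 60,     # how far back to look
    [string]$User           # optional: only count NPS decisions mentioning this account
)

$since = (Get-Date).AddMinutes(-$Minutes)

# 1. Registration: no key means the extension's setup script never ran on this box.
$cfg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\AzureMfa' -ErrorAction SilentlyContinue
if (-not $cfg) {
    Write-Warning 'HKLM:\SOFTWARE\Microsoft\AzureMfa not found: extension not installed or not registered'
} else {
    "Tenant: $($cfg.TENANT_ID)  REQUIRE_USER_MATCH: $($cfg.REQUIRE_USER_MATCH)"

    # 2. The extension authenticates to Azure with a certificate (assumed subject CN=<TenantId>...).
    #    An expired or missing one fails every second factor with nothing shown to the user.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$($cfg.TENANT_ID)*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert)                        { Write-Warning 'No extension client certificate for this tenant in LocalMachine\My' }
    elseif ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Extension certificate expired on $($cert.NotAfter)" }
    else                                   { "Certificate $($cert.Thumbprint) valid until $($cert.NotAfter)" }
}

# 3. RADIUS outcomes from NPS auditing. Denials/discards with no matching extension event in
#    step 4 point at the Gateway giving up before the phone prompt was answered.
$nps = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273, 6274; StartTime = $since } `
       -ErrorAction SilentlyContinue
if ($User) { $nps = $nps | Where-Object { $_.Message -match [regex]::Escape($User) } }
$nps | Group-Object Id | ForEach-Object {
    $g = $_
    $label = switch ($g.Name) { 6272 { 'granted' } 6273 { 'denied' } 6274 { 'discarded' } }
    "NPS $($g.Name) ($label): $($g.Count)"
}
# Reason lines of the latest denials: wrong policy, bad credentials and timeouts all surface here.
$nps | Where-Object Id -eq 6273 | Select-Object -First 5 | ForEach-Object {
    ($_.Message -split "`r?`n" | Where-Object { $_ -match '^\s*(Reason Code|Reason|Authentication Type):' }) -join ' | '
}

# 4. What the extension itself recorded (second-factor result, Azure connectivity errors).
foreach ($log in 'Microsoft-AzureMfa-AuthZ/AuthZOptCh', 'Microsoft-AzureMfa-AuthZ/AuthZAdminCh') {
    $ev = Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue
    "$log : $(@($ev).Count) events"
    $ev | Select-Object -First 5 TimeCreated, Id, @{ n = 'Text'; e = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize
}
```

Read the two halves together: NPS denials or discards that have no corresponding extension event in the same window mean the request never got to the second factor (RADIUS client, shared secret, or the Gateway's timeout), while extension events without a later 6272 mean Azure answered but the Gateway had already given up. The timeout itself is not something this script changes; as the linked how-to describes, it lives in the Remote RADIUS Server Group settings on the RD Gateway's own NPS.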