RD Gateway with NPS and Azure MFA

  • Question

  • Hello everyone,

    I am trying to set up RDG with MFA on Windows 2016. I have followed countless instructions and cannot seem to get the NPS part to work. I can log into the remote desktop without issue; however, it never authenticates with Azure. When I look at the logs for NPS I see absolutely nothing, and when I check the logs for the NPS extension it's the same: nothing. I just can't figure out what part I am doing wrong and why there is nothing in the logs. Let me know if anyone has some suggestions.

    Saturday, August 3, 2019 7:33 PM

All replies

  • Hi,
    There is a document for your reference first:
    https://social.technet.microsoft.com/Forums/en-US/fd0cf9fa-68f8-4c00-b5a7-f8374164207c/window-server-2016-as-jump-serverbox-best-practice-and-rdp-logging?forum=winserversecurity

    Best Regards
    Andy YOU
    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Monday, August 5, 2019 5:59 AM
    Moderator
  • These all look to refer to on-premises MFA. I am not using on-premises MFA.
    Monday, August 5, 2019 4:16 PM
  • Hi,

    Have you confirmed that RD Gateway is being used for the connection?  For example, connect via RDWeb and then open RD Gateway Manager and check to see if the connection is there under Monitoring.  By default Monitoring doesn't auto-refresh, so you need to refresh it manually to see the most current information.  If the connection is not shown in RD Gateway Manager, please verify that you have "Bypass RD Gateway server for local addresses" unchecked in RDS Deployment Properties, RD Gateway tab.  Additionally, you would want to only allow incoming 3389 from the RD Gateway's IP address on your broker and session hosts to prevent people from bypassing your RDG.

    -TP

    Monday, August 5, 2019 4:35 PM
    Moderator
  • TP,

    Thanks for your response. I unchecked the Bypass RD Gateway, then logged into the RDWeb portal. When I check monitoring, it does not show that I am logged in? Where am I logging into if not there?


    G

    Wednesday, August 7, 2019 2:38 AM
  • TP,

    Thanks for your response. I unchecked the Bypass RD Gateway, then logged into the RDWeb portal. When I check monitoring, it does not show that I am logged in? Where am I logging into if not there?


    G

    Hi,

    Are you launching one of the published RemoteApps or the published desktop icon for the collection?  Or, are you using the "Connect to a remote PC" tab?  There is an additional configuration step to allow Connect to a remote PC tab to work with RDG.

    Please note, you don't use RD Gateway just to log on and view the icons on RDWeb.  RD Gateway is used when you make a connection using one of the published icons for the collection.

    To answer your last question, if you have Bypass checked the Remote Desktop client will attempt to bypass the RD Gateway server and connect directly to the broker and session hosts.  If the connection bypasses RDG then no MFA is triggered, since use of RDG is what requires MFA.  RDWeb doesn't require MFA in your configuration, in case you are wondering.  It's okay that there is no MFA for RDWeb since it is just a publishing mechanism for the .rdp files/icons and doesn't handle the RDP traffic.

    Thanks.

    -TP

    Wednesday, August 7, 2019 2:49 AM
    Moderator
  • I logged into rdweb and used the connect to remote PC. I originally had Bypass checked but have since unchecked it. What have I done wrong here?

    G

    Wednesday, August 7, 2019 2:59 AM
  • I logged into rdweb and used the connect to remote PC. I originally had Bypass checked but have since unchecked it. What have I done wrong here?

    For the moment, DO NOT use Connect to a remote PC tab--launch a published RemoteApp via the icon, or, if the session collection doesn't have any RemoteApps published, use the full desktop icon that will show up instead.

    Since you have Bypass unchecked in the RDS deployment properties your connection should use the RD Gateway server and thus trigger the MFA.

    On RDWeb server, open IIS Manager.  In left pane, navigate to and select Default Web Site\ RDWeb\ Pages\.  In middle pane, double-click Application Settings and set DefaultTSGateway to the FQDN of your RD Gateway server.

    -TP

    • Marked as answer by garabed111 Friday, August 9, 2019 7:29 PM
    Wednesday, August 7, 2019 3:09 AM
    Moderator
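    The three checks TP describes in this answer and in the earlier reply (deployment-level Bypass setting, DefaultTSGateway in the RDWeb Pages application settings, and allowing 3389 only from the RD Gateway) as one added PowerShell example; this is not code from the thread or from Microsoft, and the broker FQDN, gateway FQDN and gateway IP are placeholders. It assumes the RemoteDesktop, WebAdministration and NetSecurity modules are present on the respective servers.

```powershell
# Added example (not from the thread). Placeholders, adjust to your environment:
$ConnectionBroker = 'broker.corp.example'   # placeholder: RD Connection Broker FQDN
$GatewayFqdn      = 'rdg.corp.example'      # placeholder: external FQDN of the RD Gateway
$GatewayIp        = '10.0.0.5'              # placeholder: internal IP of the RD Gateway

# 1. Run on the broker: deployment-level RD Gateway settings (Deployment Properties, RD Gateway tab).
#    If BypassLocal is $true, clients go straight to the hosts and NPS/Azure MFA is never consulted.
function Test-RdgDeployment {
    $gw = Get-RDDeploymentGatewayConfiguration -ConnectionBroker $ConnectionBroker
    if ($gw.GatewayMode -ne 'Custom' -or $gw.GatewayExternalFqdn -ne $GatewayFqdn -or $gw.BypassLocal) {
        Write-Warning "Mode '$($gw.GatewayMode)', FQDN '$($gw.GatewayExternalFqdn)', BypassLocal $($gw.BypassLocal): fixing"
        Set-RDDeploymentGatewayConfiguration -ConnectionBroker $ConnectionBroker -GatewayMode Custom `
            -GatewayExternalFqdn $GatewayFqdn -LogonMethod Password -UseCachedCredentials $true `
            -BypassLocal $false -Force
    }
}

# 2. Run on the RD Web Access server: the IIS Manager step from the answer, so that the
#    "Connect to a remote PC" tab also hands the client the RD Gateway instead of a direct connection.
function Set-RdWebDefaultGateway {
    Import-Module WebAdministration
    $pagesPath = 'IIS:\Sites\Default Web Site\RDWeb\Pages'
    $filter    = 'appSettings/add[@key="DefaultTSGateway"]'
    $current   = (Get-WebConfigurationProperty -PSPath $pagesPath -Filter $filter -Name value).Value
    if ($current -ne $GatewayFqdn) {
        Write-Warning "DefaultTSGateway is '$current', setting it to $GatewayFqdn"
        Set-WebConfigurationProperty -PSPath $pagesPath -Filter $filter -Name value -Value $GatewayFqdn
    }
}

# 3. Run on each session host and the broker: accept 3389 only from the RD Gateway, so a client
#    that strips the gateway settings from the .rdp file cannot reach the host directly and skip MFA.
function Limit-RdpToGateway {
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'   # built-in rules allow 3389 from anywhere
    New-NetFirewallRule -DisplayName 'RDP inbound from RD Gateway only' -Direction Inbound `
        -Protocol TCP -LocalPort 3389 -RemoteAddress $GatewayIp -Action Allow -Profile Any
}
```

    Dot-source the script and call the function that matches the role of the server you are on; after step 3 the connection should appear under Monitoring in RD Gateway Manager and an entry should show up in the NPS extension logs.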
  • Well, that definitely changed something: when I tried connecting to the calculator I got a message that I am not authorized.
    Wednesday, August 7, 2019 3:27 AM
  • TP,

    Just wanted to thank you for your guidance.

    For anyone trying to get this working: I followed the documentation found below. I tried a few other instructions after failing the first time, but ultimately ended up going back to the original setup plus the few tips found above.

    https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-rdg



    Friday, August 9, 2019 7:29 PM
  • Hi,
    Thanks for your sharing. I am glad to hear that your issue is solved.

    Best Regards
    Andy YOU
    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, September 2, 2019 5:44 AM
    Moderator