RDS 2016 Deployment with Azure MFA integration

  • Question

  • Hello all,

    My plan is to deploy remote apps to be available externally with Azure MFA.

    My current setup:

    Windows Server 2016 -1: RD Session Host, Connection Broker, RD Web Access, RD Licensing, NPS with Azure extension

    Windows Server 2016 -2: RD Gateway, NPS

    Windows Server 2012 R2 -3: DC - Active Directory, which is synced with Azure AD

    I have configured the servers using the steps provided in TechNet articles.

    A self-signed certificate has been created and installed on RD Gateway, RD Web and Connection Broker.

    The self-signed certificate is installed on the remote computer.

    RADIUS is configured on the NPS.

    RD Gateway is configured, and NPS on the gateway server.

    Currently I can access web apps internally and externally. I can log in, but I don't receive a notification from the authenticator.

    When I try to connect to server 1 using an RDP client and I have specified to go through RD Gateway, I do receive a notification from the authenticator on my phone; after approval it lets me on the server. However, without specifying the RD Gateway server it lets me connect without any prompt on my phone.

    I enabled port forwarding to my RD Web server on the router.

    I opened port 443 on the web server in the firewall.

    So my question is: why don't I get notified by Azure Authenticator on my phone when I try to connect to the RD Web server remotely?

    Any help will be appreciated.

    Thanks,

    Norbert
    Thursday, November 9, 2017 3:06 PM

Answers

  • Hi Norbert,

    Please verify that the name on the certificate matches the FQDN you have specified for RD Gateway and that the certificate is issued from a trusted public authority such as Comodo, DigiCert, Thawte, GlobalSign, GoDaddy, GeoTrust, etc. With a certificate issued from a trusted public authority there is no need to import the certificate on the client PC.

    It is possible that the configuration of the RD Gateway server was changed so that a different certificate is now being used, and/or the network/DNS configuration has changed so that now the client isn't connecting directly to the RD Gateway server. In other words, you may be thinking that the client is receiving the same certificate from the RDG as it was last week, but in reality it is getting a different one.

    If necessary you may capture the initial network traffic between client and RD Gateway server on the client PC using Wireshark/Netmon and examine the certificate details. The other thing is to double-check in RD Gateway Manager that the proper certificate is assigned, and look at the prompt that appears on the client PC when launching RemoteApp to confirm that the FQDN next to "Gateway server: <fqdn>" still matches what you expect.

    Thanks.

    -TP

    • Proposed as answer by Amy Wang_Moderator Thursday, November 16, 2017 9:48 AM
    • Marked as answer by NStanczak Friday, November 17, 2017 12:50 PM
    Tuesday, November 14, 2017 6:14 PM
    Moderator
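The check TP describes (does the certificate the client actually receives carry the RD Gateway FQDN, and does it chain to a trusted root without any import on the client?) can be done from the client PC without a packet capture. The following is an added example, not code from any reply in this thread; `$GatewayFqdn` is a placeholder for the name shown next to "Gateway server:" in the RemoteApp prompt.

```powershell
# Added example (not from the thread): fetch the TLS certificate the RD Gateway
# actually presents on TCP 443 and check its name and chain against the gateway FQDN.
# $GatewayFqdn is a placeholder; use the FQDN shown next to "Gateway server:" in the
# RemoteApp prompt, because that is the name the client validates against.
$GatewayFqdn = 'rdgw.example.com'

function Get-RemoteTlsCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented so we can inspect it; validation happens below.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)   # sends SNI = $HostName, as mstsc does
        # Copy into an X509Certificate2 so it survives closing the connection
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }
}

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    # OID 2.5.29.17 = Subject Alternative Name; current clients match on SAN, not CN
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match 'DNS Name=(.+)$') { $names += $Matches[1].Trim() }
        }
    }
    return $names | Select-Object -Unique
}

function Test-CertificateName {
    param([string[]]$Names, [string]$Fqdn)
    foreach ($n in $Names) {
        if ($n -ieq $Fqdn) { return $true }
        # A wildcard covers exactly one label: *.example.com matches rdgw.example.com only
        if ($n.StartsWith('*.') -and
            ($Fqdn -split '\.').Count -eq ($n -split '\.').Count -and
            $Fqdn.EndsWith($n.Substring(1), 'OrdinalIgnoreCase')) { return $true }
    }
    return $false
}

$cert  = Get-RemoteTlsCertificate -HostName $GatewayFqdn
$names = Get-CertificateDnsNames -Cert $cert

# Chain check: a public-CA certificate builds without any import on the client;
# a self-signed one fails here unless it was imported into Trusted Root Certification Authorities.
$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chainOk = $chain.Build($cert)

[pscustomobject]@{
    Presented    = $cert.Subject
    Thumbprint   = $cert.Thumbprint
    Issuer       = $cert.Issuer
    NotAfter     = $cert.NotAfter
    DnsNames     = ($names -join ', ')
    NameMatches  = Test-CertificateName -Names $names -Fqdn $GatewayFqdn
    ChainTrusted = $chainOk
    ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
}
```

Compare the reported thumbprint with the certificate assigned in RD Gateway Manager (or `Get-ChildItem Cert:\LocalMachine\My` on the gateway). If they differ, the client is not talking to the gateway's listener at all, which is exactly the situation described later in the thread, where another device on the same port was answering with its own certificate.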

All replies

  • Hi Norbert,

    When on the internal network, by default the client will bypass the RD Gateway server and directly connect to the RDSH. As a result the RD Gateway server isn't used, so no MFA. When connecting from external, when you launch a RemoteApp/Desktop connection by clicking on an icon on the RDWeb page, the RD Gateway server should be contacted and you should get MFA.

    Please make sure that incoming TCP/UDP 3389 is blocked on your public firewall. That way, external clients will not be able to bypass your RD Gateway server.

    If you want to force internal clients to use the RD Gateway server, please uncheck "Bypass RD Gateway server for local addresses" in Server Manager RDS deployment properties -- RD Gateway tab. Additionally you would need to block incoming TCP/UDP 3389 in wf.msc on your RDSH server so that someone wouldn't be able to manually directly connect via 3389.

    Thanks.

    -TP

    Thursday, November 9, 2017 3:24 PM
    Moderator
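The two settings TP lists (turn off the local-address bypass in the deployment properties, then stop direct 3389 connections at the RDSH host firewall) can be applied and verified from PowerShell. This is an added example, not code from the thread or from Microsoft's documentation; `$Broker`, `$GatewayFqdn` and `$GatewayIp` are placeholders. One point a blanket 3389 block in wf.msc would miss: the RD Gateway itself reaches the session host on 3389, so the host firewall has to keep that one source allowed, and since Windows Firewall evaluates explicit Block rules ahead of Allow rules, the way to do that is to disable the built-in any-address RDP rules and add an Allow rule scoped to the gateway, relying on the profile's default inbound Block for everything else.

```powershell
# Added example (not from the thread): route every client through RD Gateway, and thus
# through NPS and the Azure MFA extension, and close the direct-3389 bypass.
# Placeholders: $Broker, $GatewayFqdn, $GatewayIp.
# Part 1 runs where the RemoteDesktop module is installed (e.g. the Connection Broker);
# Part 2 runs on each RD Session Host.

# ---- Part 1: deployment setting. Equivalent to unchecking
#      "Bypass RD Gateway server for local addresses" on the RD Gateway tab. ----
Import-Module RemoteDesktop
$Broker      = 'rdcb.corp.example.com'
$GatewayFqdn = 'rdgw.example.com'

Set-RDDeploymentGatewayConfiguration -GatewayMode Custom `
    -GatewayExternalFqdn $GatewayFqdn `
    -LogonMethod Password `
    -UseCachedCredentials $true `
    -BypassLocal $false `
    -ConnectionBroker $Broker -Force

# Verify: BypassLocal must now read False
Get-RDDeploymentGatewayConfiguration -ConnectionBroker $Broker |
    Select-Object GatewayMode, GatewayExternalFqdn, BypassLocal

# ---- Part 2: host firewall on the RD Session Host ----
# The gateway connects to the RDSH on 3389, so do not block the port outright.
# Block rules beat Allow rules in Windows Firewall, so instead: disable the built-in
# "from any address" RDP rules, set the default inbound action to Block, and allow
# 3389 only from the gateway's internal address.
$GatewayIp = '10.0.0.20'   # placeholder: internal address of the RD Gateway server

# Display group name is the English one; it is localized on non-English builds.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
Set-NetFirewallProfile -All -DefaultInboundAction Block

foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName "RDP 3389 from RD Gateway only ($proto)" `
        -Direction Inbound -Protocol $proto -LocalPort 3389 `
        -RemoteAddress $GatewayIp -Action Allow -Profile Any
}

# Verify: list every enabled rule that touches local port 3389 and its allowed sources.
# Only the two gateway-scoped Allow rules should remain.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 3389 } |
    Get-NetFirewallRule | Where-Object Enabled -eq 'True' |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        '{0,-45} {1,-6} from {2}' -f $_.DisplayName, $_.Action, ($addr -join ',')
    }
```

The public-side part of TP's advice (no TCP/UDP 3389 forwarded from the Internet) is a router or perimeter firewall setting and is not covered by the script; the host-firewall scoping above is what catches an internal client that tries 3389 directly after the bypass has been turned off.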
  • Thank you for your response, and I appreciate your help. I managed to get this working last week; however, today when I tried to log in again remotely it won't let me open a remote app. I have accessed our remote apps website, but when I tried to launch an app I got an error message:

    "This computer cannot verify the identity of the RD Gateway "sslcertificate". It's not safe to connect to servers that can't be identified. Contact your network administrator for assistance."

    What could be the reason that it cannot connect?

    I have obtained and installed a trusted certificate from a trusted authority. I have also installed it on the remote computer which is trying to access the remote server.

    Thanks,

    Norbert

    • Edited by NStanczak Tuesday, November 14, 2017 3:20 PM
    Tuesday, November 14, 2017 2:15 PM
  • Hi,

    Is further assistance required?

    Best Regards,

    Amy


    Friday, November 17, 2017 9:22 AM
    Moderator
  • Hello Amy,

    My remote apps are working now. The actual issue was that the certificate was conflicting with the one on the router, as they were using the same port number.

    I have enabled MFA authentication in Azure AD; however, we have Office 365 email, and now in order to log in to portal.office.com it will prompt for MFA as well. I would like to only enable MFA for remote apps. Is this possible? This is my last question.

    I really appreciate your help.

    Thanks,

    Norbert

    Friday, November 17, 2017 12:59 PM