Certificate based authentication to the RD Gateway RRS feed

  • Question

  • The idea is to use a client certificate (computer or user) to authenticate to the RD Gateway and use a user/password to authenticate to the requested RD Host.

    However, out-of-the box it seems that only Smartcard logon is possible to the RD Gateway, not the use of a user or computer certificate stored on the client machine. Is this correct?

    Is there a way to change that behavior and ask for a user or computer certificate on the client?

    Thanks,
    Stefaan

    Friday, December 16, 2011 4:40 PM

Answers

  • Hi Stefaan,

    Certificate based authentication of client PCs or users is not supported.

    If the client PC is joined to the domain you may limit access to the RDG via the RD Connection Authorization Policy (RD CAP) to only computers that are in certain security groups.  For example, you create a group named RDG Authorized Computers, make the workstation computer accounts a member of this group, and configure the RD CAP to limit access to this group.

    With the above in place a user must a) be connecting to the RD Gateway from an authorized PC and b) be authorized to use the RD Gateway.

    -TP

    • Proposed as answer by Aaron.Parker Sunday, December 18, 2011 10:44 AM
    • Marked as answer by TP []MVP Tuesday, February 7, 2012 11:08 PM
    Saturday, December 17, 2011 10:11 PM
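The group-based RD CAP restriction that TP describes can be scripted. The following is an added example, not code from the thread or from Microsoft: it creates the computer security group, adds workstation accounts to it, and creates an RD CAP that requires both an authorized user and an authorized computer. The group name, OU path and CAP name are placeholders; the `RDS:` provider parameters (`-UserGroups`, `-ComputerGroups`, `-AuthMethod`) and the `group@domain` naming format are taken from the RemoteDesktopServices provider as I know it and should be checked against your server version.

```powershell
# Added example (not from the thread): limit RD Gateway access to domain-joined
# workstations via an RD CAP computer group, as suggested in TP's answer.
# Assumes the ActiveDirectory and RemoteDesktopServices modules are available
# on the RD Gateway server and that the session has rights to manage both.
# Group name, OU path and CAP name below are placeholders for this example.

Import-Module ActiveDirectory
Import-Module RemoteDesktopServices   # exposes the RDS: PSDrive

$domainNetbios = (Get-ADDomain).NetBIOSName
$groupName     = 'RDG Authorized Computers'              # name used in the answer
$workstationOU = 'OU=Workstations,DC=example,DC=local'   # placeholder OU
$capName       = 'RDG-Authorized-Workstations'           # placeholder CAP name

# 1. Create the security group if it does not already exist.
$group = Get-ADGroup -Filter { Name -eq $groupName } -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Global `
        -GroupCategory Security -PassThru
}

# 2. Make the workstation computer accounts in the chosen OU members of the group.
$workstations = Get-ADComputer -Filter * -SearchBase $workstationOU
if ($workstations) {
    Add-ADGroupMember -Identity $group -Members $workstations
}

# 3. Create an RD CAP that requires BOTH an authorized user AND an authorized
#    computer. AuthMethod 1 = password (assumed value for the RDS: provider;
#    the RDP client's "RD Gateway logon method" must match it).
$capPath = "RDS:\GatewayServer\CAP\$capName"
if (-not (Test-Path $capPath)) {
    New-Item -Path 'RDS:\GatewayServer\CAP' -Name $capName `
        -UserGroups     "Domain Users@$domainNetbios" `
        -ComputerGroups "$groupName@$domainNetbios" `
        -AuthMethod 1 | Out-Null
}

# 4. Verify the computer groups attached to the CAP (assumed container name).
Get-ChildItem "$capPath\ComputerGroups" | Select-Object Name
```

Running this on the gateway leaves a CAP that rejects any connection whose computer account is not in the group, which is the "authorized PC" half of TP's condition; the user half comes from the `-UserGroups` entry, which you would normally narrow from `Domain Users` to a dedicated RD Gateway users group.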

All replies

  • Hi TP,

    It's a pity there is no simple solution in a partner scenario. With support for a certificate we would have the ability to very easily create a "closed user group" to access the RD Gateway.

    At which level is the group membership checked? I assume that the RD Gateway logon method specified in the RDP client must match the IIS authentication methods. Therefore I expect that the group membership specified in the RD CAP is checked at the RPC proxy level. Is that a correct assumption?

    Also, when specifying a computer security group in the RD CAP, how is the computer account authenticated? In the RDP client I don't see an option to configure that. So, does that also work when the domain-joined client PC is physically outside the corporate firewall?

    Thanks,
    Stefaan


    Sunday, December 18, 2011 7:36 PM
  • I agree with @stefaan here.

    RDS Gateway should support mandatory client SSL/Certificate authentication at phase 1.

    Before you even get to authorization policies in the RD CAP, you enforce bi-directional SSL/TLS certificate-based authentication.

    Then, once you've filtered out all the punters, you can proceed on with additional group membership policies.

    This is an absolute minimal requirement, especially if you plan to ever have a Microsoft TCP/IP stack accepting sockets from anonymous Internet clients without fronting them safely through a Layer 4-7 switch like an F5 BIG-IP or A10 load balancer.

    Otherwise, hide the RDGW behind an IPSEC tunnel + firewall.

    Wednesday, April 15, 2020 4:12 AM