Remote Desktop Gateway Authentication Timeout Change

    Question

  • Hello,

    I am in the process of implementing RADIUS based two factor authentication for the RDS gateway.  It's a phone based 2nd factor authentication and it adds a considerable amount of time required to authenticate, sometimes up to 60-90 seconds.  However, it looks like when remote desktop client is open and says "Initiating Remote Connection..." if the user does not pick up the phone and authenticate in the next 30 seconds, the connection will time out even if the authentication was successful.  Is there a way to change amount of time that the gateway and RDP clients are waiting for the authentication attempt to succeed?

    Our Environment:

    Windows 2008 R2 RD Gateway + ISA 2005 on Windows 2003

    Thank you.

    Friday, May 03, 2013 1:33 PM

Answers

  • I am in the process of implementing RADIUS based two factor authentication for the RDS gateway.  It's a phone based 2nd factor authentication and it adds a considerable amount of time required to authenticate, sometimes up to 60-90 seconds.  However, it looks like when remote desktop client is open and says "Initiating Remote Connection..." if the user does not pick up the phone and authenticate in the next 30 seconds, the connection will time out even if the authentication was successful.  Is there a way to change amount of time that the gateway and RDP clients are waiting for the authentication attempt to succeed?


    No.


    Wednesday, May 08, 2013 6:25 AM
    Moderator

All replies

  • Hello Sergey,

    I also need to configure 2FA with RDP in my infrastructure.

    Can you please guide me and please let me know the prerequisites for the same?

    Or, if possible, can you please share the steps or documents regarding the configuration?

    Thanks in advance.

    Kapil Thakkar

    Tuesday, April 01, 2014 11:31 AM
  • Is this still true in 2012 R2, that there is no way to change the RDS Gateway's timeout (when waiting for the NPS response)?

    If so, that would seem to severely limit the deployment options for Azure MFA with RDS.  I hope Microsoft will consider a hotfix for this as it directly affects the usability of a second Microsoft product, Azure MFA.

    I’ve dug a little bit into TS Gateway-NPS interaction and this is my best guess as to how it works.

    Looking at the list of loaded modules in the TSGateways service, I see this DLL, iashlpr.dll (IAS Helper COM Component 1.0 Type Library).  It contains functions like these (list below), which I assume the Gateway service uses to call IAS asynchronously (but only up to a 30s wait).

    Is there a registry key that could be used to control this behavior?

    ConfigureIas
    DoRequest
    DoRequestAsync
    GetOptionIas
    InitializeIas
    MemAllocIas
    MemReallocIas
    SetOptionIas
    ShutdownIas


    • Edited by Hugh Kelley MTRL Thursday, October 30, 2014 5:41 PM additional detail
    Friday, October 24, 2014 2:25 PM
  • I'm also running into an issue with this when implementing Azure MFA.  The 30 second time out is too short to actually get the phone call, listen to the entire message and then reply with the PIN.  That process takes about 40 seconds.  If the user doesn't bother listening to the message and immediately starts entering the PIN the authentication succeeds, but it does not leave much margin for error.  On top of that, it seems to take around 10+ seconds to get the phone call.  If there's any delay in getting the phone call, the user has no hope of authenticating before the timeout.

    I'd love to find a registry key which would allow a longer (60 sec?) timeout.

    Tuesday, November 25, 2014 6:38 PM
  • There is no registry key.

    I opened a case with Microsoft for this very issue.  They acknowledged that the issue is on the RDS side, not Azure.  The Gateway service seems to stop waiting for the NPS/CAP authentication after 30s.

    I encourage you to open a case as well so that they realize the scope and impact of this.  When closing my case, the engineer said:

    "According to the reports from product team, they told me that this issue does not have a large impact areas, they just receive fewer users’ feedback about this issue."

    If anybody else is having this issue, please make some noise.  The Remote Desktop solution (particularly the client-to-gateway interaction) needs to be flexible enough to allow us to set a timeout.



    Thursday, January 08, 2015 12:48 PM