Secure RD Gateway with PhoneFactor using Radius RRS feed

  • Question

  • I have followed the document "Secure RD Gateway with PhoneFactor using Radius" found on the PhoneFactor customer portal but I am unable to get it to work.

    I first set it all up without PF and it works but after making the modifications according to the document I am unable to reach my remote desktop.

    I have a Windows Server 2008R2 server alone in our DMZ acting as the gateway to remote desktops in our production LAN.

    Is it able to work using only the local SAM or does it require AD membership or LDAP bind? It does not specify in the document.

    The PF authentication works when I directly RDP into the server.

    I am asking this here because I saw that Microsoft had acquired PhoneFactor and I haven't found any better forum to approach.

    Thank you.


    • Edited by JJCain Monday, January 7, 2013 9:24 PM
    Monday, January 7, 2013 9:23 PM

Answers

  • I have gotten this working.

    A couple of items need to be added to the PhoneFactor document for this application: there must be at least two servers, with RD Gateway and the PhoneFactor Agent on separate machines. It will not work if you put PF and RD Gateway on the same machine, even if you change the ports on NPS and/or PF.

    Also, if using servers joined to a domain, the RD Gateway server must be a member of the domain group "RAS and IAS Servers".

    I originally wanted this to be on stand-alone servers in the DMZ, but because of the way that authentication gets passed, the server that PF is on could not authenticate the username being passed to it from RDG, even with an identical account set up on both servers.

    When I tried to set up stand-alone I got an error like the following:

    With the RADIUS rejection that I first encountered:

    2013-01-17T17:10:43.656250Z|0|2804|2824|prfad|Event 3.
    2013-01-17T17:10:43.656250Z|0|2804|2824|prfad|Sock 0x00000000000000E4
    2013-01-17T17:10:43.671875Z|0|2804|2824|pfrad|Code 2 - ACCESS_ACCEPT.
    2013-01-17T17:10:43.671875Z|0|2804|2992|pfrad|Calling pfAuthUser('REMOTE01\testuser', '', 1)
    2013-01-17T17:10:43.671875Z|0|2804|2992|pfrad|authResult = 0
    2013-01-17T17:10:43.671875Z|0|2804|2992|pfrad|rawCallStatus = 4294967195
    2013-01-17T17:10:43.671875Z|0|2804|2992|pfrad|rawMessageStatus = 0
    2013-01-17T17:10:43.671875Z|e|2804|2992|pfrad|Phonefactor auth failed.
    2013-01-17T17:10:43.671875Z|e|2804|2992|pfrad|sending ACCESS_REJECT for username REMOTE01\testuser

    Now, PF has an option to set how users are authenticated; there are three choices: Case-sensitive string match, LDAP and Windows SID.

    If I had selected Case-sensitive string and set the users to be in the format of servername\username it might have worked but I didn't test that.

    My manager wanted to avoid having another place to manage usernames and passwords. Also, there is no good method of changing passwords on the RD Gateway to allow users to manage their own.

    I also had an issue that I think occurred because of the fact that I installed PF while the server was alone and then after I joined them to the domain PF would not work. When PF installs it creates required Windows Firewall rules. But it only created them for the public profile and then after adding to the Domain there was no rule for PF in the Domain profile and I had to modify the rules to include the domain.

    Hope this helps someone else.

    • Marked as answer by JJCain Friday, January 18, 2013 6:12 PM
    Friday, January 18, 2013 6:12 PM
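The pfrad log excerpt above shows the pattern behind the failure: NPS returns ACCESS_ACCEPT for the credentials, then the PhoneFactor user lookup fails and an ACCESS_REJECT is sent. The following script is an added example, not code from the thread or from PhoneFactor; it parses that pipe-separated record layout (timestamp|level|pid|tid|module|message), re-splits records that were run together, decodes the DWORD rawCallStatus as a signed 32-bit value, and flags the accept-then-reject sequence. The sample log is constructed from the lines quoted in the answer.

```python
"""Triage of PhoneFactor RADIUS agent (pfrad) log lines (added example)."""
import re

# Constructed sample, built from the records quoted in the answer; some
# records are deliberately run together on one line as in the forum post.
SAMPLE = (
    "2013-01-17T17:10:43.656250Z|0|2804|2824|prfad|Event 3.\n"
    "2013-01-17T17:10:43.656250Z|0|2804|2824|prfad|Sock 0x00000000000000E4 "
    "2013-01-17T17:10:43.671875Z|0|2804|2824|pfrad|Code 2 - ACCESS_ACCEPT.\n"
    "2013-01-17T17:10:43.671875Z|0|2804|2992|pfrad|Calling pfAuthUser('REMOTE01\\testuser', '', 1) "
    "2013-01-17T17:10:43.671875Z|0|2804|2992|pfrad|authResult = 0 "
    "2013-01-17T17:10:43.671875Z|0|2804|2992|pfrad|rawCallStatus = 4294967195 "
    "2013-01-17T17:10:43.671875Z|0|2804|2992|pfrad|rawMessageStatus = 0 "
    "2013-01-17T17:10:43.671875Z|e|2804|2992|pfrad|Phonefactor auth failed.\n"
    "2013-01-17T17:10:43.671875Z|e|2804|2992|pfrad|sending ACCESS_REJECT for username REMOTE01\\testuser\n"
)

TS = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z"

def split_records(text):
    """One record per line: a new record starts wherever a timestamp follows whitespace."""
    text = re.sub(rf"\s+(?={TS}\|)", "\n", text)
    return [ln.strip() for ln in text.splitlines() if ln.strip()]

def parse(line):
    """Split timestamp|level|pid|tid|module|message; the message may contain '|'."""
    ts, level, pid, tid, module, msg = line.split("|", 5)
    return {"ts": ts, "level": level, "pid": int(pid), "tid": int(tid),
            "module": module, "msg": msg}

def to_signed32(n):
    """pfrad prints status codes as unsigned DWORDs; negative codes appear near 2**32."""
    return n - (1 << 32) if n >= (1 << 31) else n

def summarise(text):
    """Collect the RADIUS accept, the user PF was asked to check, and PF's outcome."""
    s = {"nps_accept": False, "user": None, "raw_call_status": None, "pf_rejected": False}
    for rec in map(parse, split_records(text)):
        m = rec["msg"]
        if "ACCESS_ACCEPT" in m:
            s["nps_accept"] = True
        elif (u := re.match(r"Calling pfAuthUser\('([^']*)'", m)):
            s["user"] = u.group(1)
        elif (c := re.match(r"rawCallStatus = (\d+)", m)):
            s["raw_call_status"] = to_signed32(int(c.group(1)))
        elif m.startswith("sending ACCESS_REJECT"):
            s["pf_rejected"] = True
    return s

def diagnose(s):
    """Accept-then-reject means credentials were fine but PF could not match the user."""
    if s["nps_accept"] and s["pf_rejected"]:
        return ("NPS accepted the credentials but PhoneFactor rejected %s: "
                "check the PF user-matching mode (string/LDAP/SID) and the "
                "username format RD Gateway passes" % s["user"])
    return "no PhoneFactor rejection seen"
```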

All replies

  • Hi,

    Thanks for your post.

    You need to join the RD gateway server to the domain, otherwise you cannot authenticate using domain users via RD gateway machine.

    Best Regards,
    Aiden

     


    Aiden Cao
    TechNet Community Support

    Wednesday, January 9, 2013 7:12 AM
  • Thanks for your reply but I am not trying to authenticate users against an AD. I want to use user accounts on the local machine.

    I think the issue is in PhoneFactor and not the RD Gateway set up. I was hoping that someone who is familiar with PhoneFactor would be able to help me.

    Thanks.

    Wednesday, January 9, 2013 2:05 PM