RD Gateway OTP Provider

Secure access to Microsoft Remote Desktop Gateway with multi-factor authentication (MFA)

SecureMFA_RDS_OTP Provider is an authentication module for Microsoft Remote Desktop Gateway servers that provides multi-factor authentication for RDS farms and Remote Desktop Services access using OTP passcodes. The provider uses the TOTP algorithm to generate secrets; the technical specification is RFC 6238. With this MFA provider, users must enter a one-time passcode generated on their phones by an authenticator application such as Microsoft Authenticator, Google Authenticator or Symantec VIP to complete the second-factor authentication login. This module fully replaces native RD Gateway Client Authentication Policies (CAP) with OTP codes and fully integrates with native RD Gateway Resource Authorization Policies (RAP) for access and control management. More details on how the RD Gateway API works can be found in the MSDN article.

Features

  • Unlicensed version

  • OTP passcodes for 2 user accounts

  • OTP data storage in MS SQL service

  • Integrates with native Microsoft RD Gateway resource authorization policies (RAP)

  • OTP user accounts deactivation

  • Logging to the Windows Application log

  • Supported on Windows 2016 / 2019 / 2022 servers

  • Web portal for initiating an RDP connection from a web browser

  • Licensed version (additional features)

  • OTP passcodes for unlimited user accounts

  • OTP account lockout

  • QR code secrets decryption with AES 256-bit encryption

Deploy SecureMfa RD Gateway OTP Provider into Microsoft RD Gateway Server

Prerequisites

  • Functional Microsoft RD Gateway service on Windows 2016/2019

  • The client device connecting via RD Gateway must have an RDP client with built-in support for RD Gateway pluggable authentication (such as Microsoft Windows RDP client 8.1 and above)

Preparation steps

Before you can start using the production version with unique OTP codes using “sMFARDGAuthenticationProvider” in your MS RD Gateway farm, you must read the information on the MFA-OTP provider, which lets users self-enrol with QR codes using the "SecureMFA OTP Web Portal". Product deployment requires completing the steps below. All commands must be executed in an elevated PowerShell (PS) command prompt.

1) Deploy the latest “sMFARDGAuthenticationProvider” PowerShell module from Microsoft PSGallery using the PS command below:

Install-Module -Name SecureMFA_RDS_OTP -Repository PSGallery -Scope AllUsers

NOTE: As of April 2020, the PowerShell Gallery no longer supports TLS versions lower than 1.2. If your servers do not have GPO changes that reflect this requirement, you may need to manually enforce TLS 1.2 for the PowerShell session with the command below:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

If your RD Gateway server doesn’t have access to the Internet, you can pull the PowerShell module from a Windows client that has Internet access using the PS command below:

Find-Module -Name "SecureMFA_RDS_OTP" -Repository "PSGallery" | Save-Module -Path "C:\"


Copy the "C:\SecureMFA_RDS_OTP" and "C:\SecureMFA" folders from the client computer into the “C:\Program Files\WindowsPowerShell\Modules\” folder on the RD Gateway server.
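One way to confirm that the folders arrive on the RD Gateway server unchanged is to hash every file on the client and re-check the hashes after the copy. This is an added example, not part of the SecureMFA module; the manifest file name is a hypothetical choice, and the check only proves the copy matches what the client downloaded, not who published it.

```powershell
# Added example. Folder names and the Modules path come from the steps above;
# the manifest file name C:\SecureMFA_manifest.csv is a hypothetical choice.
function New-ModuleHashManifest {
    param([Parameter(Mandatory)][string[]]$ModuleFolder)
    foreach ($folder in $ModuleFolder) {
        $root   = (Resolve-Path -LiteralPath $folder).Path.TrimEnd('\')
        $parent = Split-Path -Path $root -Parent
        Get-ChildItem -LiteralPath $root -Recurse -File | ForEach-Object {
            [pscustomobject]@{
                # Path relative to the parent, so it can be re-rooted on the server
                RelativePath = $_.FullName.Substring($parent.Length).TrimStart('\')
                SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

function Test-ModuleHashManifest {
    param(
        [Parameter(Mandatory)][object[]]$Manifest,
        [Parameter(Mandatory)][string]$DestinationRoot
    )
    foreach ($entry in $Manifest) {
        $path = Join-Path -Path $DestinationRoot -ChildPath $entry.RelativePath
        $status = if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            'Missing'
        } elseif ((Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash -ne $entry.SHA256) {
            'Mismatch'
        } else {
            'OK'
        }
        [pscustomobject]@{ RelativePath = $entry.RelativePath; Status = $status }
    }
}

# On the Internet-connected client, after Save-Module:
#   New-ModuleHashManifest 'C:\SecureMFA_RDS_OTP', 'C:\SecureMFA' |
#       Export-Csv C:\SecureMFA_manifest.csv -NoTypeInformation
# On the RD Gateway server, after the copy (any row returned is a problem):
#   Test-ModuleHashManifest -Manifest (Import-Csv C:\SecureMFA_manifest.csv) `
#       -DestinationRoot 'C:\Program Files\WindowsPowerShell\Modules' |
#       Where-Object Status -ne 'OK'
```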

SecureMfaOtp adapter installation

Before "sMFARDGAuthenticationProvider" can be invoked by the MS RD Gateway server, it must be registered in the system with a PowerShell command that performs the necessary installation actions, including installation in the GAC and registration of the authentication provider with the RD Gateway service.

Deployment steps on RD Gateway Server

1) Register the COM extension with the PowerShell command below.

Install-SecureMFA_COM_Extensions

2) Deploy SecureMFA RD Gateway Authentication Provider

IMPORTANT: Installation will create a sample Client Authentication Policy (CAP) and Resource Authorization Policy (RAP). You can delete and replace the policies with your own rules. The CAP policy is used only for session timeout and mapping restriction policies, such as disabling network disk or driver mapping from a client device. All aspects of the authentication process are controlled by “sMFARDGAuthenticationProvider”. All authorization rules for the resource are handled by the native RD Gateway RAP engine.

  • The minimum installation parameters for the demo version are as below:

Install-SecureMFA_RDG_OTP_AuthenticationProvider -anchordnsname "adatum.labnet" -sqlserver "asqlaol1.adatum.labnet,1433" -sqldbname "SecureMfaOTP" -sqlintegratedsecurity $true

NOTE: For the free version you only need to provide the "sqlserver" server settings. If you buy a license for unlimited users, you will need to provide the "anchordnsname", "serialkey" and "subscriptionid" information to unlock the licensed provider features. If you are not running your ADFS servers using a service account and you cannot use SQL integrated security to access the database, you need to use the following parameters with the relevant information: -sqlintegratedsecurity $false, -sqluseraccount "user" and -sqluserpassword "MyPassword".

3) Deploy RD Gateway OTP Authentication Portal

Install-SecureMFA_RDG_WebPortal -GatewayHostname rdgateway.adatum.labnet

NOTE: "RD Gateway OTP Authentication Portal" is a single index.html file, which by default is installed into the IIS root directory "C:\inetpub\wwwroot". It can be modified with a custom CSS theme or deleted if not in use. The file can be modified and its content used with any corporate web server.

Deployment steps on SQL Server

The OTP database must exist, with service account access provisioned to it, before installing the provider.

  • Database creation

Open the SQL query below and modify the FILENAME location to reflect your SQL server storage configuration. Open the script in SQL manager connected to the SQL cluster and execute it. This will create a new SQL database for “SecureMFA_RDS_OTP Provider”.

sql_Create_Database_SecureMfaOTP.txt

  • Access to database provisioning

When using integrated SQL security you will need to grant read and write access to the “SecureMFAOTP” database. Access needs to be granted to the service or computer account under which the RD Gateway service runs. Below is an example of how to grant read and write access to a computer’s (ardsgtwl01$) Network Service account in the ADATUM domain using a SQL query.

USE [SecureMFAOTP];

CREATE LOGIN [ADATUM\ardsgtwl01$] FROM WINDOWS WITH DEFAULT_DATABASE=[SecureMFAOTP];

CREATE USER [ADATUM\ardsgtwl01$] FOR LOGIN [ADATUM\ardsgtwl01$];

USE [SecureMFAOTP];

EXEC sp_addrolemember db_datareader, [ADATUM\ardsgtwl01$];

EXEC sp_addrolemember db_datawriter, [ADATUM\ardsgtwl01$];

You can create a local SQL account for access if integrated SQL security is not an option. You still need to provision read and write access to the "SecureMFAOTP" database for the local SQL account.

Verification

When RD Gateway is successfully configured to use a custom authentication provider, the event below is created in the Windows Event log:

Event ID: 1002

Log Name: Microsoft-Windows-TerminalServices-Gateway/Admin

Event Message: The user authentication plug-in "SecureMFARdgAuthenticationProvider" has been configured. The configuration will take effect after the RD Gateway service is restarted.

Limitations

  • You cannot configure an RD Gateway server to simultaneously use both native authentication and SecureMFA RD Gateway OTP authentication provider.

Application

The easiest way to test access using OTP via RD Gateway is to navigate to the "SecureMFA RD Gateway Web Portal", which was deployed in the previous steps on the RD Gateway server.

https://[RDServer-FQDN]/index.html


You will see the portal below, which you can customise with your own CSS or background.jpg file.

After entering the connection information and clicking the "RDP Connect" button you will get a custom RDP file, which you can select to open with "Remote Desktop Connection".

NOTE: If the RD Gateway server is a standalone server (not domain joined), you must use SERVERHOSTNAME\USER when providing user details.

This will initiate a connection, and on successful authentication you will be prompted to enter account details for the remote computer. User sessions will be displayed in RD Gateway Manager.

Because the SecureMFA RD Gateway OTP Authentication provider uses RD Gateway pluggable authentication technology, the connection must be initiated via the portal or via a PowerShell command (see "Alternative way to connect"). Otherwise, if you try to use the gateway service with “sMFARDGAuthenticationProvider” installed, you will get the error below.


On a failed OTP code the error will be displayed as below.

If RD Gateway resource authorisation policies cannot find a rule for remote access, the error will look like the one below.

Alternative way to connect

If you don't want to use the portal, you can download a PowerShell module that lets you initiate an RDP connection with custom parameters.

Install-Module -Name SecureMFA_RDS -Repository PSGallery -Scope AllUsers

To invoke a connection from the PS command line, execute:

Invoke-xRDP -Server server01 -GatewayHostname mygateway.adatum.labnet -OTP 905338

OTP Account Creation for Users

RD Gateway OTP Provider enforces multi-factor authentication on connections that pass through RD Gateway to an endpoint Windows device using the RDP protocol. The user must have an OTP account, which is required to complete first-factor authentication and establish the RD Gateway session. The user must enroll a mobile device by scanning a QR code with a mobile application such as Google Authenticator, Microsoft Authenticator, Symantec VIP, or potentially many other time-based authenticators that support RFC 6238 (the Time-Based One-Time Password (TOTP) algorithm).

RD Gateway OTP Provider doesn’t have the ability to generate QR codes for enrolment, but you can enroll users by using one of the following options:

Option 1:

Install ADFS with OTP Provider and Web Portal for Users self-service OTP Enrolment. For more details click HERE.

Option 2:

Create OTP accounts in the SQL database manually using the “SecureMFA Tools” PS command New-xOTP_User. For more details click HERE.

Deployment Video

The video below shows how quickly you can enable MFA authentication on the MS RD Gateway service.

Logs

The events below in the Windows Event log may be used to verify and troubleshoot the SecureMfa RD Gateway OTP Provider:

Log Name: Microsoft-Windows-TerminalServices-Gateway/Admin

Log Name: Microsoft-Windows-TerminalServices-Gateway/Operational


  • Provider related logs are stored in Windows Application Event logs

Source: SecureMFA_SupportTools

Event ID 5550: Successful Configuration Events

Event ID 5551: Failed Configuration Events

Event ID 5552: Successful Provider Events

Event ID 5553: Failed Provider Events

Event ID 5554: Successful User Management Events

Event ID 5555: Failed User Management Events

Event ID 5556: Successful OTP Events

Event ID 5557: Failed OTP Events
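The event IDs above can drive a simple detection for bursts of failed OTP attempts. This is an added example, not part of the SecureMFA tooling: the page does not document the message text of these events, so the function counts events per time window rather than per user, and the 5-minute window, the threshold of 5 and the sample events are constructed assumptions.

```powershell
# Added example. Event IDs 5556/5557 and the source name are those listed above;
# window size and threshold are assumed starting values to tune.
function Get-OtpFailureBurst {
    param(
        [Parameter(Mandatory)][object[]]$Record,   # objects with Id and TimeCreated
        [int]$WindowMinutes = 5,
        [int]$Threshold = 5
    )
    $span = [timespan]::FromMinutes($WindowMinutes).Ticks
    $Record |
        Where-Object { $_.Id -in 5556, 5557 } |
        # Bucket each event by the start of its time window
        Group-Object { $_.TimeCreated.Ticks - ($_.TimeCreated.Ticks % $span) } |
        ForEach-Object {
            $failed = @($_.Group | Where-Object Id -eq 5557).Count
            [pscustomobject]@{
                WindowStart   = [datetime]::new([long]$_.Name)
                FailedOtp     = $failed
                SuccessfulOtp = $_.Count - $failed
            }
        } |
        Where-Object FailedOtp -ge $Threshold |
        Sort-Object WindowStart
}

# Constructed sample: six failures and one success within two minutes,
# then a single failure half an hour later.
$t0 = Get-Date '2024-01-15 09:00:00'
$sample = @(
    0, 20, 40, 60, 80, 100 | ForEach-Object {
        [pscustomobject]@{ Id = 5557; TimeCreated = $t0.AddSeconds($_) }
    }
    [pscustomobject]@{ Id = 5556; TimeCreated = $t0.AddSeconds(120) }
    [pscustomobject]@{ Id = 5557; TimeCreated = $t0.AddMinutes(30) }
)
Get-OtpFailureBurst -Record $sample

# Against the live Application log on the RD Gateway server:
#   $live = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
#       LogName = 'Application'; ProviderName = 'SecureMFA_SupportTools'
#       Id = 5556, 5557; StartTime = (Get-Date).AddHours(-24) }
#   if ($live) { Get-OtpFailureBurst -Record $live }
```

A window that shows many failures followed by a success deserves a closer look at the raw event messages for that period.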

License (AnchorDomain)

To license the provider you have to choose an “AnchorDomain” value. The license is linked to your "anchordnsname" and works only with the OTP environment for which the license was issued.

You can find the anchor domain in the Secrets table of the SecureMfaOTP database. It is the value after @ in the UPN column. This will be your UPN details for the user. For more details please see the SecureMFA OTP Web Portal section.

Patching and Upgrades

The provider is highly integrated with MS Framework classes and uses Windows OS components to deliver functionality.

To keep up to date with the latest security updates you must constantly update your operating system and MS Framework components using Microsoft security updates.

For any feature updates, upgrade the provider by pulling the latest version from the PowerShell Gallery using the command below:

Install-Module -Name SecureMFA_RDS_OTP -Repository PSGallery -Scope AllUsers -Force

You’ll need to repeat all deployment steps as they were done for the original installation.

Uninstallation

Execute the PS command below on the RD Gateway server to uninstall the SecureMFA RD Gateway OTP Authentication provider:

Uninstall-SecureMFA_RDG_OTP_AuthenticationProvider