RD Gateway OTP Provider
Secure access to Microsoft Remote Desktop Gateway with multi-factor authentication (MFA)
SecureMFA_RDS_OTP Provider is an authentication module for Microsoft Remote Desktop Gateway servers that provides multi-factor authentication for RDS farms and Remote Desktop Services access using OTP passcodes. The provider uses the TOTP algorithm specified in RFC 6238. With this MFA provider, users are required to enter a one-time passcode, generated on their phones by authenticator applications such as Microsoft Authenticator, Google Authenticator, Symantec VIP etc., to complete the second-factor logon. The module fully replaces native RD Gateway Client Authentication Policies (CAP) with OTP codes and fully integrates with native RD Gateway Resource Authorization Policies (RAP) for access control. More details on how the RD Gateway API works can be found in the MSDN article.
OTP passcodes for 2 user accounts
OTP data storage in MS SQL service
Integrates with native Microsoft RD Gateway resource authorization policies (RAP)
OTP user accounts deactivation
Logs in Windows Applications Log
Supported on Windows 2016 or 2019 servers
Web portal that allows initiating an RDP connection from a web browser
Licensed version (additional features)
OTP passcodes for unlimited user accounts
OTP account lockout
QR code secrets decryption with AES 256-bit encryption
Deploy SecureMfa RD Gateway OTP Provider into Microsoft RD Gateway Server
Functional Microsoft RD Gateway service on Windows 2016/2019
Client devices connecting via RD Gateway must have an RDP client with built-in support for RD Gateway pluggable authentication (such as the Microsoft Windows RDP client 8.1 and above)
Before you can start using the production version with unique OTP codes using “sMFARDGAuthenticationProvider” in your MS RD Gateway farm, you must read the information on the MFA-OTP provider that allows users to self-enrol with QR codes using the "SecureMFA OTP Web Portal". Product deployment requires completing the steps below. All commands must be executed in an elevated PowerShell (PS) command prompt.
1) Deploy the latest “sMFARDGAuthenticationProvider” PowerShell module from the Microsoft PSGallery using the PS command below:
NOTE: As of April 2020, the PowerShell Gallery no longer supports TLS protocol versions lower than 1.2. If your servers do not have GPO changes reflecting this requirement, you may need to manually enforce TLS 1.2 for the PowerShell session using the command below.
If your RD Gateway server does not have access to the Internet, you can pull the PowerShell module from a Windows client that has Internet access using the PS command below:
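The following is an added example covering step 1 for both an Internet-connected gateway and an offline one; it is not the vendor's script. The `$Offline` switch and `$StagePath` staging folder are assumptions, and the module's own registration cmdlets from the later steps are not part of it.

```powershell
# Run in an elevated PowerShell prompt. $Offline and $StagePath are assumed, not vendor parameters.
$Offline    = $false                              # $true when the gateway itself has no Internet access
$StagePath  = "$env:TEMP\sMFARDG-stage"           # assumed staging folder on an Internet-connected client
$ModuleName = 'sMFARDGAuthenticationProvider'

# PSGallery rejects TLS versions below 1.2 (since April 2020); enforce it for this session if no GPO does.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Check what the gallery publishes before installing anything on the server.
$mod = Find-Module -Name $ModuleName -Repository PSGallery -ErrorAction Stop
Write-Host ("PSGallery has {0} {1} (published {2})" -f $mod.Name, $mod.Version, $mod.PublishedDate)

if (-not $Offline) {
    # Online gateway: install for all users so the RD Gateway service account can load it.
    Install-Module -Name $ModuleName -Scope AllUsers -Force -ErrorAction Stop
} else {
    # Offline gateway: save the module on the Internet-connected client, then copy the saved
    # '<StagePath>\sMFARDGAuthenticationProvider' folder into the gateway's all-users module path
    # (C:\Program Files\WindowsPowerShell\Modules) before continuing on the gateway.
    New-Item -ItemType Directory -Path $StagePath -Force | Out-Null
    Save-Module -Name $ModuleName -Path $StagePath -ErrorAction Stop
    Write-Host "Module staged under $StagePath; copy it to the gateway's module path."
}

# Confirm the version now visible to PowerShell matches what the gallery reported.
$installed = Get-Module -ListAvailable -Name $ModuleName | Sort-Object Version -Descending | Select-Object -First 1
if ($installed -and $installed.Version -eq $mod.Version) {
    Write-Host "Installed $($installed.Name) $($installed.Version) at $($installed.ModuleBase)"
} elseif ($installed) {
    Write-Warning "Installed version $($installed.Version) differs from gallery version $($mod.Version)"
} else {
    Write-Warning "$ModuleName is not yet visible in the module path."
}
```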
SecureMfaOtp adapter installation
Before "sMFARDGAuthenticationProvider" can be invoked by the MS RD Gateway server, it must be registered in the system with a PowerShell command that performs the necessary installation actions, including installation into the GAC and registration of the authentication provider with the RD Gateway service.
Deployment steps on RD Gateway Server
1) Register the COM extension with the PowerShell command below.
2) Deploy the SecureMFA RD Gateway Authentication Provider
IMPORTANT: Installation will create a sample Client Authentication Policy (CAP) and Resource Authorization Policy (RAP). You can delete and replace these policies with your own rules. The CAP policy is used only for session timeout and mapping restriction policies, such as disabling network disk or drive mapping from a client device. All aspects of the authentication process are controlled by “sMFARDGAuthenticationProvider”. All authorization rules for the resource are handled by the native RD Gateway RAP engine.
Minimum installation parameters for the demo version would be as below
NOTE: For the free version you only need to provide the "sqlserver" server settings. If you buy a license for unlimited users, you will need to provide the "anchordnsname", "serialkey" and "subscriptionid" information to unlock the licensed provider features. If you are not running your ADFS servers under a service account and cannot use SQL integrated security to access the database, you need to use the following parameters with the relevant values: '-sqlintegratedsecurity = $false', '-sqluseraccount = "user"' and '-sqluserpassword = "MyPassword"'.
3) Deploy RD Gateway OTP Authentication Portal
NOTE: The "RD Gateway OTP Authentication Portal" is a single index.html file, which by default is installed into the IIS root directory "C:\inetpub\wwwroot". It can be modified with a custom CSS theme or deleted if not in use. The file can be modified and its content used with any corporate web server.
Deployment steps on SQL Server
This step is only required when you access the MS SQL server using the Network Service account under which the RD Gateway service runs. You will need to grant read and write access to the “SecureMFAOTP” database. Access must be granted to the service or computer account under which the RD Gateway service runs. Below is an example of how to grant read and write access to the computer's (ardsgtwl01$) Network Service account in the ADATUM domain using a SQL query.
You can create a local SQL account for access if integrated SQL security is not an option.
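An added example (not the vendor's script) of both grant variants from a PowerShell session with the SqlServer module's Invoke-Sqlcmd: the integrated-security grant for the ADATUM\ardsgtwl01$ computer account, and the fallback SQL login for the '-sqluseraccount' / '-sqluserpassword' provider parameters. The instance name and the SQL login name are assumptions; the SecureMFAOTP database is assumed to exist already.

```powershell
# Requires the SqlServer module (Invoke-Sqlcmd) and sysadmin/securityadmin rights on the instance.
$SqlInstance = 'sql01.adatum.com'        # assumed SQL Server instance
$Database    = 'SecureMFAOTP'            # database named on this page
$GatewayAcct = 'ADATUM\ardsgtwl01$'      # Network Service on ardsgtwl01 reaches SQL as this computer account

function New-MinimalDbGrant {
    # Builds T-SQL that creates the principal if missing and grants read + write only
    # (db_datareader/db_datawriter); the provider does not need db_owner.
    param([string]$Principal, [string]$Db, [string]$CreateLoginSql)
    return @"
USE [master];
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Principal')
    $CreateLoginSql;
USE [$Db];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Principal')
    CREATE USER [$Principal] FOR LOGIN [$Principal];
ALTER ROLE db_datareader ADD MEMBER [$Principal];
ALTER ROLE db_datawriter ADD MEMBER [$Principal];
"@
}

# Variant 1: integrated security for the gateway's computer account.
$sql = New-MinimalDbGrant -Principal $GatewayAcct -Db $Database `
    -CreateLoginSql "CREATE LOGIN [$GatewayAcct] FROM WINDOWS"
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $sql -ErrorAction Stop

# Variant 2: dedicated SQL login when integrated security is not an option
# (then deploy the provider with -sqlintegratedsecurity $false -sqluseraccount/-sqluserpassword).
$SqlUser = 'securemfa_rdg'                                   # assumed login name
$secure  = Read-Host -AsSecureString -Prompt "Password for SQL login $SqlUser"
$bstr    = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain   = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$escaped = $plain.Replace("'", "''")                          # keep a quote in the password from breaking the DDL
$sql = New-MinimalDbGrant -Principal $SqlUser -Db $Database `
    -CreateLoginSql "CREATE LOGIN [$SqlUser] WITH PASSWORD = N'$escaped', CHECK_POLICY = ON"
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $sql -ErrorAction Stop

# Verify the resulting role membership for both principals.
Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $Database -Query @"
SELECT m.name AS principal_name, r.name AS role_name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON rm.role_principal_id = r.principal_id
JOIN sys.database_principals m ON rm.member_principal_id = m.principal_id
WHERE m.name IN (N'$GatewayAcct', N'$SqlUser');
"@ | Format-Table -AutoSize
```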
When RD Gateway is successfully configured to use a custom authentication provider, the below event will be created in the Windows Event log:
Event ID: 1002
Log Name: Microsoft-Windows-TerminalServices-Gateway/Admin
Event Message: The user authentication plug-in "SecureMFARdgAuthenticationProvider" has been configured. The configuration will take effect after the RD Gateway service is restarted.
You cannot configure an RD Gateway server to simultaneously use both native authentication and SecureMFA RD Gateway OTP authentication provider.
The easiest way to test access using OTP via the RD Gateway is to navigate to the "SecureMFA RD Gateway Web Portal" that was deployed on the RD Gateway server in the previous steps.
You will see the portal below, which you can customise with your own CSS or background.jpg file.
After entering the connection information and clicking the "RDP Connect" button you will get a custom RDP file, which you can choose to open with "Remote Desktop Connection".
This will initiate a connection and, on successful authentication, you will be prompted to enter account details for the remote computer. User sessions will be displayed in RD Gateway Manager.
Because the SecureMFA RD Gateway OTP Authentication provider uses RD Gateway pluggable authentication technology, it requires that the connection is initiated via the portal or via a PowerShell command (see "Alternative way to connect"). Otherwise, if you try to use the gateway service with “sMFARDGAuthenticationProvider” installed, you will get the error below.
On a failed OTP code the error will be displayed as below
If the RD Gateway resource authorisation policies cannot find a rule for remote access, the error will look like below
Alternative way to connect
If you do not want to use the portal, you can download a PowerShell module that allows initiating an RDP connection with custom parameters.
To invoke a connection from the PS command line, execute:
OTP Account Creation for Users
RD Gateway OTP Provider enforces multi-factor authentication on connections that pass through the RD Gateway to an endpoint Windows device using the RDP protocol. The user must have an OTP account, which is required to complete first-factor authentication and establish the RD Gateway session. The user must enroll a mobile device by scanning a QR code with a mobile application such as Google Authenticator, Microsoft Authenticator, Symantec VIP and potentially many other time-based authenticators that support RFC 6238 (the Time-Based One-Time Password (TOTP) algorithm).
RD Gateway OTP Provider does not have the ability to generate QR codes for enrolment, but you can enroll users using one of the following options:
Install ADFS with OTP Provider and Web Portal for Users self-service OTP Enrolment. For more details click HERE.
The video below shows how quickly you can enable MFA authentication on the MS RD Gateway service
The events below in the Windows Event log may be used to verify and troubleshoot the SecureMfa RD Gateway OTP Provider:
Log Name: Microsoft-Windows-TerminalServices-Gateway/Admin
Log Name: Microsoft-Windows-TerminalServices-Gateway/Operational
Provider related logs are stored in Windows Application Event logs
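The following is an added example (not vendor code) that turns the verification step (Event ID 1002 in the Gateway Admin log) and the troubleshooting log list above into one check run on the RD Gateway server; the one-day lookback and the `*SecureMFA*` message filter for the Application log are assumptions.

```powershell
# Run elevated on the RD Gateway server.
$AdminLog = 'Microsoft-Windows-TerminalServices-Gateway/Admin'
$OperLog  = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
$Since    = (Get-Date).AddDays(-1)                     # assumed lookback window

# 1) Registration check: Event ID 1002 naming the plug-in means the provider is configured.
$reg = Get-WinEvent -FilterHashtable @{ LogName = $AdminLog; Id = 1002 } -MaxEvents 1 -ErrorAction SilentlyContinue
if ($reg -and $reg.Message -like '*SecureMFARdgAuthenticationProvider*') {
    Write-Host "Provider configured at $($reg.TimeCreated); it takes effect after the gateway service restarts (e.g. Restart-Service -Name TSGateway)."
} else {
    Write-Warning 'No Event ID 1002 for the SecureMFA plug-in found; the provider is not registered.'
}

# 2) Gateway connection outcomes from both gateway logs since $Since, newest first, first message line only.
Get-WinEvent -FilterHashtable @{ LogName = @($AdminLog, $OperLog); StartTime = $Since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LogName, Id, LevelDisplayName,
        @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# 3) The provider's own entries land in the Application log; match on source or message text.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*SecureMFA*' -or $_.Message -like '*SecureMFA*' } |
    Select-Object TimeCreated, Id, LevelDisplayName, ProviderName,
        @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

Warning- and error-level entries from step 2 that coincide with a failed OTP attempt are the place to start when a user reports the OTP or RAP error screens described earlier.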
To license the provider you have to choose an “AnchorDomain” value. The license is linked to your "anchordnsname" and works only with the OTP environment for which it was issued.
You can find the anchor domain in the Secrets table of the SecureMfaOTP database: it is the value after @ in the UPN column, i.e. the UPN domain of the user. For more details, see the SecureMFA OTP Web Portal section.
Patching and Upgrades
The provider is tightly integrated with MS Framework classes and uses Windows OS components to deliver its functionality.
To keep up to date with the latest security updates, you must regularly update your operating system and MS Framework components using Microsoft Security updates.
For feature updates, upgrade the provider by pulling the latest version from the PowerShell Gallery using the command below:
You will then need to repeat all deployment steps as for the original installation.
Execute below PS command on the RD Gateway Server to uninstall SecureMFA RD Gateway OTP Authentication provider: