Microsoft RD Web Access Applications
How to deploy MFA authentication for applications published with Microsoft RD Web Access using ADFS SecureMFA OTP Provider
Prerequisites
Working Microsoft RD Web Access infrastructure deployed on Windows 2019/2016 or later.
The RD Web Access endpoint is reachable over HTTPS.
Deploy Microsoft ADFS with SecureMFA Provider https://www.securemfa.com/downloads/mfa-otp#h.p_0CFeLwIix8Fa
On the ADFS server, add a sample configuration for the Microsoft RD Web Access Relying Party Trust by running the following PowerShell command: Add-ADFS_RelyingPartyTrust
The command adds the Relying Party Trust (RP) configuration on the ADFS server that Microsoft RD Web Access needs in order to work with Windows authentication and enforce MFA when users access published applications. Provide a valid HTTPS URL for your MS RD Web Access portal.
Add-ADFS_RelyingPartyTrust -RP_WEBSITE_URL "https://RDWEB_FQDN/RDWeb/Pages/Default.aspx" -SampleRP RDWeb -Force
Write down the output values for “ADFS Issuer”, “ADFS Identifier” and “ADFS TokenSigning Thumbprint”; they are required for the MS RD Web Access portal configuration.
Use the following URLs for more information on SecureMFA OTP Provider and SecureMFA Tools.
Deployment Steps
Deploy the latest “SecureMFA” tools PowerShell module from the Microsoft PSGallery on the MS RD Web Access server using the PowerShell command below:
Install-Module -Name SecureMFA -Repository PSGallery -Scope AllUsers
Run the PowerShell command below to add the ADFS configuration to C:\Windows\Web\RDWeb\Pages\Web.Config. This action restores the default RD Web configuration and adds the ADFS settings. Use the output values from the RP configuration step.
Add-xRDWeb_ADFSConfig -RDP_WEBSITE_URL "https://ardswebl01.adatum.labnet/RDWeb/Pages/Default.aspx" -ADFS_ISSUER "https://adfs.adatum.labnet/adfs/ls/" -ADFS_SERVICE_IDENTIFIER "http://adfs.adatum.labnet/adfs/services/trust" -ADFS_SINGING_CERT_THUMBPRINT "B0F421A6F5E298175CE2369E4237A1FD4A619F82"
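A post-deployment check, added here and not part of the SecureMFA module, that compares the values written into Web.Config with what the ADFS server currently publishes in its federation metadata (entityID and token-signing certificates). It assumes the federation metadata endpoint is reachable over HTTPS from the RD Web Access server; the FQDN, identifier and thumbprint are the lab values from the command above.

```powershell
# Added verification helper (not part of the SecureMFA module). Run on the RD Web Access
# server after Add-xRDWeb_ADFSConfig. Assumes https://<ADFS_FQDN>/FederationMetadata/...
# is reachable from this host; hostnames and values are the page's lab examples.
function Test-RDWebAdfsConfig {
    param(
        [Parameter(Mandatory)] [string] $AdfsFqdn,            # e.g. adfs.adatum.labnet
        [Parameter(Mandatory)] [string] $ExpectedIdentifier,  # "ADFS Identifier" from Add-ADFS_RelyingPartyTrust
        [Parameter(Mandatory)] [string] $ExpectedThumbprint,  # "ADFS TokenSigning Thumbprint"
        [string] $WebConfig = 'C:\Windows\Web\RDWeb\Pages\Web.Config'
    )
    # ADFS publishes its entityID and the current token-signing certificates here.
    $uri = "https://$AdfsFqdn/FederationMetadata/2007-06/FederationMetadata.xml"
    [xml]$md = (Invoke-WebRequest -Uri $uri -UseBasicParsing).Content

    # local-name() in the XPath avoids depending on the namespace prefixes used in the metadata.
    $xpath = "//*[local-name()='KeyDescriptor'][@use='signing']//*[local-name()='X509Certificate']"
    $publishedThumbprints = @($md.SelectNodes($xpath) | ForEach-Object {
        $raw  = [Convert]::FromBase64String($_.InnerText.Trim())
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
        $cert.Thumbprint.ToUpperInvariant()
    })

    # Normalise the thumbprint copied from the RP configuration output (strip spaces/colons).
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    [pscustomobject]@{
        IdentifierMatches     = ($md.DocumentElement.GetAttribute('entityID') -eq $ExpectedIdentifier)
        ThumbprintPublished   = ($publishedThumbprints -contains $expected)
        ThumbprintInWebConfig = [bool](Select-String -Path $WebConfig -Pattern $expected -SimpleMatch -Quiet)
        PublishedThumbprints  = $publishedThumbprints
        # More than one signing certificate means ADFS has a secondary (rollover) certificate
        # staged; once it becomes primary, Web.Config must be updated with the new thumbprint.
        RolloverPending       = ($publishedThumbprints.Count -gt 1)
    }
}

Test-RDWebAdfsConfig -AdfsFqdn 'adfs.adatum.labnet' `
    -ExpectedIdentifier 'http://adfs.adatum.labnet/adfs/services/trust' `
    -ExpectedThumbprint 'B0F421A6F5E298175CE2369E4237A1FD4A619F82'
```

ADFS with AutoCertificateRollover enabled replaces the token-signing certificate periodically, so a Web.Config that pins the old thumbprint will stop accepting tokens; rerun this check after a rollover and update the configuration with the new thumbprint.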
Deployment Video
The video shows the deployment steps for linking a Microsoft RD Web Access server to the ADFS service so that MFA authentication is required for applications or desktops published through Microsoft Remote Desktop Services. The free provider version (limited to 24 users) can be downloaded from www.securemfa.com.
This deployment allows Windows authentication combined with OTP tokens to provide MFA for published RDP applications via the Microsoft RD Web Access server.
Each connection is first pre-authorized by the ADFS and, if successful, the session is authenticated and authorized on the RD Web Access server itself.
All components of the MFA-OTP provider are hosted on on-premises infrastructure and do not depend on third-party cloud services.