Implement Two-Factor Authentication for Remote Desktop

Two-factor authentication ensures safer access to data, information, and applications. It acts as a second layer of security: a user can only reach data or other resources after passing two levels of authentication. Generally, it consists of a password and an OTP code.

Organizations make use of two-factor authentication in different ways to meet their needs. However, many do not know that it can be implemented on Remote Desktop, or which procedural steps are required to do so. This article will give you simpler ways to implement it in your organization.

Method 1: Using the Azure Active Directory MFA Deployment (Official)

With Azure Active Directory (AD) multi-factor authentication, organizations using Remote Desktop can add an additional layer of security on top of the password used to access RDS.

Things To Take Note Of

Before trying to implement the Azure AD MFA method in Remote Desktop, there are several things you need to know about:

How the Method Works

The method uses several components, including the Remote Desktop Gateway (RDG), Network Policy and Access Services (NPS), and Azure AD, all discussed under Prerequisites. A connection flows through the steps below:

  1. The RDG receives a request from a remote computer that wants to connect to a Remote Desktop session.
  2. The RDG acts as a RADIUS client and sends the request to the NPS extension installed on an NPS server.
  3. The first authentication (username/password) occurs.
  4. Other conditions specified in the NPS Connection Request and Network Policies, such as time of day and membership restriction, are verified.
  5. The NPS triggers the second authentication with Azure AD MFA.
  6. Azure AD MFA communicates with Azure AD, confirms the user, and performs the second authentication based on already-made settings.
  7. On successful completion, Azure AD MFA communicates back to the NPS extension.
  8. The NPS server sends a RADIUS Access-Accept message to the RDG server.
  9. Access granted.

Remote Desktop Does Not Allow OTP

Azure AD MFA allows different authentication methods such as SMS, phone call, and authenticator apps such as Microsoft Authenticator. However, since the Remote Desktop client has no prompt for entering a code, you need to use either a Phone Call or an Authenticator App notification.

Prerequisites

To successfully implement Azure AD MFA, you need the following:

  • Azure AD MFA license from any of the premium plans.
  • Windows Server 2008 R2 SP1 or later with the NPS role service installed.
  • Remote Desktop Services (RDS) infrastructure.
  • Azure Active Directory synched with on-premises Active Directory.
  • Network Policy and Access Services (NPS) role provides the RADIUS server and must be installed on the RDG and another member server or domain controller.
  • The Azure Active Directory tenant ID (a GUID), needed to install the NPS extension.

How to Set Up Multi-Factor Authentication

Based on the explanation above, you already know the basics of the implementation process, which we illustrate below:

Configure the Multi-Factor Authentication

The first step is to plan, configure, and implement the Azure AD MFA service before other users register. The procedure is explained below:

Step #1: Note the prerequisites

For a hybrid identity scenario (on-premises and cloud identity), deploy Azure AD Connect and synchronize user identities between AD DS and Azure AD.

For on-premises legacy applications, deploy Azure AD Application Proxy. There is no prerequisite task for cloud-only identities.

Step #2: Choose the authentication method

Remote Desktops don’t have the option to input codes. As a result, you need to use either a Phone Call or an Authenticator App notification.

Step #3: Plan Conditional Access policies

Choosing the group to apply the policy to MFA

  1. Sign in to the Azure portal (ensure you use an account with global administrator permissions)
  2. Search for and select Azure AD
  3. Navigate from Conditional Access to New Policy
  4. Click on New Policy
  5. Fill in the Name
  6. Select the current value under Users or Workload identities (Assignment)
  7. Select users and groups under What does this policy apply to?
  8. Choose Select users and groups under Include
  9. Tick the Users and Groups box
  10. Select the Azure AD group

Configure the conditions for MFA

Here, you decide the conditions that trigger MFA. The policy can target a particular application or the login process itself. We will be configuring MFA for Remote Desktop access.

  1. Home > Contoso > Security > Conditional Access
  2. Select Grant under Access controls
  3. Select the current value under Grant
  4. Select Grant access
  5. Choose Require multi-factor authentication

Enable the policy

  1. Under Enable policy select On

Install and configure the NPS extension

Obtain the tenant ID

  1. Sign in to the Azure portal
  2. Navigate to Azure Active Directory
  3. Check for Tenant ID under Overview and copy

Install the NPS extension

You should install the NPS extension on a server with the NPS role installed, not on the RDG server.

  1. Download the NPS extension
  2. Copy to the NPS server
  3. Follow the instructions to install the extension
  4. Click close on completion

Configure certificates for use with the NPS extension

  1. Open the NPS extension and provide your Azure AD admin credentials and the tenant ID you copied.
  2. On the NPS server running the NPS extension, open a Windows PowerShell prompt as an administrator.
  3. Type the command cd 'c:\Program Files\Microsoft\AzureMfa\Config'
  4. Press Enter.
  5. Type the command .\AzureMfaNpsExtnConfigSetup.ps1 (this installs the Azure AD PowerShell module if it is not already installed).
  6. Sign in using your Azure AD admin credentials and password.
  7. Paste the Tenant ID.
  8. Press Enter and wait until the script creates a self-signed certificate.

Configure NPS extension on RDG

This configuration allows the RDG to communicate with the NPS server, as described above.

Configure Remote Desktop Gateway connection authorization policies to use the central store

Do the following on the RD Gateway server:

  1. Open Server Manager.
  2. Navigate Menu>Tools>Remote Desktop Services>Remote Desktop Gateway Manager.
  3. Right-click [Server Name] (Local)
  4. Click Properties.
  5. Select the RD CAP Store tab.
  6. Select the Central server running NPS.
  7. Enter the IP address or server name of the server where you installed the NPS extension in the "Enter a name or IP address for the server running NPS" field.
  8. Click Add.
  9. In the Shared Secret dialog, type a known word in the "Enter a new shared secret" field.
  10. Click OK to close the dialog box.

Configure RADIUS timeout value on Remote Desktop Gateway NPS

These steps give the RDG enough time for user credential validation, the two-step verification prompt, etc. On the RDG server, do the following:

  1. Open Server Manager
  2. Navigate from Menu > Tools > Network Policy Server.
  3. Open the NPS (Local) console
  4. Expand RADIUS Clients and Servers > Remote RADIUS Server.
  5. Open the TS GATEWAY SERVER GROUP (created when you configured the central server).
  6. Select the IP address or name of the NPS server you configured to store RD CAPs.
  7. Click Edit.
  8. Click the Load Balancing tab.
  9. Change the "Number of seconds without response before request is considered dropped" field to a value between 30 and 60 seconds.
  10. Change the "Number of seconds between requests when server is identified as unavailable" value to a number higher than or equal to that of the previous step.
  11. Click OK two times to close the dialog boxes.
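The same two Load Balancing values can be set from the command line with netsh nps, which is the scriptable equivalent of the dialog above. This is an added example and not part of the original article: it assumes the group name given above, an NPS host of nps01.contoso.local, and 60 seconds for both fields.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# session on the RD Gateway server. $GroupName is the group named in the article;
# $NpsServer and the two timing values are assumptions for illustration.
$GroupName   = 'TS GATEWAY SERVER GROUP'   # created when the central CAP store was configured
$NpsServer   = 'nps01.contoso.local'       # assumed: server running the NPS extension (name or IP)
$TimeoutSec  = 60                          # "Number of seconds without response before request is considered dropped"
$BlackoutSec = 60                          # "Number of seconds between requests when server is identified as unavailable"

# Step 9 wants 30-60 s so the phone call or app approval has time to complete;
# step 10 wants the blackout value to be at least the timeout value.
if ($TimeoutSec -lt 30 -or $TimeoutSec -gt 60) {
    throw "Timeout should be between 30 and 60 seconds, got $TimeoutSec."
}
if ($BlackoutSec -lt $TimeoutSec) {
    throw "Blackout ($BlackoutSec s) must be greater than or equal to timeout ($TimeoutSec s)."
}

function Invoke-Netsh {
    # Passes the argument string verbatim so a quoted group name containing spaces survives.
    param([string]$Arguments)
    $p = Start-Process -FilePath 'netsh.exe' -ArgumentList $Arguments -Wait -NoNewWindow -PassThru
    if ($p.ExitCode -ne 0) { throw "netsh $Arguments failed with exit code $($p.ExitCode)" }
}

# Apply the values to the NPS-extension server entry inside the remote RADIUS server group.
Invoke-Netsh "nps set remoteserver remoteservergroup = `"$GroupName`" address = `"$NpsServer`" timeout = $TimeoutSec blackout = $BlackoutSec"

# Read the entry back so the change is verified rather than assumed.
Invoke-Netsh "nps show remoteserver remoteservergroup = `"$GroupName`""
```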

Verify Connection Request Policies

On the NPS (Local) console:

  1. Navigate from RD Gateway > Policies
  2. Select Connection Request Policies.
  3. Double-click TS GATEWAY AUTHORIZATION POLICY.
  4. Click the Settings tab.
  5. Under Forwarding Connection Request, click Authentication
  6. Click "forward requests for authentication".
  7. Click Cancel.

Configure NPS on the server with the NPS extension installed

This is necessary to allow the NPS server with the NPS extension to communicate with the NPS server on the RDG. On the NPS server with the NPS extension, do the following:

Register server in Active Directory

  1. Open the server manager
  2. Navigate from Tools to Network Policy Server
  3. In the Network Policy Server console, right-click NPS (local)
  4. Click Register server in Active Directory
  5. Click OK twice
  6. Leave the console open for the next procedure


Create and configure the RADIUS client

This configures the RDG as a RADIUS client on the NPS server. In the Network Policy Server NPS (Local) console:

  1. Right-click RADIUS Clients
  2. Click New.
  3. Under name and address, input a name in the Friendly name field.
  4. Input the IP address or DNS name of the Remote Desktop Gateway server in the Address field.
  5. Enter the shared secret you used before.
  6. Click OK.
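Registering the gateway as a RADIUS client can also be done with the NPS PowerShell module. This is an added example and not part of the original article: it assumes a friendly name of RDG01 and a gateway host of rdg01.contoso.local, and it generates a random shared secret instead of a known word; because both sides must hold the same value, the generated secret is what you then type in the RD CAP Store dialog on the gateway.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# session on the NPS server that has the NPS extension installed.
Import-Module NPS

$FriendlyName = 'RDG01'                  # assumed friendly name for the gateway
$GatewayHost  = 'rdg01.contoso.local'    # assumed: RD Gateway server name or IP address

function New-RadiusSharedSecret {
    # 32 characters from a 64-symbol alphabet, drawn from the OS CSPRNG. 256 % 64 == 0,
    # so mapping each random byte onto the alphabet with modulo introduces no bias.
    param([int]$Length = 32)
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

# The shared secret is what authenticates the gateway to NPS, so make it long and random.
$Secret = New-RadiusSharedSecret

if (Get-NpsRadiusClient | Where-Object { $_.Name -eq $FriendlyName }) {
    throw "A RADIUS client named '$FriendlyName' already exists; remove or rename it first."
}

# Equivalent of steps 1-6 above: Friendly name, Address, Shared secret, OK.
New-NpsRadiusClient -Name $FriendlyName -Address $GatewayHost -SharedSecret $Secret -Enabled $true | Out-Null

# Read the entry back to confirm it was created, then show the secret once so the
# operator can enter it in the "Enter a new shared secret" field on the RD Gateway.
Get-NpsRadiusClient | Where-Object { $_.Name -eq $FriendlyName } | Format-List Name, Address, Enabled
Write-Host "Enter this shared secret on the RD Gateway: $Secret"
```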

Configure Network Policy

This will allow the CAP on the NPS server to authorize valid connection requests. Do the following on the NPS server:

  1. Open the NPS (Local) console.
  2. Expand Policies.
  3. Click Network Policies.
  4. Right-click Connections to other access servers.
  5. Click Duplicate Policy.
  6. Right-click Copy of Connections to other access servers.
  7. Click Properties.
  8. Under the Overview tab, enter a suitable name in Policy name.
  9. Check the Policy enabled box.
  10. Tick Grant access.
  11. Select Remote Desktop Gateway under Type of network access server (You can also leave it as Unspecified).
  12. Click the Constraints tab
  13. Check the Allow clients to connect without negotiating an authentication method box.
  14. On the Conditions tab, you can optionally add conditions that users who want to connect to the RD session must meet.
  15. Click OK.
  16. Click No when prompted to view the corresponding Help topic.
  17. Check that the policy is at the top of the list, that its status is Enabled, and that the Access Type is "Grant Access".

Method 2: Use third-party applications

An easier method to implement two-factor authentication in RD is to use third-party applications.

Common applications for this purpose include Duo, LoginTC, Rohos, etc. Each has its own method for implementing 2FA. Nevertheless, they still involve a lengthy and complex implementation.

Method 3: Use V2 Cloud

Remote Desktop is one of the common ways to interact with a remote computer using another one.

While it is a useful Windows feature, security can be problematic, and implementing two-factor authentication is a complex and capital-intensive procedure for the average business.

Instead, businesses can invest in V2 Cloud, a virtual desktop solution with enhanced security.

We allow you to enable two-step authentication easily. Aside from that, by using V2 Cloud, you get access to a fully integrated Virtual Desktop solution with no hidden fees, complicated setups, or contracts while providing the best end-user experience and performance.

Why not use our risk-free 7-day trial, and experience the simplicity, scalability and power of V2 Cloud?