How to Implement Two-Factor Authentication for Remote Desktop - V2 Cloud

Tech Tutorials

How to Implement Two-Factor Authentication for Remote Desktop

  • September 18, 2023
  • Author:

Background Image

Implement Two-Factor Authentication
for Remote Desktop

Two-factor authentication ensures safer access to data, information, and applications. It acts as a second layer of security, taking a form that requires users only to be able to access data or other things using two levels of authentication. Generally, it consists of a password and an OTP code.

Organizations make use of two-factor authentication in different ways to meet their needs. However, many do not know the possibility or the procedural steps required to implement it on Remote Desktop. This article will give you simpler ways to implement it in your organization.

Method 1: Using the Azure Active Directory MFA Deployment (Official)

With the Azure Active Directory (AD) multi-factor authentication, organizations using remote desktops can add an additional layer of security over the password used to access RDS.

Things To Take Note Of

Before trying to implement the Azure AD MFA method in Remote Desktop, we have several things you need to know about:

How the Method Works

The method utilizes several components, including the Remote Desktop Gateway, Network Policy and Access Services, and Azure AD, all discussed under Prerequisites. It acts like the steps below:

  1. The RDG receives a request from a remote computer that wants to connect to a Remote Desktop session.
  2. The RDG acts as a RADIUS client and sends the request to the NPS extension installed on an NPS server.
  3. The first authentication (username/password) occurs.
  4. Other conditions specified in the NPS Connection Request and Network Policies, such as time of day and membership restriction, are verified.
  5. The NPS triggers the second authentication with Azure AD MFA.
  6. Azure AD MFA communicates with Azure AD, confirms the user, and performs the second authentication based on already-made settings.
  7. On successful completion, Azure AD MFA communicates back to the NPS extension.
  8. The NPS server sends a RADIUS Access-Accept message to the RDG server.
  9. Access granted.

Remote Desktop Does Not Allow OTP

Azure AD MFA allows different authentication methods such as SMS, phone call, and authenticator apps such as Microsoft Authenticator. However, since Remote Desktops don’t have the option to use a code, you need to use either a Phone Call or an Authenticator App notification.

Prerequisites

To successfully implement Azure AD MFA, you need the following:

  • Azure AD MFA License from any of the premium plans.
    Windows Server software >2008 R2 SP1 with the NPS role service installed.
  • Remote Desktop Services (RDS) infrastructure.
  • Azure Active Directory synched with on-premises Active Directory.
  • Network Policy and Access Services (NPS) role provides the RADIUS server and must be installed on the RDG and another member server or domain controller.
  • Azure Active Directory GUID ID to install the NPS extension.

How to Set Up the Multi Authentication

Based on the explanation above, you already know the basis of the implementation process, which we will illustrate below:

Configure the Multi-Factor Authentication

The first step is to plan, configure, and implement the Azure AD MFA service before other users register. The procedure is explained below:

Step #1: Note the prerequisite 

For a hybrid identity scenario (on-premises and cloud identity), deploy the Azure AD connect and synchronize user identities between the AD DS and Azure AD. 

For on-premises legacy application, deploy Azure AD Application Proxy. There is no prerequisite task for cloud-only identity.

Step #2: Choose the authentication method 

Remote Desktops don’t have the option to input codes. As a result, you need to use either a Phone Call or an Authenticator App notification.

Step #3: Plan Conditional Access policies

Choosing the group to apply the policy to MFA

  1. Sign in to the Azure portal (ensure you use an account with global administrator permissions) 
  2. Search and select the Azure AD 
  3. Navigate from Conditional Access to New Policy 
  4. Click on New Policy
  5. Fill in the Name 
  6. Select the current value under Users or Workload identities (Assignment)
  7. Select users and groups under What does this policy apply to?  
  8. Choose Select users and groups under Include 
  9. Tick the Users and Groups box
  10. Select the Azure AD group 

Configure the conditions for MFA

Here, you decide the conditions that trigger MFA. This can be directed to a particular application or the login process itself. We will be configuring MFA for access to RD for the remote desktop. 

  1. Home > Contoso > Security > Conditional Access 
  2. Select grant under Access control 
  3. Select the current value under Grant 
  4. Select Grant access
  5. Choose to Require multi-factor authentication

Configure the conditions for MFA

  1. Under Enable policy select On

Install and configure the NPS extension

Configure the conditions for MFA

  1. Sign in to the Azure portal
  2. Navigate to Azure Active Directory
  3. Check for Tenant ID under Overview and copy

Background Image

Install the NPS extension

You should install the NPS extension on a server with the NPS role installed, not on the RDG server.

  1. Download the NPS extension
  2. Copy to the NPS server
  3. Follow the instructions to install the extension
  4. Click close on completion

Configure certificates for use with the NPS extension

  1. Open the NPS extension and provide your Azure AD Admin credentials and the tenant ID you copied.
  2. On the NPS server running the NPS Extension, open Windows PowerShell prompt as an administrator.
  3. Type the command “cd ‘c:Program FilesMicrosoftAzureMfaConfig'"
  4. Press Enter.
  5. Type the command .AzureMfaNpsExtnConfigSetup.ps1 (this will install the Azure AD PowerShell if it is not installed).
  6. Sign in using your Azure AD admin credentials and password.
  7. Paste the Tenant ID

Background Image

8. Press Enter and wait till the script creates a self-signed certificate.

Background Image

Configure NPS extension on RDG

This configuration will allow the RDG to communicate with the NPS server, as we said.

Configure Remote Desktop Gateway connection authorization policies to use the central store

Do the following on the RD Gateway server:

  1. Open Server Manager.
  2. Navigate Menu>Tools>Remote Desktop Services>Remote Desktop Gateway Manager.
  3. Right-click (Local)
  4. Click Properties.
  5. Select the RD CAP Store tab.
  6. Select the Central server running NPS.
  7. Enter the IP address or server name of the server where you installed the NPS extension in the “Enter a name or IP address for the server running NPS field."

Background Image

8. Click Add.

9. In the Shared Secret Dialog, type a known word in the “Enter a new shared secret" field.

Background Image

10. Click on OK to close the dialog box.

Configure RADIUS timeout value on Remote Desktop Gateway NPS

These steps ensure time for the user credential validation, two-step verification, etc. On the RDG server, do the following:

  1. Open Server Manager
  2. Navigate from Menu > Tools > Network Policy Server.
  3. Open the NPS (Local) console
  4. Expand RADIUS Clients and Servers > Remote RADIUS Server.

Background Image

5. Open the TS GATEWAY SERVER GROUP (created when you configured the central server).
6. Select the IP address or name of the NPS server you configured to store RD CAPs.
7. Click Edit.

Background Image

8. Click the Load Balancing tab.

9. Change the “Number of seconds without response before request is considered dropped field" to a value between 30 and 60 seconds. 

10. Change the “Number of seconds between requests when server is identified as unavailable" value to a number higher than or equal to that of the previous step.

11. Click OK two times to close the dialog boxes.

Verify Connection Request Policies

On the NPS Local Console,

  1. Navigate from RD Gateway > Policies
  2. Select Connection Request Policies.
  3. Double-click TS GATEWAY AUTHORIZATION POLICY.
  4. Click the Settings tab.
  5. Under Forwarding Connection Request, click Authentication
  6. Click on “forward requests for authentication."
  7. Click Cancel.

Background Image

Configure NPS on the server with the NPS extension installed

This is important to allow the NPS server with the NPS extension to communicate with the NPS server on the RDG. On the NPS server with the NPS extension, do the following

Register server in Active Directory

  1. Open the server manager
  2. Navigate from Tools to Network Policy Server
  3. In the Network Policy Server console, right-click NPS (local)
  4. Click Register server in Active Directory
  5. Click OK twice
  6. Leave the console open for the next procedure

Create and configure the RADIUS client

This will configure the RDG as a RADIUS client on the NPS server. On the network policy server NPS (Local) console,

  1. Right-click RADIUS Clients
  2. Click New.
  3. Under name and address, input a name in the Friendly name field.
  4. Input the IP address or DNS of the Remote Desktop Gateway server in the address.
  5. Enter the Shared secret you used before.
  6. Click OK.

Configure Network Policy

This will allow the CAP on the NPS server to authorize valid connection requests. Do the following on the NPS server:

  1. Open the NPS (Local) console.
  2. Expand Policies.
  3. Click Network Policies.
  4. Right-click Connections to other access server.
  5. Click Duplicate Policy.
  6. Right-click Copy of Connections to other access servers.
  7. Click Properties.
  8. Under the Overview tab, enter a suitable name in Policy name.
  9. Check the Policy enabled box.
  10. Tick Grant access.
  11. Select Remote Desktop Gateway under Type of network access server (You can also leave it as Unspecified).
  12. Click the Constraints tab
  13. Check the Allow clients to connect without negotiating an authentication method box.
  14. On the Condition tab, you can also add some conditions that users who want to connect to the RD session must meet. However, this is optional.
  15. Click OK.
  16. Click No when prompted to view the corresponding Help topic.
  17. Check to ensure the policy is on top of the list, check the status is enabled, and the Access Type is “Grant Access.”

Method 2: Use third-party applications

An easier method to implement Two-factor Authentication in RD is to use third-party applications.

Common applications for such purposes include DUO, LoginTC, Rohos, etc. Each has unique methods for implementing 2FA. Nevertheless, they still have an elongated and complex implementation method.

Method 2: Use third-party applications

Remote Desktop is one of the common ways to interact with a remote computer using another one.

While it is a useful Windows feature, security can be problematic and implementing two-factor authentication is a very complex and capital-intensive procedure for average businesses.

Instead, businesses can invest in V2 Cloud, a virtual desktop solution with enhanced security.

We allow you to enable two-step authentication easily. Aside from that, by using V2 Cloud, you get access to a fully integrated Virtual Desktop solution with no hidden fees, complicated setups, or contracts while providing the best end-user experience and performance.

Why not use our risk-free 7-day trial, and experience the simplicity, scalability and power of V2 Cloud?

Back To Tutorials Menu

Back to top

Let us help you find the solution that fits your business needs