Secure terminal Services (RDP) using Azure Multi-factor Authentication (MFA) – Part 2

Ahmad Yasin (MCSA office 365, MCSE : Messaging, Azure Certified)

Ahmad Yasin

Hello Everyone,

In First article of this series we discussed the general concept of Azure Multi-Factor Authentication and how it’s work

In second part of this series we went more deeper in the technical aspects of the implementation of Azure MFA by taking an example of how to secure your remote desktop connection through Azure Multi-Factor authentication and we prepared the azure tenant and the Azure MFA provider.

In this part, we will continue our demo of integrating remote desktop connection (RDP) with Azure MFA by installing the Azure MFA server in the same server we need to secure it.

in this demo we have a server called Secure-Server with windows server 2008 r2 joined to the domain, we need to secure the remote desktop connection to it by installing the MFA server in it.

In this demo, I assumed that the MFA provider is already prepared, for more information read our previous article.

so let’s start the installation of the MFA:

Just to remind you, the below three snapshots show you how to download the MFA setup and generate the credentials which we explained in the previous article :

9

10

11

12

Now after the download of MFA completed, double click in the setup file, choose the installation path and click Next:

13

wait a seconds for the installation to complete:

14

once the installation finish click Finish:

15

A new Wizard will appear as below, Click Next:

16

Now enter the Email and Password credentials which we obtained before from the MFA provider, if you forget how to obtain it please read our previous post, if the credentials expired you can re-generate it again, once you fill the required information click Next:

21

Now, MFA server will try to communicate with Azure MFA Provider as below:

22

Ops, we received an error message as shown below ” Unable to communicate with the Multi-factor Authentication POP, The Multi-factor Authentication server could not be activated … etc“, this error is normal if you use an proxy to access internet, in this case you must verify three things if you use a proxy server:

1- Your proxy is set correctly in the server (in IE browser).
2- Run CMD as administrator, write the following command:
netsh winhttp import proxy source=ie
3-  MFA server must be able to communicate on port 443 outbound to the following:

  • https://pfd.phonefactor.net
  • https://pfd2.phonefactor.net
  • https://css.phonefactor.net

If outbound firewalls are restricted on port 443, the following IP address ranges will need to be opened:

IP Subnet Netmask IP Range
134.170.116.0/25 255.255.255.128 134.170.116.1 – 134.170.116.126
134.170.165.0/25 255.255.255.128 134.170.165.1 – 134.170.165.126
70.37.154.128/25 255.255.255.128 70.37.154.129 – 70.37.154.254

If you are not using Azure Multi-Factor Authentication Event Confirmation features and if users are not authenticating with the Multi-Factor Auth mobile apps from devices on the corporate network the IP ranges can be reduced to the following:

IP Subnet Netmask IP Range
134.170.116.72/29 255.255.255.248 134.170.116.72 – 134.170.116.79
134.170.165.72/29 255.255.255.248 134.170.165.72 – 134.170.165.79
70.37.154.200/29 255.255.255.248 70.37.154.201 – 70.37.154.206

23

After we set a proxy rules, I tried another time to activate the MFA as below:

24

finally, its verified successfully, Now the wizard will ask you to create new MFA group or choose existing one, since it’s first MFA server to be deployed, give any meaningful name for the new group as below, also note that the group used to manage more than MFA servers and enable replication between the servers if there is a need, Click Next:

25

Uncheck enable replication between servers option and click Next:

26

Now, you can select what application need to integrate it with Azure MFA, the last option is remote desktop, you can select it and click Next, but in our demo we will click cancel to configure the remote desktop from the MFA console, click Cancel.

27

Now, go to star menu and click on Multi-Factor Authentication Server icon:

28

Azure MFA server is loading as below:

29

After a while the console appear, this is the MFA server console that you can manage the MFA setup, in the status option it display that the server Secure-Server.demo.lab is online which is the same server we need to secure the RDP connection on it and the MFA server at the same time:

30

Also if you go to the Azure MFA provider manage page, click on Server Status option you will see the server is online as below:
31

Now back to the MFA server console, go to windows authentication, check “Enable Windows Authentication” option as below, then click Add button:
32

Choose the server name and terminal services as an application option, check the “Enable” option, now if you will apply all users in AD to use MFA check the “Require Multi-Factor Authentication user match” option, if not leave it uncheck as below, click OK:

33

The MFA is configured to secure the RDP in that server, it mentioned that the server need to be restarted to take the effect, click OK and wait before restart to continue the configuration:

34

As shown below, the server appear in the console:
35

Now go to Users icon to add the users you need to apply MFA authentication on them, click in Import from Active Directory button as below:

36

choose the users you need and click Import as below:

37

The users successfully imported as below, click OK:

38

the new users appear in the console, there is a warning icon beside each user, this warning because the user must enabled for MFA manual, by default when you import the user it will be not enabled for MFA automatically, double click in any user:

39

fill the required information as below:
-Country Code.
-Phone.
– choose MFA to be phone call, Text Message or mobile app … etc. we will choose for this demo a phone call option.
-check the enabled option.
Finally, Click Apply:

40

note after we check the enable option the warning icon disappear, do the same for all users you need:

41

after I prepared all users, the users appear in the console without the warning icon, to test the configuration choose any user and click the test button:

42

provide the password and click test:

43

wait a while:

44

Now, the user should receive a call, if he end the call the authentication will be refused because it will considered that another person try to use his/her credentials, if the user click (#) he/she confirm that he is the one trying to access the server:

45

After I clicked (#), the test completed as belwo:

46

Now, after I restarted the machine to take effect, I try to access the server remotely as below:

47

I tried to login with the administrator user:

48

Now the welcome page start:

49

during the login and within the welcome page  I received a call from Microsoft MFA, I answered the call and end it direct:

50 - Copy

Because I end the call and didn’t press the (#) key, the login process failed as below:
52

I tried to login again with the same user: 53

I received another call from Microsoft MFA, but this time I press (#) key:

54

Because I press the (#) key I confirmed for Microsoft that I am the same person who try to login now, so I successfully login to the server as below:

55 56

So in this article we tried to demonstrate how to install the MFA server and integrate it with the remote desktop connection (RPD).

In next part we will show you how to customize the MFA setup by using Fraud alert, changing the received call voice, generate a reports … etc.

Stay tuned 🙂

Ahmad Yasin (MCSA office 365, MCSE : Messaging, Azure Certified)

Ahmad Yasin (MCSA office 365, MCSE : Messaging, Azure Certified)

Ahmad Yasin in a Microsoft Cloud Engineer and the Owner & publisher of AzureDummies blog. He also hold many certificates in office 365 and windows azure including Developing Microsoft Azure Solutions, Implementing Microsoft Azure Infrastructure Solutions and MCSA office 365.
Ahmad is currently working in Specialized Technical Services Company (STS).
Find Ahmad at Facebook and LinkedIn

 

 

 

 

12 Comments

  1. Hi Ahmed,
    Excellent write up of the topic. I wish I have read this before deploying MFA on premise on a W2k12 R2 server which I tried to add 2-step verification for RDP sessions. The Auth Config Wizard didn’t show the RemoteDesktop option – so does mean that MS won’t be supporting this option with this OS? Is there a workaround so that I can secure RDP with MFA on W2k12 R2?

    If my MFA is installed on a AD domain controller running W2k8 R2, will I need MFA server on all RDP servers in the AD domain?

    Pls advise.

    • Hello Calvin,

      for 2012 R2 as i know still not supported.

      for AD, yes every time you need to secure RDP you need to deploy the MFA.

    • Hello Calvin,

      Just to update this comment, I will release a new article regarding this maybe this week, stay tuned 🙂

  2. I can get this to work for the server that MFA is installed on no problem. How do I enable Multi-factor authentication on the remaining servers I RDP into in the domain? I’ve messed around with Center NPS with no luck… it is on my DC 2012 R2.

    • Hello Marc,

      Thank you for your comment, i will release a new article regarding this maybe this week, stay tuned 🙂

  3. Ahmad,

    We currently have Office 365 for our clients. We’ve synched up to Azure AD also. We’ve enabled ADFS and it works fine for the cloud.

    We also need MFA server on premise for terminal services. I noticed there are setups for MFA on premise and terminal services (such as your article),but I cannot get it to work. I’ve only seen the MFA on premise server providing intertwined with NPS, RDG, and RADIUS.

    question 1: does MFA on premise support server 2016 (as this is the flavor we are using) for RDS?
    question 2: do you have remote desktop gateway (RDG) setup in this article?

    • Hello Jay,

      Thanks for your comment, yes it supported and need GW and NPS to be installed, stay tuned i will publish an article very soon.

    • I set this up and the phone works fine. Nps is automatically installed on rdg server. I tested this out with on premise mfa. It works fine with rd web access internally and externally. Only thing, sms text does not prompt on launch of rd web access application. It does not prompt, but mfa does send sms text to the user’s phone. Seems the sms text prompt is happening on the broker machine and the users cannot see it. We are sticking to phone verification for now til we can get it sorted.

      S1: Remote app server
      S2: Rdg server+nps+rd web access
      S3: mfa
      S4: remoteapp broker

Leave a Reply

Your email address will not be published. Required fields are marked *