
Remote Desktop Gateway and Azure Multi-Factor Authentication Server using RADIUS

Published: May 20, 2013

Updated: February 10, 2014

This document describes how to deploy Remote Desktop Gateway with Azure Multi-Factor Authentication Server using RADIUS.

RD Gateway must be configured to send RADIUS authentication requests to an Azure Multi-Factor Authentication Server. Once RD Gateway has been installed, configured and is working, open the RD Gateway properties. On the RD CAP Store tab, change the setting from Local server running NPS to Central server running NPS. Add one or more Azure Multi-Factor Authentication Servers as RADIUS servers and specify a shared secret for each server.

RD Gateway uses NPS to send the RADIUS request to Azure Multi-Factor Authentication. A timeout must be changed to prevent the RD Gateway from timing out before Azure Multi-Factor Authentication’s authentication has completed. Use the following procedure to configure NPS.

  1. In NPS, expand the RADIUS Clients and Servers node in the left column and click Remote RADIUS Server Groups. Open the properties of the TS GATEWAY SERVER GROUP. Edit the RADIUS server(s) displayed and go to the Load Balancing tab. Change the “Number of seconds without response before request is considered dropped” and the “Number of seconds between requests when server is identified as unavailable” to 30-60 seconds. Click the Authentication/Accounting tab and ensure that the RADIUS ports specified match the ports that the Multi-Factor Authentication Server will be listening on.

  2. NPS must also be configured to receive RADIUS authentications back from an Azure Multi-Factor Authentication Server. Click RADIUS Clients in the left menu. Add the Azure Multi-Factor Authentication Server as a RADIUS client. Choose a Friendly name and specify a shared secret.

  3. Expand the Policies section in the left navigation and click on Connection Request Policies. It should contain a Connection Request Policy called TS GATEWAY AUTHORIZATION POLICY that was created when RD Gateway was configured.

  4. Copy this policy to create a new one. In the new policy, add a condition that matches the Client Friendly Name with the Friendly name set for the Azure Multi-Factor Authentication Server RADIUS client. Change the Authentication Provider to Local Computer. This policy ensures that when a RADIUS request is received from the Azure Multi-Factor Authentication Server, the authentication occurs locally instead of sending a RADIUS request back to the Azure Multi-Factor Authentication Server which would result in a loop condition.

The Azure Multi-Factor Authentication Server is configured as a RADIUS proxy between RD Gateway and NPS. It should be installed on a domain-joined server that is separate from the RD Gateway server. Use the following procedure to configure the Azure Multi-Factor Authentication Server.

  1. Open the Azure Multi-Factor Authentication Server and click the RADIUS Authentication icon. Check the Enable RADIUS authentication checkbox.

  2. On the Clients tab, ensure the ports match what is configured in NPS and click the Add… button. Add the RD Gateway server IP address, application name (optional) and a shared secret. The shared secret will need to be the same on both the Azure Multi-Factor Authentication Server and RD Gateway.

  3. Click the Target tab and choose the RADIUS server(s) radio button.

  4. Click the Add… button. Enter the IP address, shared secret and ports of the NPS server. The shared secret must match the one set up in the RADIUS client section of the NPS server.
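The routing decisions behind the two procedures above, as an added example that is not part of this document or of Microsoft's software: a simplified Python model of NPS connection request policy evaluation, showing why the copied policy must match the MFA Server's client Friendly name and sit ahead of the forwarding policy, and what RD Gateway sees when the RADIUS timeout is shorter than the second factor. Friendly names, the user list and the timings are constructed for the example.

```python
# Added example, not Microsoft's code: a small model of how NPS connection
# request policies route a request along RD Gateway -> NPS -> MFA Server -> NPS.
# Client Friendly names, the user list and timings are constructed.
from dataclasses import dataclass
from typing import Optional

MAX_HOPS = 8  # guard so a misconfigured loop terminates in the model

@dataclass
class Policy:
    name: str
    client_friendly_name: Optional[str]  # condition on the RADIUS client; None matches any
    provider: str                        # "local" or "forward:<remote RADIUS server group>"

@dataclass
class MfaProxy:
    friendly_name: str          # Friendly name of the MFA Server's RADIUS client entry in NPS
    second_factor_seconds: int  # how long the phone call or app prompt delays the reply

    def forward(self, user: str, nps: "Nps", hops: int) -> tuple:
        # The proxy relays the request to its Target (NPS) and answers only
        # after the second factor completes, so RD Gateway's NPS has to wait.
        return nps.authenticate(self.friendly_name, user, hops), self.second_factor_seconds

@dataclass
class Nps:
    policies: list        # evaluated in processing order; the first match wins
    groups: dict          # remote RADIUS server group name -> MfaProxy
    remote_timeout: int   # "seconds without response before request is considered dropped"

    def authenticate(self, client_name: str, user: str, hops: int = 0) -> str:
        if hops > MAX_HOPS:
            return "loop"
        policy = next(p for p in self.policies
                      if p.client_friendly_name in (None, client_name))
        if policy.provider == "local":
            return "accept" if user in LOCAL_USERS else "reject"
        proxy = self.groups[policy.provider.split(":", 1)[1]]
        result, waited = proxy.forward(user, self, hops + 1)
        return "dropped" if waited > self.remote_timeout else result

LOCAL_USERS = {"alice"}  # constructed stand-in for Windows authentication
MFA = MfaProxy(friendly_name="AzureMFA", second_factor_seconds=20)
FORWARD = Policy("TS GATEWAY AUTHORIZATION POLICY", None, "forward:TS GATEWAY SERVER GROUP")
LOCAL = Policy("TS GATEWAY AUTHORIZATION POLICY - MFA", "AzureMFA", "local")  # the copied policy

def outcome(policies: list, timeout: int) -> str:
    """Result RD Gateway (RADIUS client 'RDGateway') gets for user alice."""
    return Nps(policies, {"TS GATEWAY SERVER GROUP": MFA}, timeout).authenticate("RDGateway", "alice")
```

With only the forwarding policy, or with the copied policy placed after it, every request from the MFA Server is forwarded straight back to the MFA Server, which is the loop the procedure above prevents.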

© 2014 Microsoft. All rights reserved.