Appendix: Configuring the TS Gateway OTP Scenario

Applies To: Windows Server 2008

This scenario discusses how to configure One Time Password (OTP) authentication with Terminal Services Gateway (TS Gateway). In this scenario, Network Policy Server (NPS) is used as a Remote Authentication Dial-In User Service (RADIUS) server to authenticate users on a Microsoft Internet Security and Acceleration (ISA) Server 2006-based edge server.

NPS enables you to provide local and remote network access services and to define and enforce policies for network access authentication, authorization, and client health. The NPS role service in Windows Server 2008 is the replacement for the Internet Authentication Service (IAS) in Windows Server 2003. Deploying NPS as a RADIUS server enables users with supported clients to authenticate on the edge server by using OTP authentication. After OTP authentication, users are allowed to cross the corporate perimeter and are authenticated again for access to corporate resources. Therefore, users need to provide two forms of credentials before they are allowed to connect to the corporate resource.

Note

If you use OTP for client authentication, this configuration does not allow you to digitally sign e-mail messages or easily share identities between different organizations.

The instructions for this scenario assume that you are already familiar with TS Gateway.

System configuration for this scenario

This example scenario uses the following configuration.

Computer Configuration

ISA Server

(“contoso-fw.contoso.com”)

  • The server is running Windows Server 2003.

  • The server is running ISA Server 2006.

  • The ISA Server contains a server certificate for www.contoso.com that is installed to the local computer certificate store.

  • The ISA Server 2006 Supportability Update package is installed from the following Web site: https://go.microsoft.com/fwlink/?LinkId=115136.

  • The server has the following name and IP addresses assigned:

    Name: contoso-fw.contoso.com

    Internal IP address: 192.168.1.1

    External IP address: 206.73.118.1

TS Gateway/TS Web Access server

(“www.contoso.com”)

  • The server is running Windows Server 2008.

  • The server is running the TS Gateway and TS Web Access role services, with the TS Web Access Web site accessible at https://www.contoso.com/ts.

  • TS Web Access is configured to populate its list of RemoteApp programs from the terminal server “contoso-ts.contoso.com”.

  • The server has the following name and IP address assigned:

    Name: www.contoso.com

    IP address: 192.168.1.2

NPS (RADIUS) server

(“contoso-otp.contoso.com”)

  • The server is running Windows Server 2008.

  • The server is running the NPS role service.

  • The server has the following name and IP address assigned:

    Name: contoso-otp.contoso.com

    Internal IP address: 192.168.1.3

Terminal Server

(“contoso-ts.contoso.com”)

  • The server is running Windows Server 2008.

  • The server is running the Terminal Server role service.

  • The terminal server has RemoteApp programs installed that are available through TS Web Access. The RemoteApp programs are configured to use TS Gateway. For more information about how to configure Terminal Services RemoteApp, see the “Terminal Services RemoteApp Step-by-Step Guide” (https://go.microsoft.com/fwlink/?LinkId=84895).

  • The server has the following name and IP address assigned:

    Name: contoso-ts.contoso.com

    IP address: 192.168.1.4

Client computer

(“client1”)

  • The client computer is running Windows Vista with Service Pack 1 (SP1).

  • The computer has the following configuration:

    Name: client1

    IP address: 206.73.118.2

Important

The OTP scenario is supported only for Remote Desktop Connection (RDC) 6.1 clients. RDC 6.1 is available in Windows Vista with SP1, Windows XP with Service Pack 3 (SP3), and Windows Server 2008.

Network topology

The following diagram illustrates the OTP scenario for TS Gateway.

Steps to configure OTP

To configure OTP in this scenario, you must perform the following steps:

  1. Configure the NPS (RADIUS) server.

  2. Set the Dial-in permission for the RADIUS user.

  3. Create a RADIUS client on the ISA Server.

  4. Create a Web listener on the ISA Server.

  5. Publish a Web site on the ISA Server by using the Web listener.

  6. Disable the HTTPOnly attribute on the ISA Server.

  7. Modify the Remote Desktop Protocol (.rdp) file that clients will use to connect.

  8. Set up the client computer.

  9. Test the configuration.

To configure the NPS (RADIUS) server

  1. Log on to the NPS server (“contoso-otp.contoso.com”) with an account that has Administrator privileges.

  2. Click Start, point to Administrative Tools, and then click Network Policy Server.

  3. In the console tree, expand RADIUS Clients and Servers, right-click RADIUS Clients, and then click New RADIUS Client.

  4. In the New RADIUS Client dialog box, do the following:

    1. In the Friendly name box, type the friendly name of the ISA Server, contoso-fw.

    2. In the Address (IP or DNS) box, type the fully qualified domain name of the ISA Server, contoso-fw.contoso.com.

    3. In the Vendor name list, accept the default setting of RADIUS Standard, and then click OK.

Note

For this scenario, you do not have to configure any settings in the Shared Secret section.

  5. In the console tree, expand Policies, and then click Network Policies.

  6. Under Policy Name, double-click Connections to other access servers.

  7. In the Connections to other access servers Properties dialog box, click the Constraints tab.

  8. In the Constraints column, click Authentication Methods.

  9. Select the Unencrypted authentication (PAP, SPAP) check box. Leave the other check boxes with their default values, and then click OK.

NPS uses Windows Authentication to authenticate users. To use the RADIUS service that is provided by NPS, users must have the Dial-in permission assigned. You can set this permission for domain users on a domain controller by using Active Directory Users and Computers, or for local users on a member server by using Local Users and Groups. In this example scenario, the Dial-in permission is set for a local user on the NPS server.

Note

The following procedure assumes that you have set up a local user account on the NPS server that you want to use for testing.

To set the Dial-in permission for the RADIUS user

  1. Log on to the NPS server ("contoso-otp.contoso.com") with an account that has Administrator privileges.

  2. Click Start, point to Administrative Tools, and then click Computer Management.

  3. In the console tree, expand Local Users and Groups, and then click Users.

  4. Right-click the user account that you want to modify, and then click Properties.

  5. Click the Dial-in tab.

  6. Under Network Access Permission, click Allow access, and then click OK.

To create a RADIUS client on the ISA Server

  1. Log on to the ISA Server ("contoso-fw.contoso.com") with an account that has Administrator privileges.

  2. Start ISA Server Management. To do this, click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.

  3. In the console tree, expand the server name, expand Configuration, and then click General. (If you are running ISA Server 2006 Enterprise Edition, expand Arrays, expand the server name, expand Configuration, and then click General.)

  4. In the middle pane, under ISA Server Administration, click Specify RADIUS and LDAP Servers.

  5. On the RADIUS Servers tab, click Add.

  6. In the Server name box, type the name of the RADIUS server to use (in this case, contoso-otp.contoso.com), and then click OK.

  7. Click OK to close the Authentication Servers dialog box.

To create a Web listener on the ISA Server

  1. In the console tree of ISA Server Management, expand the server name, and then click Firewall Policy. (If you are running ISA Server 2006 Enterprise Edition, expand Arrays, expand the server name, and then click Firewall Policy.)

  2. In the right pane, click the Toolbox tab, and then click Network Objects.

  3. On the Network Objects toolbar, click New, and then click Web Listener.

    The New Web Listener Definition Wizard starts.

  4. In the Web listener name box, type OTP, and then click Next.

  5. On the Client Connection Security page, click Require SSL secured connections with clients, and then click Next.

  6. On the Web Listener IP Addresses page, do the following:

    1. Under Listen for incoming Web requests on these networks, select the External check box.

    2. Click Select IP Addresses.

    3. Under Listen for requests on, click Specified IP addresses on the ISA Server computer in the selected network.

    4. Under Available IP Addresses, click 206.73.118.1, click Add, and then click OK.

    5. Accept the default (selected) setting for the ISA Server will compress content sent to clients through this Web Listener if the clients requesting the content support compression check box.

    6. Click Next.

  7. On the Listener SSL Certificates page, do the following:

    1. Click Assign a certificate for each IP address.

    2. In the IP Address column, click 206.73.118.1, and then click Select Certificate.

    3. On the Select Certificate page, select the certificate that is issued to www.contoso.com, and then click Select.

    4. Click Next.

  8. On the Authentication Settings page, do the following:

    1. In the Select how clients will provide credentials to ISA Server list, click HTML Form Authentication.

    2. Under Select how ISA Server will validate client credentials, click RADIUS OTP, and then click Next.

  9. On the Single Sign On Settings page, clear the Enable SSO for Web sites published with this Web listener check box, and then click Next. (SSO is not relevant for this solution.)

  10. On the Completing the New Web Listener Wizard page, click Back to make any changes, or click Finish to complete the wizard.

To publish a Web site on the ISA Server by using the Web listener

  1. In the console tree of ISA Server Management, expand the server name, and then click Firewall Policy. (If you are running ISA Server 2006 Enterprise Edition, expand Arrays, expand the server name, and then click Firewall Policy.)

  2. In the right pane, click the Tasks tab, and then click Publish Web Sites.

    The New Web Publishing Rule Wizard starts.

  3. In the Web publishing rule name box, type Web Site Publishing, and then click Next.

  4. On the Select Rule Action page, under Action to take when rule conditions are met, click Allow, and then click Next.

  5. On the Publishing Type page, click Publish a single Web site or load balancer, and then click Next.

  6. On the Server Connection Security page, click Use SSL to connect to the published Web server or server farm, and then click Next.

  7. On the Internal Publishing Details page, in the Internal site name box, type www.contoso.com, and then click Next.

  8. On the Internal Publishing Details page, click Next. (Leave the Path (optional) box empty, and the Forward the original host header instead of the actual one specified in the Internal site name field on the previous page check box cleared.)

  9. On the Public Name Details page, do the following:

    1. In the Accept requests for list, ensure that This domain name (type below) is selected.

    2. In the Public name box, type www.contoso.com, and then click Next.

  10. On the Select Web Listener page, in the Web listener list, click OTP, and then click Next. (This is the Web listener that you created in the previous procedure.)

  11. On the Authentication Delegation page, in the Select the method used by ISA Server to authenticate to the published Web server list, click No delegation, but client may authenticate directly, and then click Next.

  12. On the User Sets page, under This rule applies to requests from the following user sets, ensure that All Authenticated Users is listed, and then click Next.

  13. On the Completing the New Web Publishing Rule Wizard page, click Back to make any changes, or click Finish to complete the wizard.

  14. Click Apply to update the configuration. (If you are running ISA Server 2006 Enterprise Edition, you can check the status by using the Configuration tab that is available when you click Monitoring in the console tree.)

To disable the HTTPOnly attribute on the ISA Server

  1. Copy and paste the following script into a text editor such as Notepad. On the ISA Server, save the file to the C:\ directory as DisableHttpOnlyAuthCookies.vbs.

Important

Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose.

Note

This script is also available at the following Web site: https://go.microsoft.com/fwlink/?LinkId=115137

    ' Require the /WebListener:<name> argument.
    If Not WScript.Arguments.Named.Exists("WebListener") Then
        WScript.Echo "WebListener not defined"
        WScript.Quit(1)
    End If
    
    ' Open the ISA Server configuration and locate the named Web listener.
    Set fpcRoot = CreateObject("FPC.Root")
    Set fpcArray = fpcRoot.GetContainingArray()
    Set fpcWebListener = fpcArray.RuleElements.WebListeners(WScript.Arguments.Named("WebListener"))
    Set fpcWebListenerVps = fpcWebListener.VendorParametersSets
    
    ' Look up the cookie authentication vendor parameters set.
    ' The lookup fails if the set has never been created on this listener.
    On Error Resume Next
    Set fpcCookieAuthVps = fpcWebListenerVps.Item("{29022EBA-B030-4839-9CA6-DD8875BC7B47}")
    If Err.Number = 0 Then
        CookieAuthVpsExists = True
    Else
        CookieAuthVpsExists = False
    End If
    Err.Clear
    On Error GoTo 0
    
    ' Report the current setting.
    If Not CookieAuthVpsExists Then
        WScript.Echo "Cookie auth VPS settings not defined, HTTP only cookies are ON by default"
    Else
        WScript.Echo "HTTP only cookies: " & (fpcCookieAuthVps.Value("HttpOnlyCookie") = True)
    End If
    
    ' If /Value was supplied, create the parameters set if needed,
    ' store the new setting, and save the configuration.
    If WScript.Arguments.Named.Exists("Value") Then
        If Not CookieAuthVpsExists Then
            Set fpcCookieAuthVps = fpcWebListenerVps.Add("{29022EBA-B030-4839-9CA6-DD8875BC7B47}")
        End If
        fpcCookieAuthVps.Value("HttpOnlyCookie") = (StrComp(WScript.Arguments.Named("Value"), "True", 1) = 0)
        fpcArray.Save
        WScript.Echo "HTTP only cookies set to " & (fpcCookieAuthVps.Value("HttpOnlyCookie") = True)
    End If

  2. From a command prompt, run the following command from the C:\ directory:

    cscript DisableHttpOnlyAuthCookies.vbs /WebListener:OTP /Value:False

    You should see the following output:

    HTTP only cookies: True

    HTTP only cookies set to False

To modify the RDP file that clients will use to connect

  1. Log on to the terminal server ("contoso-ts.contoso.com") with an account that has Administrator privileges.

  2. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS RemoteApp Manager.

  3. In the Overview pane of TS RemoteApp Manager, next to RDP Settings, click Change.

  4. On the Custom RDP Settings tab, type or copy the following RDP settings into the Custom RDP settings box:

    pre-authentication server address:s:https://www.contoso.com/ts

    require pre-authentication:i:1

  5. When you have finished adding the settings, click Apply.
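
Each custom RDP setting has the form name:type:value, and the pre-authentication address must point at the HTTPS public name published on the ISA Server. The following PowerShell check is an added example, not part of the original procedure; the function name Test-OtpRdpSettings, its parameters, and the two sample inputs are constructed for illustration.

```powershell
# Added example; not from the original page. Sample inputs are constructed.
function Test-OtpRdpSettings {
    param(
        [string[]]$Lines,
        [string]$ExpectedHost = 'www.contoso.com'   # public name published on the ISA Server
    )
    $settings = @{}
    $problems = @()
    foreach ($line in $Lines) {
        if ($line.Trim() -eq '') { continue }
        # Each setting is name:type:value. The value may itself contain ':'
        # (a URL), so only the first two separators are matched.
        if ($line -match '^(?<name>[^:]+):(?<type>[isb]):(?<value>.*)$') {
            $settings[$Matches['name']] = @{ Kind = $Matches['type']; Text = $Matches['value'] }
        } else {
            $problems += "Malformed line (expected name:type:value): '$line'"
        }
    }

    $req = $settings['require pre-authentication']
    if (-not $req) {
        $problems += "Missing 'require pre-authentication'"
    } elseif ($req.Kind -ne 'i' -or $req.Text -ne '1') {
        $problems += "'require pre-authentication' must be i:1"
    }

    $addr = $settings['pre-authentication server address']
    if (-not $addr) {
        $problems += "Missing 'pre-authentication server address'"
    } else {
        $uri = $null
        $ok = [Uri]::TryCreate($addr.Text, [UriKind]::Absolute, [ref]$uri)
        if ($addr.Kind -ne 's' -or -not $ok -or $uri.Scheme -ne 'https') {
            $problems += "'pre-authentication server address' must be an s: value holding an https URL"
        } elseif ($uri.Host -ne $ExpectedHost) {
            $problems += "Pre-authentication host '$($uri.Host)' does not match '$ExpectedHost'"
        }
    }
    return ,$problems
}

# Constructed input: both settings well-formed.
$good = @('pre-authentication server address:s:https://www.contoso.com/ts',
          'require pre-authentication:i:1')
# Constructed input: stray spaces after the separators in the first setting.
$spaced = @('pre-authentication server address: s: https://www.contoso.com/ts',
            'require pre-authentication:i:1')

Test-OtpRdpSettings -Lines $good
Test-OtpRdpSettings -Lines $spaced
```

To check a real file, pass the lines of the .rdp file that clients receive, for example the output of Get-Content, in place of the sample arrays.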

To set up the client computer

  1. Log on to the client computer (“client1”).

  2. From an elevated command prompt, type the following commands, pressing ENTER after each command:

    cd c:\windows\system32\drivers\etc

    edit hosts

  3. Add the following line to the Hosts file:

    206.73.118.1 www.contoso.com

  4. Save the Hosts file.

Note

Typically, you would not have to modify the Hosts file, as the address would be resolvable through DNS.

To test the configuration from the client computer

  1. Open Internet Explorer and specify https://www.contoso.com/ts as the address.

    You will be redirected to the OTP logon page on the ISA Server.

  2. Type the user name in the format contoso-otp\user.

Note

If the user is a domain user and the RADIUS server is a member of the domain, you do not have to specify a domain name. However, because in this procedure the test user is a local user on the RADIUS server, you must specify the computer name where the account exists.

  3. Enter the user’s password.

    The ISA Server will pass the credentials to the NPS server for authentication. If successful, the client will be redirected to the Web site and retrieve the TS Web Access page.