Two factor authentication for RDS 2012


I have been asked a few questions recently around RDS 2012 Web services and two factor authentication.

The good news is that there are products available which let you add two-factor or one-time password (OTP) authentication to your RDS environments. So for all those high-security organisations: yes, you can secure and lock down access to RDS using two-factor or OTP.

Have a look at the following links:

Duo Security:  https://www.duosecurity.com/microsoft

Scorpion software: http://www.scorpionsoft.com/docs/authanvil/rdwebaccess

Rohos: http://www.rohos.com/support/knowledge-base/access-your-remote-desktop-in-a-secure-way-by-usb-stick-2/


15 thoughts on “Two factor authentication for RDS 2012”


  1. You can use built-in IPsec for 2-factor certificate authentication over the required ports of farm hosts, or simply the gateway/web host.

  2. Apologies for the double post above.
    Are you running this Ryan?
    As I have RD Gateway and Web on one server I’m only going to be able to install one component, probably Duo-RDGateway.
    It’s a shame I can’t put both Duo products on the one server.

  3. Last question!
    What workaround did you use?
    On setup I get the message ‘This application is not supported on Windows Server 2012 or later’
    Thanks

  4. Very straightforward and open source solution: https://github.com/sbeh/RDP-OTP

    Basically: It changes your password on every login, encrypts (RSA) and encodes (QR) the new password and uploads it to any web space you like. You use your smartphone then to decode and decrypt the new password.
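The rotate-encrypt-decode cycle described in the comment above, as an added illustration in Go; this is not the RDP-OTP project's own code. It assumes the phone holds an RSA private key and the server holds the matching public key, uses base64 in place of the QR encoding step (QR rendering needs a third-party library), and leaves out the actual Windows password change and the upload to web space. The OAEP label is a constructed value.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Characters used for rotated passwords; visually ambiguous ones (0/O, 1/l/I)
// are left out because the user types the decoded value by hand.
const passwordAlphabet = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789"

// oaepLabel is a constructed, hypothetical OAEP label; both sides must agree on it.
var oaepLabel = []byte("rdp-otp-example")

// NewPassword draws n characters uniformly from passwordAlphabet using
// crypto/rand, rejecting bytes that would bias the modulo reduction.
func NewPassword(n int) (string, error) {
	if n <= 0 {
		return "", errors.New("password length must be positive")
	}
	limit := 256 - (256 % len(passwordAlphabet))
	out := make([]byte, 0, n)
	buf := make([]byte, 1)
	for len(out) < n {
		if _, err := rand.Read(buf); err != nil {
			return "", err
		}
		if int(buf[0]) >= limit {
			continue // rejection sampling keeps the distribution uniform
		}
		out = append(out, passwordAlphabet[int(buf[0])%len(passwordAlphabet)])
	}
	return string(out), nil
}

// SealPassword is the server side: encrypt the new password to the phone's
// public key with RSA-OAEP(SHA-256) and base64-encode the ciphertext. The
// comment's scheme renders this blob as a QR code and uploads it; base64
// stands in for the QR step here, and the upload is not shown.
func SealPassword(pub *rsa.PublicKey, password string) (string, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(password), oaepLabel)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// OpenPassword is the phone side: decode the blob and decrypt it with the
// private key that never leaves the phone. Tampering with the ciphertext
// makes OAEP decryption fail rather than return garbage.
func OpenPassword(priv *rsa.PrivateKey, blob string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, oaepLabel)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// RoundTrip generates a phone key pair, rotates a password, seals it and
// opens it again, returning the rotated password, the blob that would be
// published, and the value recovered on the phone side.
func RoundTrip(bits int) (password, blob, recovered string, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return "", "", "", err
	}
	password, err = NewPassword(20)
	if err != nil {
		return "", "", "", err
	}
	blob, err = SealPassword(&priv.PublicKey, password)
	if err != nil {
		return "", "", "", err
	}
	recovered, err = OpenPassword(priv, blob)
	if err != nil {
		return "", "", "", err
	}
	return password, blob, recovered, nil
}

func main() {
	pw, blob, got, err := RoundTrip(2048)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("rotated password:", pw)
	fmt.Println("published blob:  ", blob[:32]+"...")
	fmt.Println("phone recovered: ", got)
}
```

The security property the scheme relies on is that the published blob is useless without the phone's private key, which is why the encryption has to be to a key generated on the phone rather than a shared secret; OAEP is used here so that a modified blob is rejected instead of yielding a wrong-but-plausible password.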

  5. Ryan,

    Did you have any issues with your TS Resource Authorization Policies getting removed when you ran the Duo Security setup? The gateway will allow connection to any server from any user. The user still needs the permission to log onto the server, but there is no control over who has access to what.

    Thanks for your time, Rene

  6. I’m simply using Entrust client certificates as a form of 2-factor authentication. User goes to the RDWeb login page, IIS asks for a client cert, user unlocks the Entrust client cert with a password and selects the Entrust client cert, IIS does a CRL check on the client cert and, if OK, presents the login page.

    Is this not a form of 2-factor authentication?

    1. But then you only have Two-Factor Authorization for the IIS login page. If you save the .RDP file you can connect to the RD Gateway without logging into the web page.

  7. This sounds similar to a problem we have. A provider configured an MS RDS solution involving VASCO Digipass OTP (Identikey Auth Server, IAS Web Administration, Vasco Password Synch Manager, LDAP Synch tool). The idea is that you use 2-factor authentication to connect via the MS Gateway, then log on to the remote server or directly to a PC using your internal credentials. The weakness discovered is that if you save the .RDP file you can connect directly without going through the OTP 2-factor authentication… The provider tells us that is an MS issue/incompatibility with Vasco, and refuses to fix it without further payment (an original thought, since they recommended and provided both). I think there must be some form of misconfiguration here. There is an additional wrinkle where the LDAP synch only occurs when the user password is changed after the VASCO token is connected to the userid. Any pointers gratefully received…
