Published by Ryan Mangan
Ryan Mangan works as the CTO at Systech IT Solutions, an application delivery and desktop virtualization specialist company based in the UK, where he focuses on end-user computing and emerging technologies. Ryan is an end-user computing specialist with a great passion for virtualization. A speaker and presenter, he has helped customers and technical communities with end-user computing solutions, ranging from small to global 30,000-user deployments.
He is the owner and author of ryanmangansitblog.com, where he posts articles about remote desktop services, VMware, Microsoft Azure, Parallels RAS, KEMP, and other products and technologies.
Ryan has been awarded VMware vExpert since 2014, has been a member of the NetApp United program since 2017, Parallels VIPP, and was awarded Technical Person of the Year in 2017 by KEMP Technologies.
He is a Subject Matter Expert in Remote Desktop Services and Windows Virtual Desktop.
Ryan also wrote the Microsoft Ebook "Quickstart Guide to Windows Virtual Desktop".
You can use built-in IPsec for 2-factor certificate authentication over the required ports of farm hosts, or simply the gateway/web host.
I contacted Duo Security today and was told server 2012 is not supported.
It might not be supported at present but it does work.
I contacted DuoSecurity today and server 2012 is not supported!
It might not be supported but it does work Nick.
Apologies for the double post above.
Are you running this Ryan?
As I have RD Gateway and Web on one server I’m only going to be able to install one component, probably Duo-RDGateway.
It’s a shame I can’t put both Duo products on the one server.
Last question!
What workaround did you use?
On setup I get the message ‘This application is not supported on Windows Server 2012 or later’
Thanks
Very straightforward and open source solution: https://github.com/sbeh/RDP-OTP
Basically: It changes your password on every login, encrypts (RSA) and encodes (QR) the new password and uploads it to any web space you like. You use your smartphone then to decode and decrypt the new password.
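The rotate-encrypt-publish loop described above, as an added example that is not the RDP-OTP project's own code: the server draws a fresh password for the next logon, seals it with the phone's RSA public key (RSA-OAEP, SHA-256), and the phone side decrypts it with the private key that never leaves the device. The QR step is omitted since the Go standard library has no QR encoder, so the base64 blob stands in for the QR payload; function names and the OAEP label are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// OAEP label binding the ciphertext to this use (assumed value).
var otpLabel = []byte("rdp-otp")

// NewLoginPassword draws a fresh random password for the next RDP logon;
// the server would set it on the account after every successful login.
func NewLoginPassword() (string, error) {
	buf := make([]byte, 24)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// SealForPhone encrypts the new password with the phone's public key and
// returns it base64-encoded: the string that would be QR-encoded and
// published to the web space, unreadable to whoever hosts that space.
func SealForPhone(pub *rsa.PublicKey, password string) (string, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(password), otpLabel)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// OpenOnPhone is the smartphone side: decode the published blob and
// decrypt it with the private key held only on the phone.
func OpenOnPhone(priv *rsa.PrivateKey, blob string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, otpLabel)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	phoneKey, _ := rsa.GenerateKey(rand.Reader, 2048) // generated on the phone
	pw, _ := NewLoginPassword()
	blob, _ := SealForPhone(&phoneKey.PublicKey, pw)
	got, _ := OpenOnPhone(phoneKey, blob)
	fmt.Println("round trip ok:", got == pw)
}
```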
Ryan,
Did you have any issues with your TS Resource Authorization Policies getting removed when you ran the Duo Security setup? The gateway will allow connection to any server from any user. The user still needs the permission to log onto the server, but there is no control over who has access to what.
Thanks for your time, Rene
I’m simply using Entrust client certificates as a form of 2-factor authentication. User goes to the RDWeb login page, IIS asks for a client cert, user unlocks the Entrust client cert with a password and selects the Entrust client cert, IIS does a CRL check on the client cert and, if OK, presents the login page.
Is this not a form of 2-factor authentication?
But then you only have Two-Factor Authentication for the IIS login page. If you save the .RDP file you can connect to the RD Gateway without logging into the web page.
You can configure 2-factor through the gateway.
Please tell me how this can be done.
This sounds similar to a problem we have. A provider configured a MS RDS solution involving VASCO Digipass OTP (Identikey Auth Server, IAS Web Administration, Vasco Password Synch Manager, LDAP Synch tool). The idea is that you use 2-factor authentication to connect via the MS Gateway, then log on to the remote server or directly to a PC using your internal credentials. The weakness discovered is that if you save the .RDP file you can connect directly without going through the OTP 2-factor authentication… The provider tells us that is an MS issue/incompatibility with Vasco, and refuses to fix it without further payment (an original thought, since they recommended and provided both). I think there must be some form of misconfiguration here. There is an additional wrinkle where the LDAP synch only occurs when the user password is changed after the VASCO token is connected to the userid. Any pointers gratefully received…
Did you get this sorted?
Ryan