I have been asked a few questions recently around RDS 2012 Web services and two factor authentication.
The good news is there are products out there which will allow you to add Two factor or One Time Password (OTP) solutions to your RDS environments. So all those high security organisations, yes you can secure and tie down access to RDS using two factor or OTP .
Have a look at the following links:
Duo Security: https://www.duosecurity.com/microsoft
Scorpion software: http://www.scorpionsoft.com/docs/authanvil/rdwebaccess
Ryan Mangan's IT Blog 
You can use built in IPsec for 2 factor certificate authentication over required ports of farm hosts, or simply the gateway/webhost.
I contacted Duo Security today and was told server 2012 is not supported.
It might not be supported at present but it does work.
I contacted DuoSecurity today and server 2012 is not supported!
It might not be supported but it does work Nick.
Apologies for the double post above.
Are you running this Ryan?
As I have RD Gateway and Web on one server I’m only going to be able to install one component, probably Duo-RDGateway.
It’s a shame I can’t put both Duo products on the one server.
last question!
What workaround did you use?
On setup I get the message ‘This application is not supported on Windows Server 2012 or later’
Thanks
Very straight forward and open source soluation: https://github.com/sbeh/RDP-OTP
Basically: It changes your password on every login, encrypts (RSA) and encodes (QR) the new password and uploads it to any web space you like. You use your smartphone then to decode and decrypt the new password.
Ryan,
Did you have any issues with your TS Resource Authorization Policies get removed, when you run the Duo Security setup? The gateway will allow connection to any server from any user. The user still needs the permission to log onto the server, but there is no control over who has access to what.
Thanks for you time, Rene
I’m simply using Entrust client certificates as a form of 2-factor authentication. User goes to rdweb login page, iis asks for a client cert, user unlocks entrust client cert with password and selects entrust client cert, iis does a crl check on client cert and if ok, presents the login page.
Is this not a form of 2-factor authentication?
But then you only have Two-Factor Authorization for the IIS login page. If you save the .RDP file you can connect to the RD Gateway without login into the Web Page.
you can configure 2 factor through the gateway.
Please tell me how this can be done.
This sounds similar to a problem we have. A provider configured a MS RDS solution involving VASCO Digipass OTP. (Identikey Auth Server, IAS Web Administration, Vasco Password Synch Manager, LDAP Synch tool). The idea is that you use 2 factor authentication to connect via the MS Gateway then logon on to the remote server or direct to a PC using your internal credentials. The weakness discovered is that if you save the .RDP file you can connect direct without going through the OTP 2 factor authentication… The provider tells us that is an MS issue/incompatibility with Vasco, and refuses to fix it without further payment (an original thought since they recommended and provided both). I think there must be some form of misconfiguration here. There is an additional wrinkle where the LDAP synch only occurs when the user password is changed after the VASCO token is connected to the userid. Any pointers gratefully received…
Did you get this sorted ?
Ryan