After many years of trying to find a solution to have Okta MFA Push Authentication work on a Microsoft Remote Desktop Gateway environment, I've successfully implemented this using code from Github linked in this Tutorial. This is somewhat of what Azure or Duo integration for RDG Gateway does, however, as the Remote Desktop client doesn't. The following should be recorded in the System Plan: Windows Server and Remote Desktop User CALs keys, SSL and NPS shared secret passwords, remote desktop deployment options, Azure GUID, and NPS settings Setup and testing of Remote Desktop Services with MFA will require a minimum of 2-4 hours. The following should be recorded in the System Plan: Windows Server and Remote Desktop User CALs keys, SSL and NPS shared secret passwords, remote desktop deployment options, Azure GUID, and NPS settings Setup and testing of Remote Desktop Services with MFA will require a minimum of 2-4 hours. Jul 01, 2017 In my previous articles, we explained a step by step how to secure the remote access (RDP connection) using Azure Multi-factor Authentication (MFA), at that time we mentioned that the same procedure can only applied to windows 2012 and earlier and it’s not supported to be applied to windows 2012 R2 and above.

It offers MFA on all Windows and RDP logons, or for every RDP logon from outside the corporate network – including RD Gateway connections. A secure and complete on-premise MFA solution, where no internet access is needed.

Remote Desktop Download

Remote Desktop Gateway is a great way to provide secure access to remote server resources across corporate firewalls and proxies. To provide additional levels of security this blog will show you how to integrate with Azure Multi-Factor Authentication (MFA) Server.

Azure Remote Desktop Services

In this first part, we will configure a two-way SMS, in Part 2 we will configure it to work with the Microsoft Authenticator Mobile App.

Azure Mfa Remote Desktop Login

1. Create an Azure Multi-Factor Authentication provider
   

   
   

2. Click “MANAGE” to open up the configuration settings
   

   
   

3. 
   

4. Click “Generate Activation Credentials” and record the details as they will be used later. Clock “Download” to begin the download
   

   
   

5. Install and configure the Azure Multi-Factor Authentication Server on a separate server to your RDS Gateway
   

   
   

   
   

6. Enter the Activation credentials you saved in previous step, if these do not work generate new credentials as they appear to only be valid for a short period of time.
   

   
   

7. 
   

   
   

   Replication between multiple MFA servers can be configured for HA
   

8. We are going to use RADIUS to insert the MFA server in the authentication flow
   

   
   

9. Enter in the details of your RDS Gateway / NPS server and shared secret. In this example the RDS Gateway is using a local NPS server.
   

   
   

10. Configure RADIUS Target as RADIUS server, and enter the same details as previous step as the NPS server in our example will be a Client and a Target.
    

    
    

    
    

    
    

    
    

11. Open MFA Server Console and finish configuration. Click “RADIUS Authentication”
    

    
    

12. Edit Client and enter application name “RDS Gateway“, select the option “Require Multi-Factor Authentication user match”
    

    
    

13. Click Users, and Import from Active Directory… Define your criteria to select users
    

    
    

14. Edit user and enter their Phone number and Country Code, select Text Message – Two-Way – OTP and selectEnabled
    

    
    

15. Select Test to check that it’s working before configuring the RD Gateway
    

    
    

16. A Text Message will be sent to your phone, respond with the code and you will be notified that it was the test was successful
    

    
    

17. Configure the RDS Gateway. Open RD Gateway Manager and right click server and go to properties. SelectRD CAP Store and change the option to Central server running NPS. Enter the IP of the MFA Server and configure the Shared Secret used earlier.
    

    
    

18. Configure NPS Server. Open Network Policy Server > RADIUS Clients and Servers > Remote RADIUS Server Groups. Right Click TS GATEWAY SERVER GROUP and select Properties
    

    
    

    Add… the MFA Server
    

    
    

    Click Authentication/Accounting tab and enter the Shared secret
    

    
    

    Click Load Balancing tab and increase the timeout for response to 60 seconds
    

    
    

19. Create RADIUS Client, choose friendly name MFA, and make not to use it later, enter IP and Shared Secret of MFA server.
    

    
    

20. Configure Connection Request Policies. Right Click TS GATEWAY AUTHORIZATION POLICY and selectDuplicate Policy
    

    
    

    Rename the Duplicate Policy to “FROM MFA”, and select Policy enabled
    

    
    

    On Conditions tab, Client Friendly Name, and enter the name used above MFA
    

    
    

21. Modify policy TS GATEWAY AUTHORIZATION POLICY, click Settings tab and change the Authenticationand Authorization to “Forward requests to the following remote RADIUS server group” and select TS GATEWAY SERVER GROUP
    

    
    

    
    

22. Move the FROM MFA policy above TS GATEWAY AUTHORIZATION POLICY
    

    
    

23. Now when connecting through the RD Gateway the connection will remain pending until the SMS is responded to with the code, at which point the connection is initiated.