
How to protect RDWeb with MFA or two-factor authentication

By Centrify Advisor I, 02-10-2017 10:47 AM

 

We've had requests from many customers to document how Centrify can protect RDWeb access with MFA or two-factor authentication. It turns out to be a simple WS-Federation setup with Centrify Identity Service, where you enable MFA for your users.

 

Here's how to set it up:

 

  • Install WIF (Windows Identity Foundation) on your RDWeb server:
    • If you're running Windows 2012, install it from Roles and Features;
    • If you're running Windows 2008 R2, install .NET Framework 3.5.1 from Roles and Features first and then download Windows6.1-KB974405-x64.msu from Microsoft to install WIF.

 

  • Modify C2WTShost.exe.config:
    • Run notepad as an Administrator;
    • Add the line <add value="IIS APPPOOL\RDWebAccess" /> under <allowedCallers>, as below:

      <allowedCallers>
        <clear />
        <add value="IIS APPPOOL\RDWebAccess" />
      </allowedCallers>

 

  • Enable the Claims to Windows Token Service:
    • Open services.msc;
    • Look for the service called Claims to Windows Token Service;
    • Right-click it then click Properties;
    • Make sure the startup type is set to Automatic;
    • Make sure the service is started.

 

  • On your RDWeb server, replace the contents of C:\Windows\Web\RDWeb\Pages\Web.config with the configuration below. Note the values marked <!-- EDIT --> (the ..._GOES_HERE placeholders): you'll have to change those later:
<?xml version="1.0" encoding="UTF-8"?>
<!--
    Note: As an alternative to hand editing this file you can use the
    web admin tool to configure settings for your application. Use
    the Website->Asp.Net Configuration option in Visual Studio.
    A full list of settings and comments can be found in
    machine.config.comments usually located in
    \Windows\Microsoft.Net\Framework\v2.x\Config
-->
<configuration>

<!-- Centrify -->
  <configSections>
    <section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </configSections>
<!-- /Centrify -->

  <!-- Admin Defined settings -->
  <appSettings>

    <!-- PasswordChangeEnabled: Provides password change page for users. Value must be "true" or "false" -->
    <add key="PasswordChangeEnabled" value="false" />
      
    <!-- LocalHelp: Displays local help for users, instead of the web-based help. Value must be "true" or "false" -->
    <add key="LocalHelp" value="false" />

    <!-- ShowDesktops: Displays or hides the Remote Desktops tab. Value must be "true" or "false" -->
    <add key="ShowDesktops" value="true" />

    <!-- DefaultTSGateway: Admin can preset this to a given Gateway name, or set to "" for no gateway. -->
    <add key="DefaultTSGateway" value="" />

    <!-- GatewayCredentialsSource: TS Gateway Authentication Type.
         Admins can preset this.
         0 = User Password
         1 = Smartcard
         4 = "Ask me later"
    -->
    <add key="GatewayCredentialsSource" value="4" />

    <!-- Devices and resources: Preset the Checkbox values to either true or false -->
    <add key="xPrinterRedirection" value="true" />
    <add key="xClipboard" value="true" />
    <add key="xDriveRedirection" value="false" />
    <add key="xPnPRedirection" value="false" />
    <add key="xPortRedirection" value="false" />

    <!--  Public/Private Mode Timeout for FBA -->
    <add key="PublicModeSessionTimeoutInMinutes" value="20" />
    <add key="PrivateModeSessionTimeoutInMinutes" value="240" />

    <!--  Checkbox to opt for optimized LAN experience -->
    <add key="ShowOptimizeExperience" value="false" />
    <add key="OptimizeExperienceState" value="false" />

  </appSettings>

  <connectionStrings />

  <system.web>

    <!-- Centrify -->
    <httpRuntime requestValidationMode="2.0" />
    <pages validateRequest="false" />
    <!-- /Centrify -->

    <!--
        The <authentication> section enables configuration
        of the security authentication mode used by
        ASP.NET to identify an incoming user.
    -->
      <!--
          To turn on Windows Authentication:
              - uncomment <authentication mode="Windows"/> section
              - and comment out:
              1) <authentication mode="Forms"> section.
              2) <modules> and <security> sections in <system.webServer> section at the end of the file.
              3) Optional: Windows Authentication will work in https.  However, to turn off https, disable 'Require SSL' for both RDWeb and RDWeb/Pages VDIR.
                 Launch IIS Manager UI, click on RDWeb VDIR, double click on SSL Settings in the middle pane, uncheck 'Require SSL' and
                 click Apply in the top right in the right pane.  Repeat the steps for RDWeb/Pages VDIR.
      -->

      <!--
      <authentication mode="Windows"/>
      
      <authentication mode="Forms">
          <forms loginUrl="default.aspx" name="TSWAAuthHttpOnlyCookie" protection="All" requireSSL="true" />
      </authentication>
      -->

    <!-- Centrify -->
    <authorization><deny users="?" /></authorization>
    <authentication mode="None">
      <forms loginUrl="default.aspx" />
    </authentication>
    <!-- /Centrify -->

      <webParts>
          <personalization defaultProvider="TSPortalProvider">
            <providers>
              <add name="TSPortalProvider" type="Microsoft.TerminalServices.Publishing.Portal.TSPortalProvider" />
          </providers>
        </personalization>
      </webParts>
  </system.web>

  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true">
      <remove name="FormsAuthentication" />
      <add name="RDWAFormsAuthenticationModule" type="Microsoft.TerminalServices.Publishing.Portal.FormAuthentication.TSDomainFormsAuthentication" />

      <!-- Centrify -->
      <add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
      <add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
      <!-- /Centrify -->

    </modules>

    <security>
    </security>
    <httpRedirect enabled="false" />
  </system.webServer>

  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="TSPortalWebPart" publicKeyToken="31bf3856ad364e35" culture="neutral" />
        <bindingRedirect oldVersion="6.0.0.0" newVersion="6.1.0.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>

<!-- Centrify -->
  <microsoft.identityModel>
    <service>
      <audienceUris>
        <add value="urn:microsoft:rdweb" />
        <add value="RESOURCE_APPLICATION_URL_GOES_HERE" /> <!-- EDIT -->
      </audienceUris>
      <securityTokenHandlers>
        <remove type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
        <add type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
          <sessionTokenRequirement useWindowsTokenService="true" />
        </add>
        <add type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
          <samlSecurityTokenRequirement mapToWindows="true" useWindowsTokenService="true" />
        </add>
      </securityTokenHandlers>
    <federatedAuthentication>
      <wsFederation passiveRedirectEnabled="true" issuer="IDENTITY_PROVIDER_SIGN-IN_URL_GOES_HERE" realm="RESOURCE_APPLICATION_URL_GOES_HERE" requireHttps="true" /> <!-- EDIT -->
      <cookieHandler requireSsl="false" />
    </federatedAuthentication>
    <applicationService>
    </applicationService>
    <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
      <trustedIssuers>
        <add thumbprint="CERTIFICATE_THUMBPRINT_GOES_HERE" name="ISSUER_GOES_HERE" /> <!-- EDIT -->
      </trustedIssuers>
    </issuerNameRegistry>
    <certificateValidation certificateValidationMode="None" />
    </service>
  </microsoft.identityModel>
<!-- /Centrify -->

  <location path="rdp">
    <system.web>
      <!-- <authorization>
        <deny users="?" />
      </authorization> -->
    </system.web>
    <system.webServer>
      <handlers>
        <add name="RDWAResourceFileHandler" path="rdp" verb="*" type="Microsoft.TerminalServices.Publishing.Portal.ResourceFileHandler" preCondition="integratedMode" allowPathInfo="true" />
      </handlers>
    </system.webServer>
   </location>
</configuration>

Note: If your RDWeb server runs on Windows 2008, comment out the RDWAFormsAuthenticationModule line with <!-- and -->, like this:

 

<!-- <add name="RDWAFormsAuthenticationModule" type="Microsoft.TerminalServices.Publishing.Portal.FormAuthentication.TSDomainFormsAuthentication" /> -->
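The three server-side preparation steps above (install WIF, allow the RDWeb application pool to call the Claims to Windows Token Service, enable the service) can be scripted, and the web.config is worth sanity-checking before going live. The PowerShell below is an added example, not code from the original post or from Centrify. It assumes things the post does not state: it runs elevated on the RDWeb server, WIF is installed under its default path and registers its service as c2wts, and the RDWeb application pool is named RDWebAccess (the same identity as the "IIS APPPOOL\RDWebAccess" caller above).

```powershell
# Added example, not part of the original post. Assumptions: elevated session on the
# RDWeb server; default WIF install path; service name c2wts; app pool named RDWebAccess.

$PoolIdentity = 'IIS APPPOOL\RDWebAccess'
$C2wtsConfig  = Join-Path $env:ProgramFiles 'Windows Identity Foundation\v3.5\c2wtshost.exe.config'
$RdWebConfig  = Join-Path $env:SystemRoot 'Web\RDWeb\Pages\web.config'

# Step 1: WIF as a feature (Windows Server 2012+; on 2008 R2 install KB974405 by hand as the post says).
if (-not (Get-WindowsFeature -Name Windows-Identity-Foundation).Installed) {
    Install-WindowsFeature -Name Windows-Identity-Foundation | Out-Null
}

# Step 2: add the app pool identity under <allowedCallers>, keeping a backup and
# leaving the file untouched if the entry already exists.
Copy-Item -Path $C2wtsConfig -Destination "$C2wtsConfig.bak" -Force
[xml]$c2 = Get-Content -Path $C2wtsConfig
$callers = $c2.SelectSingleNode('/configuration/windowsTokenService/allowedCallers')
if (-not $callers) { throw "allowedCallers not found in $C2wtsConfig" }
if (-not $callers.SelectSingleNode("add[@value='$PoolIdentity']")) {
    $add = $c2.CreateElement('add')
    $add.SetAttribute('value', $PoolIdentity)
    [void]$callers.AppendChild($add)
    $c2.Save($C2wtsConfig)
}

# Step 3: the Claims to Windows Token Service must start automatically and be running;
# restart it so the new allowed caller is picked up.
Set-Service -Name c2wts -StartupType Automatic
Restart-Service -Name c2wts

# Step 4: inspect the federation section of web.config. Returns a list of findings;
# an empty list means nothing obvious is wrong. Unreplaced placeholders are the most
# common mistake; the last two findings flag settings the post's sample config ships with.
function Test-RdWebFederationConfig {
    param([Parameter(Mandatory)][string]$Path)

    $findings = @()
    $raw = Get-Content -Path $Path -Raw
    foreach ($placeholder in 'RESOURCE_APPLICATION_URL_GOES_HERE',
                             'IDENTITY_PROVIDER_SIGN-IN_URL_GOES_HERE',
                             'CERTIFICATE_THUMBPRINT_GOES_HERE',
                             'ISSUER_GOES_HERE') {
        if ($raw.Contains($placeholder)) { $findings += "placeholder $placeholder not replaced" }
    }

    [xml]$cfg = $raw
    $svc = $cfg.SelectSingleNode('/configuration/microsoft.identityModel/service')
    if (-not $svc) { return $findings + 'microsoft.identityModel/service section missing' }

    $wsfed = $svc.SelectSingleNode('federatedAuthentication/wsFederation')
    if ($wsfed.requireHttps -ne 'true') { $findings += 'wsFederation requireHttps is not true' }

    # The realm RDWeb sends to the IdP must be one of the audiences it accepts back.
    $audiences = @($svc.SelectNodes('audienceUris/add') | ForEach-Object { $_.value })
    if ($wsfed.realm -and $audiences -notcontains $wsfed.realm) {
        $findings += 'wsFederation realm is not listed under audienceUris'
    }

    # With certificateValidationMode="None" this thumbprint is the only thing tying
    # incoming tokens to your IdP, so it must be exact: 40 hex digits, no spaces.
    $issuer = $svc.SelectSingleNode('issuerNameRegistry/trustedIssuers/add')
    if ($issuer.thumbprint -notmatch '^[0-9A-Fa-f]{40}$') {
        $findings += 'trusted issuer thumbprint is not a clean 40-hex-digit SHA-1 thumbprint'
    }
    if ($svc.SelectSingleNode('certificateValidation').certificateValidationMode -eq 'None') {
        $findings += 'certificateValidationMode=None: the token signing certificate chain is not validated'
    }
    if ($svc.SelectSingleNode('federatedAuthentication/cookieHandler').requireSsl -ne 'true') {
        $findings += 'cookieHandler requireSsl is not true: the WIF session cookie is not marked Secure'
    }
    return $findings
}

Test-RdWebFederationConfig -Path $RdWebConfig
```

Run it once before the IIS steps and again after you have pasted the values from the CIS app into web.config; the placeholder findings should disappear on the second run. The two findings about certificateValidationMode and cookieHandler will remain as long as you keep the sample config as posted; they are there so that you make that choice knowingly rather than by default.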

 

  • On the Admin Portal of Centrify Identity Service, add a new custom WS-Fed application:

 

Screen Shot 2017-01-23 at 13.07.09.png

Screen Shot 2017-01-23 at 13.07.34.png

 

  • Set the app name to something like RDWeb, grant access to your users in the User Access tab, etc., then set the Resource application URL to https://<your-server-and-domain-name>/RDWeb/Pages/Default.aspx:

Screen Shot 2017-01-23 at 13.34.57.png

 

  • On the Advanced tab, set the script to the content below:

Screen Shot 2017-02-10 at 16.24.19.png

 

// Token basics: version, issuer, and the RDWeb resource URL as audience, recipient and destination
setVersion('1');
setIssuer(Issuer);
setServiceUrl(ServiceUrl);
setSubjectName(LoginUser.Username);
setAuthenticationMethod('urn:federation:authentication:windows');
setAudience(ServiceUrl);
setRecipient(ServiceUrl);
setSignatureType('Assertion');
setHttpDestination(ServiceUrl);

// EmailAddress claim: use the mail attribute, falling back to the UPN when mail is empty
var email = LoginUser.Get('mail');
if (!email || email == '') {
    setClaim('EmailAddress', LoginUser.Get('userprincipalname'));
} else {
    setClaim('EmailAddress', email);
}

addSubjectToAttrStatement("True");

// The upn claim is what the SAML token handler (mapToWindows="true") uses to map the user to a Windows account
setCustomAttribute("upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims", LoginUser.Get("userprincipalname"));

 

  • Go back to the Application Settings tab of the CIS app and open C:\Windows\Web\RDWeb\Pages\web.config on the RDWeb server again; replace the EDIT placeholders in the <microsoft.identityModel> section at the end of the file (resource application URL, identity provider sign-in URL, certificate thumbprint and issuer) with the values shown in the CIS app, see below:

Screen Shot 2017-01-23 at 13.33.46.png

 

  • Open IIS Manager on the RDWeb server and navigate to RDWeb / Sites / Default Web Site / RDWeb / Pages; click Configuration Editor on the right-hand side:

Screen Shot 2017-01-23 at 13.17.55.png

 

  • Click the dropdown box at the top of the screen and browse to system.web / authentication:

 

Screen Shot 2017-01-23 at 13.18.28.png

 

  • Make sure both defaultUrl and loginUrl are set to default.aspx:

Screen Shot 2017-01-23 at 13.29.05.png

 

  • In the RDWeb Access Application Pool, click Advanced and make sure "Load User Profile" is set to "True":

Picture1.png

 

Picture2.png

 

  • Go back to your RDWeb app in CIS and set up the MFA Profile in the Policy tab:

Screen Shot 2017-01-23 at 13.37.03.png

 

  • Now try to load https://your-rdweb-server/RDWeb/Pages and you'll be asked for MFA.
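Once the setup is complete, two checks confirm it is doing what the last step describes: from any machine, an anonymous request to RDWeb should be answered with a redirect to the identity provider carrying WS-Federation sign-in parameters rather than with the RDWeb page itself; on the server, the "Load User Profile" setting from the application pool step should read True. The PowerShell below is an added example, not code from the original post or from Centrify. It assumes that the RDWeb URL and issuer URL you pass in are the realm and issuer values you placed in web.config, that the app pool is named RDWebAccess, and that the RDWeb TLS certificate is trusted by the machine running the first check.

```powershell
# Added example, not part of the original post. Assumptions: $RdWebUrl and $IssuerUrl
# match the wsFederation realm and issuer in web.config; app pool named RDWebAccess.

function Test-RdWebRedirectsToIdp {
    param(
        [Parameter(Mandatory)][string]$RdWebUrl,   # e.g. https://rdweb.example.com/RDWeb/Pages/Default.aspx
        [Parameter(Mandatory)][string]$IssuerUrl   # the identity provider sign-in URL from web.config
    )
    # Disable auto-redirect so the 302 itself is inspected rather than followed.
    $req = [System.Net.HttpWebRequest]::Create($RdWebUrl)
    $req.AllowAutoRedirect = $false
    $req.Method = 'GET'
    $resp = $req.GetResponse()
    try {
        $status   = [int]$resp.StatusCode
        $location = $resp.Headers['Location']
    } finally {
        $resp.Close()
    }

    # WIF's passive redirect carries wa=wsignin1.0 and wtrealm=<realm> in the query string.
    $query = if ($location) { ([uri]$location).Query } else { '' }
    [pscustomobject]@{
        StatusCode        = $status
        Location          = $location
        RedirectsToIssuer = ($status -in @(302, 303, 307)) -and $location -and
                            $location.StartsWith($IssuerUrl, [System.StringComparison]::OrdinalIgnoreCase)
        HasWsFedSignIn    = ($query -match '(^|[?&])wa=wsignin1\.0(&|$)') -and ($query -match '(^|[?&])wtrealm=')
    }
}

# Run on the RDWeb server: True when "Load User Profile" is enabled on the pool.
function Test-RdWebAppPoolLoadsProfile {
    param([string]$PoolName = 'RDWebAccess')
    Import-Module WebAdministration
    $pool = Get-Item -Path "IIS:\AppPools\$PoolName"
    [bool]$pool.processModel.loadUserProfile
}

# Usage (replace both values with your own):
# Test-RdWebRedirectsToIdp -RdWebUrl 'https://<your-server-and-domain-name>/RDWeb/Pages/Default.aspx' `
#                          -IssuerUrl '<identity provider sign-in URL from the CIS app>'
# Test-RdWebAppPoolLoadsProfile
```

A result with RedirectsToIssuer and HasWsFedSignIn both True means unauthenticated users never see RDWeb content before the identity provider (and therefore the MFA policy you set in CIS) has had its say. A StatusCode of 200 here means the WS-Federation module is not intercepting the request, which usually points back at the <modules> or <authorization> edits in web.config.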

See attached for both a web.config file sample and the Advanced tab script in text file format.
