× Welcome to the Centrify Community! New to the Community? Start Here.

Re: How to protect RDWeb with MFA or two-factor authentication

IsraelBiscaia

How to protect RDWeb with MFA or two-factor authentication

By Centrify Advisor I ‎02-10-2017 10:47 AM

 

We've had requests from many customers to document how Centrify can protect RDWeb access with MFA or two-factor authentication. It turns out it's a simple WS-Federation with Centirfy Identity Service, where you enable MFA for your users.

 

Here's how to set it up:

 

  • Install WIF (Windows Identity Foundation on your RDWeb Server:
    • If you're running Windows 2012, install it from Roles and Features;
    • If you're running Windows 2008 R2, install .NET Framework 3.5.1 from Roles and Features first and then download Windows6.1-KB974405-x64.msu from Microsoft to install WIF.

 

  • Modify C2WTShost.exe.config:
    • Run notepad as an Administrator;
    • Add the line <add value="IIS APPPOOL\RDWebAccess" /> under <allowedCallers> as below:
    • <allowedCallers>
     <clear />
     <add value="IIS APPPOOL\RDWebAccess" />
</allowedCallers>

 

  • Enable the Claims to Windows Token Service:
    • Open services.msc;
    • Look for the service called Claims to Windows Token Service;
    • Right-click it then click Properties;
    • Make sure the startup type is set to Automatic;
    • Make sure the service is started.

 

  • On your RDWeb server, replace the contents of C:\Windows\Web\RDWeb\Pages\Web.config with the below and note the fields in bold that you'll have to change later:
<?xml version="1.0" encoding="UTF-8"?>
<!--
    Note: As an alternative to hand editing this file you can use the
    web admin tool to configure settings for your application. Use
    the Website->Asp.Net Configuration option in Visual Studio.
    A full list of settings and comments can be found in
    machine.config.comments usually located in
    \Windows\Microsoft.Net\Framework\v2.x\Config
-->
<configuration>

<!-- Centrify -->
  <configSections>
    <section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </configSections>
<!-- /Centrify -->

  <!-- Admin Defined settings -->
  <appSettings>

    <!-- PasswordChangeEnabled: Provides password change page for users. Value must be "true" or "false" -->
    <add key="PasswordChangeEnabled" value="false" />
      
    <!-- LocalHelp: Displays local help for users, instead of the web-based help. Value must be "true" or "false" -->
    <add key="LocalHelp" value="false" />

    <!-- ShowDesktops: Displays or hides the Remote Desktops tab. Value must be "true" or "false" -->
    <add key="ShowDesktops" value="true" />

    <!-- DefaultTSGateway: Admin can preset this to a given Gateway name, or set to "" for no gateway. -->
    <add key="DefaultTSGateway" value="" />

    <!-- GatewayCredentialsSource: TS Gateway Authentication Type.
         Admins can preset this.
         0 = User Password
         1 = Smartcard
         4 = "Ask me later"
    -->
    <add key="GatewayCredentialsSource" value="4" />

    <!-- Devices and resources: Preset the Checkbox values to either true or false -->
    <add key="xPrinterRedirection" value="true" />
    <add key="xClipboard" value="true" />
    <add key="xDriveRedirection" value="false" />
    <add key="xPnPRedirection" value="false" />
    <add key="xPortRedirection" value="false" />

    <!--  Public/Private Mode Timeout for FBA -->
    <add key="PublicModeSessionTimeoutInMinutes" value="20" />
    <add key="PrivateModeSessionTimeoutInMinutes" value="240" />

    <!--  Checkbox to opt for optimized LAN experience -->
    <add key="ShowOptimizeExperience" value="false" />
    <add key="OptimizeExperienceState" value="false" />

  </appSettings>

  <connectionStrings />

  <system.web>

<!-- Centrify -->
<httpRuntime requestValidationMode="2.0" />
<pages validateRequest="false" />
<!-- /Centrify -->

    <!--
        The <authentication> section enables configuration
        of the security authentication mode used by
        ASP.NET to identify an incoming user.
    -->
      <!--
          To turn on Windows Authentication:
              - uncomment <authentication mode="Windows"/> section
              - and comment out:
              1) <authentication mode="Forms"> section.
              2) <modules> and <security> sections in <system.webServer> section at the end of the file.
              3) Optional: Windows Authentication will work in https.  However, to turn off https, disable 'Require SSL' for both RDWeb and RDWeb/Pages VDIR.
                 Launch IIS Manager UI, click on RDWeb VDIR, double click on SSL Settings in the middle pane, uncheck 'Require SSL' and
                 click Apply in the top right in the right pane.  Repeat the steps for RDWeb/Pages VDIR.
      -->

      <!--
      <authentication mode="Windows"/>
      
      <authentication mode="Forms">
          <forms loginUrl="default.aspx" name="TSWAAuthHttpOnlyCookie" protection="All" requireSSL="true" />
      </authentication>
      -->

  <!-- Centrify -->
  <authorization><deny users="?" /></authorization>
  <authentication mode="None">
            <forms loginUrl="default.aspx" />
        </authentication>
  <!-- /Centrify -->

      <webParts>
          <personalization defaultProvider="TSPortalProvider">
            <providers>
              <add name="TSPortalProvider" type="Microsoft.TerminalServices.Publishing.Portal.TSPortalProvider" />
          </providers>
        </personalization>
      </webParts>
  </system.web>

  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true">
      <remove name="FormsAuthentication" />
      <add name="RDWAFormsAuthenticationModule" type="Microsoft.TerminalServices.Publishing.Portal.FormAuthentication.TSDomainFormsAuthentication" />

<!-- Centrify -->
  <add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
  <add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
<!-- /Centrify -->

    </modules>

    <security>
    </security>
    <httpRedirect enabled="false" />
  </system.webServer>

  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="TSPortalWebPart" publicKeyToken="31bf3856ad364e35" culture="neutral" />
        <bindingRedirect oldVersion="6.0.0.0" newVersion="6.1.0.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>

<!-- Centrify -->
  <microsoft.identityModel>
    <service>
      <audienceUris>
        <add value="urn:microsoft:rdweb" />
        <add value="RESOURCE_APPLICATION_URL_GOES_HERE" /> <!-- EDIT -->
      </audienceUris>
    <securityTokenHandlers>
      <remove type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      <add type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <sessionTokenRequirement useWindowsTokenService="true" />
      </add>
      <add type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <samlSecurityTokenRequirement mapToWindows="true" useWindowsTokenService="true" />
      </add>
    </securityTokenHandlers>
    <federatedAuthentication>
      <wsFederation passiveRedirectEnabled="true" issuer="IDENTITY_PROVIDER_SIGN-IN_URL_GOES_HERE" realm="RESOURCE_APPLICATION_URL_GOES_HERE" requireHttps="true" /> <!-- EDIT -->
      <cookieHandler requireSsl="false" />
    </federatedAuthentication>
    <applicationService>
    </applicationService>
    <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
      <trustedIssuers>
        <add thumbprint="CERTIFICATE_THUMBPRINT_GOES_HERE" name="ISSUER_GOES_HERE" /> <!-- EDIT -->
      </trustedIssuers>
    </issuerNameRegistry>
    <certificateValidation certificateValidationMode="None" />
    </service>
  </microsoft.identityModel>
<!-- /Centrify -->

  <location path="rdp">
    <system.web>
      <!-- <authorization>
        <deny users="?" />
      </authorization> -->
    </system.web>
    <system.webServer>
      <handlers>
        <add name="RDWAResourceFileHandler" path="rdp" verb="*" type="Microsoft.TerminalServices.Publishing.Portal.ResourceFileHandler" preCondition="integratedMode" allowPathInfo="true" />
      </handlers>
    </system.webServer>
   </location>
</configuration>

Note: If your RDWeb server runs on Windows 2008, comment the line below with <!-- and --> like this:

 

<!-- <add name="RDWAFormsAuthenticationModule" type="Microsoft.TerminalServices.Publishing.Portal.FormAuthentication.TSDomainFormsAuthentication" /> -->

 

  • On the Admin Portal of Centrify Identity Service, add a new custom WS-Fed application:

 

  • Screen Shot 2017-01-23 at 13.07.09.png

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 


Screen Shot 2017-01-23 at 13.07.34.png

 

  • Set the app name as something like RDWeb, grant access to your users in the User Access tab, etc, then set the Resource application URL as https://<your-server-and-domain-name>/RDWeb/Pages/Default.aspx:

Screen Shot 2017-01-23 at 13.34.57.png

 

  • Set the Advanced tab script with the content below:

Screen Shot 2017-02-10 at 16.24.19.png

 

setVersion('1');
setIssuer(Issuer);
setServiceUrl(ServiceUrl);
setSubjectName(LoginUser.Username);
setAuthenticationMethod('urn:federation:authentication:windows');
setAudience(ServiceUrl);
setRecipient(ServiceUrl);
setSignatureType('Assertion');
setHttpDestination(ServiceUrl);

var email = LoginUser.Get('mail');
if (!email || email == '') {
    setClaim('EmailAddress', LoginUser.Get('userprincipalname'));
} else {
    setClaim('EmailAddress', email);
}

addSubjectToAttrStatement("True");

setCustomAttribute("upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims", LoginUser.Get("userprincipalname"));

 

  • Go back to the Application Settings tab and open your C:\Windows\Web\RDWeb\Pages\web.config file; replace the contents at the end of the file with the info from the CIS app, see below:

Screen Shot 2017-01-23 at 13.33.46.png

 

  • Open IIS Manager on the RDWeb server and navigate to RDWeb / Sites / Default Web Site / RDWeb / Pages; click on Configuration Editor on the right hand side:

Screen Shot 2017-01-23 at 13.17.55.png

 

  • Click the dropdown box at the top of the screen and browse to system.web / authentication:

 

Screen Shot 2017-01-23 at 13.18.28.png

 

  • Make sure both defaultUrl and loginURL are set to default.aspx:

Screen Shot 2017-01-23 at 13.29.05.png

 

  • In the RDWeb Access Application Pool, click Advanced and make sure “Load User Profile” is set to "True":

Picture1.png

 

Picture2.png

 

  • Go back to your RDWeb app in CIS and set up the MFA Profile in the Policy tab:

Screen Shot 2017-01-23 at 13.37.03.png

 

  • Now try to load https://your-rdweb-server/RDWeb/Pages and you'll be asked for MFA.

See attached for both a web.config file sample and the Advanced tab script in text file format.

views 2921
Comments
By mikekfts
on ‎10-29-2018 12:29 PM

Is there an updated version of this guide for Server 2016?  I'm getting the following error when following this guide.  Following the advice given in the info below is giving me an HTTP 500 error.

 

Task-returning Page methods are unsupported in the current application configuration. To enable this, set the following configuration switch in Web.config:<br><system.web><br>  <httpRuntime targetFramework="4.5" /><br></system.web><br>For more information, see http://go.microsoft.com/fwlink/?LinkId=252465.

Task-returning Page methods are unsupported in the current application configuration. To enable this, set the following configuration switch in Web.config:
<system.web>
 <httpRuntime targetFramework="4.5" />
</system.web>
For more information, see http://go.microsoft.com/fwlink/?LinkId=252465.

 

0 Kudos
By CarlosH
on ‎11-06-2018 06:28 PM

Please update the content for Windows 2016, we are having the same issue.

0 Kudos
By mikekfts
on ‎11-13-2018 06:17 AM

 Just a quick update- I've soken to Centrify support a few times and they verified my config was correct.  I've tried this one three different servers (I had personal concerns that my tinkering on servers 1 and 2 coiuld have messed with Centrify) but I've made no progress.  I'll make sure an update is posted here once this is resolved.

0 Kudos
By tmeyer
on ‎11-29-2018 12:34 PM

I also need this updated to work with Windows 2016.  The error I receive is:

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.ArgumentException: Must specify a SID string
Parameter name: strSid

Source Error:


Line 185:            tswf = new WebFeed(RdpType.Both, true);            
Line 186:            
Line 187:            Tuple<string, int> retValues = await tswf.GenerateFeedAsync(
Line 188:                            strUserIdentity,
Line 189:                            FeedXmlVersion.Win8,              

Source File: c:\Windows\Web\RDWeb\Pages\en-US\Default.aspx    Line: 187

Stack Trace:
[ArgumentException: Must specify a SID string
Parameter name: strSid]
   Microsoft.TerminalServices.Publishing.Portal.RWSCPubAndTsAccessor.GetApplicationsAsync(String strSid, Boolean onlyShowAvailableByDefaultResources, Boolean includeRDPFileContents) +837
   Microsoft.TerminalServices.Publishing.Portal.<GetRemoteAppsAsync>d__5.MoveNext() +124
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +60
   Microsoft.TerminalServices.Publishing.Portal.<GetDataForFeedAsync>d__15.MoveNext() +590
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +60
   Microsoft.TerminalServices.Publishing.Portal.<GenerateFeedAsync>d__13.MoveNext() +438
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +60
   System.Runtime.CompilerServices.TaskAwaiter`1.GetResult() +31
   ASP.<GetAppsAsync>d__0.MoveNext() in c:\Windows\Web\RDWeb\Pages\en-US\Default.aspx:187
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +60
   System.Web.UI.<ExecuteTasksAsync>d__3.MoveNext() +364
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +60
   System.Web.UI.<ProcessRequestAsync>d__554.MoveNext() +997
 

0 Kudos
By Secure-ISS
on ‎12-06-2018 05:52 PM

Yes...please update this document to include the required steps. We are getting the same error as shown by the other users above and have also spent some time trying to figure it out without success. 

0 Kudos
Turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Do you mean 
Labels

Community Control Panel