Re: How to protect RDWeb with MFA or two-factor authentication
We've had requests from many customers to document how Centrify can protect RDWeb access with MFA or two-factor authentication. It turns out to be a simple WS-Federation integration with Centrify Identity Service, where you enable MFA for your users.
Here's how to set it up:
- Install WIF (Windows Identity Foundation) on your RDWeb server:
  - If you're running Windows 2012, install it from Roles and Features;
  - If you're running Windows 2008 R2, install .NET Framework 3.5.1 from Roles and Features first, then download Windows6.1-KB974405-x64.msu from Microsoft to install WIF.
- Modify C2WTShost.exe.config:
  - Run notepad as an Administrator;
  - Add the line <add value="IIS APPPOOL\RDWebAccess" /> under <allowedCallers> as below:

    <allowedCallers>
      <clear />
      <add value="IIS APPPOOL\RDWebAccess" />
    </allowedCallers>
- Enable the Claims to Windows Token Service:
  - Open services.msc;
  - Look for the service called Claims to Windows Token Service;
  - Right-click it, then click Properties;
  - Make sure the startup type is set to Automatic;
  - Make sure the service is started.
- On your RDWeb server, replace the contents of C:\Windows\Web\RDWeb\Pages\Web.config with the below, and note the placeholder values (the lines marked <!-- EDIT -->) that you'll have to change later:
<?xml version="1.0" encoding="UTF-8"?>
<!--
    Note: As an alternative to hand editing this file you can use the
    web admin tool to configure settings for your application. Use
    the Website->Asp.Net Configuration option in Visual Studio.
    A full list of settings and comments can be found in
    machine.config.comments usually located in
    \Windows\Microsoft.Net\Framework\v2.x\Config
-->
<configuration>
  <!-- Centrify -->
  <configSections>
    <section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </configSections>
  <!-- /Centrify -->
  <!-- Admin Defined settings -->
  <appSettings>
    <!-- PasswordChangeEnabled: Provides password change page for users. Value must be "true" or "false" -->
    <add key="PasswordChangeEnabled" value="false" />
    <!-- LocalHelp: Displays local help for users, instead of the web-based help. Value must be "true" or "false" -->
    <add key="LocalHelp" value="false" />
    <!-- ShowDesktops: Displays or hides the Remote Desktops tab. Value must be "true" or "false" -->
    <add key="ShowDesktops" value="true" />
    <!-- DefaultTSGateway: Admin can preset this to a given Gateway name, or set to "" for no gateway. -->
    <add key="DefaultTSGateway" value="" />
    <!-- GatewayCredentialsSource: TS Gateway Authentication Type. Admins can preset this.
         0 = User Password
         1 = Smartcard
         4 = "Ask me later" -->
    <add key="GatewayCredentialsSource" value="4" />
    <!-- Devices and resources: Preset the Checkbox values to either true or false -->
    <add key="xPrinterRedirection" value="true" />
    <add key="xClipboard" value="true" />
    <add key="xDriveRedirection" value="false" />
    <add key="xPnPRedirection" value="false" />
    <add key="xPortRedirection" value="false" />
    <!-- Public/Private Mode Timeout for FBA -->
    <add key="PublicModeSessionTimeoutInMinutes" value="20" />
    <add key="PrivateModeSessionTimeoutInMinutes" value="240" />
    <!-- Checkbox to opt for optimized LAN experience -->
    <add key="ShowOptimizeExperience" value="false" />
    <add key="OptimizeExperienceState" value="false" />
  </appSettings>
  <connectionStrings />
  <system.web>
    <!-- Centrify -->
    <httpRuntime requestValidationMode="2.0" />
    <pages validateRequest="false" />
    <!-- /Centrify -->
    <!-- The <authentication> section enables configuration of the security authentication mode used by ASP.NET to identify an incoming user. -->
    <!-- To turn on Windows Authentication:
         - uncomment <authentication mode="Windows"/> section
         - and comment out:
           1) <authentication mode="Forms"> section.
           2) <modules> and <security> sections in <system.webServer> section at the end of the file.
           3) Optional: Windows Authentication will work in https. However, to turn off https, disable 'Require SSL' for both RDWeb and RDWeb/Pages VDIR.
              Launch IIS Manager UI, click on RDWeb VDIR, double click on SSL Settings in the middle pane, uncheck 'Require SSL' and click Apply in the top right in the right pane.
              Repeat the steps for RDWeb/Pages VDIR. -->
    <!--
    <authentication mode="Windows"/>
    <authentication mode="Forms">
      <forms loginUrl="default.aspx" name="TSWAAuthHttpOnlyCookie" protection="All" requireSSL="true" />
    </authentication>
    -->
    <!-- Centrify -->
    <authorization>
      <deny users="?" />
    </authorization>
    <authentication mode="None">
      <forms loginUrl="default.aspx" />
    </authentication>
    <!-- /Centrify -->
    <webParts>
      <personalization defaultProvider="TSPortalProvider">
        <providers>
          <add name="TSPortalProvider" type="Microsoft.TerminalServices.Publishing.Portal.TSPortalProvider" />
        </providers>
      </personalization>
    </webParts>
  </system.web>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true">
      <remove name="FormsAuthentication" />
      <add name="RDWAFormsAuthenticationModule" type="Microsoft.TerminalServices.Publishing.Portal.FormAuthentication.TSDomainFormsAuthentication" />
      <!-- Centrify -->
      <add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
      <add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
      <!-- /Centrify -->
    </modules>
    <security>
    </security>
    <httpRedirect enabled="false" />
  </system.webServer>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="TSPortalWebPart" publicKeyToken="31bf3856ad364e35" culture="neutral" />
        <bindingRedirect oldVersion="6.0.0.0" newVersion="6.1.0.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
  <!-- Centrify -->
  <microsoft.identityModel>
    <service>
      <audienceUris>
        <add value="urn:microsoft:rdweb" />
        <add value="RESOURCE_APPLICATION_URL_GOES_HERE" /> <!-- EDIT -->
      </audienceUris>
      <securityTokenHandlers>
        <remove type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
        <add type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
          <sessionTokenRequirement useWindowsTokenService="true" />
        </add>
        <add type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
          <samlSecurityTokenRequirement mapToWindows="true" useWindowsTokenService="true" />
        </add>
      </securityTokenHandlers>
      <federatedAuthentication>
        <wsFederation passiveRedirectEnabled="true" issuer="IDENTITY_PROVIDER_SIGN-IN_URL_GOES_HERE" realm="RESOURCE_APPLICATION_URL_GOES_HERE" requireHttps="true" /> <!-- EDIT -->
        <cookieHandler requireSsl="false" />
      </federatedAuthentication>
      <applicationService>
      </applicationService>
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers>
          <add thumbprint="CERTIFICATE_THUMBPRINT_GOES_HERE" name="ISSUER_GOES_HERE" /> <!-- EDIT -->
        </trustedIssuers>
      </issuerNameRegistry>
      <certificateValidation certificateValidationMode="None" />
    </service>
  </microsoft.identityModel>
  <!-- /Centrify -->
  <location path="rdp">
    <system.web>
      <!--
      <authorization>
        <deny users="?" />
      </authorization>
      -->
    </system.web>
    <system.webServer>
      <handlers>
        <add name="RDWAResourceFileHandler" path="rdp" verb="*" type="Microsoft.TerminalServices.Publishing.Portal.ResourceFileHandler" preCondition="integratedMode" allowPathInfo="true" />
      </handlers>
    </system.webServer>
  </location>
</configuration>
Note: If your RDWeb server runs on Windows 2008, comment out the RDWAFormsAuthenticationModule line with <!-- and -->, like this:
<!-- <add name="RDWAFormsAuthenticationModule" type="Microsoft.TerminalServices.Publishing.Portal.FormAuthentication.TSDomainFormsAuthentication" /> -->
- On the Admin Portal of Centrify Identity Service, add a new custom WS-Fed application:
  - Set the app name to something like RDWeb, grant access to your users in the User Access tab, etc., then set the Resource application URL to https://<your-server-and-domain-name>/RDWeb/Pages/Default.aspx:
  - Set the Advanced tab script to the content below:

    setVersion('1');
    setIssuer(Issuer);
    setServiceUrl(ServiceUrl);
    setSubjectName(LoginUser.Username);
    setAuthenticationMethod('urn:federation:authentication:windows');
    setAudience(ServiceUrl);
    setRecipient(ServiceUrl);
    setSignatureType('Assertion');
    setHttpDestination(ServiceUrl);
    var email = LoginUser.Get('mail');
    if (!email || email == '') {
        setClaim('EmailAddress', LoginUser.Get('userprincipalname'));
    } else {
        setClaim('EmailAddress', email);
    }
    addSubjectToAttrStatement("True");
    setCustomAttribute("upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims", LoginUser.Get("userprincipalname"));
- Go back to the Application Settings tab, open your C:\Windows\Web\RDWeb\Pages\web.config file, and replace the placeholder values at the end of the file (identity provider sign-in URL, resource application URL, certificate thumbprint and issuer name) with the values shown for the CIS app:
- Open IIS Manager on the RDWeb server and navigate to RDWeb / Sites / Default Web Site / RDWeb / Pages; click on Configuration Editor on the right hand side:
- Click the dropdown box at the top of the screen and browse to system.web / authentication:
- Make sure both defaultUrl and loginUrl are set to default.aspx:
- In the RDWeb Access Application Pool, click Advanced and make sure "Load User Profile" is set to "True":
- Go back to your RDWeb app in CIS and set up the MFA Profile in the Policy tab:
- Now try to load https://your-rdweb-server/RDWeb/Pages and you'll be asked for MFA.
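As an added check that is not part of the original post or of Centrify's tooling, the Python script below lints the <microsoft.identityModel> section of the edited Web.config before you test the login: it flags template placeholders that were never replaced, a wsFederation realm that is missing from audienceUris, a trusted-issuer thumbprint that is not a 40-hex SHA-1 value, and the two settings in the template that deserve a second look before go-live (cookieHandler requireSsl="false" and certificateValidationMode="None"). The sample config and the example.test hostnames are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not a real deployment): the Centrify section of Pages\Web.config
# with the realm/audience URL filled in but the issuer URL and thumbprint left as placeholders.
SAMPLE_WEB_CONFIG = """<configuration><microsoft.identityModel><service>
  <audienceUris><add value="urn:microsoft:rdweb" />
    <add value="https://rdweb.example.test/RDWeb/Pages/Default.aspx" /></audienceUris>
  <federatedAuthentication>
    <wsFederation passiveRedirectEnabled="true" issuer="IDENTITY_PROVIDER_SIGN-IN_URL_GOES_HERE"
        realm="https://rdweb.example.test/RDWeb/Pages/Default.aspx" requireHttps="true" />
    <cookieHandler requireSsl="false" />
  </federatedAuthentication>
  <issuerNameRegistry><trustedIssuers>
    <add thumbprint="CERTIFICATE_THUMBPRINT_GOES_HERE" name="ISSUER_GOES_HERE" />
  </trustedIssuers></issuerNameRegistry>
  <certificateValidation certificateValidationMode="None" />
</service></microsoft.identityModel></configuration>"""

PLACEHOLDER = re.compile(r"_GOES_HERE$")     # naming convention of the template above
SHA1_HEX = re.compile(r"^[0-9A-Fa-f]{40}$")  # thumbprint as WIF expects it: 40 hex chars, no spaces

def lint_web_config(xml_text):
    """Return a list of findings for the <microsoft.identityModel> settings."""
    svc = ET.fromstring(xml_text).find("microsoft.identityModel/service")
    if svc is None:
        return ["no <microsoft.identityModel><service> section found"]
    # Any attribute still carrying a template placeholder means the values from
    # the CIS app were not copied in yet.
    findings = [f"placeholder not replaced: {el.tag}/@{attr}"
                for el in svc.iter() for attr, val in el.attrib.items() if PLACEHOLDER.search(val)]
    wsfed = svc.find("federatedAuthentication/wsFederation")
    audiences = {a.get("value") for a in svc.findall("audienceUris/add")}
    # The realm must also be an accepted audience, or the returned token fails audience validation.
    if wsfed is not None and wsfed.get("realm") not in audiences:
        findings.append("wsFederation/@realm is not listed in audienceUris")
    if wsfed is not None and wsfed.get("requireHttps", "").lower() != "true":
        findings.append("wsFederation/@requireHttps is not true")
    cookie = svc.find("federatedAuthentication/cookieHandler")
    if cookie is not None and cookie.get("requireSsl", "").lower() != "true":
        findings.append("cookieHandler/@requireSsl is not true: session cookie not marked Secure")
    # Token signatures are trusted by thumbprint alone, so it must be a real SHA-1 value.
    for iss in svc.findall("issuerNameRegistry/trustedIssuers/add"):
        if not SHA1_HEX.match(iss.get("thumbprint", "")):
            findings.append(f"trustedIssuers thumbprint is not 40 hex chars: {iss.get('thumbprint')}")
    cv = svc.find("certificateValidation")
    if cv is not None and cv.get("certificateValidationMode") == "None":
        findings.append("certificateValidationMode=None: issuer cert chain is not validated")
    return findings
```

Run it against the real C:\Windows\Web\RDWeb\Pages\Web.config by passing the file contents to lint_web_config(); an empty list means every placeholder was replaced and only the settings you chose deliberately remain.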
See attached for both a web.config file sample and the Advanced tab script in text file format.