Microsoft Authenticator Remote Desktop




Mar 04, 2020

Need a quick and easy 2FA setup for Windows and RDP logons? This might help…

So I recently had a challenge where I needed to add 2FA (specifically, using the Microsoft Authenticator service) to a Windows 10 logon for a particular set of users. Rather naively, I assumed that you would be able to do this simply using the Microsoft Authenticator service directly, but I was surprised to find that this functionality wasn’t offered. The way Microsoft recommend to do it was by using Windows Hello, but within a few minutes of reading the literature around it, it was clear that there was a *lot* of work required to get Windows Hello up and running – and it wasn’t exactly fully foolproof either.

There’s a lot of requests to extend the Microsoft Authenticator service onto Windows console logons and RDP logons, and since MS have sunset the on-premises MFA server this is only increasing. Microsoft seem hell-bent on pushing through the passwordless, biometric concept of Windows Hello, and while this is something that no doubt will gain much traction in the future, legacy systems with passwords and MFA aren’t going away anytime soon. So, in the absence of Authenticator being integrated with Windows 10, it started to look like I was on the hunt for a (preferably free or low-cost!) third-party provider.

Duo are one of the leaders in this category, but given that their free version only extends to ten users, it didn’t fit my needs. Enter Leee Jeffries to tell me about ManageEngine’s AD Self Service Plus product, which is free for up to fifty users (and, if I’m not mistaken, seems to be owned by Zoho). This looked really promising, so off I set to see how easy it was to get up and running.

Installing the software

First I set out to install my AD SelfService Plus software

The default port for the web service is 8888 – if you wish to use a different port, you can enter it at this point

The installation will then proceed

Once the installation is finished, you can launch the console from the desktop shortcut, and you can also install it as a Windows service if you wish (from the Start menu shortcuts)

If you do install the software as a service, the server will need to be rebooted before it activates. Also, it is recommended to run the service as a domain account rather than LocalSystem, especially if it is going to be doing remote deployments of the client software from the console.

As the console runs in a browser, you may need to turn off IE Enhanced Security Configuration if you are intending to access it from the server desktop.

Setting up SSL

The AD SelfService Plus software uses a Tomcat instance, so in order for it to work properly you will need to install an SSL certificate.

There are a number of articles on the ManageEngine site about configuring certificates, however in order to install a self-signed certificate from my own CA I had to follow this process.

Log on to the console as admin (the default password is also admin)

Go to Admin | Product Settings | Connection

Check “Enable SSL port” and click Save

You can change the default port from 9251 if you wish. After doing this, restart the AD SelfService Plus service.

Log back into the console as admin again (this time you will probably get a security warning, as the certificate was not issued by a trusted CA)

Return to Admin | Product Settings | Connection.

Click SSL Certification Tool button.

Fill in the required fields for generating the Certificate Signing Request (CSR)

This will generate two files – a file called SelfService.csr at webapps\adssp\Certificates and a file called SelfService.keystore at jre\bin (both paths relative to the software install directory).

Log on to your Certificate Authority (https://servername/certsrv) and submit the CSR

Request a Certificate | Advanced Certificate request | Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

Copy the contents of the SelfService.csr file into the Saved Request box

Select Web Server from the options for Certificate Template

Click Submit and then click Yes

Click Download Certificate to download the certificate in .cer format

Click Download Certificate Chain to download the certificate in .p7b format

Place both the files at jre\bin


Open an elevated command prompt

Change directory to jre\bin

Run the following commands

keytool -import -alias tomcat -trustcacerts -file certnew.p7b -keystore selfservice.keystore

(password is the password you specified when generating the CSR)

Type ‘y’ or ‘Yes’ afterwards and press Enter

keytool -importkeystore -srckeystore selfservice.keystore -destkeystore selfservice.keystore -deststoretype pkcs12

(password is the password you specified when generating the CSR)

keytool -import -alias tomcat -keystore ..\lib\security\cacerts -file certnew.cer

(password is changeit)

Type ‘y’ or ‘Yes’ afterwards and press Enter

Copy the SelfService.keystore file from jre\bin to conf

Back up the server.xml file

Edit server.xml (you may need to run Notepad elevated to do this)

Replace both instances of the keystoreFile value with ./conf/SelfService.keystore

Replace both instances of the keystorePass value with the password you specified when generating the CSR

Delete the property keystoreType="PKCS12"

Restart the AD SelfService Plus service

Log back on to the console. You should now see that your SSL certificate is trusted
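Before trusting the “certificate is trusted” check in the browser, it is worth verifying the keystore import, the server.xml edits and the TLS handshake from the command line. The following PowerShell script is an added example (not part of the original post or of the ManageEngine product); the install directory, server name and CSR password are placeholders you must replace.

```powershell
# Added example (not part of the original post): verify the keystore import and
# server.xml edits from the steps above, then confirm the HTTPS port serves a
# chain this machine trusts. Install path, server name and password are placeholders.
param(
    [string]$InstallDir = 'C:\ManageEngine\ADSelfService Plus',  # placeholder
    [string]$ServerName = 'adssp.corp.example',                  # name used in the CSR (placeholder)
    [string]$StorePass  = '<password-used-for-the-CSR>',         # placeholder
    [int]$Port = 9251
)
$keytool   = Join-Path $InstallDir 'jre\bin\keytool.exe'
$keystore  = Join-Path $InstallDir 'conf\SelfService.keystore'
$serverXml = Join-Path $InstallDir 'conf\server.xml'
$problems  = New-Object System.Collections.Generic.List[string]

# 1. The copied keystore must contain the 'tomcat' entry with a full chain
#    (leaf plus CA), otherwise the .p7b import did not take.
$listing = (& $keytool -list -v -keystore $keystore -storepass $StorePass) | Out-String
if ($listing -notmatch 'Alias name:\s*tomcat') {
    $problems.Add("no 'tomcat' alias in $keystore")
}
$m = [regex]::Match($listing, 'Certificate chain length:\s*(\d+)')
if (-not $m.Success -or [int]$m.Groups[1].Value -lt 2) {
    $problems.Add('certificate chain is shorter than 2; the .p7b chain import probably failed')
}

# 2. Both SSL connectors must reference the new keystore and password, and the
#    old keystoreType="PKCS12" attribute must have been deleted.
[xml]$xml = Get-Content -Raw -Path $serverXml
foreach ($c in $xml.SelectNodes('//Connector[@keystoreFile]')) {
    if ($c.keystoreFile -ne './conf/SelfService.keystore') {
        $problems.Add("connector $($c.port): keystoreFile is '$($c.keystoreFile)'")
    }
    if ($c.keystorePass -ne $StorePass) {
        $problems.Add("connector $($c.port): keystorePass does not match the CSR password")
    }
    if ($c.HasAttribute('keystoreType')) {
        $problems.Add("connector $($c.port): keystoreType='$($c.keystoreType)' still present")
    }
}

# 3. After the service restart, a TLS handshake against the SSL port must succeed
#    with default (machine trust store) validation, i.e. no browser warning.
if (Test-NetConnection -ComputerName $ServerName -Port $Port -InformationLevel Quiet -WarningAction SilentlyContinue) {
    $tcp = New-Object System.Net.Sockets.TcpClient($ServerName, $Port)
    $tls = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        $tls.AuthenticateAsClient($ServerName)   # throws AuthenticationException if untrusted
        Write-Host "TLS OK: $($tls.RemoteCertificate.Subject) issued by $($tls.RemoteCertificate.Issuer)"
    } catch {
        $problems.Add("TLS handshake to ${ServerName}:${Port} failed: $($_.Exception.Message)")
    } finally { $tls.Dispose(); $tcp.Dispose() }
} else {
    $problems.Add("nothing listening on ${ServerName}:${Port} (service not restarted, or SSL port not enabled)")
}

if ($problems.Count) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host 'All checks passed'
```

Run it from an elevated prompt on the AD SelfService Plus server after the service restart; a non-zero exit code points at the exact step (import, server.xml or trust) that needs redoing.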

Firewall configuration

Set up a Windows Firewall rule to allow inbound traffic on TCP port 9251

Configuring the policy

Next we need to configure a policy for our endpoint MFA

Log on to the console

Click on Configuration | Policy Configuration

You can either create a new policy or edit the default one (which will be named after the domain)

Select the OUs or Groups that the policy will apply to by clicking the Select OUs/Groups button. I have chosen to apply the policy to an AD group

Click on Save Policy

Switch to the Multi-factor Authentication submenu on the left

Select the policy from the drop-down list and configure your authentication method (we are choosing Microsoft Authenticator)

Click on Enable Microsoft Authenticator

Switch to the Authenticator Settings tab

Choose the policy you are working on

Enable Endpoint MFA and select the second authentication type. Also, select whether you want users to be able to log in without 2FA if the AD SelfService Plus system is down

Next, click on Access URL and make sure you have switched to HTTPS with the right port number (9251 by default). It is imperative that this change is made before software is deployed to any target endpoints otherwise it will continue to try and connect on the old port.

Click on Save and then Save Settings

Deploy the client software to endpoints

Next we need to install the client software on the target endpoints where we wish to enable MFA. Whilst this software has an MSI download available which you can use to push the software via SCCM or a similar tool, with the free version you must do the deployment via the console itself.

The endpoint requires two prerequisites before deployment:

  1. Enable the Remote Registry service (either locally or via GPO)

  2. Ensure that the target machine can be contacted via the Windows File and Print Sharing exception in Windows Firewall (this can be done either locally or via a GPO), as the deployment process connects via the admin$ share
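Both prerequisites can be checked from the console server before you push anything, which saves a failed deployment per endpoint. This PowerShell function is an added example (not from the original post or the ManageEngine product); the computer names are placeholders, and Windows PowerShell 5.1 is assumed because Get-Service -ComputerName was removed from PowerShell 7.

```powershell
# Added example (not part of the original post): confirm that each target endpoint
# meets the two deployment prerequisites before pushing the client from the console.
# Run as the same domain account the console service uses, since admin$ needs local
# admin rights on the target. Computer names are placeholders.
function Test-AdsspEndpointPrereq {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($pc in $ComputerName) {
        $r = [ordered]@{
            Computer = $pc; RemoteRegistry = $null; RemoteRegistryOK = $false
            Smb445 = $false; AdminShare = $false; Ready = $false
        }

        # Prerequisite 1: the Remote Registry service must be running on the target.
        try {
            $svc = Get-Service -Name RemoteRegistry -ComputerName $pc -ErrorAction Stop
            $r.RemoteRegistry   = "$($svc.Status) ($($svc.StartType))"
            $r.RemoteRegistryOK = ($svc.Status -eq 'Running')
        } catch {
            $r.RemoteRegistry = "query failed: $($_.Exception.Message)"
        }

        # Prerequisite 2: File and Print Sharing must be allowed through the target's
        # firewall (TCP 445) and admin$ must be reachable, since the console copies
        # the client through \\<host>\admin$.
        $r.Smb445 = Test-NetConnection -ComputerName $pc -Port 445 -InformationLevel Quiet -WarningAction SilentlyContinue
        if ($r.Smb445) { $r.AdminShare = Test-Path -Path ('\\' + $pc + '\admin$') }

        $r.Ready = $r.RemoteRegistryOK -and $r.AdminShare
        [pscustomobject]$r
    }
}

# Constructed usage: check two endpoints and flag those that are not yet ready.
$results = Test-AdsspEndpointPrereq -ComputerName 'WKS01', 'WKS02'   # placeholders
$results | Format-Table -AutoSize
$results | Where-Object { -not $_.Ready } | ForEach-Object {
    Write-Warning "$($_.Computer) is not ready: fix Remote Registry and/or the File and Print Sharing firewall exception"
}
```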

Open the console

Click on Configuration | Administrative Tools | GINA/Mac/Linux (Ctrl-Alt-Del)

Click on GINA/Mac/Linux installation

In New Installation, locate the target machines you wish to deploy the software to

Click Install

Once the install is successful, the console will report success. Checking the target endpoint’s logon screen will now show an additional option as below

Clicking on the new option should successfully show the AD SelfService Plus options as configured in your password policy. If it fails, then remediate the error and try again (certificate issues should present themselves at this point, along with any other communications problems). The below image is similar to what you should see if it is successful (dependent on how the policy is configured)

Enrolling users

Next you need to enrol the users so that they are set up for the second factor authentication (Microsoft Authenticator in this case). There are various methods within the console that you can force enrolment. For purposes of this demo we are simply going to log the user in to the AD SelfService Plus console where they will be prompted to enrol.

Once the user enters the PIN after they have scanned the QR code, they will be successfully enrolled.

Verifying

Now it’s simply a case of logging on as the enrolled user and using the Microsoft Authenticator app for a second level of verification.

When the user logs on, they should be presented with this screen

They then have to provide the PIN code from Microsoft Authenticator before they can successfully log on. Congratulations, you now have 2FA configured for your Windows network logons (and free for up to 50 users).

Summary


Obviously if you’re in the Citrix world then there are already a bunch of options available for MFA that are very closely integrated, so this would probably only be on your radar if you needed the free version. For non-Citrix customers though, this could be very useful, particularly for limited-scope deployments like I was looking at.

There is also a huge amount of other functionality available within the AD SelfService Plus software that may prove invaluable from both a security and management perspective, so further exploring the possibilities may well be very fruitful.

