A customer gave me access to their Remote Desktop Gateway server to do some after-hour consulting. Every time I attempted to connect from my Microsoft Surface Book, I got the following error:
Your computer can’t connect to the Remote Desktop Gateway server. Contact you network administrator for assistance.
I assumed my account was not setup correctly, but the customer was able to successfully connect with the account they assigned me. When I attempted to connect from my Desktop PC (same Windows 10 build as my Surface Book), I was able to connect successfully. The following registry edit fixed the issue for me, although I am still baffled as to why it is needed, since it doesn’t exist on my Desktop PC registry which worked from the start.
- Open Regedit
- Go to HKCUSoftwareMicrosoftTerminal Server Client
- Create a new DWORD (32-bit) called: RDGClientTransport
- Give it a Value of: 1
As soon as I added that entry, I was able to connect. No reboot required.
Configuring RDC to use the Remote Desktop Gateway. Click ' Settings '. Select the option to' Use these RD Gateway server settings: ' Enter remote.uconn.edu into the 'Server name:' field. Click Connect. Before a remote session can be initiated the host PC will need to be configured for remote access. Your computer can’t connect to the Remote Desktop Gateway server. Contact you network administrator for assistance.
Remote Desktop Gateway is a great way to provide secure access to remote server resources across corporate firewalls and proxies. To provide additional levels of security this blog will show you how to integrate with Azure Multi-Factor Authentication (MFA) Server.
In this first part, we will configure a two-way SMS, in Part 2 we will configure it to work with the Microsoft Authenticator Mobile App.
- Create an Azure Multi-Factor Authentication provider
- Click “MANAGE” to open up the configuration settings
- Click “Generate Activation Credentials” and record the details as they will be used later. Clock “Download” to begin the download
- Install and configure the Azure Multi-Factor Authentication Server on a separate server to your RDS Gateway
- Enter the Activation credentials you saved in previous step, if these do not work generate new credentials as they appear to only be valid for a short period of time.
- Replication between multiple MFA servers can be configured for HA
- We are going to use RADIUS to insert the MFA server in the authentication flow
- Enter in the details of your RDS Gateway / NPS server and shared secret. In this example the RDS Gateway is using a local NPS server.
- Configure RADIUS Target as RADIUS server, and enter the same details as previous step as the NPS server in our example will be a Client and a Target.
- Open MFA Server Console and finish configuration. Click “RADIUS Authentication”
- Edit Client and enter application name “RDS Gateway“, select the option “Require Multi-Factor Authentication user match”
- Click Users, and Import from Active Directory… Define your criteria to select users
- Edit user and enter their Phone number and Country Code, select Text Message – Two-Way – OTP and selectEnabled
- Select Test to check that it’s working before configuring the RD Gateway
- A Text Message will be sent to your phone, respond with the code and you will be notified that it was the test was successful
- Configure the RDS Gateway. Open RD Gateway Manager and right click server and go to properties. SelectRD CAP Store and change the option to Central server running NPS. Enter the IP of the MFA Server and configure the Shared Secret used earlier.
- Configure NPS Server. Open Network Policy Server > RADIUS Clients and Servers > Remote RADIUS Server Groups. Right Click TS GATEWAY SERVER GROUP and select PropertiesAdd… the MFA ServerClick Authentication/Accounting tab and enter the Shared secretClick Load Balancing tab and increase the timeout for response to 60 seconds
- Create RADIUS Client, choose friendly name MFA, and make not to use it later, enter IP and Shared Secret of MFA server.
- Configure Connection Request Policies. Right Click TS GATEWAY AUTHORIZATION POLICY and selectDuplicate PolicyRename the Duplicate Policy to “FROM MFA”, and select Policy enabledOn Conditions tab, Client Friendly Name, and enter the name used above MFA
- Modify policy TS GATEWAY AUTHORIZATION POLICY, click Settings tab and change the Authenticationand Authorization to “Forward requests to the following remote RADIUS server group” and select TS GATEWAY SERVER GROUP
- Move the FROM MFA policy above TS GATEWAY AUTHORIZATION POLICY
- Now when connecting through the RD Gateway the connection will remain pending until the SMS is responded to with the code, at which point the connection is initiated.