Force RDP Gateway to request verification twice, for GW and separately for the target server

Mountain Pond 1,161 Reputation points
2024-03-27T15:56:10.76+00:00

Hello, please help me with RDP GW.

Here's a question: can I force it to request double authentication on the server, so that the RDP GW requests authentication and then the target server requests a separate authentication?

Why this is needed: The user has a key that must be used to log into the target server. However, the user works under a different user than the one to whom the key was issued.

What I want: I want to verify on RDP GW using a password, and then on the target server using a key.

How it works: if a user connects via RDP to a Jump server using a password, he can connect to other servers using a key that is redirected.

I want to not use a Jump box, but use RDP GW instead. I get an error if I uncheck "Bypass RD Gateway server for local address".

Why the user cannot use the key without a Jump box or RDP GW: The user is running as a local user in a workgroup. Even if the domain controllers are accessible, I cannot run the RDP client as a domain user, because the computer on which the user works is not a member of the domain. And of course, if I launch an RDP client on behalf of a local user, this user does not have access to the key (certificate) and I will no longer be able to connect to another server using the key.

For this reason I'm looking for workarounds.

Perhaps there are other options.


Accepted answer
Karlie Weng 14,106 Reputation points Microsoft Vendor
2024-03-29T01:40:19.35+00:00

Hello,

Even though your end users are working on a workgroup PC, they should log in as domain users for authentication.

Because your server doesn't have a credential for a client local user. In this circumstance, you should work with a Per Device CAL in your license server.

A per device CAL means any domain user can log in via this workgroup PC.

You can follow this document as a reference: https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-client-access-license

Then the work process will be like what you said: the user has a 1st auth when logging in via the GW, and a 2nd auth when logging in to the servers.

Note: You should figure out how your keys work; what I said is just auth with a password.

If the Answer is helpful, please click "Accept Answer" and upvote it.

1 person found this answer helpful.
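As an added illustration, not part of the question or the accepted answer, here is how the two Remote Desktop client settings this thread touches on look inside a saved .rdp file. The host names are placeholders; the file below is constructed for this example, and the actual connection profile would carry whatever the client's connection dialog wrote out.

```text
full address:s:TARGET-SERVER.corp.example
gatewayhostname:s:RDGW.corp.example
gatewayusagemethod:i:1
gatewaycredentialssource:i:0
promptcredentialonce:i:0
authentication level:i:2
```

`gatewayusagemethod:i:1` is the "Use these RD Gateway server settings" choice with "Bypass RD Gateway server for local addresses" unchecked (the value `2` is the same choice with bypass enabled). `gatewaycredentialssource:i:0` tells the client to authenticate to the gateway with a password (NTLM); `1` selects a smart card and `4` lets the user choose at connect time. `promptcredentialonce:i:0` unchecks "Use my RD Gateway credentials for the remote computer", which is the setting that makes the client prompt once for the gateway and again for the target server instead of reusing the gateway credential. The second prompt can only offer a certificate-based logon if that certificate is available in the Windows session that runs the RDP client, which is the limitation the question describes and the reason the accepted answer still recommends logging on as a domain user.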
