GreenZebra112-6904 asked

RDS Deployment NPS MFA Extension

I’m new to using NPS server.

I’m trying to secure our RDS deployment with Azure MFA. It appears this requires a minimum of 2 NPS servers; the initial proxy NPS server is installed on the RD Gateway and is configured to point to a central store NPS which is where the NPS extension for Azure AD is installed.

I’ve got this part working now in a test environment, but I’d like to avoid forcing MFA on all users at once, and roll this out more gradually.
Per the documentation, it looks like all the RDS authentication that goes through the NPS server where the extension is installed must be MFA. I thought I could then use the proxy NPS server to direct some users to another backend NPS server for normal AD authentication. I haven’t been able to figure out how to point some users toward a different NPS server based on AD group membership.

How can I configure NPS/RD Gateway to direct users to different NPS servers based on AD group membership?

Or is this only solvable using conditional access policies?


Tags: windows-server, remote-desktop-services, azure-ad-multi-factor-authentication

1 Answer

LimitlessTechnology-0326 answered

Hello there,


Remote Desktop connection authorization policies (RD CAPs) specify the requirements for connecting to a Remote Desktop Gateway server. RD CAPs can be stored locally (default) or they can be stored in a central RD CAP store that is running NPS. To configure integration of Azure AD MFA with RDS, you need to specify the use of a central store.

On the RD Gateway server, open Server Manager.

On the menu, click Tools, point to Remote Desktop Services, and then click Remote Desktop Gateway Manager.

In the RD Gateway Manager, right-click [Server Name] (Local), and click Properties.

In the Properties dialog box, select the RD CAP Store tab.

On the RD CAP Store tab, select Central server running NPS.

In the Enter a name or IP address for the server running NPS field, type the IP address or server name of the server where you installed the NPS extension.

Click Add.

In the Shared Secret dialog box, enter a shared secret, and then click OK. Ensure you record this shared secret and store the record securely.

Hope this solves your issue. Please upvote it if it does,

Thanks
Sridhar M
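A PowerShell companion to the RD Gateway Manager steps in the answer above, added here as an example and not part of the original answer. It covers the two things a practitioner would want around those GUI clicks: a shared secret generated from a CSPRNG rather than typed by hand, and a check that the gateway really ended up on a central RD CAP store, followed by raising the RADIUS response timeout so users have time to answer the MFA prompt. The host name `nps-mfa01.corp.example` is an assumption; `TS GATEWAY SERVER GROUP` is the remote RADIUS server group that RD Gateway Manager creates in the gateway's local NPS when you choose "Central server running NPS", so adjust it if your environment names it differently.

```powershell
# Added example, not part of the original answer. Run in an elevated PowerShell
# session on the RD Gateway server. The host name and the 60 s timeout are
# assumptions for illustration; the group name is the default created by
# RD Gateway Manager when a central NPS is selected.
$CentralNps = 'nps-mfa01.corp.example'     # assumed: central NPS that runs the Azure MFA NPS extension
$GroupName  = 'TS GATEWAY SERVER GROUP'    # default remote RADIUS server group created by RD Gateway Manager

# 1. Generate the shared secret before the "Shared Secret" dialog step:
#    32 CSPRNG bytes rendered as 64 hex characters. Hex avoids characters
#    that netsh or the GUI might mis-handle. The same value must be entered
#    on the central NPS when this gateway is added there as a RADIUS client.
$rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes  = New-Object byte[] 32
$rng.GetBytes($bytes)
$Secret = -join ($bytes | ForEach-Object { $_.ToString('x2') })
Write-Host "Shared secret (enter it in RD Gateway Manager and on the central NPS, then store it in your password vault): $Secret"

# 2. After completing the RD CAP Store steps in RD Gateway Manager, confirm the
#    gateway is really using a central store (CentralCAPEnabled = True).
$gw = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' -ClassName Win32_TSGatewayServerSettings
if ($gw.CentralCAPEnabled) {
    Write-Host "RD Gateway is using a central RD CAP store (NPS)."
} else {
    Write-Warning "RD Gateway still uses local RD CAPs; select 'Central server running NPS' in RD Gateway Manager."
}

# 3. The local NPS forwards the gateway's requests to the central NPS. The
#    default RADIUS timeout is too short for a user to approve an MFA prompt,
#    so raise the per-request timeout and the blackout interval (60 s assumed
#    here) on the remote server entry that RD Gateway Manager created.
netsh nps set remoteserver "remoteservergroup=$GroupName" "address=$CentralNps" `
    "timeout=60" "maxdropped=5" "blackout=60"

# 4. Show the resulting remote server settings for review.
netsh nps show remoteserver "remoteservergroup=$GroupName"
```

Keep the secret out of scripts and logs: it is printed once here so it can be entered in the two places that need it and recorded in a vault, and the script does not write it to disk. If `CentralCAPEnabled` reports False after the GUI steps, the gateway is still authorizing against local RD CAPs and the central NPS (and therefore Azure MFA) is not being consulted.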
