
How to protect RDWeb with MFA or two-factor authentication

11 April 2019 at 11:50 AM

We've had requests from many customers to document how Centrify can protect RDWeb access with MFA or two-factor authentication. It turns out to be a simple WS-Federation integration with Centrify Identity Service, where you enable MFA for your users.

Here's how to set it up:

  • Install WIF (Windows Identity Foundation) on your RDWeb server:
    • If you're running Windows 2012, install it from Roles and Features;
    • If you're running Windows 2008 R2, install .NET Framework 3.5.1 from Roles and Features first, then download Windows6.1-KB974405-x64.msu from Microsoft to install WIF.

  • Modify C2WTShost.exe.config:
    • Run Notepad as an Administrator;
    • Add the line under as below:

  • Enable the Claims to Windows Token Service:
    • Open services.msc;
    • Look for the service called Claims to Windows Token Service;
    • Right-click it then click Properties;
    • Make sure the startup type is set to Automatic;
    • Make sure the service is started.

  • On your RDWeb server, replace the contents of C:\Windows\Web\RDWeb\Pages\Web.config with the below, and note the fields in bold that you'll have to change later:

Note: If your RDWeb server runs on Windows 2008, comment out the line below, like this:

  • On the Admin Portal of Centrify Identity Service, add a new custom WS-Fed application:

Screen Shot 2017-01-23 at 13.07.09.png

Screen Shot 2017-01-23 at 13.07.34.png

  • Set the app name to something like RDWeb, grant access to your users in the User Access tab, etc., then set the Resource application URL to https:///RDWeb/Pages/Default.aspx:

Screen Shot 2017-01-23 at 13.34.57.png

  • Set the Advanced tab script with the content below:

Screen Shot 2017-02-10 at 16.24.19.png

// Assertion header: version, issuer, and the RDWeb service URL used as audience,
// recipient and HTTP destination; the subject is the user's CIS login name.
setVersion('1');
setIssuer(Issuer);
setServiceUrl(ServiceUrl);
setSubjectName(LoginUser.Username);
setAuthenticationMethod('urn:federation:authentication:windows');
setAudience(ServiceUrl);
setRecipient(ServiceUrl);
setSignatureType('Assertion');
setHttpDestination(ServiceUrl);

// EmailAddress claim: use the mail attribute, falling back to the UPN when mail is empty.
var email = LoginUser.Get('mail');
if (!email || email == '') {
    setClaim('EmailAddress', LoginUser.Get('userprincipalname'));
} else {
    setClaim('EmailAddress', email);
}

addSubjectToAttrStatement("True");

// Also emit the user's UPN as a claim in the standard WS-Federation claims namespace.
setCustomAttribute("upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims", LoginUser.Get("userprincipalname"));

  • Go back to the Application Settings tab and open your C:\Windows\Web\RDWeb\Pages\web.config file; replace the contents at the end of the file with the info from the CIS app, as shown below:

Screen Shot 2017-01-23 at 13.33.46.png

  • Open IIS Manager on the RDWeb server and navigate to RDWeb / Sites / Default Web Site / RDWeb / Pages; click Configuration Editor on the right-hand side:

Screen Shot 2017-01-23 at 13.17.55.png

  • Click the dropdown box at the top of the screen and browse to system.web / authentication:

Screen Shot 2017-01-23 at 13.18.28.png

  • Make sure both defaultUrl and loginUrl are set to default.aspx:

Screen Shot 2017-01-23 at 13.29.05.png

  • In the RDWeb Access Application Pool, click Advanced and make sure "Load User Profile" is set to "True":

Picture1.png

Picture2.png

  • Go back to your RDWeb app in CIS and set up the MFA Profile in the Policy tab:

Screen Shot 2017-01-23 at 13.37.03.png

  • Now try to load https://your-rdweb-server/RDWeb/Pages and you'll be asked for MFA.
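As an added check (not from the original article and not Centrify tooling), the PowerShell below verifies on the RDWeb server the settings the steps above require: the Claims to Windows Token Service state and startup type, the forms-authentication defaultUrl and loginUrl for /RDWeb/Pages, Load User Profile on the application pool, and the WIF feature on Windows 2012. It assumes the IIS site is "Default Web Site" and the pool is named "RDWebAccess"; adjust those two variables if yours differ.

```powershell
# Added verification script, not part of the original article. Assumed names:
# site 'Default Web Site' and application pool 'RDWebAccess' (change if needed).
# Run from an elevated PowerShell on the RDWeb server.
Import-Module WebAdministration

$site  = 'Default Web Site'
$pool  = 'RDWebAccess'
$pages = "IIS:\Sites\$site\RDWeb\Pages"

function New-Check {
    param([string]$Name, [bool]$Pass, [string]$Actual)
    [pscustomobject]@{ Check = $Name; Pass = $Pass; Actual = $Actual }
}
$results = @()

# Claims to Windows Token Service must be running with startup type Automatic.
$svc = Get-WmiObject Win32_Service -Filter "DisplayName='Claims to Windows Token Service'"
$results += New-Check 'C2WTS running'        ($svc.State -eq 'Running') "$($svc.State)"
$results += New-Check 'C2WTS startup = Auto' ($svc.StartMode -eq 'Auto') "$($svc.StartMode)"

# Forms authentication in /RDWeb/Pages/web.config: defaultUrl and loginUrl = default.aspx.
$forms = Get-WebConfiguration -PSPath $pages -Filter 'system.web/authentication/forms'
foreach ($attr in 'defaultUrl', 'loginUrl') {
    $val = [string]$forms.$attr
    $results += New-Check "forms $attr = default.aspx" ($val -ieq 'default.aspx') $val
}

# The application pool must have Load User Profile set to True.
$lup = (Get-ItemProperty -Path "IIS:\AppPools\$pool" -Name processModel).loadUserProfile
$results += New-Check 'AppPool Load User Profile' ([bool]$lup) "$lup"

# WIF role feature (Windows 2012 only; on 2008 R2 WIF comes from the KB974405 package).
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    $wif = Get-WindowsFeature -Name Windows-Identity-Foundation
    $results += New-Check 'WIF feature installed' ([bool]$wif.Installed) "$($wif.Installed)"
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) {
    Write-Warning 'One or more settings differ from what the article requires.'
    exit 1
}
```

A non-zero exit code means at least one row shows Pass = False; the Actual column tells you which step to revisit.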

See attached for both a web.config file sample and the Advanced tab script in text file format.
