
How to protect RDWeb with MFA or two-factor authentication

11 April,19 at 11:50 AM


We've had requests from many customers to document how Centrify can protect RDWeb access with MFA or two-factor authentication. It turns out to be a straightforward WS-Federation integration with Centrify Identity Service, where you enable MFA for your users.


Here's how to set it up:


  • Install WIF (Windows Identity Foundation) on your RDWeb server:
    • If you're running Windows 2012, install it from Roles and Features;
    • If you're running Windows 2008 R2, install .NET Framework 3.5.1 from Roles and Features first and then download Windows6.1-KB974405-x64.msu from Microsoft to install WIF.


  • Modify C2WTShost.exe.config:
    • Run notepad as an Administrator;
    • Add the following line, as shown below:


  • Enable the Claims to Windows Token Service:
    • Open services.msc;
    • Look for the service called Claims to Windows Token Service;
    • Right-click it then click Properties;
    • Make sure the startup type is set to Automatic;
    • Make sure the service is started.


  • On your RDWeb server, replace the contents of C:\Windows\Web\RDWeb\Pages\Web.config with the configuration below, noting the fields in bold that you will have to change later:

Note: If your RDWeb server runs on Windows 2008, comment out the line below with <!-- and -->, like this:



  • On the Admin Portal of Centrify Identity Service, add a new custom WS-Fed application:




  • Set the app name to something like RDWeb, grant access to your users in the User Access tab, etc., then set the Resource application URL to https:///RDWeb/Pages/Default.aspx:



  • Set the Advanced tab script with the content below:




// Prefer the user's mail attribute for the EmailAddress claim
var email = LoginUser.Get('mail');
if (!email || email == '') {
    // No mail attribute set: fall back to the user principal name
    setClaim('EmailAddress', LoginUser.Get('userprincipalname'));
} else {
    setClaim('EmailAddress', email);
}

// Also pass the UPN to RDWeb as a custom attribute named "upn"
setCustomAttribute("upn", "", LoginUser.Get("userprincipalname"));


  • Go back to the Application Settings tab and open your C:\Windows\Web\RDWeb\Pages\web.config file; replace the section at the end of the file with the values shown for the CIS app, as below:



  • Open IIS Manager on the RDWeb server and navigate to RDWeb / Sites / Default Web Site / RDWeb / Pages; click Configuration Editor on the right-hand side:



  • Click the dropdown box at the top of the screen and browse to system.web / authentication:




  • Make sure both defaultUrl and loginURL are set to default.aspx:



  • In the RDWeb Access Application Pool, click Advanced and make sure "Load User Profile" is set to "True":

  • Go back to your RDWeb app in CIS and set up the MFA Profile in the Policy tab:



  • Now try to load https://your-rdweb-server/RDWeb/Pages and you'll be asked for MFA.
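The steps above touch four separate places (the C2WTS service, its host config, the IIS application pool and the RDWeb web.config), and a miss in any one of them shows up only as a vague login failure. The PowerShell script below is an added verification example, not part of the original article or a Centrify tool; run it on the RDWeb server after completing the steps. It assumes the RD Web Access application pool is named RDWebAccess, that the C2WTS host config lives at the default WIF 3.5 path, and that the WIF section in web.config uses the microsoft.identityModel schema; adjust the parameters if your server differs.

```powershell
# Post-configuration check for the RDWeb + WIF + Centrify WS-Fed setup.
# Added example (not from the original article). Assumed values are marked.
param(
    # ASSUMPTION: IIS application pool name used by RD Web Access.
    [string]$AppPool = 'RDWebAccess',
    # Path given in the article.
    [string]$WebConfig = 'C:\Windows\Web\RDWeb\Pages\Web.config',
    # ASSUMPTION: default install path of the WIF 3.5 C2WTS host config.
    [string]$C2wtsConfig = 'C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config'
)

$failures = New-Object System.Collections.Generic.List[string]
function Check([bool]$Ok, [string]$Message) {
    if ($Ok) { Write-Host "[PASS] $Message" }
    else     { Write-Host "[FAIL] $Message"; $failures.Add($Message) }
}

# 1. Claims to Windows Token Service: present, Automatic, Running.
$svc = Get-CimInstance Win32_Service -Filter "DisplayName='Claims to Windows Token Service'"
Check ($null -ne $svc) 'Claims to Windows Token Service is installed (WIF present)'
if ($svc) {
    Check ($svc.StartMode -eq 'Auto')  'C2WTS startup type is Automatic'
    Check ($svc.State -eq 'Running')   'C2WTS service is running'
}

# 2. C2WTS host config: only the RDWeb app pool identity may request Windows tokens.
#    (allowedCallers is the least-privilege boundary for this service.)
if (Test-Path $C2wtsConfig) {
    [xml]$c2 = Get-Content $C2wtsConfig
    $callers = @($c2.configuration.windowsTokenService.allowedCallers.add | ForEach-Object { $_.value })
    $expected = "IIS APPPOOL\$AppPool"
    Check ($callers -contains $expected) "C2WTS allowedCallers lists $expected"
    $extra = @($callers | Where-Object { $_ -ne $expected })
    Check ($extra.Count -eq 0) "C2WTS allowedCallers has no unexpected entries ($($extra -join ', '))"
} else {
    Check $false "C2WTS config found at $C2wtsConfig"
}

# 3. IIS application pool: Load User Profile must be True for the C2WTS call to work.
Import-Module WebAdministration -ErrorAction Stop
$pool = Get-Item "IIS:\AppPools\$AppPool" -ErrorAction SilentlyContinue
Check ($null -ne $pool) "Application pool $AppPool exists"
if ($pool) {
    Check ($pool.processModel.loadUserProfile -eq $true) "$AppPool has Load User Profile = True"
}

# 4. RDWeb web.config: forms loginUrl/defaultUrl and the WIF federation settings.
[xml]$web = Get-Content $WebConfig
$forms = $web.configuration.'system.web'.authentication.forms
Check ($forms.loginUrl   -eq 'default.aspx') 'system.web/authentication loginUrl is default.aspx'
Check ($forms.defaultUrl -eq 'default.aspx') 'system.web/authentication defaultUrl is default.aspx'

# ASSUMPTION: WIF 3.5 schema (<microsoft.identityModel>). Verify the federation
# exchange and session cookie are HTTPS-only; otherwise the token/cookie travel in clear.
$fed = $web.configuration.'microsoft.identityModel'.service.federatedAuthentication
Check ($null -ne $fed) 'web.config contains a microsoft.identityModel federatedAuthentication section'
if ($fed) {
    Check ($fed.wsFederation.issuer -like 'https://*')   'WS-Fed issuer URL uses https'
    Check ($fed.wsFederation.requireHttps -eq 'true')    'wsFederation requireHttps is true'
    Check ($fed.cookieHandler.requireSsl -eq 'true')     'cookieHandler requireSsl is true'
}

if ($failures.Count -eq 0) { Write-Host 'All checks passed.' }
else { Write-Host "$($failures.Count) check(s) failed."; exit 1 }
```

Run it from an elevated PowerShell prompt (reading the IIS configuration and the C2WTS host config requires administrator rights). A non-zero exit code means at least one of the four areas needs attention; the [FAIL] lines name which one.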

See attached for both a web.config file sample and the Advanced tab script in text file format.

