Microsoft RDS – ADFS & WAP

The purpose of this integration guide is to provide guidelines on how to integrate Mideye two-factor authentication with Remote Desktop Services using Microsoft ADFS and WAP.

Requirements and prerequisites

Mideye Server release 4.7.2 is required, although updating to the latest release 5 is recommended.

This guide assumes that a functional RDS environment with a Remote Desktop Gateway is already installed. Microsoft ADFS and WAP must also be functional, and the WAP server must be a member of the domain.

Configure ADFS

Open the ADFS management console and navigate to “Relying Party Trusts” followed by “Add Relying Party Trust”.

Create the following Relying Party Trust:

A claims-aware relying party, configured manually (without metadata) and without enabling support for the WS-Federation Passive protocol or the SAML 2.0 WebSSO protocol. Add only a relying party trust identifier, which should be the public DNS name of your RD Gateway (e.g. https://rdweb.mideye.com).

Create a new Relying Party Trust.

Configure Active Directory Users and Computers

Add a service principal name (SPN) to the computer account of the Web Application Proxy (WAP). It should match the external DNS name used by end users, in this scenario http/rdweb.mideye.com.

Add a SPN for the Web Application Proxy

Add a delegation for the Web Application Proxy.

Add delegation for http

Configure Web Application Proxy (WAP)

On the WAP server, add an entry to the hosts file (C:\Windows\System32\drivers\etc\hosts). Use the same DNS name as the external record, but on the WAP server it should resolve to the internal IP address of the RDWeb/RD Gateway server.

Add the internal IP for RD-gateway.

Open the WAP console and click “Publish”. Select ADFS as the pre-authentication method, followed by “Web and MSOFBA”. Select the relying party created on the ADFS server, give the published application a name, and enter the external URL and the backend server URL. These should be the same, in this scenario https://rdweb.mideye.com. Select a valid certificate.

Next, on the WAP server, open an elevated PowerShell prompt and apply the following configuration:

Get-WebApplicationProxyApplication -Name "Remote Desktop Services 2019" | Set-WebApplicationProxyApplication -DisableHttpOnlyCookieProtection:$true

Replace the value of -Name with the name of the published web application. This setting removes the HttpOnly flag from the WAP cookie for that application so that the RD Gateway pre-authentication flow can use it; apply it only to this published application.

Configure RDweb / RDgateway

Open IIS Manager, select the RDWeb server and open “Authentication”. Set Windows Authentication to “Enabled” and make sure that Forms Authentication is set to “Disabled”.

Open web.config located in C:\Windows\Web\RDWeb\Pages, set the authentication mode to Windows and comment out the Forms configuration:

<authentication mode="Windows" />
<!--
<authentication mode="Forms">
<forms loginUrl="default.aspx" name="TSWAAuthHttpOnlyCookie" protection="All" requireSSL="true" />
</authentication>
-->

Comment out the forms authentication module:

<!--
<modules runAllManagedModulesForAllRequests="true">
<remove name="FormsAuthentication" />
<add name="RDWAFormsAuthenticationModule" type="Microsoft.TerminalServices.Publishing.Portal.FormAuthentication.TSDomainFormsAuthentication" />
</modules>
-->

Enable Windows authentication and disable anonymous authentication:

<authentication>
<windowsAuthentication enabled="true" />
<anonymousAuthentication enabled="false" />
</authentication>

Save the file and open default.aspx located in C:\Windows\Web\RDWeb\Pages\en-US. Change:

public bool bShowPublicCheckBox = false, bPrivateMode = false, bRTL = false;
to
public bool bShowPublicCheckBox = false, bPrivateMode = true, bRTL = false;

Save the file and run iisreset from an elevated prompt.

Configure Connection Broker(s)

From the active connection broker, run the following command from an elevated PowerShell prompt. Replace the collection name and the pre-authentication server address with your own values.

Set-RDSessionCollectionConfiguration -CollectionName MideyeDev -CustomRdpProperty "pre-authentication server address:s:https://rdweb.mideye.com`nrequire pre-authentication:i:1"
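As an added verification script (not part of this guide or of Mideye's own tooling), the following PowerShell checks the RDWeb/RD Gateway and Connection Broker changes described above. The defaults for $CollectionName, $PreAuthUrl and the RDWeb path are this guide's example values; the collection check only runs where the RemoteDesktop module is available.

```powershell
# Added post-configuration check (not part of the Mideye guide). Defaults are the
# placeholder values used in this guide; adjust them for your environment.
param(
    [string]$CollectionName = 'MideyeDev',
    [string]$PreAuthUrl     = 'https://rdweb.mideye.com',
    [string]$RdWebPages     = 'C:\Windows\Web\RDWeb\Pages'
)

$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Ok = $Ok; Detail = $Detail })
}

# 1. web.config: ASP.NET authentication must be Windows (the Forms block is commented out).
[xml]$cfg = Get-Content -Path (Join-Path $RdWebPages 'web.config') -Raw
$mode = $cfg.configuration.'system.web'.authentication.mode
Add-Check 'ASP.NET authentication mode is Windows' ($mode -eq 'Windows') "mode=$mode"

# 2. web.config: the RDWeb forms-authentication module must no longer be registered.
$modules = @($cfg.SelectNodes('//modules/add') | ForEach-Object { $_.name })
Add-Check 'RDWAFormsAuthenticationModule not registered' `
    ($modules -notcontains 'RDWAFormsAuthenticationModule') ("modules=" + ($modules -join ','))

# 3. web.config: IIS Windows authentication enabled, anonymous authentication disabled.
$win  = $cfg.SelectSingleNode('//windowsAuthentication')
$anon = $cfg.SelectSingleNode('//anonymousAuthentication')
Add-Check 'IIS windowsAuthentication enabled'    ($win.enabled -eq 'true')   "enabled=$($win.enabled)"
Add-Check 'IIS anonymousAuthentication disabled' ($anon.enabled -eq 'false') "enabled=$($anon.enabled)"

# 4. default.aspx: bPrivateMode must be true (the edit described in the guide).
$aspx = Get-Content -Path (Join-Path $RdWebPages 'en-US\default.aspx') -Raw
Add-Check 'default.aspx bPrivateMode = true' ($aspx -match 'bPrivateMode\s*=\s*true') ''

# 5. Session collection: the RDP properties must require pre-authentication via the WAP URL.
#    Only runs where the RemoteDesktop module is available (e.g. on a Connection Broker).
if (Get-Command Get-RDSessionCollectionConfiguration -ErrorAction SilentlyContinue) {
    $rdp = (Get-RDSessionCollectionConfiguration -CollectionName $CollectionName -CustomRdpProperty).CustomRdpProperty
    $expected = "pre-authentication server address:s:$PreAuthUrl"
    Add-Check 'pre-authentication server address set' ($rdp -match [regex]::Escape($expected)) "$rdp"
    Add-Check 'require pre-authentication:i:1 set'    ($rdp -match 'require pre-authentication:i:1') ''
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Ok }) { exit 1 }
```

The script exits with code 1 if any check fails, so it can be run again after each correction until every row reports Ok = True.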

End user Desktop

Open Internet Explorer and go to Internet Options. Select Security and add the URL (https://rdweb.mideye.com) to Trusted sites.

Click Close and select Custom Level.

At the bottom of the list, select “Automatic logon with current user name and password”.

Troubleshooting

Contact Mideye support

For further support please contact Mideye support, support@mideye.com, +46854514750.