The purpose of this integration guide is to provide guidelines on how to integrate Mideye two-factor authentication with Remote Desktop Services using Microsoft ADFS and WAP.
Requirements and prerequisites
Mideye Server release 4.7.2 is required, but updating to the latest release 5 is recommended.
This guide assumes that there is already a functional RDS-environment installed with a Remote Desktop Gateway. Also, Microsoft ADFS and WAP must be functional and WAP must be a member of the domain.
Open the ADFS management console and navigate to “Relying Party Trusts” followed by “Add Relying Party Trust”.
Create the following Relying Party Trust:
A claims-aware relying party that is configured manually (without any metadata) and without support enabled for the WS-Federation Passive protocol or the SAML 2.0 WebSSO protocol. Add only a trust identifier, which should be the public DNS name of your RD gateway (e.g. https://rdweb.mideye.com).
Configure Active Directory Users and Computers
Add a service principal name (SPN) for the Web Application Proxy (WAP). This should be the same as the external DNS name for end users, in this scenario http/rdweb.mideye.com.
Add a delegation for the Web Application Proxy.
Configure Web Application Proxy (WAP)
Add a DNS record to the etc\hosts file. It should use the same DNS name as the external record, but on the WAP server it should point to the internal IP address of the RDWeb server.
Open the WAP console and click “Publish”. Select ADFS followed by Web and MSOFBA. Select the relying party created on the ADFS server and give the published application a friendly name, followed by the external DNS name and the internal DNS name. These should be the same, in this scenario https://rdweb.mideye.com. Select a valid certificate.
Next, on the WAP server, open an elevated PowerShell prompt and apply the following configuration:
Get-WebApplicationProxyApplication -Name "Remote Desktop Services 2019" | Set-WebApplicationProxyApplication -DisableHttpOnlyCookieProtection:$true
Replace the value of the -Name parameter with the name of the published web application.
Configure RDweb / RDgateway
Open IIS and navigate to the server and open “Authentication”. Set Windows authentication to “Enabled” and make sure that Forms Authentication is set to “Disabled”.
Open web.config located in C:\Windows\Web\RDWeb\Pages. Set the authentication mode to Windows and comment out the Forms authentication block:
<authentication mode="Windows" />
<!--
<authentication mode="Forms">
  <forms loginUrl="default.aspx" name="TSWAAuthHttpOnlyCookie" protection="All" requireSSL="true" />
</authentication>
-->
Disable the forms authentication module
<!--
<modules runAllManagedModulesForAllRequests="true">
  <remove name="FormsAuthentication" />
  <add name="RDWAFormsAuthenticationModule" type="Microsoft.TerminalServices.Publishing.Portal.FormAuthentication.TSDomainFormsAuthentication" />
</modules>
-->
Set windows authentication to true
<authentication>
  <windowsAuthentication enabled="true" />
  <anonymousAuthentication enabled="false" />
</authentication>
Save the file and open default.aspx located in C:\Windows\Web\RDWeb\Pages\en-US. Change:
public bool bShowPublicCheckBox = false, bPrivateMode = false, bRTL = false;
to
public bool bShowPublicCheckBox = false, bPrivateMode = true, bRTL = false;
Save the file and run iisreset from an elevated terminal.
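A post-edit check for the three web.config changes above, as an added example that is not part of the original guide or Mideye's own tooling: it parses the file and reports whether only Windows authentication is active. The function name Test-RDWebAuthConfig and the sample XML are constructed for illustration.

```powershell
# Added example: Test-RDWebAuthConfig is a hypothetical helper, not a built-in cmdlet.
function Test-RDWebAuthConfig {
    param([Parameter(Mandatory)][string]$Xml)

    # The [xml] cast throws on malformed markup (an unbalanced comment or tag),
    # which IIS would otherwise report as an HTTP 500 configuration error.
    $cfg = [xml]$Xml

    # local-name() keeps the queries valid whether or not the file declares a default namespace.
    # Commented-out elements are not part of the DOM, so only active settings are counted.
    $q = @{
        WindowsMode = "//*[local-name()='system.web']/*[local-name()='authentication'][@mode='Windows']"
        FormsMode   = "//*[local-name()='authentication'][@mode='Forms']"
        FormsModule = "//*[local-name()='modules']/*[local-name()='add'][@name='RDWAFormsAuthenticationModule']"
        IisAuth     = "//*[local-name()='authentication']" +
                      "[*[local-name()='windowsAuthentication'][@enabled='true']]" +
                      "[*[local-name()='anonymousAuthentication'][@enabled='false']]"
    }
    [pscustomobject]@{
        AspNetWindowsMode   = $cfg.SelectNodes($q.WindowsMode).Count -eq 1
        FormsModeDisabled   = $cfg.SelectNodes($q.FormsMode).Count -eq 0
        FormsModuleDisabled = $cfg.SelectNodes($q.FormsModule).Count -eq 0
        IisWindowsAuthOnly  = $cfg.SelectNodes($q.IisAuth).Count -ge 1
    }
}

# Constructed sample that mirrors the three edits in this guide (not a full RDWeb web.config).
$sample = @'
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <!-- <authentication mode="Forms"><forms loginUrl="default.aspx" /></authentication> -->
  </system.web>
  <system.webServer>
    <!-- <modules><add name="RDWAFormsAuthenticationModule" /></modules> -->
    <security>
      <authentication>
        <windowsAuthentication enabled="true" />
        <anonymousAuthentication enabled="false" />
      </authentication>
    </security>
  </system.webServer>
</configuration>
'@
Test-RDWebAuthConfig -Xml $sample

# Against the real file on the RDWeb server:
# Test-RDWebAuthConfig -Xml (Get-Content -Raw 'C:\Windows\Web\RDWeb\Pages\web.config')
```

All four properties should be True; any False value points at the edit that still needs correcting.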
Configure Connection Broker(s)
From the active connection broker, run the following command from an elevated PowerShell prompt. Replace the collection name and the pre-authentication server address with your own values.
Set-RDSessionCollectionConfiguration -CollectionName MideyeDev -CustomRdpProperty "pre-authentication server address:s:https://rdweb.mideye.com`nrequire pre-authentication:i:1"
End user Desktop
Open Internet Explorer and go to Internet Options. Select Security and add the URL to trusted sites (https://rdweb.mideye.com).
Click Close and select Custom Level.
At the bottom of the list, select automatic logon with current username and password.
Contact Mideye support
For further support please contact Mideye support, email@example.com, +46854514750.