RDS Remote Gateway -> NPS -> privacyIDEA

Hello,

I’m trying to integrate privacyIDEA into our RDS Remote Gateway NPS, but I can’t get it to work.

The configuration and policies for the authentication work, and OTP works, but not from an NPS server.

I followed the NPS configuration guide from NetKnights for Windows Server 2012, but on a Windows Server 2019. NPS 2012 for two factor authentication with privacyIDEA - NetKnights: IT-Security ~ Two Factor Authentication ~ Encryption

After a bit of Google searching, I found out that on Windows Server 2019 PAP is disabled by default, so I tried to activate it in the privacyIDEA Connection Request Policy, but there I'm not able to activate it as long as it is a Remote RADIUS Server. So I did it in the Network Policies.

When I now try to connect to the RDS farm from the Internet, the NPS rules do something, but not the correct thing. The privacyIDEA audit only shows something if I write my password without any OTP in the password field (wrong OTP PIN); with the OTP it just asks again for the correct password, and nothing pops up in the privacyIDEA audit.

Before I now try to capture the packets sent from the NPS to the privacyIDEA server (it's unfortunately on a Hyper-V cluster, so not just plug in and listen with Wireshark) and check whether the problem is there, I thought perhaps someone has solved this already.

I would like to do it this way so that only the RDS Remote Gateway gets MFA, and not the whole domain (computer login, Exchange, etc.).

I saw that there is an ADFS plugin, but as I understand it, it would do MFA for the whole domain?

Is this possible, or am I trying something that cannot work?

Best Regards

DNAcom
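To check the privacyIDEA RADIUS side on its own, independent of the NPS policies (the question the packet capture above would answer), here is an added example that is not from this thread or from the privacyIDEA project: it builds the RFC 2865 PAP Access-Request that NPS would have to forward and decodes the User-Password attribute back. The shared secret, user name, password and fixed request authenticator are constructed test values.

```python
# Added example (not from the thread): minimal RFC 2865 PAP Access-Request builder/parser.
import hashlib
import os
import struct

ACCESS_REQUEST, USER_NAME, USER_PASSWORD = 1, 1, 2

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encode_pap_password(secret: bytes, authenticator: bytes, password: str) -> bytes:
    # RFC 2865 5.2: NUL-pad to 16-byte blocks; c_i = p_i XOR MD5(secret + c_{i-1}),
    # with c_0 being the Request Authenticator.
    plain = password.encode()
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(plain), 16):
        prev = _xor(plain[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def decode_pap_password(secret: bytes, authenticator: bytes, encrypted: bytes) -> str:
    # Inverse of encode_pap_password; strips the NUL padding.
    out, prev = b"", authenticator
    for i in range(0, len(encrypted), 16):
        out += _xor(encrypted[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = encrypted[i:i + 16]
    return out.rstrip(b"\x00").decode()

def build_access_request(secret: bytes, username: str, password: str,
                         identifier: int = 1, authenticator: bytes = b"") -> bytes:
    # privacyIDEA reads "<PIN or password><OTP>" from User-Password; that attribute only
    # exists when the NAS/NPS hop allows PAP. A fixed authenticator is for tests only.
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for attr_type, value in ((USER_NAME, username.encode()),
                             (USER_PASSWORD, encode_pap_password(secret, authenticator, password))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet: bytes) -> dict:
    # Walk the TLV attribute list after the 20-byte header (code, id, length, authenticator).
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs
```

Sending the bytes from build_access_request over UDP to the privacyIDEA RADIUS port and getting an Access-Accept (code 2) shows that the backend and its policies accept PAP, which narrows the fault to the NPS hop.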

This does not work!

I think RDS in combination with NPS uses some kind of domain ticket creation. This will fail with 2FA.

You need to use the privacyIDEA Credential Provider on the terminal server behind the RD Gateway. Omit NPS.

Thank you for the fast response and the great suggestion.
I'll take a look at the privacyIDEA Credential Provider and try it next week.

Hi, it works on WinServ2019! We've tested it successfully. And yes, it is RD Gateway, not RDS.

1 Like