Hey all,
I'm trying to configure a minimal Remote Desktop Services (RDS) setup in my lab that integrates with Azure Multi-Factor Authentication (MFA), but I've hit a snag. Here's what I have:
- A Domain Controller with Entra Connect
- RD Connection Broker
- RD Session Host
- RD Gateway positioned in a DMZ
It works flawlessly when the NPS Extension is disabled. However, as soon as I enable it, I stop receiving the push notifications to approve in the Microsoft Authenticator app, even though push is my default MFA method.
Has anyone encountered something similar or have any suggestions on what I might be overlooking? I'd really appreciate any help!
1 Answer
It sounds like you might be experiencing a RADIUS timeout issue. The default timeout setting for the RD Gateway is typically too short for the complete Azure MFA process to work properly. You can check this by going to the RD Gateway Manager, right-clicking on your server, and selecting Properties. Under the RD CAP Store tab, if you have your NPS server listed there, try increasing the 'Number of seconds without response' to around 60 seconds. Also, ensure that your test user's account has the 'Control access through NPS Network Policy' option enabled in the properties. That’s a common thing that gets overlooked!
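As an added example (not part of the original answer), the same three checks in PowerShell, run elevated on the RD Gateway with the RSAT ActiveDirectory module installed. The NPS server name, the test account, the remote RADIUS group name and the 60-second value are assumptions; verify the CIM method and netsh parameter names on your own build before applying.

```powershell
# Added example, not from the original thread. Checks and raises the RADIUS
# timeouts that the Azure MFA NPS Extension needs, and verifies the test user's
# Dial-in setting. Assumed values below; adjust for your lab.

$NpsServer     = 'nps01.lab.local'   # assumed: NPS server running the MFA extension
$TargetTimeout = 60                  # seconds; long enough for a push approval
$TestUser      = 'alice'             # assumed test account
$RemoteGroup   = 'TS GATEWAY SERVER GROUP'   # default name created by the RD CAP Store wizard

# 1. RD Gateway Manager -> Properties -> RD CAP Store -> "Number of seconds
#    without response". The gateway stores this per central NPS server in the
#    Win32_TSGatewayRADIUSServer WMI class.
$ns     = 'root\cimv2\TerminalServices'
$radius = Get-CimInstance -Namespace $ns -ClassName Win32_TSGatewayRADIUSServer -ErrorAction Stop
foreach ($srv in $radius) {
    "RD CAP Store server {0}: timeout {1}s" -f $srv.Name, $srv.Timeout
    if ($srv.Timeout -lt $TargetTimeout) {
        # Method/argument name assumed from the class definition; confirm with
        # (Get-CimClass -Namespace $ns -ClassName Win32_TSGatewayRADIUSServer).CimClassMethods
        Invoke-CimMethod -InputObject $srv -MethodName SetTimeout `
            -Arguments @{ Timeout = [uint32]$TargetTimeout } | Out-Null
        "  -> raised to {0}s" -f $TargetTimeout
    }
}

# 2. NPS on the gateway forwards to a Remote RADIUS Server Group; its
#    "without response" and "unavailable" intervals default to 30s and must
#    also be long enough for the push round trip. Parameter names assumed;
#    check with: netsh nps add remoteserver help
"Current remote RADIUS servers:"
netsh nps show remoteserver | Select-String -Pattern 'Group|Address|Timeout|Blackout'
netsh nps set remoteserver group = "$RemoteGroup" address = "$NpsServer" `
    timeout = $TargetTimeout blackout = $TargetTimeout

# 3. User's Dial-in tab: "Control access through NPS Network Policy" is the
#    state in which msNPAllowDialin is NOT set (TRUE = Allow, FALSE = Deny).
Import-Module ActiveDirectory
$u = Get-ADUser -Identity $TestUser -Properties msNPAllowDialin
if ($null -eq $u.msNPAllowDialin) {
    "$TestUser : access controlled through NPS Network Policy (OK)"
} else {
    "$TestUser : msNPAllowDialin = $($u.msNPAllowDialin); clearing so the NPS policy applies"
    Set-ADUser -Identity $TestUser -Clear msNPAllowDialin
}
```

Re-run the first two sections after the change and confirm both read back 60; a push that arrives but cannot be approved before the gateway gives up shows up in the NPS event log as a timed-out or discarded request rather than a denied one, which is the symptom to look for.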

Thanks for the tip! I’ll give that a shot tomorrow. I came across info about needing two separate NPS servers—do you think it would work just fine with one on the same VM as the RD Gateway?