How to Protect RD Web Access with 2FA

Note: This integration does not support the use of Push. You will need to use OTP.

Requirements

  • Windows Server 2008 R2, 2012, or 2012 R2 with RD Web Access configured and working.
  • A working Passly tenant.

Introduction

Formerly called TSWeb, RD Web Access is Microsoft’s web portal solution that allows you to publish applications over the web using RD RemoteApp. Imagine needing to open an Office document at home, only to find you do not have the same version you have at work. Or needing to work on your Simply Accounting journal entries without time to drive into the office. With RD Web, that isn’t a problem.

Obviously, this can be a great risk to your business. Allowing applications to run remotely from the web is only as secure as the password protecting them. Someone who is able to share, steal or circumvent a password can gain complete access to the application and, more importantly, the data, while impersonating you.

One way to reduce this risk is to enforce a requirement for the user to prove their identity through strong two-factor authentication (2FA). And this is where Passly Two Factor Auth comes in.

When a user browses to the RD Web Portal, they are prompted for their usual domain credentials along with their next Passly passcode. In this way, you gain the benefit of identity assurance while keeping the same business workflow you had before for RD Web Access. Below is a picture showing this in action:

[Screenshot: RD Web logon page with the Passly passcode field]

Of course, our RDWeb Logon Agent can also make risk-based authentication decisions. You can selectively decide whether certain users can gain access without a Passly Two Factor Auth credential. In this way, you have the fine-grained control you need to roll out strong authentication to your remote users in a staged manner.

Configuring RD Web Access to support Passly Two Factor Authentication

Note: Before attempting this integration ensure all configuration files are first backed up.

Step 1 – Download the component for your version: 

Step 2 – Back up the existing RD Web login.aspx page, located by default at C:\Windows\Web\RDWeb\Pages\en-US\login.aspx

Step 3 – Edit sasURL, siteID, ipWhiteList, and usersNotRequiring2FA variables at the top of login.aspx to match your network’s settings.

Note: The usersNotRequiring2FA variable is a comma-separated list of usernames; each entry must match the user’s Active Directory username (without the domain portion).

Note: ipWhiteList is a comma-separated list of IPv4 ranges in CIDR format, e.g. 192.168.1.0/24 will whitelist the whole 192.168.1.0/24 network.

Step 4 – Copy the AuthAnvil.dll file to the RD Web Logon Site’s bin directory, located by default at: C:\Windows\Web\RDWeb\Pages\Bin

Note: Ensure that the AuthAnvil.dll file is not a blocked DLL. Right-click on the DLL, select Properties, and at the bottom of the dialog box click “Unblock”.

Step 5 – Replace the existing RD Web login.aspx page with the login.aspx page from the RD Web Logon Agent Package.

Note: When copying the RD Web Logon Agent files into the appropriate directories, ensure that the logon agent files are set to inherit NTFS permissions.

Step 6 – Navigate to the RD Web logon page, and log in using your Active Directory username (which must match your Passly username), Active Directory password, and Passly passcode.

Note: The RDWeb Logon Agent will automatically strip the domain portion of the username before attempting a Passly authentication, so the domain does not affect authentication; i.e. “DOMAIN\username” will authenticate to Passly 2FA as “username”.
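Before going live, it is worth checking exactly which logons the Step 3 settings will exempt from the passcode prompt. The following Python script is an added example, not code from the RD Web Logon Agent: it assumes the agent matches exempt usernames case-insensitively after stripping the domain (as in Step 6) and tests the client address against each CIDR entry, and it uses constructed sample values for ipWhiteList and usersNotRequiring2FA.

```python
import ipaddress

# Constructed sample values standing in for the variables at the top of login.aspx.
IP_WHITE_LIST = "192.168.1.0/24, 10.0.0.0/8"
USERS_NOT_REQUIRING_2FA = "svc_backup, kiosk"


def parse_whitelist(csv: str):
    """Turn the comma-separated CIDR string into network objects.

    strict=False lets an entry with host bits set (e.g. 192.168.1.5/24)
    resolve to the intended network instead of raising an error.
    """
    nets = []
    for item in csv.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def strip_domain(username: str) -> str:
    """Mirror the agent's behaviour: 'DOMAIN\\user' authenticates to Passly as 'user'."""
    if "\\" in username:
        username = username.rsplit("\\", 1)[1]
    return username.strip()


def exempt_users(csv: str):
    """Active Directory usernames are case-insensitive, so compare lower-cased entries."""
    return {u.strip().lower() for u in csv.split(",") if u.strip()}


def whitelist_size(csv: str) -> int:
    """Total number of addresses the whitelist exempts from 2FA.

    A quick sanity check that an overly broad range was not entered by mistake.
    """
    return sum(net.num_addresses for net in parse_whitelist(csv))


def requires_2fa(username: str, client_ip: str,
                 whitelist: str = IP_WHITE_LIST,
                 exempt: str = USERS_NOT_REQUIRING_2FA) -> bool:
    """Return True when this logon would be asked for a Passly passcode (assumed rules)."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in parse_whitelist(whitelist)):
        return False  # whitelisted source address: password only
    return strip_domain(username).lower() not in exempt_users(exempt)
```

Running whitelist_size against your own ipWhiteList value makes a mistyped /8 obvious before it silently turns off 2FA for millions of addresses.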
