Share via

RDS Deployment NPS MFA Extension

GreenZebra112 1 Reputation point
2021-08-09T22:43:24.037+00:00

I’m new to using NPS server.

I’m trying to secure our RDS deployment with Azure MFA. It appears this requires a minimum of 2 NPS servers; the initial proxy NPS server is installed on the RD Gateway and is configured to point to a central store NPS which is where the NPS extension for Azure AD is installed.

I’ve got this part working now in a test environment, but I’d like to avoid forcing MFA on all users at once, and roll this out more gradually.
Per the documentation, it looks like all the RDS authentication that goes through the NPS server where the extension is installed must be MFA. I thought I could then use the proxy NPS server to direct some users to another backend NPS server for normal AD authentication. I haven’t been able to figure out how to point some users toward a different NPS server based on AD group membership.

How can I configure NPS/RD Gateway to direct users to different NPS servers based on AD group membership?

Or is this only solvable using conditional access policies?

Windows for business | Windows Client for IT Pros | User experience | Remote desktop services and terminal services
Microsoft Security | Microsoft Entra | Microsoft Entra ID
Windows for business | Windows Server | User experience | Other
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Limitless Technology 45,156 Reputation points
    2021-08-16T18:13:32.683+00:00

    Hello there,

    Remote Desktop connection authorization policies (RD CAPs) specify the requirements for connecting to a Remote Desktop Gateway server. RD CAPs can be stored locally (default) or they can be stored in a central RD CAP store that is running NPS. To configure integration of Azure AD MFA with RDS, you need to specify the use of a central store.

    On the RD Gateway server, open Server Manager.

    On the menu, click Tools, point to Remote Desktop Services, and then click Remote Desktop Gateway Manager.

    In the RD Gateway Manager, right-click [Server Name] (Local), and click Properties.

    In the Properties dialog box, select the RD CAP Store tab.

    On the RD CAP Store tab, select Central server running NPS.

    In the Enter a name or IP address for the server running NPS field, type the IP address or server name of the server where you installed the NPS extension.

    Enter the name or IP Address of your NPS Server

    Click Add.

    In the Shared Secret dialog box, enter a shared secret, and then click OK. Ensure you record this shared secret and store the record securely.

    Hope this solve your issue please upvote it,

    Thanks
    Sridhar M

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.