Two-Factor Authentication (2FA) for RD Gateway

When users connect to a Remote Desktop Service, Two-Factor Authentication (2FA) is essential to protect their business resources. Installing miniOrange Two-Factor Authentication (2FA) for Windows Logon adds two-factor authentication to Windows login attempts over RDP in a safe and simple manner.


A user can connect to RDS (Remote Desktop Services) in two ways:

  1. RDC - Remote Desktop Client:
    If the RemoteApp is launched through a Remote Desktop client application, users validate their two-factor authentication (2FA) while they enter the username and password to get access to the resources. (Because this method doesn't support the access-challenge response, only out-of-band authentication methods are supported.)
  2. RD WebAccess - RD login page via browser:
    If the desktop or RemoteApp is launched through an RD Web Login page, the initial user authentication is done against the machine's AD, after which miniOrange challenges the user for two-factor authentication (2FA) via a RADIUS challenge request. After the users correctly authenticate themselves, they get connected to their resources.

Authentication Flow:

  1. The user attempts to access a remote machine using the Remote Desktop Client with a username and password.
  2. The username and password are verified against Active Directory. (First Factor Authentication)
  3. A RADIUS request is sent from the RD Gateway to the Network Policy Server (NPS).
  4. Based on the policies defined in the NPS, the RADIUS request is forwarded to the RADIUS server (miniOrange server) for validation.
  5. miniOrange receives the RADIUS request and sends an out-of-band request to the user's device.
  6. The user validates the out-of-band request (Email, SMS, Push Notification). On success, miniOrange sends a success response back to the NPS server.
  7. The NPS server passes the response on to the RD Gateway.
  8. The user is granted access to the remote machine.
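
Steps 3 to 6 depend on the RADIUS shared secret held by both the NPS and the RADIUS server. The following added example (not miniOrange or Microsoft code) builds an RFC 2865 Access-Request and shows how the receiver of a reply checks its Response Authenticator with that secret; the user name, identifier and secret values are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types as defined in RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, CALLED_STATION_ID = 1, 30


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value (Length includes the 2-byte header)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_request(ident: int, user: str, station: str) -> bytes:
    """Access-Request: Code, Identifier, Length, 16 random bytes (Request Authenticator), attributes."""
    attrs = attr(USER_NAME, user.encode()) + attr(CALLED_STATION_ID, station.encode())
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + os.urandom(16) + attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    digest = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + digest + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: recompute the authenticator with the locally configured secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False  # too short, or Identifier does not match the request
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False  # Length field disagrees with the bytes received
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed value, not from the guide
    req = build_request(7, "alice", "UserAuthType:PW")  # constructed user and identifier
    accept = build_response(ACCESS_ACCEPT, req, secret)
    print("matching secret:  ", verify_response(accept, req, secret))
    print("mismatched secret:", verify_response(accept, req, b"typo-in-secret"))
    # A reject whose code byte is rewritten to "accept" no longer verifies.
    forged = bytes([ACCESS_ACCEPT]) + build_response(ACCESS_REJECT, req, secret)[1:]
    print("tampered code:    ", verify_response(forged, req, secret))
```

Under RFC 2865 a reply that fails this check is silently discarded, so a secret that differs between the two sides shows up as a logon that times out rather than as an explicit error.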

Integrate hassle-free MFA to stop password-based attacks. Your IT gets added security, and users get easy access to the apps and endpoints they need — with just their domain credentials. Always verify identities before allowing access to endpoints for increased identity assurance and reduced risk and exposure. miniOrange Credential Providers can be installed on Microsoft Windows client and server operating systems to add two-factor Authentication to Remote Desktop. In this way you can get access to our 2FA solution for RD Gateway.

miniOrange supports the following authentication methods for 2FA:

Authentication Type | Method | Supported
miniOrange Authenticator | Soft Token |
 | miniOrange Push Notification |
SMS | SMS with Link |
Email | Email with Link |

Get Free Installation Help - Book a Slot

miniOrange offers free help through a consultation call with our System Engineers to install or set up the Two-Factor Authentication for RD Gateway solution in your environment with a 30-day trial.

To book a slot, just send us an email at idpsupport@xecurify.com and we'll help you set it up in no time.


Follow the Step-by-Step Guide given below to configure 2FA for RD Gateway

1. Configure RD Gateway

  • Open the RD Gateway Manager from your Start Menu.
  • Right click on your RD server in the left sidebar and click on Properties.
  • Select the RD CAP Store tab.
  • Select the Central server running NPS radio button, enter the IP address of the miniOrange RADIUS server, and press the Add button.
  • Enter the DNS name radius.xecurify.com as the Host and configure the Shared secret. Remember this shared secret, as it will be required later in the setup.
  • Click the Apply button and then click the OK button.
  • Open the Network Policy Server manager
  • Expand RADIUS Clients and Servers in the left sidebar
  • Select Remote RADIUS Server
  • Right click on TS GATEWAY SERVER GROUP and click on Properties
  • Select your RADIUS server and press Edit.
  • Select the Load Balancing tab and set the timeout settings to 120 seconds
  • Click on the Apply button and then click the OK button to close the dialog
  • Expand Policies in the left sidebar and click on Connection Request Policies
  • Right click on TS GATEWAY AUTHORIZATION POLICY and click on Properties
  • Click on Settings tab and select Authentication and ensure that it’s set to Forward requests to the remote RADIUS server
  • Click on Policies –> Network Policies.
  • Double click on your RDG CAP policy
  • Click on the Conditions tab
  • Select the Called Station ID attribute and press the Edit… button
  • Set the value to UserAuthType:(PW|CA)
  • Click on the OK button and click on the Apply button

2. Add RADIUS Client in miniOrange

  • Login to miniOrange dashboard from the Admin Console.
  • Go to Apps >> Manage Apps. Click on Add Application button.
  • Choose RADIUS as Application type and click on Create App button.
  • Configure the details below to add the RADIUS client.
    Client Name: Any name for your reference.
    Client IP: IP address of the VPN server which will send the RADIUS authentication request.
    Shared Secret: Security key, e.g. "sharedsecret". (Keep this with you; you will need to configure the same on the VPN server.)
    Include Password & OTP in same Request: Check this option for clients which take the password and the OTP in the same request. Otherwise keep it unchecked.
    Send Groups in Response: Enable this to send user groups as Vendor-Specific Group Attributes.
  • Configure the following policy details for the RADIUS app.
    Group Name: Group for which the policy will apply.
    Policy Name: Any identifier that specifies the policy name.
    Login Method: Login method for the users associated with this policy.
    Enable 2-Factor Authentication: Enables the second factor during login for users associated with this policy.
    Enable Adaptive Authentication: Enables Adaptive Authentication for login of users associated with this policy.
  • Click on Save.

3. Configure 2FA for miniOrange Admin Dashboard and RD Gateway

3.1: Configure 2FA for miniOrange Admin Dashboard.

  • From your miniOrange Dashboard, select 2-Factor Authentication in the left navigation bar and click on Configure 2FA.

    Note: We only support OUT OF BAND methods for MFA over RD Gateway.

  • Choose any OUT OF BAND methods you want to configure.
  • Let's say you want to configure OTP over SMS
  • Click on OTP over SMS
  • Now add your mobile number on which you want to receive the OTP.
  • Then click on Save.
  • OTP over SMS is now shown as your Active 2FA method.
  • Enable Prompt for second factor during signin to your console.
  • Then click on Save.
  • To verify the configuration, log in again.
  • You will be asked for your username and password and then redirected to the OTP verification page.
  • Enter the OTP received on the phone and click on Verify.
  • If you are redirected to your dashboard, you have successfully configured OTP over SMS as your 2FA method.
  • Similarly, you can configure the rest of the 2FA methods for the miniOrange dashboard.

3.2: Enable 2FA for Users of RD Gateway.

  • To enable 2FA for users of the RD Gateway application, go to Policies >> App Authentication Policy.
  • Click on Edit against the configured application
  • Enable the Enable 2-Factor Authentication (MFA) option.
  • Click on Save.

4. Test Your Setup

  • Open Remote Desktop settings. Go to the Advanced tab and click on Settings. Choose the radio button labelled Use these RD Gateway Settings.
  • Enter your Computer Name/Address and the User Name.
  • Enter the Password for RD Gateway.
  • You will receive a Notification or message. If you Accept it, then you will be logged in successfully.
