
How to setup Two-Factor Authentication (2FA/MFA) for Windows Logon & RDP



With the pace of password-based security breaches, simply using usernames and passwords to secure a Windows login is no longer an option. That is why it has become necessary to add a second layer of two-factor authentication to filter out unauthorized users. miniOrange's Two-Factor Authentication solution for Windows logon prevents these password-based breaches and adds an additional layer of security to your Microsoft Windows account login.

Enabling Windows 2FA/MFA always verifies identities before allowing access, making it harder for unauthorized users to gain access to your Microsoft Windows account. The miniOrange Credential Provider can be installed on Microsoft Windows client and server operating systems to enable two-factor authentication for Remote Desktop (RDP) and local Windows logon.
The Windows 2FA solution also handles user management with Microsoft Active Directory or an LDAP directory. With this 2FA/MFA solution, users get easy access to the endpoints they need while identity assurance goes up and risk and exposure go down. You can also enable offline access for secure authentication. With miniOrange's advanced MFA solution, organizations get secure access to all work applications, for all their users, from anywhere, on any device they choose.





miniOrange 2FA Credential Provider for Windows Logon and Remote Desktop (RDP) access supports the following Multi-Factor Authentication (MFA) methods:

  Authentication Type        Method
  ------------------------   ------------------------------
  miniOrange Authenticator   Soft Token
                             miniOrange Push Notification
  Mobile Token               Google Authenticator
                             Microsoft Authenticator
                             Authy Authenticator
  SMS                        OTP Over SMS
                             SMS with Link
  Email                      OTP Over Email
                             Email with Link
  Call Verification          OTP Over Call
  Hardware Token             Yubikey Hardware Token
                             Display Hardware Token

System Requirements for miniOrange Two-Factor Authentication (2FA / MFA) Credential Provider

miniOrange Credential Provider for Windows Logon and RDP Access supports both client and server operating systems.

Supported Microsoft Windows client versions:

  • Windows 7 SP1
  • Windows 8.1
  • Windows 10
  • Windows 11

Supported Windows Server versions (GUI and Core installs):

  • Windows Server 2008 R2 SP1
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

miniOrange Two-Factor Authentication (2FA/MFA) Credential Provider for Windows Logon also requires .NET Framework 4.5 or later. If the required .NET version is not present on your system, the miniOrange Credential Provider setup prompts you to install the .NET Framework.

miniOrange 2-Factor Authentication (2FA/MFA) Credential Provider can also be installed via Group Policy software publishing and Group Policy administrative templates.

Get Free Installation Help - Book a Slot

miniOrange offers free help through a consultation call with our System Engineers to install or set up the Two-Factor Authentication (2FA) for Windows Logon and RDP solution in your environment, with a 30-day trial.

To book a slot, just send us an email at idpsupport@xecurify.com and we'll help you set it up in no time.



How Windows Logon 2FA Works

[Figure: Windows 2FA/MFA login architecture flow]

Prerequisites

Step by step guide to setup Two-Factor Authentication (2FA/MFA) for Windows Logon

1. Download 2FA Module

2. Setup your miniOrange dashboard for Windows 2FA

In this step, we are going to set up your 2FA preferences, such as:

  • Which users should be asked for 2FA during Windows logon.
  • Which 2FA methods they can use.

2.1 Adding app and policy for 2FA

  • Log in to the miniOrange Admin Console.
  • Go to Apps and click on the Add Application button.
    [Screenshot: Windows login 2FA/MFA add app]
  • In Choose Application Type, click on the Create App button under the Desktop application type.
    [Screenshot: Windows login 2FA/MFA select Desktop as application type]
  • Add the Windows app on miniOrange.
    [Screenshot: RDP 2FA/MFA add Windows App]
  • Add an App Name.
    [Screenshot: Windows and RDP Two-Factor Authentication (2FA/MFA) mention app name]
  • Select Login Method as Password and enable 2-Factor Authentication (2FA).
    [Screenshot: Windows Remote Desktop Protocol (RDP) 2FA/MFA: Add Policy]
  • Click on Save.

2.2 Choose which 2FA options the users can use

3. Setup miniOrange Two-Factor Authentication (2FA/MFA) Credential Provider for Windows Logon

  • Go to the folder where you downloaded the mOCredentialProvider.msi file. Double-click it to open the installation window and follow the instructions to install it.
  • Go to C:\Program Files\miniOrangeCredProviderInstaller and open the Configuration.exe file.
    [Screenshot: Windows 2FA/MFA configure credential provider]
  • Make sure the "miniOrange service" status is Running and that, in the "Credential Provider/GINA status" section, both "Registered" and "Enabled" are "Yes".
    [Screenshot: Two-Factor Authentication (2FA/MFA) for Windows Logon RDP status run]
  • Copy the customer details.
    • If you are using our miniOrange Cloud IDP server:
      Log in to the miniOrange console with your customer account and go to "Product settings". Copy the "Customer Key" and "Customer API Key" and keep them with you.
      [Screenshot: Windows RDP Two-Factor Authentication (2FA/MFA) mo setting]
    • If you are using an on-premise IDP server:
      Log in to your on-premise IDP server account and go to the "Product settings" section. Copy the "Server Base URL", "Customer Key", and "Customer API Key" and keep them with you.
      [Screenshot: Two-Factor Authentication (2FA/MFA) for Windows Logon RDP on-premise setting]
  • Double-click on miniOrange machine and add these details:
    • Customer ID
    • API Key
    • Name of the application that was created in miniOrange.
    [Screenshot: Windows Remote Desktop Two-Factor Authentication (2FA/MFA) plugin configuration]
  • If you are using domain-joined machines, click on the Domain User Login plugin in the Plugin Selection window.
    [Screenshot: Windows Two-Factor Authentication (2FA/MFA) change ldap domain]
  • Set these values and click on Save:
    Login Behaviour - Automatically Add Domain
    Domain - Your AD domain
    [Screenshot: Two-Factor Authentication (2FA/MFA) for Windows Logon login selection]
  • Make sure the Gateway box is checked.
    [Screenshot: Two-Factor Authentication (2FA/MFA) for Windows Logon check gateway box]

4. Test miniOrange Credential Provider 2FA Setup

We'll do a simple test to see how the 2FA prompt shows up on your logon screen and to check that everything was configured correctly.

  • Run the command "MFAAuthnPrompt.exe " and replace with your Windows username.

    Note: The username you enter must exist and must be the same in Windows and in the user list of your miniOrange account. Don't pass the domain name when adding the username to the command.

    [Screenshot: Windows 2FA/MFA Authentication Prompt]

  • The following Two-Factor Authentication (2FA) prompt will be displayed. The 2FA options shown to each user depend on the ones you enabled in step 2 and the ones configured by the user.
  • Select your 2FA method and click on "Next".
    [Screenshot: Windows 2FA/MFA Choose your authentication method]
  • Enter the OTP on the next screen, based on the option you selected.
    [Screenshot: Windows 2FA/MFA Enter OTP]
  • Try a Windows/RDP logon with miniOrange MFA as shown below.
    [Screenshot: Windows 2FA/MFA sign into windows rdp]
  • After successful authentication, it will prompt for Two-Factor Authentication (2FA). Select the 2FA method and click Next.
    [Screenshot: Windows 2FA/MFA OTP over email]
  • Enter your OTP and click on Next as shown in the screenshot. After successful OTP validation, the user is logged into the Windows machine.
    [Screenshot: Windows 2FA/MFA enter email otp]

5. Setup Credential Provider Group Policy for Windows

Group Policy provides centralized management and configuration of operating systems, applications, and user settings in an Active Directory environment. A set of Group Policy configurations is called a Group Policy Object (GPO).

Network administrators have one place where they can configure a variety of Windows settings for every computer on the network.

We use a GPO to simplify installation of the credential provider software and to propagate its Windows registry settings in one go to each computer joined to the domain.

Follow these steps to set up the miniOrange Multi-Factor Authentication (2FA/MFA) Credential Provider Group Policy:

  • Search for "Computer Management" in the programs search and open it. Go to "Shared Folders -> Shares".
    [Screenshot: Two-Factor Authentication (2FA/MFA) for Windows Logon RDP go to shared folders]
  • Right-click in the "Shares" section area and click on "New" in the list, as shown in the screenshot.
    [Screenshot: Windows Two-Factor Authentication (2FA/MFA) new shared folder]
  • Click "Next" in the newly opened Shared Folder Wizard.
    [Screenshot: Windows RDP Two-Factor Authentication (2FA/MFA) shared folder wizard]
  • Click on the "Browse" button.
    [Screenshot: Windows Logon 2FA/MFA browse package]
  • Browse to the folder on the system where "mOCredentialProvider.msi" resides and select that folder.
    [Screenshot: Windows Remote Desktop 2FA/MFA select package folder]
  • Click on "Next".
    [Screenshot: Windows Remote Desktop 2FA/MFA click next]
  • Provide a description of the folder being shared and click on "Next".
    [Screenshot: Two-Factor Authentication (2FA/MFA) for Windows Logon RDP - Windows Credential Provider shared folder description]
  • Select the permissions of your choice for the folder being shared.
    [Screenshot: Windows Logon and RDP 2FA/MFA]
  • Sharing of the folder is successful. Click on "Finish".
    [Screenshot: Windows Logon and RDP 2FA/MFA shared folder successful]
  • Go to the shared folder on your system, right-click the "mOCredentialProvider.msi" file and select "Share with -> Specific people".
    [Screenshot: Two-Factor Authentication (2FA/MFA) for Windows Logon RDP - Windows Credential Provider share with specific people]
  • Make sure the file is shared with the "Administrator" users of your domain as well as with the user on the Windows computer on which you are going to create the Group Policy Object.
    [Screenshot: Windows Logon and RDP 2FA/MFA share with administrator]

  • Open "Administrative Tools -> Group Policy Management". Right-click on your domain and select the "Create a GPO in this domain, and Link it here..." option.
    [Screenshot: Windows Remote Desktop 2FA/MFA create GPO]
  • Provide a name for the GPO and click on "OK".
    [Screenshot: Windows RDP 2FA/MFA provide GPO name]
  • You can add or remove specific users, groups and machines of your domain in the highlighted section. This lets you apply the Group Policy to a specific set of users, groups and computers.
    [Screenshot: Windows Remote Desktop Two-Factor Authentication (2FA/MFA) assign users to GPO]
  • Right-click on the newly created GPO and select "Edit" from the menu.
    [Screenshot: Windows Two-Factor Authentication (2FA/MFA) edit GPO]
  • A new window opens for editing the GPO; edit it as described in the following steps.
    [Screenshot: Windows RDP 2FA/MFA GPO edit window]
  • Expand "Policies -> Software Settings" under Computer Configuration.
    [Screenshot: Two-Factor Authentication (2FA/MFA) for Windows: GPO policies settings]
  • Go to the shared folder on your system.
    [Screenshot: Two-Factor Authentication (2FA/MFA) for Windows Logon RDP Windows Credential Provider GPO select shared folder]
  • Right-click the shared folder "mOCredentialProvider" and select "Properties" from the list.
    [Screenshot: Windows Two-Factor Authentication (2FA/MFA) GPO shared folder properties]
  • Go to the "Sharing" tab of the Properties window and copy the "Network path".
    [Screenshot: Windows RDP 2FA/MFA GPO copy network path]
  • Right-click in the "Software Installation" section area and select "New -> Package" from the list.
    [Screenshot: Two-Factor Authentication (2FA/MFA) for Windows Logon RDP Credential Provider GPO new package]
  • Provide the path copied in the step above.
    [Screenshot: Windows Remote Desktop Two-Factor Authentication (2FA/MFA) GPO paste path]
  • Select the "mOCredentialProvider.msi" file from the shared folder.
    [Screenshot: Windows RDP 2FA/MFA GPO select mo-package]
  • Select "Assigned" and click on "OK" in the window.
    [Screenshot: Windows Remote Desktop 2FA/MFA GPO mo-package assigned]
  • Double-click on the "miniOrangeCredProviderInstaller" package.
    [Screenshot: Two-Factor Authentication (2FA/MFA) for Windows Logon and RDP Windows Credential Provider GPO mo-package properties]
  • Go to the "Deployment" tab and click on the "Advanced" button.
    [Screenshot: Windows RDP 2FA/MFA GPO mo-package deployment]
  • Enable the "Ignore language when deploying this package" checkbox in the Advanced deployment options section and click on "OK".
    [Screenshot: Windows RDP Two-Factor Authentication (2FA/MFA) GPO ignore language]
  • Click on "Apply" and then "OK" to close the Properties window.
    [Screenshot: Windows RDP 2FA/MFA GPO apply mo-package properties]

  • Expand "Preferences -> Registry" under Computer Configuration.
    [Screenshot: Windows RDP Two-Factor Authentication (2FA/MFA) GPO registry preferences]
  • Right-click on "Registry" and select "New -> Registry Wizard" from the list.
    [Screenshot: Windows Two-Factor Authentication (2FA/MFA) GPO new registry]
  • Select "Local Computer", since the miniOrangeCredProviderInstaller package is installed on this Windows machine. Click on "Next".
    [Screenshot: Windows 2FA/MFA GPO local machine registry]
  • Expand the "HKEY_LOCAL_MACHINE" folder.
    [Screenshot: Windows Logon and RDP 2FA/MFA GPO registry folder]
  • Go to "SOFTWARE -> pGina3" under "HKEY_LOCAL_MACHINE".
    [Screenshot: Windows RDP Two-Factor Authentication (2FA/MFA) GPO software folder]
  • Enable the checkboxes for all the options present in the "pGina3" folder and click "Finish".
    [Screenshot: Windows Remote Desktop Two-Factor Authentication (2FA/MFA) GPO enable pgina options]
  • Expand the "First Registry Wizard Values" folder, go to "HKEY_LOCAL_MACHINE -> SOFTWARE -> pGina3" and make sure all selected options are present.
    [Screenshot: Windows Two-Factor Authentication (2FA/MFA) GPO expand first registry]
  • Repeat the same three steps (new Registry Wizard, select the values, verify them). Go to the "SOFTWARE -> pGina3 -> Plugins -> 0f52390b-c781-43ae-bd62-553c77fa4cf7" folder.
    [Screenshot: Two-Factor Authentication (2FA/MFA) for Windows Logon RDP GPO second plugin]
  • Enable the checkboxes for all options except the "SearchPW" option and click on "Finish".
    [Screenshot: Windows 2FA/MFA GPO disable searchpw]
  • Expand the "Second Registry Wizard Values" folder, go to "HKEY_LOCAL_MACHINE -> SOFTWARE -> pGina3 -> Plugins -> 0f52390b-c781-43ae-bd62-553c77fa4cf7" and make sure all selected options except "SearchPW" are present.
    [Screenshot: Windows RDP 2FA/MFA GPO expand second registry]
  • Repeat the same three steps. Go to the "SOFTWARE -> pGina3 -> Plugins -> 12fa152d-a2e3-4c8d-9535-5dcd49dfcb6d" folder as shown in the screenshot. Enable the checkboxes for all options and click on the "Finish" button.
    [Screenshot: Two-Factor Authentication (2FA/MFA) for Windows Logon RDP - Windows Credential Provider GPO third plugin]
  • Expand the "Third Registry Wizard Values" folder, go to "HKEY_LOCAL_MACHINE -> SOFTWARE -> pGina3 -> Plugins -> 12fa152d-a2e3-4c8d-9535-5dcd49dfcb6d" and make sure all selected options are present.
    [Screenshot: Windows Remote Desktop 2FA/MFA expand third registry]
  • Repeat the same three steps. Go to the "SOFTWARE -> pGina3 -> Plugins -> 81f8034e-e278-4754-b10c-7066656de5b7" folder as shown in the screenshot. Enable the checkboxes for all options except the "Password" option and click on the "Finish" button.
    [Screenshot: Windows Logon 2FA/MFA GPO fourth plugin]
  • Expand the "Fourth Registry Wizard Values" folder, go to "HKEY_LOCAL_MACHINE -> SOFTWARE -> pGina3 -> Plugins -> 81f8034e-e278-4754-b10c-7066656de5b7" and make sure all selected options except "Password" are present.
    [Screenshot: Windows Logon and RDP 2FA/MFA GPO expand fourth registry]
  • Repeat the same three steps. Go to the "SOFTWARE -> pGina3 -> Plugins -> ffd3547a-c950-4ef4-bb0e-b6523965c021" folder as shown in the screenshot. Enable the checkboxes for all options and click on the "Finish" button.
    [Screenshot: Windows RDP 2FA/MFA GPO fifth plugin]
  • Expand the "Fifth Registry Wizard Values" folder, go to "HKEY_LOCAL_MACHINE -> SOFTWARE -> pGina3 -> Plugins -> ffd3547a-c950-4ef4-bb0e-b6523965c021" and make sure all selected options are present.
    [Screenshot: Windows RDP Two-Factor Authentication (2FA/MFA) GPO expand fifth registry]
  • The Group Policy settings will be applied to the computers once they are restarted. You can also force a Group Policy push by running the command from a command prompt window.
    NOTE: Log in to the other domain-joined Windows computer on which you want to apply these Group Policy settings.
    [Screenshot: Windows login Two-Factor Authentication (2FA/MFA) GPO apply grp policies]

6. Configure Your User Directory (Optional)

miniOrange can authenticate users against various external sources: directories (such as ADFS, Microsoft Active Directory, Azure AD, OpenLDAP, Google, AWS Cognito), identity providers (such as Okta, Shibboleth, Ping, OneLogin, KeyCloak), databases (such as MySQL, MariaDB, PostgreSQL) and more. You can configure your existing directory/user store or add users directly in miniOrange.

There are two ways to add your users in miniOrange:

1. Create a user in miniOrange

  • Click on Users >> User List >> Add User.
    [Screenshot: 2FA/MFA for Windows Logon and RDP - Windows Credential Provider: Add user in miniOrange]
  • Fill in the user details without the password and then click on the Create User button.
    [Screenshot: 2FA/MFA for Windows Logon and RDP - Windows Credential Provider: Add user details]
  • After successful user creation, the notification "An end user is added successfully" is displayed at the top of the dashboard.
    [Screenshot: 2FA/MFA for Windows Logon and RDP - Windows Credential Provider: User created]
  • Click on the On Boarding Status tab. Check the entry with the registered e-mail id, select the action Send Activation Mail with Password Reset Link from the Select Action dropdown list and then click on the Apply button.
    [Screenshot: 2FA/MFA for Windows Logon and RDP - Windows Credential Provider: Select email action]
  • Now open your mailbox, open the mail from miniOrange and click on the link to set your account password.
  • On the next screen, enter the password and confirm password and then click on the Single Sign-On (SSO) reset password button.
    [Screenshot: 2FA/MFA for Windows Logon and RDP - Windows Credential Provider: Reset user password]
  • Now you can log in to your miniOrange account with your credentials.

2. Bulk upload users in miniOrange via a CSV file

  • Navigate to Users >> User List. Click on the Add User button.
    [Screenshot: 2FA/MFA for Windows Logon and RDP - Windows Credential Provider: Add users via bulk upload]
  • Under Bulk User Registration, download the sample CSV format from the console and edit the CSV file according to the instructions.
    [Screenshot: 2FA/MFA for Windows Logon and RDP - Windows Credential Provider: Download sample csv file]
  • To bulk upload users, choose the file (make sure it is in comma-separated .csv format) and then click on Upload.
    [Screenshot: 2FA/MFA for Windows Logon and RDP - Windows Credential Provider: Bulk upload user]
  • After the CSV file is uploaded successfully, you will see a success message with a link.
  • Click on that link to see the list of users to whom an activation mail can be sent. Select the users and click on Send Activation Mail. An activation mail will be sent to the selected users.
  • Click on External Directories >> Add Directory in the left menu of the dashboard.
    [Screenshot: 2FA/MFA for Windows Logon and RDP - Windows Credential Provider: Configure User Store]
  • Select Directory type as AD/LDAP.
    [Screenshot: 2FA/MFA for Windows Logon and RDP - Windows Credential Provider: Select AD/LDAP as user store]
    1. STORE LDAP CONFIGURATION IN MINIORANGE: Choose this option if you want to keep your configuration in miniOrange. If Active Directory is behind a firewall, you will need to open the firewall to allow incoming requests to your AD.
    2. STORE LDAP CONFIGURATION ON PREMISE: Choose this option if you want to keep your configuration on your premises and only allow access to AD inside the premises. You will have to download and install the miniOrange gateway on your premises.
    [Screenshot: 2FA/MFA for Windows Logon and RDP - Windows Credential Provider: Select ad/ldap user store type]
  • Enter the LDAP Display Name and LDAP Identifier name.
  • Select Directory Type as Active Directory.
  • Enter the LDAP server URL or IP address in the LDAP Server URL field.
  • Click on the Test Connection button to verify that a connection to your LDAP server can be made.
    [Screenshot: 2FA/MFA for Windows Logon and RDP - Windows Credential Provider: Configure LDAP server URL connection]
  • In Active Directory, go to the properties of the user containers/OUs and look up the Distinguished Name attribute.
    [Screenshot: 2FA/MFA for Windows Logon and RDP - Windows Credential Provider: Configure user bind account domain name]
  • Enter the valid bind account password.
  • Click on the Test Bind Account Credentials button to verify your LDAP bind credentials for the LDAP connection.
    [Screenshot: 2FA/MFA for Windows Logon and RDP - Windows Credential Provider: Check bind account credentials]
  • Search Base is the location in the directory where the search for a user begins. You will get this from the same place you got your Distinguished Name.
    [Screenshot: 2FA/MFA for Windows Logon and RDP - Windows Credential Provider: Configure user search base]
  • Select a suitable Search Filter from the drop-down menu. To use a custom search filter, select the "Write your Custom Filter" option and customize it accordingly.
    [Screenshot: 2FA/MFA for Windows Logon and RDP - Windows Credential Provider: Select user search filter]
  • You can also configure the following options while setting up AD. Enable Activate LDAP in order to authenticate users from AD/LDAP. Click on the Save button to add the user store.
    [Screenshot: 2FA/MFA for Windows Logon and RDP - Windows Credential Provider: Activate LDAP options]

    Here is the list of the attributes and what each does when enabled. You can enable/disable them accordingly.

    Attribute                        Description
    Activate LDAP                    All user authentications will be done with LDAP credentials if you activate it
    Sync users in miniOrange         Users will be created in miniOrange after authentication with LDAP
    Fallback Authentication          If LDAP credentials fail, the user will be authenticated through miniOrange
    Allow users to change password   Allows your users to change their password; the new credentials are updated in your LDAP server
    Enable administrator login       On enabling this, your miniOrange Administrator login authenticates using your LDAP server
    Show IdP to users                If you enable this option, this IdP will be visible to users
    Send Configured Attributes       If you enable this option, only the attributes configured below will be sent as attributes at the time of login

  • Click on Save. After this, it will show you the list of user stores. Click on Test Connection to check whether you have entered valid details; it will ask for a username and password.
    [Screenshot: 2FA/MFA for Windows Logon and RDP - Windows Credential Provider: Test AD/LDAP connection]
  • On successful connection with the LDAP server, a success message is shown.
  • Click on Test Attribute Mapping.
    [Screenshot: 2FA/MFA for Windows Logon and RDP - Windows Credential Provider: LDAP successful connection]
  • Enter a valid username, then click on Test. The mapped attributes corresponding to the user are fetched.
    [Screenshot: 2FA/MFA for Windows Logon and RDP - Windows Credential Provider: Fetch mapped attributes for user]
  • After successful attribute mapping configuration, go back to the LDAP configuration and enable Activate LDAP in order to authenticate users from AD/LDAP.
  • Refer to our guide to set up LDAPS on Windows Server.
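Before relying on the console's Test Connection, Test Bind Account Credentials and Test Attribute Mapping buttons, it helps to run the same checks from a domain-joined machine, so that a failure can be pinned on the directory (firewall, certificate, bind DN, search base or filter) rather than on the miniOrange configuration. The PowerShell below is an added example and not miniOrange's code; the host name, bind DN, search base and test username are placeholders, and it assumes LDAPS on port 636 with a server certificate the client trusts, which is what the LDAPS guide referenced above sets up.

```powershell
# Added example, not miniOrange's code: reproduce the console's LDAP checks (connection,
# bind credentials, search base, search filter, attribute fetch) from PowerShell using
# System.DirectoryServices. Host, bind DN, search base and test username are placeholders.
# Port 636 means LDAPS: the DC's certificate must chain to a CA this client trusts, and a
# simple bind with a DN is only acceptable because TLS protects the bind password.

Add-Type -AssemblyName System.DirectoryServices

$ldapHost   = 'dc01.example.internal'                                          # placeholder
$ldapPort   = 636                                                              # LDAPS only; do not simple-bind over 389
$bindDn     = 'CN=svc-miniorange,OU=Service Accounts,DC=example,DC=internal'   # placeholder bind account DN
$searchBase = 'OU=Staff,DC=example,DC=internal'                                # placeholder search base
$testUser   = 'jdoe'                                                           # placeholder sAMAccountName

function Get-FirstValue($props, [string]$name) {
    # ResultPropertyCollection values are collections; an absent attribute yields an empty one.
    $values = @($props[$name])
    if ($values.Count -gt 0) { [string]$values[0] } else { $null }
}

function Test-LdapUserStore {
    param(
        [Parameter(Mandatory)][string]$BindDn,
        [Parameter(Mandatory)][System.Security.SecureString]$BindPassword,
        [Parameter(Mandatory)][string]$SearchBase,
        [Parameter(Mandatory)][string]$Username
    )
    # DirectoryEntry needs the password as plain text; keep it local to this call.
    $plain = [System.Net.NetworkCredential]::new('', $BindPassword).Password
    $authType = [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer

    # "Test Connection" + "Test Bind Account Credentials": bind as the service account at the search base.
    $entry = [System.DirectoryServices.DirectoryEntry]::new(
        "LDAP://$ldapHost`:$ldapPort/$SearchBase", $BindDn, $plain, $authType)
    $null = $entry.NativeObject   # forces the bind; throws on bad DN, bad password or a TLS failure

    # Search filter: escape the username per RFC 4515 so a crafted value cannot widen the filter.
    $escaped = $Username -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
    $searcher = [System.DirectoryServices.DirectorySearcher]::new($entry)
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$escaped))"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'sAMAccountName', 'userPrincipalName', 'mail'))

    $found = $searcher.FindOne()
    if (-not $found) {
        throw "Bind succeeded but '$Username' was not found under $SearchBase with filter $($searcher.Filter)"
    }

    # What "Test Attribute Mapping" would show for this user.
    [pscustomobject]@{
        DistinguishedName = Get-FirstValue $found.Properties 'distinguishedname'
        SamAccountName    = Get-FirstValue $found.Properties 'samaccountname'
        UserPrincipalName = Get-FirstValue $found.Properties 'userprincipalname'
        Mail              = Get-FirstValue $found.Properties 'mail'
    }
}

$bindPw = Read-Host -AsSecureString -Prompt "Password for $bindDn"
Test-LdapUserStore -BindDn $bindDn -BindPassword $bindPw -SearchBase $searchBase -Username $testUser
```

A bind failure here surfaces as an exception from the NativeObject line and carries the LDAP result code, which separates a wrong bind DN or password from a certificate problem; a bind that succeeds followed by the "not found" error means the search base or filter is the thing to revisit in the console.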

User Import and Provisioning from AD

  • Go to Settings >> Product Settings in the Customer Admin Account.
    [Screenshot: 2FA/MFA for Windows Logon RDP - Windows Credential Provider: miniOrange dashboard]
  • Enable the "Enable User Auto Registration" option and click Save.
    [Screenshot: 2FA/MFA for Windows Logon RDP - Windows Credential Provider: Enable User Auto Registration]
  • (Optional) To send a welcome email to all the end users that will be imported, enable the "Enable sending Welcome Emails after user registration" option and click Save.
    [Screenshot: 2FA/MFA for Windows Logon RDP - Windows Credential Provider: Enable sending Welcome Emails after user registration]
  • From the left-side menu of the dashboard, select Provisioning.
    [Screenshot: 2FA/MFA for Windows Logon RDP - Windows Credential Provider: User Sync/Provisioning]
  • In the Setup Provisioning tab, select Active Directory in the Select Application dropdown.
  • Toggle Import Users on and click on the Save button.
    [Screenshot: 2FA/MFA for Windows Logon RDP - Windows Credential Provider: User Sync Active Directory Configuration]
  • In the same section, switch to the Import Users section.
  • Select Active Directory from the dropdown and click on the Import Users button to import all the users from Active Directory into miniOrange.
    [Screenshot: 2FA/MFA for Windows Logon RDP - Windows Credential Provider: User Sync Import Operation]
  • You can view all the users you have imported by selecting Users >> User List from the left panel.
    [Screenshot: 2FA/MFA for Windows Logon RDP - Windows Credential Provider: User List]
  • All the imported users will be auto-registered.
  • These groups will be helpful in adding multiple 2FA policies on the applications.

miniOrange integrates with various external user sources such as directories, identity providers, and more.

Not able to find your IdP, or need help setting it up?

Contact us or email us at idpsupport@xecurify.com and we'll help you set it up in no time.



miniOrange Credential Provider for Remote Desktop (RDP)

The user initiates the login to Remote Desktop Services (RDS) either through a Remote Desktop Client or via the RD Web login page in a browser. The miniOrange RD Web component installed on the target machine then sends a RADIUS request to the miniOrange RADIUS server, which authenticates the user against the local AD. After successful authentication, two-factor authentication of the user is invoked, and once the user validates the second factor, access to the Remote Desktop Service (RDP) is granted.

A user can connect to RDS (Remote Desktop Services) in two ways:

  • RDC - Remote Desktop Client: If the RemoteApp is launched through a Remote Desktop client application, users complete their two-factor authentication while entering the username and password to get access to the resources. Because this method does not support the RADIUS access-challenge response, only out-of-band authentication methods are supported.
  • RD Web Access - RD login page via browser: If the desktop or RemoteApp is launched through the RD Web login page, the initial user authentication is done against the machine's AD, after which miniOrange challenges the user for two-factor authentication via a RADIUS challenge request. After users authenticate correctly, they are connected to their resources.

Two-Factor Authentication (2FA/MFA) for RDS via RD Web

How it works

  • In this case, the user opens the RD Web login page in a browser to connect to the Remote Desktop Service. The user enters a username and password, and on submission the RD Web component installed on the target machine sends a RADIUS request to the miniOrange RADIUS server, which authenticates the user against the local AD of the target machine.
  • Once authenticated, the server sends a RADIUS challenge to RD Web, and RD Web shows an OTP screen in the browser. Once the user enters the one-time passcode, the miniOrange IdP verifies it and grants or denies access to RDS.
  • After the user is connected to the Remote Desktop Service, the user can also open the published RemoteApp icons from the browser, since the session has already been created for the user.

[Figure: RDS via RD Web demonstration user flow]
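The RD Web flow above is a standard two-round RADIUS conversation: an Access-Request carrying the AD password, an Access-Challenge carrying a prompt and an opaque State, then a second Access-Request that echoes the State and carries the OTP in User-Password. The PowerShell below is an added example and not miniOrange's code: it encodes and parses those packets so the challenge step is visible, with a constructed shared secret and a constructed Access-Challenge in place of a live server, and sends nothing unless Send-RadiusPacket is pointed at one.

```powershell
# Added example, not miniOrange's code: the two-round RADIUS exchange the RD Web flow above
# describes (Access-Request -> Access-Challenge -> Access-Request with State + OTP), encoded
# and parsed by hand. Shared secret, identifiers and the challenge packet are constructed
# placeholders; nothing goes on the wire unless Send-RadiusPacket is called.

$Code = @{ AccessRequest = 1; AccessAccept = 2; AccessReject = 3; AccessChallenge = 11 }
$Attr = @{ UserName = 1; UserPassword = 2; ReplyMessage = 18; State = 24 }
$Utf8 = [System.Text.Encoding]::UTF8

function Protect-PapPassword([byte[]]$Secret, [byte[]]$Authenticator, [string]$Password) {
    # RFC 2865 5.2: pad to 16-byte blocks; block_i = p_i XOR MD5(secret + previous cipher block),
    # where the "previous block" for the first round is the Request Authenticator.
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $p      = $Utf8.GetBytes($Password)
    $blocks = [math]::Max(1, [math]::Ceiling($p.Length / 16))
    $out    = [byte[]]::new([int]($blocks * 16))
    [Array]::Copy($p, $out, $p.Length)              # zero padding comes from the fresh array
    $prev = $Authenticator
    for ($i = 0; $i -lt $out.Length; $i += 16) {
        $b = $md5.ComputeHash([byte[]]($Secret + $prev))
        for ($j = 0; $j -lt 16; $j++) { $out[$i + $j] = $out[$i + $j] -bxor $b[$j] }
        $prev = $out[$i..($i + 15)]                   # cipher block feeds the next round
    }
    return ,$out
}

function New-RadiusAttribute([int]$Type, [byte[]]$Value) {
    # Type (1) + Length (1, including this header) + Value
    return ,[byte[]](@([byte]$Type, [byte]($Value.Length + 2)) + $Value)
}

function New-AccessRequest([string]$Secret, [byte]$Id, [string]$User, [string]$Password, [byte[]]$State) {
    $auth = [byte[]]::new(16)                         # fresh random Request Authenticator per packet
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($auth)
    $secret = $Utf8.GetBytes($Secret)
    $attrs  = New-RadiusAttribute $Attr.UserName ($Utf8.GetBytes($User))
    $attrs += New-RadiusAttribute $Attr.UserPassword (Protect-PapPassword $secret $auth $Password)
    if ($State) { $attrs += New-RadiusAttribute $Attr.State $State }   # echo the server's State verbatim
    $len = 20 + $attrs.Length
    $hdr = @([byte]$Code.AccessRequest, $Id, [byte]($len -shr 8), [byte]($len -band 0xFF))
    return ,[byte[]]($hdr + $auth + $attrs)
}

function Read-RadiusResponse([byte[]]$Packet) {
    $r   = [ordered]@{ Code = [int]$Packet[0]; Id = [int]$Packet[1]; ReplyMessage = $null; State = $null }
    $len = ([int]$Packet[2] -shl 8) -bor [int]$Packet[3]
    $pos = 20
    while ($pos + 2 -le $len) {
        $t = [int]$Packet[$pos]; $l = [int]$Packet[$pos + 1]
        if ($l -lt 2 -or $pos + $l -gt $len) { break }   # malformed attribute: stop, do not trust the rest
        $v = if ($l -gt 2) { [byte[]]$Packet[($pos + 2)..($pos + $l - 1)] } else { [byte[]]@() }
        if ($t -eq $Attr.ReplyMessage) { $r.ReplyMessage = $Utf8.GetString($v) }
        elseif ($t -eq $Attr.State)    { $r.State = $v }
        $pos += $l
    }
    return [pscustomobject]$r
}

function Send-RadiusPacket([string]$Server, [int]$Port, [byte[]]$Packet) {
    $udp = [System.Net.Sockets.UdpClient]::new()
    $udp.Client.ReceiveTimeout = 5000
    try {
        $null = $udp.Send($Packet, $Packet.Length, $Server, $Port)
        $ep = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 0)
        return Read-RadiusResponse ($udp.Receive([ref]$ep))
    } finally { $udp.Dispose() }
}

# Round 1: username + AD password (placeholders); the server answers with a challenge.
$req1 = New-AccessRequest -Secret 'placeholder-secret' -Id 1 -User 'jdoe' -Password 'ad-password' -State $null

# Constructed Access-Challenge standing in for the server's reply after AD authentication:
# Reply-Message "Enter OTP" plus an opaque State blob (Response Authenticator left as zeros here).
$chalAttrs = (New-RadiusAttribute $Attr.ReplyMessage ($Utf8.GetBytes('Enter OTP'))) +
             (New-RadiusAttribute $Attr.State ($Utf8.GetBytes('sess-42')))
$chalLen   = 20 + $chalAttrs.Length
$challenge = [byte[]](@([byte]$Code.AccessChallenge, [byte]1, [byte]($chalLen -shr 8), [byte]($chalLen -band 0xFF)) + [byte[]]::new(16) + $chalAttrs)
$parsed    = Read-RadiusResponse $challenge

# Round 2: the OTP goes in User-Password and State is echoed. Only a client that can render the
# prompt and resend State (RD Web) gets here; RDC cannot, hence its out-of-band-only limitation.
if ($parsed.Code -eq $Code.AccessChallenge) {
    "Server prompt: $($parsed.ReplyMessage)"
    $req2 = New-AccessRequest -Secret 'placeholder-secret' -Id 2 -User 'jdoe' -Password '123456' -State $parsed.State
    "Second Access-Request is $($req2.Length) bytes and echoes State '$($Utf8.GetString($parsed.State))'"
}
```

Message-Authenticator (RFC 2869) is not built here, and many RADIUS servers now require it on Access-Request packets, so add it before pointing Send-RadiusPacket at a real server. The RDC limitation stated above is visible in Read-RadiusResponse: a client that cannot display Reply-Message and resend State has nowhere to put the OTP, which is why only push or other out-of-band methods work on that path.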
