Remote Access in Server 2008 R2

Asked by grantsewell

I'm looking for a walkthrough / steps on implementing a remote access solution using Remote Desktop Web Access (Server 2008 R2) with RD Gateway and Threat Management Gateway  2010 (or Unified Access Gateway), using RSA SecurID as the authentication mechanism.

So here's my thought process so far:

1. RSA fully supports Server 2008 R2 with authentication agents and IIS web agents.
2. RSA SecurID is natively supported in TMG 2010.
3. TMG / IIS fully support the passing of authentication cookies with SecurID.

Now, can someone confirm or refute that RSA SecurID pass-through authentication can be achieved with the ActiveX control to a RD Session Host server that has the RSA Authentication Agent installed?

I have done dozens of searches, and there is a lot of random information floating out there. I'm essentially trying to figure out if I can set up a secure remote access system where the users only have to enter a username and the RSA SecurID Passcode ONCE. I am aware that this IS possible with Citrix products, but can it be done with native Microsoft products?

Please provide any supporting blogs, websites, articles with responses.

Thank you in advance!

Grant
ASKER CERTIFIED SOLUTION by simonlimon (the accepted solution is only shown to Experts Exchange members and is not included on this page)

grantsewell (ASKER):
Ideally, I would like to use TMG protection and not require users to provide a Windows password in addition to the tokencode.

It seems like no Microsoft products support the "Windows Password Integration" feature of the RSA authentication agents, like the Citrix Web Interface does. To be able to pass the initial Kerberos ticket, I would need to add a third prompt at the gateway: their Windows password.

If you use Kerberos delegation, the user authenticates only with his one-time password. He is never prompted for his Windows credentials.

TMG authenticates the user using RSA SecurID and then uses Kerberos to log the user to a backend application.

The user should only enter his username and OTP, and enter the application without entering anything else.

It would be great if this would work, however TMG does not support the RSA SecurID "Windows Password Integration" feature that is common in many of their authentication agents. Because of this, the user is authenticated to the RSA Authentication Server only, and not to a Windows domain controller, so no Kerberos ticket is ever created.

Many of the documents I've found reference adding the Windows password authentication box to the TMG prompts to provide the necessary authentication (try a search for "RSA SecurID TMG Exchange 2007 Web Access"). Although this does achieve the necessary result and security level, it's an extra burden on my users that I'd like to avoid, if possible. I find it hard to believe this is a difficult addition or integration to the TMG server, but the more I read, the more I'm realizing that's just the harsh reality.

As I said, this feature is supported in the Citrix XenApp web interface, which would allow a single authentication mechanism of username / tokencode.

I have done similar scenarios, albeit using ActivIdentity OTP server, which functions as a RADIUS server.

The TMG listener was configured to use RADIUS authentication; the user was authenticated on TMG using OTP through RADIUS. TMG was allowed for delegation to specific services (http/server.domain.local) in Active Directory using any authentication method. Hence the name protocol transition: the user is authenticated using one protocol and logged in using another.

When a user authenticates using RADIUS, TMG then obtains a ticket for that user and logs him in to a backend web application.

This worked with RADIUS; I don't see any reason why this couldn't work with RSA.

This is a pretty lengthy article on the subject, but it is worth the effort :)
http://technet.microsoft.com/sl-si/library/bb794858(en-us).aspx

Wow, actually you're right, I think this might work. I'm going to start putting this together in my lab and see what happens.

HTTP delegation will work for the web access interface - but won't I need different delegation for the RemoteApp / RDP connections?

I haven't really tried it with TS Gateway or RemoteApp, but it works with OWA and web servers using integrated authentication.

Maybe this article will point you in the right direction:
http://blogs.msdn.com/b/rds/archive/2007/04/19/how-to-enable-single-sign-on-for-my-terminal-server-connections.aspx

This has some info too.

http://social.technet.microsoft.com/Forums/en-US/winserverTS/thread/b69b242c-4fa7-4142-bf45-c1e82f66ccd0

The first article does explain it - in addition to HTTP I'll need to delegate the TERMSRV property. With that in Active Directory, and the ISA server acting on behalf of the client, I shouldn't need to make changes to the local clients.

Incidentally, I initiated the second reference you gave (TechNet Forum) more than 2 years ago. :) You can see I've been working on this for a long time!

I'm going to work through this in a lab tomorrow. I'll post back with my results. Thanks!

haha, the world is small indeed. Let me know how it goes.

Well, after some scrobbling, the KCD test did work - I'm able to pass authentication to the web page with a single logon (using SecurID). However, I'm still receiving a second prompt for Windows Authentication for the TS Gateway upon launching a remote app or desktop.

I set up delegation from the Gateway server to the RDS server using the TERMSRV service type.
I set up delegation from the TMG server to the Gateway server using the http service type.

Any ideas?
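Added example, not code from the thread or from any of its participants: a PowerShell check of the two-hop constrained delegation chain described in the earlier protocol-transition post and in the delegation setup above (TMG to the RD Gateway over http, RD Gateway to the RD Session Host over TERMSRV). It assumes the ActiveDirectory module (RSAT) and the placeholder account and host names TMG01, RDGW01, rdgateway.domain.local and rdsh01.domain.local; it also flags unconstrained delegation, which would let the account impersonate users to any service rather than only the listed SPNs.

```powershell
Import-Module ActiveDirectory

# Each hop: which computer account delegates, to which SPNs, and whether it
# must be allowed to "use any authentication protocol" (protocol transition).
# The TMG hop needs it because the user authenticated with SecurID/RADIUS, not
# Kerberos; the gateway hop is only checked for its SPN here (assumption).
$Hops = @(
    @{ Account = 'TMG01';  Spns = @('http/rdgateway.domain.local');  NeedsProtocolTransition = $true  }
    @{ Account = 'RDGW01'; Spns = @('TERMSRV/rdsh01.domain.local');   NeedsProtocolTransition = $false }
)

function Test-DelegationHop {
    param([hashtable]$Hop, [switch]$Fix)

    $c = Get-ADComputer -Identity $Hop.Account `
        -Properties 'msDS-AllowedToDelegateTo', 'TrustedForDelegation', 'TrustedToAuthForDelegation'
    $allowed  = @($c.'msDS-AllowedToDelegateTo')
    $problems = @()

    # Unconstrained delegation (TrustedForDelegation) must be off: it is not limited to the SPN list.
    if ($c.TrustedForDelegation) { $problems += 'unconstrained delegation is enabled' }

    # Constrained delegation is only effective for SPNs present in msDS-AllowedToDelegateTo.
    $missing = @($Hop.Spns | Where-Object { $allowed -notcontains $_ })
    if ($missing) { $problems += "missing SPN(s): $($missing -join ', ')" }

    if ($Hop.NeedsProtocolTransition -and -not $c.TrustedToAuthForDelegation) {
        $problems += 'protocol transition (use any authentication protocol) not enabled'
    }

    if ($Fix -and $problems) {
        if ($c.TrustedForDelegation) { $c | Set-ADAccountControl -TrustedForDelegation $false }
        if ($missing) { Set-ADComputer -Identity $c -Add @{ 'msDS-AllowedToDelegateTo' = $missing } }
        if ($Hop.NeedsProtocolTransition) { $c | Set-ADAccountControl -TrustedToAuthForDelegation $true }
    }

    [pscustomobject]@{
        Account   = $Hop.Account
        AllowedTo = $allowed -join ', '
        Problems  = if ($problems) { $problems -join '; ' } else { 'none' }
    }
}

# Report only; add -Fix to apply the changes (requires rights on the computer objects).
$Hops | ForEach-Object { Test-DelegationHop -Hop $_ } | Format-Table -AutoSize
```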

OK - so according to this article: http://blogs.msdn.com/b/rds/archive/2009/08/11/introducing-web-single-sign-on-for-remoteapp-and-desktop-connections.aspx

If RD Web Access is configured to use Windows Authentication, which is the Windows Server 2008 mode, instead of the default Forms Based Authentication (FBA), users will be prompted for credentials twice: once for the Windows Integrated Authentication for RD Web Access and again on the launch of the first RemoteApp in the RemoteApp and Desktop Connection. Thereafter on subsequent RemoteApp launch, SSO will work as it works in the FBA mode.

So unless we can pass a pre-authenticated cookie from TMG to the web page, it looks like there will always be another prompt for the gateway.

Yes, I guess MS says that you really will have to type credentials twice.

Another option could be to use smartcards and an Enterprise PKI and see how that works.

Also, you will need RDC 7.0.

For Web Single Sign-On to work, the requirement is to have RDP Client 7.

Please refer to this post: http://blogs.msdn.com/rds/archive/2009/08/21/remote-desktop-connection-7-for-windows-7-windows-xp-windows-vista.aspx

Kashif [MSFT]

The overall solution is not available within the parameters of my question, but this partial answer and discussion did bring us to that realization, and I learned a new skill. Thanks!

Have a look at this... I did not read it in depth, but it seems to address your concerns...

http://www.forefrontblog.nl/2011/05/06/publishing-rds-web-rsa-and-preventing-direct-logon/