Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4473
  • Last Modified:

Remote Access in Server 2008 R2

I'm looking for a walkthrough / steps on implementing a remote access solution using Remote Desktop Web Access (Server 2008 R2) with RD Gateway and Threat Management Gateway  2010 (or Unified Access Gateway), using RSA SecurID as the authentication mechanism.

So here's my thought process so far:

     1. RSA fully supports Server 2008 R2 with authentication agents and IIS web agents.
     2. RSA SecurID is natively supported in TMG 2010.
     3. TMG / IIS fully support the passing of authentication cookies with SecurID.

Now, can someone confirm or refute that RSA SecurID pass-through authentication can be acheived with the ActiveX control to a RD Session Host server that has the RSA Authentication Agent installed?

I have done dozens of searches, and there is a lot of random information floating out there. I'm essentially trying to figure out if I can setup a secure remote access system where the users only have to enter a username and the RSA SecurID Passcode ONCE. I am aware that this IS possible with Citrix products, but can it be done with native Microsoft products?

Please provide any supporting blogs, websites, articles with responses.

Thank you in advance!

Grant
0
grantsewell
Asked:
grantsewell
  • 7
  • 7
1 Solution
 
simonlimonCommented:
I would try using Kerberos Constrained delegation.

Authenticate the user on the TMG RSA and pass a Kerberos Ticket to the Gateway Server.  But this requires that TMG and REmote access gateway are both members of the same domain.

 This article can help you:

http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-Publishing-RD-Web-Access-RD-Gateway-Part2.html

I don't really know why are RADIUS options greyed out in the article. Maybe they are not defined. I would definitely try using this as it is a MS mechanism and should work and be less complicated than cookie passing.
0
 
grantsewellAuthor Commented:
Ideally, I would like to use TMG protection and not require users to provide a Windows password in addition to the tokencode.

It seems like no Microsoft products support the "Windows Password Integration" feature of the RSA authentication agents, like the Citrix Web Interface does. To be able to pass the initial kerberos ticket, I would need to prompt the user for a third prompt at the gateway - their windows password.
0
 
simonlimonCommented:
If you use Kerberos delegation, the user authenticates only with his One Time password. He is never prompted for his windows credentials.

TMG authenticates the user using RSA SecurID and then uses Kerberos to log the user to a backend application.

The user should only enter his username and OTP, and enter the application without entering anything else.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
grantsewellAuthor Commented:
It would be great if this would work, however TMG does not support the RSA SecurID "Windows Password Integration" feature that is common in many of their authentication agents. Because of this, the user is authenticated to the RSA Authentication Server only, and not to a Windows domain controller, so no kerberos ticket is ever created.

Many of the documents I've found reference adding the Windows password authentication box to the TMG prompts to provide the necessary authentication (try a search for "RSA SecurID TMG Exchange 2007 Web Access"). Although this does achieve the necessary result and security level, it's an extra burden on my users that I'd like to avoid, if possible. I find it hard to believe this is a difficult addition or integration to the TMG server, but the more I read, the more I'm realizing that's just the harsh reality.

As I said, this feature is supported in the Citrix XenApp web interface, which would allow a single authentication mechanism of username / tokencode.
0
 
simonlimonCommented:
I have done similar scenarios, albeit using ActivIdentity OTP server, which functions as a RADIUS server.

TMG listener was configured to use RADIUS authentication, user was authenticated on TMG using OTP through RADIUS. TMG was allowed for delegation to specific services (http/server.domain.local) in Active Directory using any Authentication method. Hence the name protocol Transition- user is authenticated using one protocol and logged in using another.

When a user authenticaticates using Radius, TMG then obtains a ticket for that users and logs him in a backend web application.

This worked with RADIUS, I don't see any reason why this couldn't work with RSA?

This is a pretty lenghty article on the subject, but it is worth the effort :)
http://technet.microsoft.com/sl-si/library/bb794858(en-us).aspx
0
 
grantsewellAuthor Commented:
Wow, actually you're right, I think this might work. I'm going to start putting this together in my lab and see what happens.

HTTP delegation will work for the web access interface - but won't I need different delegation for the RemoteApp / RDP connections?
0
 
simonlimonCommented:
I haven't really tried it with TSgateway or RemoteAPP, but it works with OWA, and Web servers using integrated authentication.

Maybe this article will point you in the right direction:
http://blogs.msdn.com/b/rds/archive/2007/04/19/how-to-enable-single-sign-on-for-my-terminal-server-connections.aspx

This has some info too.

http://social.technet.microsoft.com/Forums/en-US/winserverTS/thread/b69b242c-4fa7-4142-bf45-c1e82f66ccd0
0
 
grantsewellAuthor Commented:
The first article does explain it - in addition to HTTP I'll need to delegate the TERMSRV property. With that in Active Directory, and the ISA server acting on behalf of the client, I shouldn't need to make changes to the local clients.

Incidentally, I initiated the second reference you gave (TechNet Forum) more than 2 years ago. :) You can see I've been working on this for a long time!

I'm going to work through this in a lab tomorrow. I'll post back with my results. Thanks!
0
 
simonlimonCommented:
haha, the world is small indeed. Let me know how it goes.
0
 
grantsewellAuthor Commented:
Well, after some scrobbling, the KCD test did work - I'm able to pass authentication to the web page with a single logon (using SecurID). However, I'm still receiving a second prompt for Windows Authentication for the TS Gateway upon launching a remote app or desktop.

I setup delegation from the Gateway server to the RDS server using the TERMSRV service type.
I setup delegation from the TMG server to the Gateway server using the http service type.

Any ideas?
0
 
grantsewellAuthor Commented:
OK - so according to this article: http://blogs.msdn.com/b/rds/archive/2009/08/11/introducing-web-single-sign-on-for-remoteapp-and-desktop-connections.aspx

If RD Web Access is configured to use Windows Authentication, which is the Windows Server 2008 mode, instead of the default Forms Based Authentication (FBA), users will be prompted for credentials twice: once for the Windows Integrated Authentication for RD Web Access and again on the launch of the first RemoteApp in the RemoteApp and Desktop Connection. Thereafter on subsequent RemoteApp launch, SSO will work as it works in the FBA mode.

So unless we can pass a pre-authenticated cookie from TMG to the web page, it looks like there will always be another prompt for the gateway.
0
 
simonlimonCommented:
Yes, I guess MS says, that you really will have to type credentials twice.

Other option could be to use smartcards and an Enterpise PKI and see how that works.
0
 
simonlimonCommented:
Also, you will need RDC 7.0

For Web Single Sign-On to work, the requirement is to have RDP Client 7.

Please refer to this post : http://blogs.msdn.com/rds/archive/2009/08/21/remote-desktop-connection-7-for-windows-7-windows-xp-windows-vista.aspx.

Kashif [MSFT]
0
 
grantsewellAuthor Commented:
The overall solution is not available within the parameters of my question, but this partial answer and discussion did bring us to that realization, and I learned a new skill. Thanks!
0
 
planbsupportCommented:
have a look at this ... did not read it in depth but it seems to address your concerns...

http://www.forefrontblog.nl/2011/05/06/publishing-rds-web-rsa-and-preventing-direct-logon/ 
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

  • 7
  • 7
Tackle projects and never again get stuck behind a technical roadblock.
Join Now