Solved

Remote Access in Server 2008 R2

Posted on 2010-11-19
4,351 Views
Last Modified: 2012-05-10
I'm looking for a walkthrough / steps on implementing a remote access solution using Remote Desktop Web Access (Server 2008 R2) with RD Gateway and Threat Management Gateway 2010 (or Unified Access Gateway), using RSA SecurID as the authentication mechanism.

So here's my thought process so far:

     1. RSA fully supports Server 2008 R2 with authentication agents and IIS web agents.
     2. RSA SecurID is natively supported in TMG 2010.
     3. TMG / IIS fully support the passing of authentication cookies with SecurID.

Now, can someone confirm or refute that RSA SecurID pass-through authentication can be achieved with the ActiveX control to a RD Session Host server that has the RSA Authentication Agent installed?

I have done dozens of searches, and there is a lot of random information floating out there. I'm essentially trying to figure out if I can set up a secure remote access system where the users only have to enter a username and the RSA SecurID Passcode ONCE. I am aware that this IS possible with Citrix products, but can it be done with native Microsoft products?

Please provide any supporting blogs, websites, articles with responses.

Thank you in advance!

Grant
0
Question by: grantsewell

15 Comments
Accepted Solution by: simonlimon (LVL 10, earned 500 total points)
I would try using Kerberos Constrained delegation.

Authenticate the user on the TMG RSA and pass a Kerberos ticket to the Gateway Server. But this requires that TMG and Remote access gateway are both members of the same domain.

This article can help you:

http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-Publishing-RD-Web-Access-RD-Gateway-Part2.html

I don't really know why the RADIUS options are greyed out in the article. Maybe they are not defined. I would definitely try using this as it is a MS mechanism and should work and be less complicated than cookie passing.
0
Author Comment by: grantsewell (LVL 7)
Ideally, I would like to use TMG protection and not require users to provide a Windows password in addition to the tokencode.

It seems like no Microsoft products support the "Windows Password Integration" feature of the RSA authentication agents, like the Citrix Web Interface does. To be able to pass the initial Kerberos ticket, I would need to prompt the user for a third prompt at the gateway - their Windows password.
0
Expert Comment by: simonlimon (LVL 10)
If you use Kerberos delegation, the user authenticates only with his one-time password. He is never prompted for his Windows credentials.

TMG authenticates the user using RSA SecurID and then uses Kerberos to log the user to a backend application.

The user should only enter his username and OTP, and enter the application without entering anything else.
0
Author Comment by: grantsewell (LVL 7)
It would be great if this would work, however TMG does not support the RSA SecurID "Windows Password Integration" feature that is common in many of their authentication agents. Because of this, the user is authenticated to the RSA Authentication Server only, and not to a Windows domain controller, so no Kerberos ticket is ever created.

Many of the documents I've found reference adding the Windows password authentication box to the TMG prompts to provide the necessary authentication (try a search for "RSA SecurID TMG Exchange 2007 Web Access"). Although this does achieve the necessary result and security level, it's an extra burden on my users that I'd like to avoid, if possible. I find it hard to believe this is a difficult addition or integration to the TMG server, but the more I read, the more I'm realizing that's just the harsh reality.

As I said, this feature is supported in the Citrix XenApp web interface, which would allow a single authentication mechanism of username / tokencode.
0
Expert Comment by: simonlimon (LVL 10)
I have done similar scenarios, albeit using ActivIdentity OTP server, which functions as a RADIUS server.

TMG listener was configured to use RADIUS authentication; the user was authenticated on TMG using OTP through RADIUS. TMG was allowed for delegation to specific services (http/server.domain.local) in Active Directory using any authentication method. Hence the name "protocol transition": the user is authenticated using one protocol and logged in using another.

When a user authenticates using RADIUS, TMG then obtains a ticket for that user and logs him in to a backend web application.

This worked with RADIUS; I don't see any reason why this couldn't work with RSA?

This is a pretty lengthy article on the subject, but it is worth the effort :)
http://technet.microsoft.com/sl-si/library/bb794858(en-us).aspx
0
Author Comment by: grantsewell (LVL 7)
Wow, actually you're right, I think this might work. I'm going to start putting this together in my lab and see what happens.

HTTP delegation will work for the web access interface - but won't I need different delegation for the RemoteApp / RDP connections?
0
Expert Comment by: simonlimon (LVL 10)
I haven't really tried it with TS Gateway or RemoteApp, but it works with OWA, and web servers using integrated authentication.

Maybe this article will point you in the right direction:
http://blogs.msdn.com/b/rds/archive/2007/04/19/how-to-enable-single-sign-on-for-my-terminal-server-connections.aspx

This has some info too.

http://social.technet.microsoft.com/Forums/en-US/winserverTS/thread/b69b242c-4fa7-4142-bf45-c1e82f66ccd0
0
Author Comment by: grantsewell (LVL 7)
The first article does explain it - in addition to HTTP I'll need to delegate the TERMSRV property. With that in Active Directory, and the ISA server acting on behalf of the client, I shouldn't need to make changes to the local clients.

Incidentally, I initiated the second reference you gave (TechNet Forum) more than 2 years ago. :) You can see I've been working on this for a long time!

I'm going to work through this in a lab tomorrow. I'll post back with my results. Thanks!
0
Expert Comment by: simonlimon (LVL 10)
Haha, the world is small indeed. Let me know how it goes.
0
Author Comment by: grantsewell (LVL 7)
Well, after some scrobbling, the KCD test did work - I'm able to pass authentication to the web page with a single logon (using SecurID). However, I'm still receiving a second prompt for Windows Authentication for the TS Gateway upon launching a remote app or desktop.

I set up delegation from the Gateway server to the RDS server using the TERMSRV service type.
I set up delegation from the TMG server to the Gateway server using the http service type.

Any ideas?
0
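As an added example (not code from this thread), here is a PowerShell check, run from a domain-joined admin host with the ActiveDirectory module, for the two constrained-delegation hops described in the comment above: TMG to the gateway over http, and the gateway to the session host over TERMSRV. The host names TMG01, RDGW01 and RDSH01 in corp.example are constructed placeholders.

```powershell
Import-Module ActiveDirectory

# UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION in userAccountControl, i.e. the
# "Use any authentication protocol" setting (protocol transition). The TMG hop
# needs it because the user only ever gives TMG a SecurID passcode, never a
# Windows password, so TMG must obtain the first ticket via S4U2Self.
$UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000

function Test-KcdHop {
    param(
        [string]$Source,                  # sAMAccountName of the delegating computer
        [string]$Service,                 # SPN it must be allowed to delegate to
        [switch]$RequireProtocolTransition
    )
    $acct = Get-ADComputer -Identity $Source -Properties 'msDS-AllowedToDelegateTo', userAccountControl
    $allowed = @($acct.'msDS-AllowedToDelegateTo')
    $problems = @()

    if ($allowed -notcontains $Service) {
        $problems += "$Source may not delegate to $Service (msDS-AllowedToDelegateTo: $($allowed -join ', '))"
    }
    if ($RequireProtocolTransition -and -not ($acct.userAccountControl -band $UF_TRUSTED_TO_AUTH_FOR_DELEGATION)) {
        $problems += "$Source lacks 'Use any authentication protocol'; the SecurID-only logon cannot be transitioned"
    }

    # The KDC only issues a ticket for the hop if some account actually holds the SPN.
    # http/<fqdn> is normally covered by the HOST/<fqdn> alias every computer registers.
    $svcClass, $svcHost = $Service -split '/', 2
    $candidates = @($Service)
    if ($svcClass -eq 'http') { $candidates += "HOST/$svcHost" }
    $holder = $candidates | ForEach-Object { Get-ADObject -Filter "servicePrincipalName -eq '$_'" } | Select-Object -First 1
    if (-not $holder) {
        $problems += "No account registers $Service (or its HOST/ alias); check setspn on the target"
    }

    New-Object PSObject -Property @{
        Source = $Source; Service = $Service; TargetAccount = $holder.Name; Problems = $problems
    }
}

# Constructed placeholder names for the three servers in the thread's topology.
$hops = @(
    (Test-KcdHop -Source 'TMG01'  -Service 'http/rdgw01.corp.example' -RequireProtocolTransition),
    (Test-KcdHop -Source 'RDGW01' -Service 'TERMSRV/rdsh01.corp.example')
)
$hops | Format-List Source, Service, TargetAccount, Problems
if ($hops | Where-Object { $_.Problems }) { Write-Warning 'Constrained delegation is incomplete; see Problems above.' }
```

A clean result for both hops only rules out the Active Directory side; a remaining credential prompt for the gateway, as reported in the next comment, comes from the RD Web Access authentication mode rather than from delegation.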
Author Comment by: grantsewell (LVL 7)
OK - so according to this article: http://blogs.msdn.com/b/rds/archive/2009/08/11/introducing-web-single-sign-on-for-remoteapp-and-desktop-connections.aspx

If RD Web Access is configured to use Windows Authentication, which is the Windows Server 2008 mode, instead of the default Forms Based Authentication (FBA), users will be prompted for credentials twice: once for the Windows Integrated Authentication for RD Web Access and again on the launch of the first RemoteApp in the RemoteApp and Desktop Connection. Thereafter on subsequent RemoteApp launch, SSO will work as it works in the FBA mode.

So unless we can pass a pre-authenticated cookie from TMG to the web page, it looks like there will always be another prompt for the gateway.
0
Expert Comment by: simonlimon (LVL 10)
Yes, I guess MS says that you really will have to type credentials twice.

Another option could be to use smartcards and an Enterprise PKI and see how that works.
0
Expert Comment by: simonlimon (LVL 10)
Also, you will need RDC 7.0.

For Web Single Sign-On to work, the requirement is to have RDP Client 7.

Please refer to this post : http://blogs.msdn.com/rds/archive/2009/08/21/remote-desktop-connection-7-for-windows-7-windows-xp-windows-vista.aspx.

Kashif [MSFT]
0
Author Closing Comment by: grantsewell (LVL 7)
The overall solution is not available within the parameters of my question, but this partial answer and discussion did bring us to that realization, and I learned a new skill. Thanks!
0
Expert Comment by: planbsupport
Have a look at this ... I did not read it in depth, but it seems to address your concerns...

http://www.forefrontblog.nl/2011/05/06/publishing-rds-web-rsa-and-preventing-direct-logon/
0