Remote Access in Server 2008 R2

Posted on 2010-11-19
Last Modified: 2012-05-10
I'm looking for a walkthrough / steps on implementing a remote access solution using Remote Desktop Web Access (Server 2008 R2) with RD Gateway and Threat Management Gateway 2010 (or Unified Access Gateway), using RSA SecurID as the authentication mechanism.

So here's my thought process so far:

     1. RSA fully supports Server 2008 R2 with authentication agents and IIS web agents.
     2. RSA SecurID is natively supported in TMG 2010.
     3. TMG / IIS fully support the passing of authentication cookies with SecurID.

Now, can someone confirm or refute that RSA SecurID pass-through authentication can be achieved with the ActiveX control to a RD Session Host server that has the RSA Authentication Agent installed?

I have done dozens of searches, and there is a lot of random information floating out there. I'm essentially trying to figure out if I can set up a secure remote access system where the users only have to enter a username and the RSA SecurID Passcode ONCE. I am aware that this IS possible with Citrix products, but can it be done with native Microsoft products?

Please provide any supporting blogs, websites, articles with responses.

Thank you in advance!

Grant
Question by:grantsewell
15 Comments
 
Accepted Solution by simonlimon (LVL 10, earned 2000 total points), ID: 34184315
I would try using Kerberos Constrained delegation.

Authenticate the user on the TMG RSA and pass a Kerberos Ticket to the Gateway Server. But this requires that TMG and Remote access gateway are both members of the same domain.

 This article can help you:

http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-Publishing-RD-Web-Access-RD-Gateway-Part2.html

I don't really know why the RADIUS options are greyed out in the article. Maybe they are not defined. I would definitely try using this as it is an MS mechanism and should work and be less complicated than cookie passing.
Author Comment by grantsewell (LVL 7), ID: 34187654
Ideally, I would like to use TMG protection and not require users to provide a Windows password in addition to the tokencode.

It seems like no Microsoft products support the "Windows Password Integration" feature of the RSA authentication agents, like the Citrix Web Interface does. To be able to pass the initial kerberos ticket, I would need to prompt the user for a third prompt at the gateway - their windows password.
Expert Comment by simonlimon (LVL 10), ID: 34187836
If you use Kerberos delegation, the user authenticates only with his One Time password. He is never prompted for his windows credentials.

TMG authenticates the user using RSA SecurID and then uses Kerberos to log the user to a backend application.

The user should only enter his username and OTP, and enter the application without entering anything else.
 
Author Comment by grantsewell (LVL 7), ID: 34188892
It would be great if this would work, however TMG does not support the RSA SecurID "Windows Password Integration" feature that is common in many of their authentication agents. Because of this, the user is authenticated to the RSA Authentication Server only, and not to a Windows domain controller, so no kerberos ticket is ever created.

Many of the documents I've found reference adding the Windows password authentication box to the TMG prompts to provide the necessary authentication (try a search for "RSA SecurID TMG Exchange 2007 Web Access"). Although this does achieve the necessary result and security level, it's an extra burden on my users that I'd like to avoid, if possible. I find it hard to believe this is a difficult addition or integration to the TMG server, but the more I read, the more I'm realizing that's just the harsh reality.

As I said, this feature is supported in the Citrix XenApp web interface, which would allow a single authentication mechanism of username / tokencode.
Expert Comment by simonlimon (LVL 10), ID: 34188999
I have done similar scenarios, albeit using ActivIdentity OTP server, which functions as a RADIUS server.

TMG listener was configured to use RADIUS authentication, user was authenticated on TMG using OTP through RADIUS. TMG was allowed for delegation to specific services (http/server.domain.local) in Active Directory using any authentication method. Hence the name Protocol Transition: the user is authenticated using one protocol and logged in using another.

When a user authenticates using RADIUS, TMG then obtains a ticket for that user and logs him in to a backend web application.

This worked with RADIUS, I don't see any reason why this couldn't work with RSA?

This is a pretty lengthy article on the subject, but it is worth the effort :)
http://technet.microsoft.com/sl-si/library/bb794858(en-us).aspx
Author Comment by grantsewell (LVL 7), ID: 34191032
Wow, actually you're right, I think this might work. I'm going to start putting this together in my lab and see what happens.

HTTP delegation will work for the web access interface - but won't I need different delegation for the RemoteApp / RDP connections?
Expert Comment by simonlimon (LVL 10), ID: 34192326
I haven't really tried it with TS Gateway or RemoteApp, but it works with OWA, and web servers using integrated authentication.

Maybe this article will point you in the right direction:
http://blogs.msdn.com/b/rds/archive/2007/04/19/how-to-enable-single-sign-on-for-my-terminal-server-connections.aspx

This has some info too.

http://social.technet.microsoft.com/Forums/en-US/winserverTS/thread/b69b242c-4fa7-4142-bf45-c1e82f66ccd0
Author Comment by grantsewell (LVL 7), ID: 34192504
The first article does explain it - in addition to HTTP I'll need to delegate the TERMSRV property. With that in Active Directory, and the ISA server acting on behalf of the client, I shouldn't need to make changes to the local clients.

Incidentally, I initiated the second reference you gave (TechNet Forum) more than 2 years ago. :) You can see I've been working on this for a long time!

I'm going to work through this in a lab tomorrow. I'll post back with my results. Thanks!
Expert Comment by simonlimon (LVL 10), ID: 34194513
haha, the world is small indeed. Let me know how it goes.
Author Comment by grantsewell (LVL 7), ID: 34199575
Well, after some scrobbling, the KCD test did work - I'm able to pass authentication to the web page with a single logon (using SecurID). However, I'm still receiving a second prompt for Windows Authentication for the TS Gateway upon launching a remote app or desktop.

I set up delegation from the Gateway server to the RDS server using the TERMSRV service type.
I set up delegation from the TMG server to the Gateway server using the http service type.

Any ideas?
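The two delegation hops described in the comment above (TMG to RD Gateway over http, RD Gateway to RD Session Host over TERMSRV), together with the "protocol transition" mechanism simonlimon describes in comment ID 34188999, can be configured and checked from PowerShell rather than clicked through in ADUC. The script below is an added example and is not code from the thread; the host names TMG01, RDGW01, RDSH01 and the domain corp.local are assumptions, as is the assumption that the RD Gateway / RD Web Access IIS application pools run as Network Service (so the http SPNs belong to the computer account). It uses the ActiveDirectory module that ships with RSAT on Server 2008 R2.

```powershell
# Added example: configure and verify two Kerberos constrained delegation hops
# with protocol transition ("use any authentication protocol"). Not from the
# thread; all host and domain names below are assumptions for illustration.
#   TMG01      - Forefront TMG, authenticates the user via RADIUS / SecurID
#   RDGW01     - RD Gateway + RD Web Access (IIS app pools as Network Service)
#   RDSH01     - RD Session Host
#   corp.local - AD domain
# Run from a domain-joined admin workstation with RSAT and rights to edit the
# three computer objects. PowerShell 2.0-compatible syntax (Server 2008 R2).
Import-Module ActiveDirectory

$domain = 'corp.local'
$tmg    = 'TMG01'
$rdgw   = 'RDGW01'
$rdsh   = 'RDSH01'

# SPNs each hop delegates to. The http SPN must match the internal site name
# used in the TMG web publishing rule, otherwise the KDC issues no ticket.
$rdgwSpns = @("http/$rdgw.$domain", "http/$rdgw")
$rdshSpns = @("TERMSRV/$rdsh.$domain", "TERMSRV/$rdsh")

# Register the http SPNs on the RD Gateway computer account (TERMSRV SPNs are
# registered automatically when the session host joins the domain).
Set-ADComputer -Identity $rdgw -ServicePrincipalNames @{Add = $rdgwSpns}

# Hop 1: TMG -> RD Gateway over http. Protocol transition is required because
# TMG never saw a Windows credential: it asks the KDC for a ticket in the
# user's name (S4U2Self) and then for a service ticket to the SPN (S4U2Proxy).
Set-ADComputer -Identity $tmg -Add @{'msDS-AllowedToDelegateTo' = $rdgwSpns}
Set-ADAccountControl -Identity (Get-ADComputer -Identity $tmg) -TrustedToAuthForDelegation $true

# Hop 2: RD Gateway -> RD Session Host over TERMSRV.
Set-ADComputer -Identity $rdgw -Add @{'msDS-AllowedToDelegateTo' = $rdshSpns}
Set-ADAccountControl -Identity (Get-ADComputer -Identity $rdgw) -TrustedToAuthForDelegation $true

# Verification. userAccountControl bit 0x1000000 is TRUSTED_TO_AUTH_FOR_DELEGATION
# (the "use any authentication protocol" radio button). Every SPN in
# msDS-AllowedToDelegateTo must be held by exactly one account: an SPN held by
# nobody, or by two accounts, makes the S4U2Proxy request fail silently and the
# backend falls through to its own credential prompt.
function Test-KcdHop {
    param([string]$Account, [string[]]$ExpectedSpns)
    $c = Get-ADComputer -Identity $Account -Properties 'msDS-AllowedToDelegateTo', 'userAccountControl'
    $transition = ($c.userAccountControl -band 0x1000000) -ne 0
    $allowed    = @($c.'msDS-AllowedToDelegateTo')
    $ok = $transition
    if (-not $transition) { Write-Warning "${Account}: protocol transition not enabled" }
    foreach ($spn in $ExpectedSpns) {
        if ($allowed -notcontains $spn) {
            Write-Warning "${Account}: $spn missing from msDS-AllowedToDelegateTo"
            $ok = $false
        }
        $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
        if ($holders.Count -ne 1) {
            Write-Warning "${Account}: $spn is held by $($holders.Count) accounts, must be exactly 1"
            $ok = $false
        }
    }
    return $ok
}

Test-KcdHop -Account $tmg  -ExpectedSpns $rdgwSpns
Test-KcdHop -Account $rdgw -ExpectedSpns $rdshSpns
```

Two caveats worth keeping in mind when you enable this. First, an account trusted for protocol transition can obtain service tickets for any user to the listed SPNs without ever seeing that user's credential, so the TMG and RD Gateway computer accounts become high-value targets: keep msDS-AllowedToDelegateTo limited to exactly the SPNs needed, and mark privileged accounts "Account is sensitive and cannot be delegated" so they are excluded from S4U2Self. Second, as the comment above reports, this configuration only covers the HTTP path; the ticket TMG obtains is consumed by RD Web Access, and the RD Gateway authentication performed by the RDP client when a RemoteApp launches is a separate exchange that this delegation does not pre-authenticate.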
 
Author Comment by grantsewell (LVL 7), ID: 34200404
OK - so according to this article: http://blogs.msdn.com/b/rds/archive/2009/08/11/introducing-web-single-sign-on-for-remoteapp-and-desktop-connections.aspx

If RD Web Access is configured to use Windows Authentication, which is the Windows Server 2008 mode, instead of the default Forms Based Authentication (FBA), users will be prompted for credentials twice: once for the Windows Integrated Authentication for RD Web Access and again on the launch of the first RemoteApp in the RemoteApp and Desktop Connection. Thereafter on subsequent RemoteApp launch, SSO will work as it works in the FBA mode.

So unless we can pass a pre-authenticated cookie from TMG to the web page, it looks like there will always be another prompt for the gateway.
Expert Comment by simonlimon (LVL 10), ID: 34214280
Yes, I guess MS says that you really will have to type credentials twice.

Other option could be to use smartcards and an Enterprise PKI and see how that works.
Expert Comment by simonlimon (LVL 10), ID: 34214311
Also, you will need RDC 7.0

For Web Single Sign-On to work, the requirement is to have RDP Client 7.

Please refer to this post : http://blogs.msdn.com/rds/archive/2009/08/21/remote-desktop-connection-7-for-windows-7-windows-xp-windows-vista.aspx.

Kashif [MSFT]
Author Closing Comment by grantsewell (LVL 7), ID: 34475229
The overall solution is not available within the parameters of my question, but this partial answer and discussion did bring us to that realization, and I learned a new skill. Thanks!
Expert Comment by planbsupport, ID: 35779482
Have a look at this... I did not read it in depth, but it seems to address your concerns...

http://www.forefrontblog.nl/2011/05/06/publishing-rds-web-rsa-and-preventing-direct-logon/ 