
Publish RD Gateway and Web Access with One-Time Password (OTP) / Two-factor Authentication WITHOUT ISA/TMG server


Hi everybody,

I've been struggling with this problem for a few weeks now and can't find a way to solve it.

We have an RD farm (Server 2012) which consists of two Remote Desktop Servers with Connection Broker and Web Access.
I've recently published a new server, containing RD Gateway and Web Access in our perimeter network.

Now we've got restrictions that OTP/2FA must be used for the external deployment and we've decided to go for a solution from Gemalto.
The "program" is called IDConfirm and the server is called SA Server (Strong Authentication).
Also it's important that NO ISA/TMG server is supposed to be used; the OTP/2FA is supposed to work seamlessly with the Web Access/Gateway.

After hours of discussion we came to a point where their NPS agent setup would be the only way to accomplish our goals.

The setup is supposed to be like this:
LAN:
1 DC (2008 R2)
RD Farm (2012)
1 SA Server (2012)
DMZ:
RD Gateway/Web Access (2012)

Where Gateway and Web Access should forward the authentications with NPS to the NPS agent on the SA server.
When you type your AD account to authenticate you add the 6 digits of OTP which you receive from your mobile app.

Initially this seems to work: the Gateway forwards the request to the remote NPS server, BUT only if you write the correct AD password (without the OTP extension).
If you write the correct AD password the authentication is forwarded to our SA Server and it's being rejected because the password doesn't contain the correct OTP extension.

The problem comes here.
When you write your AD password along with the OTP extension you get a Windows Security error in the event log (on the Gateway server) like this:

An account failed to log on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: user
Account Domain: domain
Failure Information:
Failure Reason: Unknown username or password.
Status: 0xc000006d
Sub Status: 0x0
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: server
Source Network Address: 192.168.x.x
Source Port: 63003
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.


What I can see is that it's an NTLM error, but hey?! Aren't we supposed to forward all authentication handling to the remote NPS server?

The problem is that no matter what I try the above problem stays there.

Is it not possible to just forward ALL authentication handling to a remote server?

The only solution I've found to get it working someday in the future is this:
"Remote Desktop Pluggable Authentication and Authorization", which is supposed to be introduced in 2012 R2.
Also this link describes it:
http://archive.msdn.microsoft.com/Release/ProjectReleases.aspx?ProjectName=rdsdev&ReleaseId=3745

Please, bring me some answers before my head explodes! :)

PS, long question = maybe some errors, ask me if something is unclear.
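As an added example (not part of the original post), a small Python parser for the 4625 event body quoted above, written from a defender's perspective: it keeps the Subject fields apart from the failed-account fields, decodes the Status/Sub Status NTSTATUS codes, and reports that the rejection came from the Windows/NTLM password check on the gateway host rather than from the RADIUS server. The sample event body is constructed from the placeholder values in the post; the NTSTATUS names are the well-known Windows codes.

```python
import re

# Constructed sample: the Security event 4625 body quoted in the post, as
# logged on the RD Gateway when "ADpassword+OTP" is submitted as the password.
SAMPLE_4625 = """An account failed to log on.
Subject:
Account Name: -
Logon Type: 3
Account For Which Logon Failed:
Account Name: user
Account Domain: domain
Failure Information:
Status: 0xc000006d
Sub Status: 0x0
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
"""
NTSTATUS = {  # well-known codes carried in the 4625 Status / Sub Status fields
    0xC000006D: "STATUS_LOGON_FAILURE", 0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER", 0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

def parse_4625(text):
    # Flatten to {"Section.Key": value}; the prefix keeps repeated keys apart.
    fields, section = {}, "Message"
    for line in text.splitlines():
        header = re.fullmatch(r"([A-Za-z ]+):\s*", line)
        if header:
            section = header.group(1)
            continue
        kv = re.fullmatch(r"(.+?):\s*(.*)", line)
        if kv:
            fields[f"{section}.{kv.group(1)}"] = kv.group(2)
    return fields

def classify(fields):
    # Who failed and which authentication path said no.
    acct, fi = "Account For Which Logon Failed.", "Failure Information."
    status = int(fields[fi + "Status"], 16)
    sub = int(fields[fi + "Sub Status"], 16)
    ntlm = fields["Detailed Authentication Information.Authentication Package"] == "NTLM"
    verdict = ("Windows/NTLM password check on this host failed; the RADIUS server did not produce this event"
               if ntlm and status == 0xC000006D else "not an NTLM credential rejection")
    return {
        "account": fields[acct + "Account Domain"] + "\\" + fields[acct + "Account Name"],
        "status": NTSTATUS.get(status, hex(status)),
        "sub_status": "none" if sub == 0 else NTSTATUS.get(sub, hex(sub)),
        "verdict": verdict,
    }
```

Running `classify(parse_4625(SAMPLE_4625))` on the post's event yields STATUS_LOGON_FAILURE with no sub status, i.e. the composite password+OTP string was checked as a plain Windows password on the gateway.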
