In the first article of this series we discussed the general concept of Azure Multi-Factor Authentication and how it works.
In the second part we went deeper into the technical aspects of implementing Azure MFA, taking as an example how to secure a remote desktop connection with Azure Multi-Factor Authentication, and we prepared the Azure tenant and the Azure MFA provider.
In this part we continue the demo of integrating the remote desktop connection (RDP) with Azure MFA by installing the Azure MFA server on the same server we need to secure.
In this demo we have a server called Secure-Server running Windows Server 2008 R2 and joined to the domain. We need to secure the remote desktop connection to it by installing the MFA server on it.
This demo assumes that the MFA provider is already prepared; for more information read our previous article.
So let’s start the installation of the MFA:
As a reminder, the three snapshots below show how to download the MFA setup and generate the credentials, which we explained in the previous article:
Once the MFA download has completed, double-click the setup file, choose the installation path and click Next:
Wait a few seconds for the installation to complete:
Once the installation finishes, click Finish:
A new wizard will appear as below. Click Next:
Now enter the Email and Password credentials which we obtained earlier from the MFA provider. If you have forgotten how to obtain them, please read our previous post; if the credentials have expired you can generate them again. Once you have filled in the required information, click Next:
Now, MFA server will try to communicate with Azure MFA Provider as below:
Oops, we received the error message shown below: “Unable to communicate with the Multi-factor Authentication POP, The Multi-factor Authentication server could not be activated … etc”. This error is normal if you use a proxy to access the internet. In that case you must verify three things:
1- Your proxy is set correctly on the server (in the IE browser).
2- Run CMD as administrator and enter the following command:
netsh winhttp import proxy source=ie
3- MFA server must be able to communicate on port 443 outbound to the following:
If outbound firewalls are restricted on port 443, the following IP address ranges will need to be opened:
IP Subnet | Netmask | IP Range
220.127.116.11/25 | 255.255.255.128 | 18.104.22.168 – 22.214.171.124
126.96.36.199/25 | 255.255.255.128 | 188.8.131.52 – 184.108.40.206
220.127.116.11/25 | 255.255.255.128 | 18.104.22.168 – 22.214.171.124
If you are not using the Azure Multi-Factor Authentication Event Confirmation features, and if users are not authenticating with the Multi-Factor Auth mobile apps from devices on the corporate network, the IP ranges can be reduced to the following:
IP Subnet | Netmask | IP Range
126.96.36.199/29 | 255.255.255.248 | 188.8.131.52 – 184.108.40.206
220.127.116.11/29 | 255.255.255.248 | 18.104.22.168 – 22.214.171.124
126.96.36.199/29 | 255.255.255.248 | 188.8.131.52 – 184.108.40.206
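The three checks above can be scripted before retrying activation. The following PowerShell is an added example, not part of the original article or of the MFA Server product. The target host name is a placeholder because the endpoint list is not reproduced here, and the WinHTTP proxy is assumed to be in plain host:port form.

```powershell
# Added example: compare the IE proxy with the WinHTTP proxy, then probe outbound 443.
# Uses only cmdlets and .NET classes available in PowerShell 2.0 (Windows Server 2008 R2).
$Targets = @('mfa-endpoint.example.com')   # placeholder; use the endpoints documented for your MFA provider

# Check 1: proxy configured in IE for the current user
$ieKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ie      = Get-ItemProperty -Path $ieKey
$ieProxy = if ($ie.ProxyEnable -eq 1) { $ie.ProxyServer } else { $null }

# Check 2: proxy used by WinHTTP (what "netsh winhttp import proxy source=ie" sets)
$winhttp      = (netsh winhttp show proxy) -join "`n"
$winhttpProxy = if ($winhttp -match 'Proxy Server\(s\)\s*:\s*(\S+)') { $Matches[1] } else { $null }

# Check 3: can we open a tunnel to port 443, via the proxy if one is set?
function Test-Port443 {
    param([string]$HostName, [string]$Proxy)
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = 5000
    try {
        if ($Proxy) {
            # Assumption: proxy string is "host:port"
            $p = $Proxy.Split(':')
            $client.Connect($p[0], [int]$p[1])
            $stream = $client.GetStream()
            $req = [Text.Encoding]::ASCII.GetBytes(
                "CONNECT ${HostName}:443 HTTP/1.1`r`nHost: ${HostName}:443`r`n`r`n")
            $stream.Write($req, 0, $req.Length)
            $buf = New-Object byte[] 256
            $n   = $stream.Read($buf, 0, $buf.Length)
            # A "200" status line means the proxy allowed the tunnel
            return ([Text.Encoding]::ASCII.GetString($buf, 0, $n) -match '^HTTP/1\.\d 200')
        }
        $client.Connect($HostName, 443)     # no proxy: direct connection
        return $client.Connected
    } catch { return $false }
    finally { $client.Close() }
}

"IE proxy      : $ieProxy"
"WinHTTP proxy : $winhttpProxy"
if ($ieProxy -and -not $winhttpProxy) {
    "WinHTTP has no proxy set; run: netsh winhttp import proxy source=ie"
}
foreach ($t in $Targets) {
    "{0}:443 reachable = {1}" -f $t, (Test-Port443 $t $winhttpProxy)
}
```

A result of False through the proxy usually means the proxy or an outbound firewall rule is blocking the tunnel, which is the condition the IP range tables above are meant to address.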
After we set the proxy rules, I tried again to activate the MFA server as below:
Finally, it is verified successfully. The wizard will now ask you to create a new MFA group or choose an existing one. Since this is the first MFA server to be deployed, give the new group any meaningful name as below. Note that the group is used to manage multiple MFA servers and to enable replication between the servers if needed. Click Next:
Uncheck the enable replication between servers option and click Next:
Now you can select which applications to integrate with Azure MFA. The last option is remote desktop; you could select it and click Next, but in our demo we will configure the remote desktop from the MFA console instead, so click Cancel.
Now go to the Start menu and click the Multi-Factor Authentication Server icon:
Azure MFA server is loading as below:
After a while the console appears. This is the MFA server console, from which you manage the MFA setup. The status option shows that the server Secure-Server.demo.lab is online; this is both the server whose RDP connection we need to secure and the MFA server itself:
Choose the server name and Terminal Services as the application option, and check the “Enable” option. If you want to apply MFA to all users in AD, check the “Require Multi-Factor Authentication user match” option; if not, leave it unchecked as below. Click OK:
MFA is now configured to secure RDP on that server. The console states that the server needs to be restarted for the change to take effect. Click OK, and hold off on the restart so we can continue the configuration:
Now go to the Users icon to add the users to whom you need to apply MFA authentication, and click the Import from Active Directory button as below:
Choose the users you need and click Import as below:
The users successfully imported as below, click OK:
The new users appear in the console with a warning icon beside each one. The warning is there because each user must be enabled for MFA manually; by default, an imported user is not enabled for MFA automatically. Double-click any user:
Fill in the required information as below:
– Choose the MFA method: phone call, text message, mobile app … etc. For this demo we will choose the phone call option.
– Check the Enabled option.
Finally, Click Apply:
Note that after we check the Enabled option the warning icon disappears. Do the same for all the users you need:
After I prepared all users, they appear in the console without the warning icon. To test the configuration, choose any user and click the Test button:
Provide the password and click Test:
Wait a while:
Now the user should receive a call. If the user ends the call, the authentication will be refused, because it is assumed that another person is trying to use his/her credentials. If the user presses (#), he/she confirms that he/she is the one trying to access the server:
After I pressed (#), the test completed as below:
Now, after restarting the machine for the change to take effect, I try to access the server remotely as below:
I tried to log in with the administrator user:
Now the welcome page starts:
During the login, while the welcome page was displayed, I received a call from Microsoft MFA. I answered the call and ended it immediately:
I received another call from Microsoft MFA, but this time I pressed the (#) key:
Because I pressed the (#) key, I confirmed to Microsoft that I am the person trying to log in, so I successfully logged in to the server as below:
In this article we demonstrated how to install the MFA server and integrate it with the remote desktop connection (RDP).
In the next article we will show you how to customize the MFA setup by using Fraud alert, changing the voice of the received call, generating reports … etc.