Hi,
We are now being asked for multi-factor authentication for our Server Essentials VPN and RDP services. I gave the MFA extension for NPS a try in a test environment and could not get it to work, even with a fair amount of Microsoft support helping with configuring Network Policy Server. The way Server Essentials incorporates NPS seems unique and even MS has a hard time with it.
I understand there is a way to use Duo to get MFA for Remote Desktop, but I do not think Duo has a way to route both Anywhere Access VPN and Remote Desktop with MFA. That, and the fact that it is yet another expense.
Our existing test and production environments are already using Azure MFA, AD Connect and hold Azure Premium AD seats. Kind of a long shot here but thought I'd ask.
Eugene Palmer
An update for anyone interested, I now have MFA for Remote Desktop working but not VPN yet. The environment has a WSE2016 and a 2019 member server with both Remote Desktop and VPN services originally working as Server Essentials.
Mostly following these instructions: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-rdg
which state clearly that you cannot install the MFA_NPS extension on the gateway itself; you must have a second server, which we do.
So, adapting for WSE2016:
Installed NPS on the member 2019 server
Installed the MFA_NPS extension on the member 2019 and ran the config script.
Added the Remote Desktop Gateway Manager role to the WSE2016 using dism /online /Enable-Feature /FeatureName:Gateway-UI (disabled by default in Server Essentials).
Added the 2019 member to the WSE2016 gateway as the Central Network Policy Server > Central server running NPS, with the shared secret.
On the WSE2016 NPS, added the member 2019 server to Remote RADIUS Server Groups > TS Gateway Server Group.
On the WSE2016 NPS, pointed Connection Request Policies > TS Gateway Authorization Policy > Authentication > Settings at the TS Gateway Server Group.
On the member 2019 NPS, added the WSE2016 as a RADIUS client with the shared secret.
At this point I realized that the member 2019 is now the NPS central store and that the WSE2016 is no longer handling policy, so I exported the existing configuration from the WSE2016 NPS and imported it into the member 2019 NPS. Created the RDG_CAP per the instructions and moved it to the top. Now the member 2019 is handling policy with the MFA_NPS extension.
I am using the Microsoft Authenticator app on an iPhone. At this point, when I initiate a Remote Desktop session I am able to do the primary authentication with username and password, then the logon text file comes up (set in the WSE2016 Gateway > Messaging), and once that is approved the secondary authentication through the app is initiated. After approval in the Authenticator app I get to the remote desktop.
I have disabled all but the TS Gateway Authorization Policy on the WSE2016 NPS, including all of the Network Policies, showing that it is now only functioning as a gateway.
Adding Advanced > "Access-Request messages must contain the Message-Authenticator attribute" to both the 2019 RADIUS client and the WSE2016 Remote RADIUS Server doesn't seem to do anything.
However, at this point I cannot get a VPN connection going. I think I will have to add the Routing and Remote Access role to the member server and have it handle the VPN connection.
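The RADIUS trust between the gateway and the member NPS described in the steps above (RADIUS client on the 2019 side, TS Gateway remote server group on the WSE2016 side, the Message-Authenticator requirement and the config export) can also be scripted with the NPS PowerShell module. This is an added example, not the poster's own steps; the host names, the remote server group name and the ports are assumptions.

```powershell
#Requires -Modules NPS
# Added example (not from the original post). Run in an elevated session on the server
# named in each function's comment. Assumptions: host names, group name, UDP 1812/1813.
$ErrorActionPreference = 'Stop'
$Gateway   = 'WSE2016.corp.example'       # assumption: Essentials server running RD Gateway
$NpsServer = 'NPS2019.corp.example'       # assumption: member server with NPS + MFA extension
$GroupName = 'TS GATEWAY SERVER GROUP'    # assumption: group name RD Gateway uses for central NPS

function New-RadiusSharedSecret {
    # 32 bytes from the OS CSPRNG, rendered as 44 printable characters.
    # Generate once, enter on both servers, and do not keep it in a script or ticket.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    [Convert]::ToBase64String($bytes)
}

function Register-GatewayAsRadiusClient {
    # Run on the member 2019 NPS: trust the gateway as a RADIUS client and require the
    # Message-Authenticator attribute on every Access-Request (rejects requests that are
    # not HMAC-bound to the shared secret), the same setting the post toggles in the GUI.
    param([string]$Name, [string]$Address, [string]$SharedSecret)
    if (Get-NpsRadiusClient | Where-Object { $_.Name -eq $Name }) {
        throw "RADIUS client '$Name' already exists; remove it first or pick another name."
    }
    New-NpsRadiusClient -Name $Name -Address $Address -SharedSecret $SharedSecret `
        -AuthAttributeRequired $true -Enabled $true
}

function Register-NpsAsRemoteServer {
    # Run on the WSE2016: put the member server in the TS Gateway remote server group so the
    # TS Gateway Authorization Policy forwards authentication there (where the MFA prompt occurs).
    param([string]$Address, [string]$SharedSecret)
    if (-not (Get-NpsRemoteRadiusServerGroup | Where-Object { $_.Name -eq $GroupName })) {
        New-NpsRemoteRadiusServerGroup -Name $GroupName | Out-Null
    }
    New-NpsRemoteRadiusServer -Address $Address -RemoteRadiusServerGroup $GroupName `
        -AuthPort 1812 -AuthSharedSecret $SharedSecret -AcctPort 1813 -AcctSharedSecret $SharedSecret
}

function Export-GatewayPolicy {
    # Run on the WSE2016, then copy the file to the member and run Import-NpsConfiguration -Path there.
    # The XML holds every shared secret in clear text: keep it off shares and delete it after import.
    param([string]$Path = (Join-Path $env:TEMP 'nps-wse2016.xml'))
    Export-NpsConfiguration -Path $Path
    Get-Item $Path
}

# Usage: $secret = New-RadiusSharedSecret
#   on NPS2019: Register-GatewayAsRadiusClient -Name 'WSE2016' -Address $Gateway -SharedSecret $secret
#   on WSE2016: Register-NpsAsRemoteServer -Address $NpsServer -SharedSecret $secret; Export-GatewayPolicy
```

Import the exported XML on the member before registering the client there, since an import replaces the whole NPS configuration on the target.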