How to Protect RD Web Access with AuthAnvil
NOTE: To configure AuthAnvil Single Sign On for automatic logins to RD Web Access 2012 and 2012 R2 see this guide
Purpose of this Guide
To instruct users on the configuration steps necessary to integrate AuthAnvil Two Factor Authentication support into the RD Web Access Logon Page.
This guide is intended for consultants and administrators who need to add strong authentication to their Remote Desktop Services infrastructure. Before you begin, you need:
- Windows Server 2008 R2, 2012, or 2012 R2 with RD Web Access configured and working.
- A working AuthAnvil Two Factor Auth Server that has already been configured as per the AuthAnvil Installation Guide.
Formerly called TSWeb, RD Web Access is Microsoft's web portal that lets you publish applications over the web using RD RemoteApp. If you have ever needed to open an Office document at home only to find you do not have the same version as at work, or needed to post Simply Accounting journal entries without time to drive into the office, RD Web makes that a non-issue.
That convenience also carries risk. An application published over the web is only as secure as the password in front of it: anyone who is given, steals or circumvents a password gains full access to the application and, more importantly, to the data behind it, while appearing to be you.
One way to reduce this risk is to enforce a requirement for the user to prove their identity through strong two-factor authentication (2FA). And this is where AuthAnvil Two Factor Auth comes in.
When a user browses to the RD Web portal, they are prompted for their usual domain credentials plus their next AuthAnvil passcode. You gain identity assurance while keeping the same RD Web Access workflow your users already know. Below is a picture showing this in action:
The RDWeb Logon Agent can also make risk-based authentication decisions: you can exempt selected users from the AuthAnvil Two Factor Auth credential (see the usersNotRequiring2FA and ipWhiteList settings below). This gives you the fine-grained control needed to roll strong authentication out to remote users in stages rather than all at once.
Configuring RD Web Access to support AuthAnvil Two Factor Authentication
Step 2 – Back up the existing RD Web login.aspx page, located by default at C:\Windows\Web\RDWeb\Pages\en-US\login.aspx.
Step 3 – In the login.aspx supplied with the RD Web Logon Agent package (the page you will install in Step 5), edit the sasURL, siteID, ipWhiteList, and usersNotRequiring2FA variables at the top of the file to match your network's settings.
NOTE: The usersNotRequiring2FA variable is a comma-separated list of usernames; each must match the user's Active Directory username (without the domain portion). Any account on this list can sign in with its AD password alone, so keep the list short, use it only while staging the rollout, and review it as carefully as you would any other authentication exemption.
NOTE: ipWhiteList is a comma-separated list of IPv4 ranges in CIDR format, e.g. 192.168.1.0/24 will whitelist the 192.168.1.0 network. The match is made against the client address as the RD Web server sees it: if a reverse proxy or load balancer in front of RD Web does not preserve the original client IP, every request appears to come from that device's address, and whitelisting it would exempt everyone. Check this before relying on the whitelist.
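The following PowerShell is an added example, not part of the RD Web Logon Agent package: it sanity-checks an ipWhiteList value before you paste it into login.aspx (malformed entries, host bits set, very broad ranges) and reports which client addresses each entry would match. The sample whitelist and client addresses are constructed for illustration, and the "/16 or broader" warning threshold is an arbitrary choice; only IPv4 is handled, as the note above states.

```powershell
# Added example, not part of the RD Web Logon Agent package: validate an
# ipWhiteList string and test client addresses against it. IPv4 only.

function ConvertTo-IPv4Int {
    # Dotted-quad string -> 32-bit value held in an Int64 (avoids sign issues with -band)
    param([Parameter(Mandatory = $true)][string]$Address)
    $bytes = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "Not an IPv4 address: $Address" }
    [int64]$n = 0
    foreach ($b in $bytes) { $n = $n * 256 + [int64]$b }   # first octet is most significant
    return $n
}

function ConvertFrom-IPv4Int {
    # Inverse of ConvertTo-IPv4Int, used to print readable warnings
    param([Parameter(Mandatory = $true)][int64]$Value)
    $octets = foreach ($pos in 3, 2, 1, 0) { [int]([math]::Floor($Value / [math]::Pow(256, $pos)) % 256) }
    return ($octets -join '.')
}

function Get-CidrMask {
    # /24 -> 4294967040 (0xFFFFFF00): all 32 bits set, minus the 2^(32-prefix) host bits
    param([Parameter(Mandatory = $true)][int]$Prefix)
    if ($Prefix -lt 0 -or $Prefix -gt 32) { throw "Prefix length out of range: /$Prefix" }
    return [int64]4294967295 - ([int64][math]::Pow(2, 32 - $Prefix) - 1)
}

function Test-IpInCidr {
    param(
        [Parameter(Mandatory = $true)][string]$ClientIp,
        [Parameter(Mandatory = $true)][string]$Cidr
    )
    $parts = $Cidr.Trim() -split '/'
    if ($parts.Count -ne 2) { throw "Not in CIDR form: $Cidr" }
    $mask = Get-CidrMask -Prefix ([int]$parts[1])
    $net  = ConvertTo-IPv4Int -Address $parts[0]
    $ip   = ConvertTo-IPv4Int -Address $ClientIp
    return (($ip -band $mask) -eq ($net -band $mask))
}

function Test-IpWhiteList {
    param(
        [Parameter(Mandatory = $true)][string]$IpWhiteList,   # same comma-separated string as in login.aspx
        [string[]]$SampleClients = @()
    )
    $entries = $IpWhiteList -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($entry in $entries) {
        $parts = $entry -split '/'
        if ($parts.Count -ne 2 -or $parts[1] -notmatch '^\d{1,2}$') {
            Write-Warning "Malformed entry (expected a.b.c.d/prefix): '$entry'"
            continue
        }
        try {
            $prefix = [int]$parts[1]
            $mask   = Get-CidrMask -Prefix $prefix
            $net    = ConvertTo-IPv4Int -Address $parts[0]
        } catch {
            Write-Warning "Bad entry '$entry': $_"
            continue
        }
        if (($net -band $mask) -ne $net) {
            Write-Warning "'$entry' has host bits set; the network it really describes is $(ConvertFrom-IPv4Int ($net -band $mask))/$prefix"
        }
        if ($prefix -lt 16) {
            # Threshold is an arbitrary choice for this example; tune it to your address plan
            Write-Warning "'$entry' spans $([math]::Pow(2, 32 - $prefix)) addresses; confirm that is intended"
        }
        foreach ($client in $SampleClients) {
            $hit = Test-IpInCidr -ClientIp $client -Cidr $entry
            '{0,-20} {1,-16} {2}' -f $entry, $client, $(if ($hit) { 'whitelisted' } else { 'not matched' })
        }
    }
}

# Constructed sample: an office LAN and a VPN pool, tried against three client addresses
Test-IpWhiteList -IpWhiteList '192.168.1.0/24, 10.8.0.0/16' -SampleClients '192.168.1.37', '10.9.0.5', '203.0.113.8'
```

Run it with the exact string you intend to put in login.aspx and with a few addresses you expect to be exempt and a few you expect to be challenged; a match for an external address such as 203.0.113.8 means the list is broader than intended.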
Step 4 – Copy the AuthAnvil.dll file to the RD Web Logon Site’s bin directory, located by default at: C:\Windows\Web\RDWeb\Pages\Bin
NOTE: Ensure that the AuthAnvil.dll file is not a blocked DLL (files downloaded from the internet carry a mark that prevents ASP.NET from loading them). Right-click on the DLL, select Properties, and at the bottom of the dialog box click "Unblock".
Step 5 – Replace the existing RD Web login.aspx page with the login.aspx page from the RD Web Logon Agent Package (the copy you edited in Step 3).
NOTE: When copying the RD Web Logon Agent files into the appropriate directories, ensure that the logon agent files are set to inherit NTFS permissions.
Step 6 – Navigate to the RD Web logon page, and log in using your Active Directory username (which must match your AuthAnvil username), Active Directory password, and AuthAnvil passcode.
NOTE: The RDWeb Logon Agent automatically strips the domain portion of the username before attempting an AuthAnvil authentication, so the domain does not affect authentication, i.e. "DOMAIN\username" authenticates to AuthAnvil 2FA as "username".
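The following script is an added example, not part of the AuthAnvil package or its documentation: it carries out Steps 2, 4 and 5 from an elevated PowerShell prompt on the RD Web Access server and then checks the result before you attempt the Step 6 logon. It assumes the Logon Agent package has been extracted to $PackagePath (an assumed location) and that the login.aspx in it has already been edited as described in Step 3; Unblock-File and Get-Item -Stream need PowerShell 3.0 or later, so on a Windows Server 2008 R2 host still running PowerShell 2.0 use the Properties dialog from Step 4 instead.

```powershell
# Added example, not part of the AuthAnvil package: perform Steps 2, 4 and 5 and verify them.
# Requires an elevated prompt on the RD Web Access server and PowerShell 3.0 or later.

$PackagePath = 'C:\Temp\RDWebLogonAgent'              # assumed location of the extracted package
$RdWebPages  = 'C:\Windows\Web\RDWeb\Pages'           # default path from Steps 2 and 4
$LoginPage   = Join-Path $RdWebPages 'en-US\login.aspx'
$BinDir      = Join-Path $RdWebPages 'Bin'
$DllDest     = Join-Path $BinDir 'AuthAnvil.dll'

foreach ($p in $PackagePath, $LoginPage, $BinDir) {
    if (-not (Test-Path -Path $p)) { throw "Expected path not found: $p" }
}

# Step 2: back up the stock page with a timestamp so repeated runs never overwrite the original
$backup = '{0}.{1}.bak' -f $LoginPage, (Get-Date -Format 'yyyyMMdd-HHmmss')
Copy-Item -Path $LoginPage -Destination $backup -ErrorAction Stop
Write-Host "Backed up $LoginPage to $backup"

# Step 4: copy the agent DLL into Bin and clear the Zone.Identifier mark that makes it "blocked"
Copy-Item -Path (Join-Path $PackagePath 'AuthAnvil.dll') -Destination $DllDest -Force -ErrorAction Stop
Unblock-File -Path $DllDest

# Step 5: install the agent's login.aspx (already edited in Step 3) over the stock page
Copy-Item -Path (Join-Path $PackagePath 'login.aspx') -Destination $LoginPage -Force -ErrorAction Stop

# Step 5 NOTE: make both files inherit NTFS permissions from their parent folder
foreach ($f in $LoginPage, $DllDest) {
    icacls $f /inheritance:e | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $f" }
}

# Checks before the Step 6 test logon:
# 1. the DLL no longer carries a Zone.Identifier stream, i.e. it is not blocked
if (Get-Item -Path $DllDest -Stream Zone.Identifier -ErrorAction SilentlyContinue) {
    Write-Warning "$DllDest is still marked as blocked"
}
# 2. the Step 3 settings are present in the deployed page; inspect them for leftover placeholder values
Select-String -Path $LoginPage -Pattern 'sasURL|siteID|ipWhiteList|usersNotRequiring2FA' |
    ForEach-Object { $_.Line.Trim() }
# 3. inheritance is enabled: the ACL must not be "protected"
foreach ($f in $LoginPage, $DllDest) {
    if ((Get-Acl -Path $f).AreAccessRulesProtected) { Write-Warning "Inheritance is still disabled on $f" }
}
```

If any warning is printed, fix it before testing; a blocked DLL or a non-inheriting ACL on login.aspx shows up at Step 6 as an ASP.NET error or an access-denied page rather than the AuthAnvil logon form. To roll back, copy the timestamped .bak file over login.aspx and remove AuthAnvil.dll from Bin.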