Forum Discussion

tiwang
Nov 10, 2014

2 factor authentication for MS RDP Terminal Service published through the F5

A long time ago I was involved in a project where we had to show how we could implement 2 factor authentication for Microsoft terminal server gw - published through the F5 on the internet. We went for the native MS RDP client using MS TerminalServer GW - this gives the best user experience. We also wanted to use RSA SecurID as the second factor for two factor auth. But we then faced a problem, since there wasn't anywhere in this client to enter the token code. We ended up misusing the TS GW password field for token input ;-) It worked, but this wasn't a solution that was usable for a production environment.

But how else could this be solved? We have to use the native MS Windows RDP client because it is a publicly offered service where we don't want to deploy "extra" software to clients around the world - and the native MS Windows RDP client gives the best user experience.

Any suggestions?

best regards /ti


3 Replies

  • kunjan

    Can't we create a 2 factor authentication action before the RDP resource access action? The logon page would capture both login credentials, AD and 2FA.

  • tiwang

    Well - that is also what I am considering myself right now - and afterwards launch an RDP client with the IP address of the TS GW - maybe assign an ACL with the client IP and port. I am just trying to build myself a lab right now with 11.3 to see whether I can expect to be able to launch an RDP client on the PC from the F5 with the correct addresses etc.

  • You are using token-based auth, so probably 6 fixed characters? If so, you can always have the password concatenated together (XXXXXXYYYYYYYYY). You can then use the VPE to split the password field after the first 6 characters and then pass the RSA token to RSA auth and the AD password to AD Auth.

    Seth
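A concrete form of the split Seth describes, as an added example that is not from the thread or from F5's own documentation: the Tcl expressions you would put into APM Variable Assign agents in the VPE. It assumes the user types a fixed 6-character RSA tokencode immediately followed by the AD password in the single password field, and the `session.custom.fullinput` variable name is this example's choice, not an APM built-in.

```tcl
# Added example for the VPE flow described above (not the thread's own code).
# Assumption: 6-character tokencode first, AD password after it, no PIN prefix.
# Both RSA SecurID Auth and AD Auth read session.logon.last.password, so that
# variable is overwritten before each agent. Tick "Secure" on every assign so
# the values are not written to the APM session log.

# Branch rule right after the Logon Page: refuse input with no password part,
# i.e. fewer than 7 characters; send that branch to a Deny ending.
expr { [string length [mcget -secure {session.logon.last.password}]] > 6 }

# Variable Assign 1: keep a copy of the full input (this name is our choice)
#   session.custom.fullinput =
expr { [mcget -secure {session.logon.last.password}] }

# Variable Assign 2: characters 0..5 become the tokencode for the RSA agent
#   session.logon.last.password =
expr { [string range [mcget -secure {session.custom.fullinput}] 0 5] }
# -> RSA SecurID Auth agent runs next in the policy

# Variable Assign 3: character 6 to the end becomes the AD password
#   session.logon.last.password =
expr { [string range [mcget -secure {session.custom.fullinput}] 6 end] }
# -> AD Auth agent runs next; a failure on either branch should end in Deny

# Clean-up after AD Auth so the plaintext copy does not live in the session
#   session.custom.fullinput =
expr { "" }
```

If users are enrolled with a PIN that is typed in front of the tokencode, the passcode is no longer 6 characters and the fixed `0 5` / `6 end` offsets have to follow the actual passcode length your RSA deployment uses.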