|Applies To||RSA Authentication Agent 7.0.1|
RSA Authentication Agent 7.0.2
Terminal Services Gateway Access
TS Gateway access
|Issue||How to enable SecurID on Terminal Services Gateway|
How to enable SecurID on Terminal Server Web Access
Windows 2008 server
RSA Agent 7.0.1 (no longer under Primary Support) works on Windows 2008 only, not Windows 2008 R2. RSA Agent 7.0.2 can be used on both Windows 2008 R2 and non-R2.
Terminal Services Gateway is a feature of Windows Server 2008 which allows pre-authentication of users accessing Terminal Services remotely. For example, if the corporation has applications hosted as terminal services, and users need to access those from outside the company premises or outside the firewall, Terminal Services Gateway provides pre-authentication to control what terminal servers a user can access based on credentials and policy.
The logical layout of this installation will look as follows:
First, follow the instructions from Microsoft and confirm that this setup works as expected. When the remote desktop initiates an RDP connection to the application, the user should be properly challenged for credentials by the "destination" machine. Also ensure that access from inside the firewall works as expected.
To specify a TS Gateway server, follow these steps:
If the "destination" machine is a Windows 2008 or Vista (SP1) machine, install RSA Authentication Agent 7.0.1 on it. The agent will cause the user to be additionally challenged for RSA SecurID credentials. No additional configuration is required on the agent.
The logical layout after installing RSA Authentication Agent will look as follows:
Remote Desktop Connection 6.1 includes Windows Network Level Authentication (NLA). If this feature is enabled when you attempt to connect to a remote computer, you see a prompt to authenticate before you can establish a remote connection. If you use NLA with an RSA SecurID credential provider configured on the remote computer, you see two prompts to authenticate before you can access the remote desktop. One prompt opens from the local computer and the other opens from the remote computer. This is not caused by the RSA Authentication Agent application. It is a limitation of how Microsoft implements Network Level Authentication when you use a third-party credential provider.
There can be more than one prompt from Windows depending on the architecture, and the final challenge will be from RSA SecurID. Once you enter your account information and successfully authenticate through each prompt, you can access the remote computer.
1. Install RSA Authentication Agent 7.0.1 on the Terminal Server.
The user can access the Terminal Server in two ways:
a. Terminal Client / RDP
The browser can be launched from any machine running Windows XP, Vista or Windows 2008 to connect to a machine with RSA Authentication Agent 7.0.1
Terminal Service Remote Desktop Connection
RDC Client WinAgent2k8 Result
Note: Multiple authentication prompts when accessing a remote computer using Network Level Authentication
Problem: Network Level Authentication (NLA) is a new Microsoft feature in Remote Desktop Connection 6.1 (RDC 6.1). If enabled, the local client will prompt the user to authenticate before establishing the remote connection. When using NLA with an RSA SecurID credential provider configured on the remote host, the user will be prompted twice to authenticate: once by the local client and once by the remote host. This is a limitation of Microsoft's NLA implementation when using third-party credential providers and is not an RSA product defect.
With NLA enabled there are two prompts: one from the network authentication and one for the GINA authentication. See the release notes below.
Multiple authentication prompts appear when accessing a remote computer that uses Network Level Authentication
|Legacy Article ID||a46045|