000012381 - How to enable SecurID on Terminal Services Gateway

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000012381

Applies To:
  • RSA Authentication Agent 7.0.1
  • RSA Authentication Agent 7.0.2
  • Terminal Services Gateway Access
  • TS Gateway access

Issue:
  • How to enable SecurID on Terminal Services Gateway
  • How to enable SecurID on Terminal Server Web Access
  • Windows 2008 server
  • Microsoft Vista

Resolution

RSA Agent 7.0.1 (no longer under Primary Support) works on Windows 2008 only, not on Windows 2008 R2. RSA Agent 7.0.2 can be used on both Windows 2008 R2 and non-R2.


 


Terminal Services Gateway is a feature of Windows Server 2008 which allows pre-authentication of users accessing Terminal Services remotely. For example, if the corporation has applications hosted as terminal services, and users need to access those from outside the company premises or outside the firewall, Terminal Services Gateway provides pre-authentication to control what terminal servers a user can access based on credentials and policy.


The logical layout of this installation will look as follows: (diagram not included in this text version)
First, follow the instructions from Microsoft to ensure that this setup works as expected. When the Remote Desktop client initiates an RDP connection to the application, the user must be properly challenged for credentials by the "destination" machine. Also ensure that the in-firewall access behaves as expected.


To specify a TS Gateway server, follow these steps:


  1. Click Start, click All Programs, click Accessories, click Communication, and then click Remote Desktop Connection.
  2. Click Options, click the Advanced tab, and then click Settings.
  3. Click Use these TS Gateway server settings, type the server name in the Server name box, and then select one of the following logon methods from the Logon methods list:

    • Allow me to select later
        This option lets you select a logon method when you connect.
    • Ask for password
        This option prompts you for a password when you connect.
    • Smart card
        This option prompts you to insert a smart card when you connect.
  4. Click to select or click to clear the Bypass TS Gateway server for local addresses check box. By selecting this check box, you prevent the traffic that is moving to and from local network addresses from being routed through the TS Gateway server. This makes the connection faster. For details see http://support.microsoft.com/kb/925876
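Steps 3 and 4 above can also be captured in an .rdp connection file. The following PowerShell function is an added example, not from the RSA article; the gateway and terminal server names it uses are placeholders.

```powershell
# Added example, not from the RSA article: builds the .rdp connection file that
# corresponds to steps 3 and 4 above (TS Gateway server, logon method, bypass for
# local addresses). The server and host names below are placeholders.
function New-TsGatewayRdpFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $GatewayServer,    # TS Gateway server name (step 3)
        [Parameter(Mandatory)] [string] $DestinationHost,  # terminal server behind the gateway
        [ValidateSet('AllowMeToSelectLater', 'AskForPassword', 'SmartCard')]
        [string] $LogonMethod = 'AskForPassword',
        [switch] $BypassForLocalAddresses                  # the check box in step 4
    )
    # Codes used by the gatewaycredentialssource setting for the three logon methods
    $credentialCodes = @{
        AskForPassword       = 0
        SmartCard            = 1
        AllowMeToSelectLater = 4
    }
    # gatewayusagemethod: 1 = always route through the gateway;
    # 2 = try a direct connection first (what "Bypass ... for local addresses" selects)
    $usage = if ($BypassForLocalAddresses) { 2 } else { 1 }
    $content = @"
full address:s:$DestinationHost
gatewayhostname:s:$GatewayServer
gatewayusagemethod:i:$usage
gatewaycredentialssource:i:$($credentialCodes[$LogonMethod])
gatewayprofileusagemethod:i:1
prompt for credentials:i:1
"@
    Set-Content -Path $Path -Value $content -Encoding Unicode
    return $content
}

# Example: connect to the placeholder terminal server through the placeholder gateway
New-TsGatewayRdpFile -Path "$env:USERPROFILE\Desktop\app-via-tsgateway.rdp" `
    -GatewayServer 'tsgw.example.com' -DestinationHost 'termsrv01.example.com' `
    -LogonMethod AskForPassword -BypassForLocalAddresses
```

Open the resulting file with Remote Desktop Connection (mstsc.exe) to verify that the Advanced tab shows the same gateway settings as the manual steps.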

Now, if the "destination" machine is a Windows 2008 or Vista (SP1) machine, RSA Authentication Agent 7.0.1 should be installed on it; the agent causes the user to be additionally challenged for RSA SecurID credentials. No additional configuration is required on the Agent.


The logical layout after installing RSA Authentication Agent will look as follows: (diagram not included in this text version)
Remote Desktop Connection 6.1 includes Windows Network Level Authentication (NLA). If this feature is enabled when you attempt to connect to a remote computer, you see a prompt to authenticate before you can establish a remote connection. If you use NLA with an RSA SecurID credential provider configured on the remote computer, you see two prompts to authenticate before you can access the remote desktop. One prompt opens from the local computer and the other opens from the remote computer. This is not caused by the RSA Authentication Agent application. It is a limitation of how Microsoft implements Network Level Authentication when you use a third-party credential provider.

There can be more than one prompt from Windows depending on the architecture, and the final challenge will be from RSA SecurID. Once you enter your account information and successfully authenticate through each prompt, you can access the remote computer.



NOTE: Network Level Authentication is enabled by default for Windows Vista and Windows Server 2008 operating systems.
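To confirm that the extra prompt comes from NLA on the terminal server rather than from the Agent, an administrator can read the listener's setting. The following PowerShell function is an added example, not from the RSA article; the computer name is a placeholder.

```powershell
# Added example, not from the RSA article: reads the NLA setting of the RDP-Tcp
# listener on a terminal server so an administrator can confirm why a client
# shows a Windows prompt before the SecurID prompt. The computer name is a placeholder.
function Get-RdpNlaStatus {
    param([string] $ComputerName = $env:COMPUTERNAME)
    # Win32_TSGeneralSetting exposes the listener's authentication requirements
    $listener = Get-WmiObject -ComputerName $ComputerName `
        -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
    $nlaRequired = [bool] $listener.UserAuthenticationRequired
    # Per the note above: NLA plus a third-party credential provider gives a
    # client-side Windows prompt followed by the SecurID prompt from the host
    $expected = if ($nlaRequired) {
        'Windows prompt from the local client, then SecurID prompt from the remote host'
    } else {
        'SecurID prompt from the remote host only'
    }
    [pscustomobject]@{
        ComputerName    = $ComputerName
        NlaRequired     = $nlaRequired
        SecurityLayer   = $listener.SecurityLayer   # 0 = RDP security layer, 1 = negotiate, 2 = TLS
        ExpectedPrompts = $expected
    }
}

Get-RdpNlaStatus -ComputerName 'termsrv01.example.com' | Format-List
```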


1. Install RSA Authentication Agent 7.0.1 on the Terminal Server.
2. Enable the Challenge "users in a group" option in the Security Center.
3. Log on to the machine using a SecurID-challenged user.


The user can access the Terminal Server by two ways:


  a. Terminal Client / RDP
  b. TS Web Access using http://<TSWeb Access Server>/ts/en-US/Default.aspx


The browser can be launched from any machine running Windows XP, Vista or Windows 2008 to connect to a machine with RSA Authentication Agent 7.0.1.



Login01 -- Takes Windows password
Login02 -- Takes Windows password
Login03 -- Takes RSA passcode
Expected login prompts when RSA Authentication Agent 7.0.1 is installed on Terminal Server

Terminal Service Remote Desktop Connection
------------------------------------------------------------
RDC Client      WinAgent2k8    Result
Win2k8/Vista    Win2k8         Dual Login (Login02 and Login03 screens come)
XP-SP3          Win2k8         Single Login (Login03 screen comes)

Terminal Services Web Access
------------------------------------------------------------
RDC Client      WinAgent2k8    Result
Win2k8/Vista    Win2k8         Triple Login (Login01, Login02 and Login03 screens come)
XP-SP3          Win2k8         Dual Login (Login02 and Login03 screens come)


Note: Multiple authentication prompts when accessing a remote computer using Network Level Authentication. Problem: Network Level Authentication (NLA) is a new Microsoft feature in Remote Desktop Connection 6.1 (RDC 6.1). If enabled, the local client prompts the user to authenticate before establishing the remote connection. When using NLA with an RSA SecurID credential provider configured on the remote host, the user is prompted twice to authenticate: once by the local client and once by the remote host. This is a limitation of Microsoft's NLA implementation when using third-party credential providers and is not an RSA product defect.


With NLA enabled there are two prompts: one from the network authentication and one from the GINA authentication. See the release notes below.


Multiple authentication prompts appear when accessing a remote computer that uses Network Level Authentication
Tracking Number: 11983, 118420
Problem: Remote Desktop Connection 6.1 includes Windows Network Level Authentication (NLA). If this feature is enabled when you attempt to connect to a remote computer, you see a prompt to authenticate before you can establish a remote connection. If you use NLA with an RSA SecurID credential provider configured on the remote computer, you see two prompts to authenticate before you can access the remote desktop. One prompt opens from the local computer and the other opens from the remote computer. This is not caused by the RSA Authentication Agent application. It is a limitation of how Microsoft implements Network Level Authentication when you use a third-party credential provider. Once you enter your account information and successfully authenticate through each prompt, you can access the remote computer.
NOTE: Network Level Authentication is enabled by default for Windows Vista and Windows Server 2008 operating systems. You can manually enable it on Windows XP SP3 operating systems. For more information on using Network Level Authentication, see the Microsoft web site.


Remote Desktop connection does not give SecurID prompt 

Legacy Article ID: a46045
