RDS: Remote Desktop Gateway with NPS and Cross domain identities.
This post is about configuring a Remote Desktop Gateway in Resource Domain A while consuming the identities from Identity domain B.
Setup:
- NPS in Domain A
- RDG in domain A
- MFA in Domain A
Requires a "TWO-WAY trust" with selective authentication (or domain-wide authentication, if you accept the wider exposure that brings).
Users from domain B cannot be authenticated in Domain A via the RDG until the computer accounts involved have been granted the "Allowed to authenticate" permission on the domain controllers in Domain B.
The simplest way to achieve this is by going to properties on the "Domain Controllers" OU in users and computers in domain B (RSAT tools) and going to the security Tab. (if you don't see the security tab in users and computers then make sure you've enabled "advanced features" under the view selection.)
Then, in the security tab, click the Advanced button at the bottom. This opens the "Advanced Security Settings for Domain Controllers" window. Next click the Add button. Click the "Select a principal" link and select the global group / computer (a global group containing all the computers in domain A that you want to be able to authenticate users from domain B).
Make sure the type is set to "Allow"! Then under "Applies to:" select "Descendant Computer objects". Then look in the large permission list for the "Allowed to authenticate" entry and tick it.
Reboot the NPS servers to make it take effect. You might need to reboot other servers too.
You've now set up working RDG authentication. If you're using NPS for custom authentication purposes, make sure that the conditions you have created under "Network Policies" in the NPS configuration are not nested in a single group for validation. Why? Because with a selective trust, NPS can't look inside the cross-domain global group. Add Group A and Group B separately in the policy. It would look something like:
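The same "Allowed to authenticate" grant done with PowerShell instead of the GUI, as an added example that is not part of the original post. The group name, server names and OU path are assumptions; the two GUIDs are the fixed Active Directory identifiers for the Allowed-To-Authenticate extended right and the computer object class.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory RSAT module
# and a session that can write to the Domain Controllers OU of domain B.
Import-Module ActiveDirectory

# Assumed values: change these to your environment.
$ResourceDomainDc   = 'dc01.domaina.example'       # a DC in domain A (resource domain)
$ResourceGroupName  = 'RDG-NPS-Computers'           # global group in domain A holding the RDG/NPS computer accounts
$IdentityDomainDc   = 'dc01.domainb.example'       # a DC in domain B (identity domain)
$DcOuDn             = 'OU=Domain Controllers,DC=domainb,DC=example'

# Fixed AD schema GUIDs (not assumptions):
$AllowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'  # extended right "Allowed-To-Authenticate"
$ComputerClassGuid     = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # schema class "computer"

# Resolve the domain A group to its SID on a domain A DC, so that no name lookup
# has to cross the selective trust while we edit the ACL in domain B.
$groupSid = (Get-ADGroup -Identity $ResourceGroupName -Server $ResourceDomainDc).SID

# Build the ACE: Allow / ExtendedRight / Allowed-To-Authenticate,
# inherited by descendant objects of class "computer" only (the DCs).
$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $AllowedToAuthenticate,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $ComputerClassGuid
)

# Bind to the OU on a domain B DC and append the ACE to its security descriptor.
$ou = [ADSI]"LDAP://$IdentityDomainDc/$DcOuDn"
$ou.ObjectSecurity.AddAccessRule($ace)
$ou.CommitChanges()

# Read the ACL back and show only the Allowed-To-Authenticate entries, so you can
# confirm the grant is present, set to Allow, and scoped to descendant computers.
$ou.RefreshCache()
$ou.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.ObjectType -eq $AllowedToAuthenticate } |
    Select-Object IdentityReference, AccessControlType, InheritanceType, InheritedObjectType
```

The read-back at the end should list the domain A group's SID with AccessControlType Allow and InheritedObjectType equal to the computer class GUID; the NPS and RDG servers still need the reboot described above before the grant is used.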
Condition: Users Groups
Value: Domain A\Group A (domain A users) OR Domain B\group B (domain B users)