In our environment we used the Fortiweb in front of the RDS Gateway. This takes care of the 2FA.
This works fine. The only problem is the SSO part; I have not found out yet how to push the credentials to the RDP part of the connection. (The connection is divided into 2 parts: first the RDWEB authentication (IIS) and then an RDP, AD authentication.)
@vcuramichael, it is also possible to do this with the NPS and forward the RADIUS request to the FortiAuthenticator. This works fine, only as far as I know there is no SSO yet. This is because the RDP authentication is different than the RDWEB authentication part.
Another thing to consider is the RDP part. Without 2FA you click on the RDP link and the RDP link is downloaded to the client. This RDP link can also be opened directly without going to the RDWEB web page. With 2FA you only authenticate with 2FA against the RDWEB, not the RDP. So when you open the RDP link locally you bypass the 2FA. I have not found a solution for this yet.
There is 1 workaround, and that is not doing the 2FA against the RDS gateway, but doing this on the RDS servers. So the first authentication is on the website, and when you click the link you are presented with the RDP login where you use the tokencode to log in.
I have been trying to have NPS forward RADIUS requests to FA and it does; the only issue is the request doesn't have the User-Password attribute in it and I always get invalid password. Can you point me in the right direction? How did you get two-factor authentication for RDS having NPS forward the authentication to an external RADIUS?
@Ahmed, did you try to put the tokencode+password in the password field at the logon page? The NPS webpage does not have a field for the token code (as far as I know).
@Benji, we noticed that a setup with the FortiWeb was not the best from a user point of view. This is because we could not provide SSO. What we did eventually was use the RDS WEB for normal user ID/password authentication, and use the FortiAuthenticator agent on the RDP servers for the token authentication.