Hi,
I'm working on a solution with the Fortiweb and a RDS Gateway and 2FA (fortiauthenticator).
I've got the 2FA part working with the RDS Gateway. Users get a login page and after they are authenticated they are redirected to the RDWEB page. All is fine.
Now i got a security issue where users are able to bypass the 2FA.
When you access the RDWEB page and click on a RDP session a RDP link is downloaded to the client. In normal situation this is opened immediately. Now when i log out and click on the RDP link can authenticate directly to the RDS Gateway, and are bypassing the Fortiweb Authentication page and the 2FA. This is always posible, even several days after the last login.
I Configured a session cookie timeout, but this does not seem to fix this issue. I think i am missing something like a session timeout or something.
FortiWeb-VM 5.50,build0697
Any help is appreciated!
Regards, Alex
Alex Wassink
NSE4,5,7,8 CCNP, ACMP, VCP6-NV
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Are you using security groups for 2FA?
With security groups, are you refering to the fortiauthenticator ?
The direct opening of the RDP file does not get authenticated against the Fortiauthenticator, but this goes straight to the RDS Gateway, there it is authenticated against AD. (so no 2fa)
The Fortiweb is stil in the middle of the connection but does not stop this direct connection..
Alex Wassink
NSE4,5,7,8 CCNP, ACMP, VCP6-NV
I figured it out, When the RDP link is opened it goes to another folder witch does not have authentication on it so that's why it is passing it. If i put authentication on that folder "RDP over https" is not working anymore.
This is because Authentication is not passed from the browser to the RDP application (mstsc) You should see it like you click on a link in chrome and a firefox page is opened. an all new application so an all new authentication process. So an authentication cookie does not work in this situation.
Does anyone know if you can authenticate a session regardless of which application makes the initial connection ? so when you open a second browser (this case RDP/mstsc) you do not have to authenticate again ?
Alex Wassink
NSE4,5,7,8 CCNP, ACMP, VCP6-NV
I am a little confused on your deployment and layout. I also see that you were able to resolve part of the problem. Can you go into more detail on the part of the issue that still exists?
Mike Pruett
It's sort of resolved, as i know now what is happening with the application. i can authenticate the second request, but then the application does not work anymore. It is actually as (badly) designed by Microsoft.
The setup is as followed;
First the browser is authenticated by fortiweb for the RDWeb (IIS) then a second connection is made via the RDP application (MSTSC) to the RDGateway. The second connection needs to be authenticated again because it is a new connection coming from a new source application.
So now a new question appears, how can i make this work so when the change from the browser to the RDP application is made, the RDP application does not need to be authenticated again ?
Regards, Alex
Alex Wassink
NSE4,5,7,8 CCNP, ACMP, VCP6-NV
alex Wassink wrote:Hello Alex we are dealing with the same problem.I figured it out, When the RDP link is opened it goes to another folder witch does not have authentication on it so that's why it is passing it. If i put authentication on that folder "RDP over https" is not working anymore.
This is because Authentication is not passed from the browser to the RDP application (mstsc) You should see it like you click on a link in chrome and a firefox page is opened. an all new application so an all new authentication process. So an authentication cookie does not work in this situation.
Does anyone know if you can authenticate a session regardless of which application makes the initial connection ? so when you open a second browser (this case RDP/mstsc) you do not have to authenticate again ?
Can you give information about the folder for the rdp link where you need to put authentication on to resolve this issue ?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1546 | |
1030 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.