We use an RD Gateway that authenticates against an MFA enabled NPS (RADIUS) server. At each connection through the gateway, an MFA prompt appears on our phones. It works great MOST of the time.
Here's my issue...
When I miss the MFA prompt, RDM spins until the connection times out, but subsequent connection attempts for that server entry, or any others that use the same RD Gateway, do not trigger an MFA prompt. Only when I exit out of RDM (having to close any and all open sessions), reopen RDM and try to connect again am I getting an MFA prompt.
Is there some sort of client side information or token that is being held on to and passed to the RD Gateway that isn't cleared out until the console is closed?
If I configure a standard non-RDM RDP session to go through the gateway, I can miss and even deny the MFA prompts, and I'll have no issue getting another prompt when I try again immediately.
Thanks!
Hi,
I have to admit my knowledge of RDP MFA with the RD Gateway is quite limited; can you elaborate on the type of deployment you have? Does restarting RDM work? Is it using smartcards for MFA? We've had an issue recently with a customer reporting that his smartcard wasn't getting properly disconnected in RDP sessions until RDM was restarted, but mstsc.exe with the external mode works. We've unfortunately been unable to figure out the root cause of the problem, and I wouldn't be surprised if there's a bug in the Microsoft RDP ActiveX control that doesn't free all smartcard-related resources until the parent process is terminated.
Here's the best guide I could find for a similar RD Gateway + MFA setup, maybe use it as a comparison to describe your own deployment.
Best regards,
Marc-André Moreau