How to set up Multi-Factor Authentication on RDP

Configure MFA for RDP easily with specialized services


Key notes

  • To use multi-factor authentication on RDP you can always rely on third-party services.
  • If you prefer Microsoft products, you can also use Azure to set up MFA.

Many people use Remote Desktop Protocol (RDP) to access remote PCs. If you want to take your security to a new level, we suggest using multi-factor authentication for RDP.

MFA is extremely useful, and if you’re using VPNs, be sure to check our guide on how to set up MFA for VPN. Setting multi-factor authentication doesn’t have to be difficult; in today’s guide, we will show you the best ways to do it.

How can I set up multi-factor authentication in RDP?

1. Use ADSelfService Plus

  1. Log in to the ADSelfService Plus admin portal.
  2. Next, navigate to Configuration and then choose Multi-factor Authentication. Lastly, pick Authenticators Setup.
  3. Click on Choose the Policy and select the desired one.
  4. Configure the authenticators according to your organization’s needs.
     
  5. Next, head over to Configuration. Choose Multi-factor Authentication and then select MFA for Endpoints.
  6. In the MFA for Machine Login section, check Enable _ factor authentication for machine login. After that, choose the authentication factors that you want to use.
  7. Lastly, select the desired authentication methods and click on Save Settings.

Do not hesitate to give it a try as well!


2. Use Azure Multi-Factor Authentication

Configure the Remote Desktop Gateway

  1. Open RD Gateway Manager, right-click the desired server, and choose Properties.
  2. Head to the RD CAP Store tab and choose Central server running NPS.
  3. Add one or more Azure Multi-Factor Authentication Servers as RADIUS servers. You can do that by entering the server’s IP address.
  4. Lastly, create a shared secret for each server.

Change the timeout policy

  1. Open NPS and expand RADIUS Clients and Servers. Next, select Remote RADIUS Server Groups.
  2. Choose TS GATEWAY SERVER GROUP and go to the Load Balancing tab.
  3. Locate the following settings: Number of seconds without response before request is considered dropped and Number of seconds between requests when server is identified as unavailable. Set them to 30-60 seconds.
  4. Lastly, go to the Authentication/Accounting tab and check that the RADIUS ports match the MFA Server ports.

If you want to exclude a user from MFA on Azure, this guide will come in handy.

Prepare NPS for MFA authentication

  1. Right-click RADIUS Clients and select New.
  2. Now add Azure Multi-Factor Authentication Server as RADIUS client. Choose a Friendly name and specify a shared secret.
  3. Now head to the Policies menu and select Connection Request Policies.
  4. Right-click the TS GATEWAY AUTHORIZATION POLICY and choose Duplicate Policy.
  5. Open the new policy and head to the Conditions tab.
  6. Add a condition that matches the Client Friendly Name with the Friendly name you chose in step 2.
  7. Now head to the Settings tab and choose Authentication.
  8. After that, change the Authentication Provider to Authenticate requests on this server.
  9. Lastly, ensure the new policy is set above the original policy in Connection Request Policies. This will prevent loop conditions from occurring.

Configure Azure Multi-Factor Authentication

  1. Open Azure Multi-Factor Authentication Server and select RADIUS.
  2. Now check Enable RADIUS authentication.
  3. Navigate to the Clients tab and make sure that ports match the ones configured in NPS. After that, click Add.
  4. Add the RD Gateway server IP address, application name, and a shared secret. Keep in mind that the secret needs to be the same on both Azure Multi-Factor Authentication Server and RD Gateway.
  5. Go to the Target tab and select the RADIUS server(s).
  6. Click on Add and enter the IP address, shared secret, and ports of the NPS server.
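
Why the shared secret has to be identical on both ends: every RADIUS reply carries an MD5 Response Authenticator computed over the packet and the secret (RFC 2865), and the receiver silently discards a reply whose authenticator does not verify. The Python sketch below is an added example, not code from this guide or from Microsoft; the secrets, packet ID and attribute are constructed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2  # RADIUS code for Access-Accept (RFC 2865)


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865."""
    length = 20 + len(attrs)  # 20-byte header plus attributes
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code, ident, attrs, request_auth, secret):
    """Serialize a reply the way the answering RADIUS server would."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def verify_reply(packet, request_auth, secret):
    """Return True only if the reply was built with the same shared secret."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)


def demo():
    request_auth = os.urandom(16)        # per-request random authenticator
    attrs = bytes([18, 4]) + b"ok"       # constructed Reply-Message attribute
    good = b"constructed-secret-A"       # secret entered on the sending side
    typo = b"constructed-secret-a"       # one-character mismatch on the other side
    reply = build_reply(ACCESS_ACCEPT, 7, attrs, request_auth, good)
    return (verify_reply(reply, request_auth, good),
            verify_reply(reply, request_auth, typo))


if __name__ == "__main__":
    same, mismatched = demo()
    print("matching secret accepted:", same)
    print("mismatched secret accepted:", mismatched)
```
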

Setting up multi-factor authentication for RDP can be complicated, depending on your service.

However, some services are more straightforward to configure than others, so use the ones that match your needs. To find suitable software for these needs, we suggest using one of these multi-factor authentication software tools.

What methods do you use for MFA for RDP? Let us know in the comments section below.
