Microsoft RDS with Mideye+ App
Introduction
This integration guide describes how to integrate Mideye Touch-Accept with Remote Desktop Services on Windows Server 2016, 2019, and 2022.
Requirements and Limitations
- Touch Accept with the Mideye+ app on Android and iPhone requires Mideye Server release 4.7.2 or later.
- Magic Link Authentication (no app required) requires Mideye Server release 6.1.4 or later, and your outgoing IP address must be opened in your own firewall and in the Mideye Central system.
- RDG on Windows Server 2022 with the KB5040268 update requires Mideye Server release 6.4.4 or later.
Important
RD Gateway and its local NPS do not handle RADIUS Access-Challenge packets, so the login cannot pause to ask the user for a code. Only the Mideye+ app or Magic Link Touch Accept can therefore be used to log in to RDS shared applications (RemoteApp). The user is not prompted in the app when logging in to the RDS web page; multi-factor authentication happens when the user opens the connection to the application through the RD Gateway.
Prerequisites
- A functional RDS environment installed with a Remote Desktop Gateway. (This server will have an NPS installed, referred to as RDS-NPS in the documentation.)
- The correct version of Mideye Server for the required use case.
- A second NPS Server, either on the Mideye Server or another server. (This is referred to as Remote-NPS in the documentation.)
- Mideye Server up and running with LDAP connection and a connection to the Mideye Central System.
- If Magic Links are used, the Mideye Server requires an HTTPS connection to mas.mideyecloud.se.
- All shared secrets must be identical, since the Mideye Server simply proxies the requests between the NPSs. Use one long, random secret: RADIUS relies on it both to hide the User-Password attribute and to authenticate replies, and a mismatch on any hop shows up as silently dropped replies rather than a clear error.
Warning
If the Mideye Server is pointed to the RDS-NPS instead of the Remote-NPS, it will create an infinite loop of packet forwarding. Therefore, another NPS server is required.
How It Works
- The user logs in to the RDS web page (RD Web Access) with a username and password.
- The user downloads the RDP file, opens it, types the username and password, and connects.
- The RDP file contains the address of the RD Gateway, so the login is sent to the Remote Desktop Gateway.
- The Remote Desktop Gateway passes the login to the RDS-NPS, which is installed locally together with the RDG service.
- The RDS-NPS forwards the RADIUS Access-Request to the Mideye Server.
- The Mideye Server proxies the RADIUS request to the Remote-NPS.
- The Remote-NPS verifies the user against the policies configured on that server, such as domain user group membership.
- The Remote-NPS returns an Access-Accept if the user is in the correct domain user group, otherwise an Access-Reject.
- The Mideye Server looks up the user's phone number in Active Directory.
- The Mideye Server sends a push notification to the Mideye+ app, or a Magic Link via SMS, which the user accepts or rejects.
- The Mideye Server returns an Access-Accept or Access-Reject to the RDS-NPS.
- The RDS-NPS forwards the response to the Remote Desktop Gateway.
- The user's application is opened or declined depending on whether they are in the correct group and have accepted the login via Mideye+ or Magic Link.
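The RADIUS exchange described above, as an added example that is not code from this page or from Mideye: a self-contained Python simulation of the three hops, RDS-NPS to Mideye Server to Remote-NPS, using the RFC 2865 packet format (User-Password hiding and the Response Authenticator). It assumes, as the prerequisite about identical shared secrets implies, that the Mideye Server forwards the Access-Request unchanged and only adds its Touch Accept step; the user records, the Touch Accept callback, the class names and the secrets are constructed test data, not Mideye's implementation. It shows what the shared-secret checks in Troubleshooting are about: a mismatched secret on any hop does not produce an Access-Reject but a reply whose Response Authenticator fails to verify, which the receiving side silently discards (the "dropped" result, which NPS then reports as a timeout), whereas a wrong password, a user outside the RDG group, or a declined Touch Accept yields an ordinary Access-Reject.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; with the wrong secret this yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret):
    """Access-Request with a random Request Authenticator, User-Name and hidden User-Password."""
    request_auth = os.urandom(16)
    attrs = b""
    for attr_type, value in ((USER_NAME, username), (USER_PASSWORD, hide_password(password, secret, request_auth))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse_attrs(packet):
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def build_response(code, request, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_response(response, request, secret):
    """A RADIUS client silently discards replies whose Response Authenticator does not verify."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


class RemoteNps:
    """Stand-in for Remote-NPS: checks the password and the RDG user group (constructed data)."""

    def __init__(self, secret, users, rdg_group):
        self.secret, self.users, self.rdg_group = secret, users, rdg_group

    def handle(self, request):
        attrs = parse_attrs(request)
        user = attrs[USER_NAME].decode(errors="replace")
        password = reveal_password(attrs[USER_PASSWORD], self.secret, request[4:20])
        account = self.users.get(user)
        ok = account is not None and account["password"] == password and self.rdg_group in account["groups"]
        return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, self.secret)


class MideyeProxy:
    """Stand-in for the Mideye Server (assumption): forwards the request unchanged, then requires Touch Accept."""

    def __init__(self, secret, remote_nps, touch_accept):
        self.secret, self.remote_nps, self.touch_accept = secret, remote_nps, touch_accept

    def handle(self, request):
        reply = self.remote_nps.handle(request)
        if not verify_response(reply, request, self.secret):
            return None  # Remote-NPS used a different secret: reply discarded, request times out
        if reply[0] != ACCESS_ACCEPT:
            return build_response(ACCESS_REJECT, request, self.secret)
        user = parse_attrs(request)[USER_NAME].decode(errors="replace")
        return build_response(ACCESS_ACCEPT if self.touch_accept(user) else ACCESS_REJECT, request, self.secret)


def rdg_login(username, password, rds_nps_secret, mideye):
    """RDS-NPS side of the exchange; returns 'accept', 'reject' or 'dropped' (the NPS timeout case)."""
    request = build_access_request(7, username.encode(), password.encode(), rds_nps_secret)
    reply = mideye.handle(request)
    if reply is None or not verify_response(reply, request, rds_nps_secret):
        return "dropped"
    return "accept" if reply[0] == ACCESS_ACCEPT else "reject"


# Constructed test data: one user in the RDG group, one outside it.
SECRET = b"constructed-shared-secret"
USERS = {
    "alice": {"password": b"Winter2024!", "groups": {"rdg_users"}},
    "bob": {"password": b"hunter2", "groups": {"domain users"}},
}


def make_chain(remote_nps_secret=SECRET, touch_accept=lambda user: True):
    return MideyeProxy(SECRET, RemoteNps(remote_nps_secret, USERS, "rdg_users"), touch_accept)


if __name__ == "__main__":
    print(rdg_login("alice", "Winter2024!", SECRET, make_chain()))                              # accept
    print(rdg_login("alice", "Winter2024!", SECRET, make_chain(touch_accept=lambda u: False)))  # reject
    print(rdg_login("bob", "hunter2", SECRET, make_chain()))                                    # reject
    print(rdg_login("alice", "Winter2024!", SECRET, make_chain(remote_nps_secret=b"other")))    # dropped
```

Note that a secret mismatch between RDS-NPS and the Mideye Server produces the same "dropped" outcome as one between the Mideye Server and Remote-NPS: the request still travels all the way, the password decodes to garbage at Remote-NPS, and the resulting reject is discarded at the hop whose secret differs. This is why the troubleshooting list asks you to compare the secret at all four places rather than look for an error message.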
Network Policy Server (NPS)
An NPS must be configured and added to the LDAP profile on the Mideye Server. Refer to the section Network Policy Server in the reference guide for instructions on how to add and configure an NPS. Note that this NPS is not the one installed on the Remote Desktop Gateway; the NPS used by the Mideye Server (Remote-NPS) must be installed on a different server.
1. Remote Desktop Gateway Configuration
- Open the Remote Desktop Gateway Manager from Server Manager, right-click the server, and select "Properties."
- Navigate to “RD CAP Store” and select “Central server running NPS.”
- Enter the hostname or IP address of the Mideye Server and click “Add.” Add a shared secret.
- Change authentication to “Central server running NPS” and add the Mideye Server.
Important
This shared secret should be noted and later used when adding the RD Gateway as a RADIUS client in Mideye Server and adding the Mideye Server to Remote-NPS.
2. RDS-NPS Configuration
Since RD Gateway does not speak RADIUS itself, it uses the local Network Policy Server to send RADIUS requests. The default timeouts on the RDS-NPS are too short and need to be adjusted, so that the RD Gateway does not give up on the request before the user has had time to accept the login in the Mideye+ app or via the Magic Link.
- On the RD Gateway server, open NPS and navigate to the "RADIUS Clients and Servers" menu in the left column, then select “Remote RADIUS Server Groups.”
- Select the “TS GATEWAY SERVER GROUP.”
- In the "Authentication/Accounting" tab, verify that the RADIUS port matches the Mideye Server's RADIUS ports.
- In the "Load Balancing" tab, set "Number of seconds without response before request is considered dropped" and "Number of seconds between requests when server is identified as unavailable" to 35 seconds.
3. Remote-NPS Configuration
- In Server Manager, open Network Policy Server from the Tools menu.
- Expand RADIUS Clients and Servers, then right-click RADIUS Clients and select "New."
- Choose a friendly name (this is used in the connection request policy), enter the IP of the Mideye Server, and specify the shared secret from step 1. Remote Desktop Gateway Configuration.
- Create a new connection request policy for the Mideye Server. Example configuration:
  - Name: mideye_connection_policy
  - Type of network access server: Remote Desktop Gateway
  - Conditions:
    - NAS Port Type: Virtual (VPN)
    - Client Friendly Name: MIDEYE_SERVER (must match the friendly name of the RADIUS client created above)
  - Authentication: Authenticate requests on this server
- Click Next, Next, and Finish to complete the wizard.
- Create a new network policy for the Mideye Server. Example configuration:
  - Name: mideye_network_policy
  - Type of network access server: Remote Desktop Gateway
  - Conditions:
    - User Groups: DEV\rdg_users (select the domain group that may access RDG apps)
  - Access Permission: Access granted
  - Authentication Methods: check only "Allow clients to connect without negotiating an authentication method"
- Click Next, Next, and Finish to complete the wizard.
4. Configure Mideye Server
4.1 Add RADIUS Shared Secret for RDS-NPS in Mideye Server
- Log in to the Mideye WebGUI.
- Expand RADIUS Settings and click RADIUS Shared Secrets.
- Create a new shared secret with the IP of the RDS-NPS (the RD Gateway server) and the shared secret noted in 1. Remote Desktop Gateway Configuration.
- In the left menu, select RADIUS Clients and add a new RADIUS client.
- Set a friendly name; the IP must be the RDS-NPS IP (the same IP as in the shared secret created above).
- In the User Repositories tab, select your configured LDAP server.
- In the Username Filtering tab, select the filter method PREFIX.
- Save, then select Network Policy Server from the left pane and configure the Remote-NPS there, as described in the section Network Policy Server above.
Troubleshooting
- Verify that all shared secrets are the same:
  - RDS-NPS Remote RADIUS Server Group (for connecting to Mideye)
  - Mideye Server RADIUS Shared Secrets (for allowing RDS-NPS)
  - Mideye Server Network Policy Server (for connecting to Remote-NPS)
  - Remote-NPS RADIUS Client (to allow Mideye Server)
- Verify that all servers can reach each other on UDP port 1812 (or the RADIUS port configured on the Mideye Server). RADIUS is UDP, so a TCP port test does not prove the path is open; check the firewall rules or capture traffic on the receiving side.
- If the user receives a touch accept but can't connect to the RDG session, there may be an issue with the connection from Mideye Server to RDS-NPS.
- If the Remote-NPS rejects the Mideye Server user, it could be due to one of the following:
- Incorrect shared secret in Mideye Server or Remote-NPS
- Incorrect IP in the Remote-NPS RADIUS Client
- Client Friendly Name is incorrect in mideye_connection_policy
- User is not in the User Groups specified in mideye_network_policy
- The authentication method “Allow clients to connect without negotiating an authentication method” is not selected in the mideye_network_policy.