HOWTO: Secure VMware Horizon with Azure MFA through its NPS Extension


This week, one of my customers is switching to Azure multi-factor authentication as their only multi-factor authentication solution for their employees. As the organization leverages VMware Horizon, this implementation needs to be switched to Azure MFA as well.

Here’s how we secured their VMware Horizon implementation with Azure MFA through the Azure MFA NPS Extension:

Why use multi-factor authentication for Horizon?

Organizations face multiple challenges, including (but not limited to):

  • tackling current consumer cloud adoption problems
  • adhering to privacy regulations
  • achieving productivity

User cloud adoption problems

Today’s cloud applications and services allow sign-ins with email addresses, as it’s currently the only truly global identifier for people. However, as cloud applications and services are breached, credential sets fall into the hands of malicious people. Through credential stuffing attacks, they take these leaked credentials and try them on your organization’s public-facing applications and services.

Privacy regulations

To adhere to privacy regulations, organizations deploy virtual desktop solutions to provide a secure means to achieve productivity with the organization’s sensitive data. There are many virtual desktop solutions on the market today, and VMware’s Horizon product is a popular choice for organizations.

1 + 1 = ?

However, when a malicious person gains access to the ‘secure’ productivity platform of an organization through stuffed credentials, the organization has a big problem.

Multiple MFA methods

With Microsoft cloud services on the rise, another problem might also arise: disparate multi-factor authentication methods for users. It’s counter-intuitive for people to have to use one multi-factor authentication method for one system or platform the organization uses, and another method for another. The hassle of keeping more than one method up to date for people who change phone numbers and/or phones yearly grows exponentially with each multi-factor authentication method added.

Note:
In my opinion, administrators should get used to multiple multi-factor authentication methods and solutions, to avoid getting locked out by a single multi-factor authentication solution acting up.

Getting ready

Before following the below steps, make sure you meet the following prerequisites:

  • Implement one or more additional Windows Server-based virtual machines to act as the Network Policy Server (NPS) server(s) for Horizon. Make sure they run Windows Server 2016 or later. Implement the server(s) on the same network as the Active Directory Domain Controllers.
  • Provide network connectivity between the new NPS Server(s) and the Horizon implementation. Take care of any routes and firewall configurations. Horizon View’s Connection Server(s) need access to the NPS Server(s) using UDP 1812 and UDP 1813.
  • Provide network connectivity between the new NPS Server(s) and Azure Active Directory. The NPS Server(s) need TCP 80 and TCP 443 access to these addresses:
      • https://adnotifications.windowsazure.com
      • https://login.microsoftonline.com
      • https://credentials.azure.com
      • https://provisioningapi.microsoftonline.com
      • https://aadcdn.msauth.net
      • https://*.nuget.org
      • https://nuget.cdn.azure.cn
  • You need the credentials for an account in Active Directory to join the NPS Server(s) to Active Directory.
  • You need the credentials to sign in to the NPS Server with an account that has local administrator privileges.
  • You need the credentials to sign in to the Horizon implementation with an account that has administrator privileges and access to Horizon Console.
  • You need the credentials for an account in Azure Active Directory that has the Global Administrator role.
  • Make sure all user accounts in Active Directory who will use Azure MFA with Horizon are synchronized to Azure Active Directory.
  • Make sure all persons who will use Horizon with Azure MFA have completed their one-time registration for Azure Multi-factor Authentication and are assigned the Azure AD Premium P1 stand-alone subscription license or a license bundle that includes Azure AD Premium P1.
  • Download the latest version of the NPS Extension for Azure MFA and place it on the disk of the NPS Server(s), so it’s available for installation.
  • Download the Visual C++ Redistributable Packages for Visual Studio 2013 (X64) and place it on the disk of the NPS Server(s), so it’s available for installation.
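Before starting the installation, it pays to verify the network prerequisites above from the NPS Server itself. The following PowerShell pre-flight check is an added example, not part of the original post: it resolves and probes the Domain Controllers, probes each Azure AD endpoint on TCP 443, and, once the NPS role is in place, confirms the RADIUS listener. The domain name nlan.local is the one used in the domain join step later in this post; api.nuget.org is an assumed stand-in for the *.nuget.org wildcard, which a port probe cannot resolve.

```powershell
# Added example (not from the original post): pre-flight check for the NPS Server prerequisites.
# Assumptions: nlan.local is the Active Directory domain from this post; api.nuget.org stands in
# for the *.nuget.org wildcard. Only TCP 443 is probed here; the firewall also needs TCP 80 open
# to the same hosts, per the list above.

$Domain    = "nlan.local"
$Endpoints = @(
    'adnotifications.windowsazure.com',
    'login.microsoftonline.com',
    'credentials.azure.com',
    'provisioningapi.microsoftonline.com',
    'aadcdn.msauth.net',
    'api.nuget.org',
    'nuget.cdn.azure.cn'
)

$failed = @()

# Domain Controllers must be reachable: the SRV records locate them, then LDAP (TCP 389) is probed.
$dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
if (-not $dcs) { $failed += "No SRV records for $Domain; check the DNS server settings of this VM" }
foreach ($dc in ($dcs | Where-Object NameTarget)) {
    if (-not (Test-NetConnection -ComputerName $dc.NameTarget -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded) {
        $failed += "LDAP to $($dc.NameTarget) blocked"
    }
}

# Outbound to the Azure AD / NPS Extension endpoints.
foreach ($h in $Endpoints) {
    $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    if (-not $r.TcpTestSucceeded) { $failed += "${h}:443 blocked" }
}

# RADIUS itself is UDP 1812/1813 inbound from the Horizon Connection Servers. Test-NetConnection
# cannot probe UDP, so after the NPAS role is installed confirm the listener locally instead.
if ((Get-WindowsFeature NPAS).Installed -and -not (Get-NetUDPEndpoint -LocalPort 1812 -ErrorAction SilentlyContinue)) {
    $failed += "NPAS is installed but nothing listens on UDP 1812; check the Network Policy Server service"
}

if ($failed) { $failed | ForEach-Object { Write-Warning $_ } } else { Write-Output "All prerequisite checks passed" }
```

Run it in an elevated session on each NPS Server; every warning maps to one of the prerequisites above (DNS, a route or firewall rule towards the Domain Controllers or Azure AD, or the NPS service itself).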

How to get the Azure AD Tenant ID

The configuration of the NPS Extension for Azure MFA needs the Azure AD tenant ID as input. To get this ID, follow these steps:

  • Open a web browser.
  • Navigate to the Azure AD Portal.
  • Sign in with an Azure AD account that has privileges to access the Azure AD data.
    As one of the prerequisites is the credentials of an Azure AD account with Global Administrator privileges, you can use that account, but you may opt to use a lesser privileged Azure AD account.
  • Perform multi-factor authentication, when prompted.
  • In the left navigation pane, click on Azure Active Directory.
  • In Azure Active Directory’s navigation pane, click on Properties.
  • Copy the value from the Tenant ID field.
  • Close the web browser.

How to install the NPS Server

Follow these steps to install the NPS Server with the required components:

  • Sign in to the NPS Server with local administrator privileges.
  • Start an elevated Windows PowerShell session and issue the following lines of Windows PowerShell to join the Windows Server installation to Active Directory:
  • Add-Computer -DomainName "nlan.local"
  • Restart-Computer
  • After the Windows Server installation reboots, sign in with an Active Directory account that provides local administrator privileges to the NPS Server.
  • Start an elevated Windows PowerShell session.
  • Run the following line of Windows PowerShell to install the Network Policy and Access Services (NPAS) role:
  • Install-WindowsFeature NPAS -IncludeManagementTools
  • Run the following line of Windows PowerShell to install the AzureAD PowerShell module. Follow the on-screen instructions.
  • Install-Module AzureAD
  • Run the Visual C++ Redistributable Package for Visual Studio 2013 to install it. Follow the on-screen instructions.
  • Run setup.exe from the NPS Extension for Azure MFA to install it. Follow the on-screen instructions.
  • Run the following lines of Windows PowerShell to configure the Azure MFA NPS Extension:
  • cd "C:\Program Files\Microsoft\AzureMfa\Config"
  • .\AzureMfaNpsExtnConfigSetup.ps1
  • When prompted, sign in with the Azure AD account with Global Administrator privileges.
  • Paste the Azure AD tenant ID.
  • Close the PowerShell window.

Repeat the above steps on the second NPS Server.
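The same build, as one PowerShell script you can run on each NPS Server, is added here as an example and is not part of the original post. It follows the steps above in order and adds two things a practitioner wants: the TLS 1.2 setting the PowerShell Gallery requires before Install-Module works, and a post-configuration check that the extension is actually registered with the tenant and set to fail closed for users who have not registered for MFA. The domain name nlan.local is the one from the post; the C:\Install folder and the installer file names are assumptions for where you placed the downloads.

```powershell
# Added example (not from the original post): the NPS Server build steps, scripted end-to-end.
# Run in an elevated PowerShell session on the new NPS Server. Assumptions: nlan.local is the
# domain from the post; C:\Install and the installer file names are placeholders for your downloads.

$DomainName   = "nlan.local"
$InstallDir   = "C:\Install"
$VcRedist     = Join-Path $InstallDir "vcredist_x64.exe"                 # VC++ 2013 x64 redistributable
$NpsExtnSetup = Join-Path $InstallDir "NpsExtnForAzureMfaInstaller.exe"  # assumption: NPS Extension setup file name

# Step 1: domain join, then reboot. Re-run the script after the reboot; this block is then skipped.
if ((Get-CimInstance Win32_ComputerSystem).Domain -ne $DomainName) {
    Add-Computer -DomainName $DomainName -Credential (Get-Credential -Message "AD account allowed to join computers")
    Restart-Computer -Force
    return
}

# Step 2: Network Policy and Access Services role, including the NPS management console.
Install-WindowsFeature NPAS -IncludeManagementTools

# Step 3: AzureAD module. The PowerShell Gallery only accepts TLS 1.2; on Windows Server 2016
# Install-Module fails with a download error until the session is pinned to it.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
if (-not (Get-Module -ListAvailable -Name AzureAD)) {
    Install-Module AzureAD -Scope AllUsers -Force
}

# Step 4: Visual C++ 2013 redistributable (unattended), then the NPS Extension installer (interactive).
Start-Process -FilePath $VcRedist -ArgumentList "/install", "/quiet", "/norestart" -Wait
Start-Process -FilePath $NpsExtnSetup -Wait

# Step 5: register the extension with the tenant. The script prompts for the Global Administrator
# sign-in and the tenant ID; it creates a self-signed certificate in the local machine store and
# binds it to the "Azure Multi-Factor Auth Client" service principal in Azure AD.
Set-Location "C:\Program Files\Microsoft\AzureMfa\Config"
.\AzureMfaNpsExtnConfigSetup.ps1

# Step 6: verify, and fail closed. TENANT_ID and CLIENT_ID are written by the setup script.
# REQUIRE_USER_MATCH=TRUE (the default) makes the extension deny users who are not registered
# for Azure MFA; setting it explicitly guards against someone flipping it to FALSE, which would
# let those users into Horizon with a password only.
$mfaKey = "HKLM:\SOFTWARE\Microsoft\AzureMfa"
$cfg = Get-ItemProperty -Path $mfaKey
if (-not $cfg.TENANT_ID -or -not $cfg.CLIENT_ID) { throw "NPS Extension is not registered with the tenant; re-run AzureMfaNpsExtnConfigSetup.ps1" }
Set-ItemProperty -Path $mfaKey -Name REQUIRE_USER_MATCH -Value "TRUE" -Type String
Restart-Service IAS   # the Network Policy Server service (IAS) reads the extension settings at start
```

The final step is the one most often skipped: the extension only protects Horizon if every user it sees is either challenged or denied, which is exactly what REQUIRE_USER_MATCH=TRUE enforces for accounts that have not completed their Azure MFA registration.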

How to configure the NPS Server

Follow these steps to configure the NPS Server settings:

  • Open the Network Policy Server management console from either Server Manager’s Tools menu, or the Administrative Tools folder in the Start Menu.
  • Right-click the NPS (Local) node in the top left corner of the navigation screen and click on the Register server in Active Directory menu item.
  • Next, right-click on the RADIUS Clients node in the navigation screen. Click New.
    The New RADIUS Client window appears.
  • Make these changes:
    • Select the Enable this RADIUS client option.
    • Specify a meaningful value in the Friendly name: field.
    • Define the IP address or fully qualified domain name of the Horizon View Connection Server you want to configure with Azure MFA in the Address (IP or DNS): field.
    • Specify a shared secret in the Shared secret: and the Confirm shared secret: fields. RADIUS uses this secret to authenticate the packets exchanged between the Horizon Connection Server and the NPS Server and to hide the User-Password attribute; it does not encrypt the rest of the traffic. Use a long, random secret and keep the RADIUS path on a trusted network segment.
    • Click OK.
  • Create RADIUS clients for each Horizon Connection Server you’d want to configure.
  • Next, right-click on the Network Policies node in the navigation screen.
  • Duplicate the default Connections to other access servers network policy.
  • Assign priority 1.
  • Make two changes in the duplicated network policy:
    1. Check the Policy enabled option in the Policy State area.
    2. Check the Grant access. Grant access if the connection request matches this policy option in the Access Permission area.

[Screenshot: AzureMFA NPS Settings]

  • Save the network policy by clicking OK.
  • Close the Network Policy Server management console.
  • Sign out.
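The RADIUS client part of this configuration can also be done from PowerShell with the NPS module, which makes it easy to keep both NPS Servers identical and to generate a secret stronger than anything typed by hand. The script below is an added example and not part of the original post; the Connection Server names and addresses are assumptions, as is the decision to share one secret across the Connection Servers (the post configures one per RADIUS client entry, which works the same way).

```powershell
# Added example (not from the original post): creating the RADIUS clients for the Horizon
# Connection Servers from PowerShell, with a CSPRNG-generated shared secret.
# Assumptions: the Connection Server names/addresses below are placeholders.

Import-Module NPS

$ConnectionServers = @(
    @{ Name = "HZN-CS01"; Address = "hzn-cs01.nlan.local" },
    @{ Name = "HZN-CS02"; Address = "hzn-cs02.nlan.local" }
)

# The shared secret is what authenticates RADIUS packets and hides the User-Password attribute,
# so its entropy is what stands between a network observer and offline password recovery.
# Rejection sampling keeps the character distribution uniform (no modulo bias).
function New-RadiusSharedSecret {
    param([int]$Length = 32)
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $limit    = 256 - (256 % $alphabet.Length)
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf      = New-Object byte[] 1
    $chars    = New-Object System.Collections.Generic.List[char]
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
    }
    -join $chars
}

$secret = New-RadiusSharedSecret

# Create or update one RADIUS client per Horizon Connection Server.
foreach ($cs in $ConnectionServers) {
    if (Get-NpsRadiusClient -Name $cs.Name -ErrorAction SilentlyContinue) {
        Set-NpsRadiusClient -Name $cs.Name -Address $cs.Address -SharedSecret $secret
    } else {
        New-NpsRadiusClient -Name $cs.Name -Address $cs.Address -SharedSecret $secret -VendorName "RADIUS Standard"
    }
}

# Verify, then hand the secret to whoever configures the Horizon side (Manage Authenticators).
Get-NpsRadiusClient | Select-Object Name, Address, VendorName | Format-Table -AutoSize
Write-Output "Shared secret for the Horizon RADIUS authenticator: $secret"

# Replicating to the second NPS Server: Export-NpsConfiguration -Path C:\nps-config.xml writes
# the shared secrets in clear text, so treat that file as a credential and delete it right after
# Import-NpsConfiguration on the other server. Re-running this script there is the safer option.
```

Note that the network policy itself (the duplicated Connections to other access servers policy) has no cmdlet in the NPS module; that part stays in the console or goes through an exported configuration, with the clear-text caveat above.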

How to configure VMware Horizon

On the Horizon View Management Server(s), configure the following settings:

  • Open Horizon Administrator.
  • Navigate to View Configuration, then to Servers.
  • On the Connection Servers tab, select a server instance to (re)configure.
  • Click Edit.
  • Click on the Authentication tab.
  • In the Advanced Authentication section, select RADIUS from the drop-down list for the 2-factor authentication value.
  • Enable the option Enforce 2-factor and Windows user name matching.
  • Enable the option Use the same user name and password for RADIUS and Windows authentication.
  • Click the Manage Authenticators… button
    The Manage Authenticators screen appears.
  • Click the Add or Edit button in the Manage Authenticators screen.
    The Edit RADIUS Authenticator modal screen appears.
  • On the Primary Authentication Server tab, specify the following settings:
    • Specify the hostname or IP-address for the NPS Server
    • For the Authentication type:, specify MSCHAP2. Note that with MSCHAPv2 the NPS Extension can only verify the user through a push notification or a phone call; prompting the user to type a one-time code requires PAP.
    • Paste the RADIUS shared secret as the Shared Secret: value.
    • For the Server timeout: value, specify 10 seconds. The user has to approve the push notification within this window, so raise it if approvals time out.
    • For the Max attempts: value, specify 1, so that a slow approval doesn’t trigger a second MFA prompt.

[Screenshot: Azure MFA Horizon Settings]

  • To specify a second NPS Server with the Azure MFA NPS Extension installed, repeat the steps on the Secondary Authentication Server tab.
  • Click OK.
  • Close Horizon Administrator.
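Once Horizon points at the NPS Server(s), the quickest way to confirm the whole chain works, and to keep an eye on it afterwards, is the NPS Server’s own Security log: NPS records every RADIUS decision there as event 6272 (access granted) or 6273 (access denied), provided the Network Policy Server audit subcategory is enabled. The script below is an added example, not part of the original post; it enables that auditing, parses the last hour of decisions, and groups the denials the way an analyst would when looking for a credential-stuffing run against Horizon. The one-hour lookback and the 20-user threshold are assumptions.

```powershell
# Added example (not from the original post): verify and monitor the Horizon -> NPS -> Azure MFA
# path from the NPS Server's Security log (events 6272 = granted, 6273 = denied).
# Assumptions: the one-hour window and the 20-user threshold are arbitrary starting points.

# 1. Enable auditing of NPS decisions; without it the Security log records nothing for RADIUS.
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable | Out-Null

# 2. Flatten one event into an object. The field names are the EventData names NPS uses.
function ConvertTo-RadiusDecision {
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time       = $Event.TimeCreated
        Decision   = if ($Event.Id -eq 6272) { 'Granted' } else { 'Denied' }
        User       = $data['FullyQualifiedSubjectUserName']
        Client     = $data['ClientName']          # RADIUS client friendly name, i.e. the Horizon Connection Server
        ClientIP   = $data['ClientIPAddress']
        AuthType   = $data['AuthenticationType']
        NetPolicy  = $data['NetworkPolicyName']
        ReasonCode = $data['ReasonCode']
        Reason     = $data['Reason']              # only populated on 6273
    }
}

# 3. Pull the last hour of decisions and summarise per Connection Server.
$since     = (Get-Date).AddHours(-1)
$decisions = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273; StartTime = $since } -ErrorAction SilentlyContinue |
             ForEach-Object { ConvertTo-RadiusDecision -Event $_ }

$decisions | Group-Object Decision, Client | Select-Object Count, Name | Format-Table -AutoSize

# 4. Detection angle. One user denied a few times is a missed push approval. Many distinct users
# denied from the same Connection Server in a short window is what a credential-stuffing run
# looks like now that every Horizon sign-in has to clear the MFA step: the password may match,
# but the second factor is never approved.
$denied = $decisions | Where-Object Decision -eq 'Denied'
$denied | Group-Object Reason | Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

$distinctUsers = ($denied | Select-Object -ExpandProperty User -Unique).Count
if ($distinctUsers -ge 20) {
    Write-Warning "$distinctUsers distinct users denied in the last hour; review for credential stuffing"
}
```

The extension’s own diagnostics live next to these in Event Viewer, under Applications and Services Logs, Microsoft, AzureMfa; the Security log events above are the ones worth forwarding to the SIEM, because they carry the user, the Connection Server and the reason for every decision.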

Concluding

The Azure MFA NPS Extension proves to be a splendid way to provide multi-factor authentication to VMware Horizon implementations. A stuffed credential set alone no longer grants access to the sensitive data handled in Horizon implementations; the malicious person would also need the person’s second factor.

Further reading

Download the NPS Extension for Azure MFA
Configure Firewalls for RADIUS Traffic
Integrate your existing NPS infrastructure with Azure Multi-Factor Authentication
Enable Two-Factor Authentication in Horizon Administrator

6 Responses to HOWTO: Secure VMware Horizon with Azure MFA through its NPS Extension

  1. The downside of using Azure MFA with NPS is that you cannot use Conditional Access and the CA policies. Do you have any specific guidance on this?

    • Technically, there are six methods to publishing on-premises web-based applications with multi-factor authentication:

      1. Using the publishing feature on Web Application Proxy servers
      2. Using Azure AD App Proxy
      3. Using the AAA/PAM feature on a routing appliance like an F5 BIG-IP or Citrix NetScaler
      4. Using the AAA/PAM feature of the web-application itself and an RPT to AD FS
      5. Using the AAA/PAM feature of the web-application itself and an RPT to Azure AD
      6. Using RADIUS authentication

      Some scenarios are better suited for certain functionality than others, some are more costly.
      Some scenarios are more politically acceptable, some play nicer within the current infrastructure.

      The choice was made. The consequence is Conditional Access and Identity Protection are not available to them.
      Instead of leveraging Conditional Access to determine per-condition MFA, every sign-in requires MFA to Horizon.

  2. You could use Azure MFA Server (I know it’s sort of end of life) and use it for RADIUS, then you can use Conditional Access for AAD/O365. Users registered for MFA via MFA Server are not enabled/enforced.

    • I would not recommend MFA Server.
      When you use Azure MFA Server, you end up with two registrations; one in MFA Server, one in Azure MFA.

      With the Azure MFA NPS Extension, the registration is good for Conditional Access, Azure AD Identity Protection, Azure AD Self-service Password Reset and, in this case, enforced for Horizon.
      Note: the enforcement for Horizon is through the NPS Extension, not the old PhoneFactor portal.

  3. Hey,

    TLS 1.0/1.1 support has been removed from the PoSH gallery, so some following the guide will hit errors when running the config script without PowerShell set to use TLS 1.2. TLS 1.2 can be set via [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    Thanks for the guide, really helpful.
