This week, one of my customers is switching to Azure multi-factor authentication as their only multi-factor authentication solution for their employees. As the organization leverages VMware Horizon, this implementation needs to be switched to Azure MFA as well.
Here’s how we secured their VMware Horizon implementation with Azure MFA through the Azure MFA NPS Extension:
Why use multi-factor authentication for Horizon?
Organizations face multiple challenges, including (but not limited to):
- tackling current consumer cloud adoption problems
- adhering to privacy regulations
- achieving productivity
User cloud adoption problems
Today’s cloud applications and services allow sign-ins with email addresses, as it’s currently the only truly global identifier for people. However, as cloud applications and services are breached, credential sets fall into the hands of malicious people. Through credential stuffing attacks, they try these leaked credentials against your organization’s public-facing applications and services, betting that people reuse the same password across services.
To adhere to privacy regulations, organizations deploy virtual desktop solutions that keep the organization’s sensitive data inside the datacenter while still letting people work with it productively. There are many virtual desktop solutions on the market today; VMware’s Horizon product is a popular choice for organizations.
1 + 1 = ?
However, when a malicious person gains access to the organization’s ‘secure’ productivity platform with stuffed credentials, the organization has a big problem: the virtual desktop now hands that person the very data it was deployed to protect.
Multiple MFA methods
With Microsoft cloud services on the rise, another problem arises: disparate multi-factor authentication methods for users. It’s counter-intuitive for people to use one multi-factor authentication method for one system or platform the organization uses, and another method for the next. The hassle of keeping more than one method up to date, for people who change phone numbers and/or phones yearly, grows with each multi-factor authentication method added.
In my opinion, administrators should get used to multiple multi-factor authentication methods and solutions to avoid getting locked out by a single multi-factor authentication solution acting up.
Before following the steps below, make sure you meet the following prerequisites:
- Implement one or more additional Windows Server-based virtual machines to act as the Network Policy Server (NPS) server(s) for Horizon. Make sure they run Windows Server 2016 or later. Place the server(s) on the same network as the Active Directory Domain Controllers. Use dedicated servers: the Azure MFA NPS Extension applies multi-factor authentication to every RADIUS request the NPS server handles, so an existing NPS server that serves other RADIUS clients (such as Wi-Fi or VPN) would suddenly require MFA for those too.
- Provide network connectivity between the new NPS server(s) and the Horizon implementation. Take care of any routes and firewall configurations. The Horizon Connection Server(s) need to reach the NPS server(s) on UDP 1812 (RADIUS authentication) and UDP 1813 (RADIUS accounting).
- Provide network connectivity between the new NPS server(s) and Azure Active Directory. The NPS server(s) need outbound TCP 80 and TCP 443 access to the Azure MFA service endpoints listed in Microsoft’s NPS extension documentation (see the links at the end of this post):
- You need the credentials for an account in Active Directory to join the NPS Server(s) to Active Directory.
- You need the credentials to sign in to the NPS Server with an account that has local administrator privileges.
- You need the credentials to sign in to the Horizon implementation with an account that has administrator privileges and access to Horizon Administrator.
- You need the credentials for an account in Azure Active Directory that has the Global Administrator role.
- Make sure all user accounts in Active Directory who will use Azure MFA with Horizon are synchronized to Azure Active Directory.
- Make sure all persons who will use Horizon with Azure MFA have completed their one-time registration for Azure Multi-Factor Authentication and are assigned the Azure AD Premium P1 stand-alone subscription license or a license bundle that includes Azure AD Premium P1. With the extension’s default setting (REQUIRE_USER_MATCH set to TRUE), users who have not registered are denied access rather than let through on their password alone.
- Download the latest version of the NPS Extension for Azure MFA and place it on the disk of the NPS Server(s), so it’s available for installation.
- Download the Visual C++ Redistributable Packages for Visual Studio 2013 (x64) and place it on the disk of the NPS server(s), so it’s available for installation.
How to get the Azure AD Tenant ID
The configuration of the Azure MFA NPS Extension needs the Azure AD tenant ID as input. To get this ID, follow these steps:
- Open a web browser.
- Navigate to the Azure AD Portal.
- Sign in with an Azure AD account that has privileges to access the Azure AD data.
As one of the prerequisites is an Azure AD account with Global Administrator privileges, you can use that account, but you may opt to use a lesser-privileged Azure AD account for this read-only step.
- Perform multi-factor authentication, when prompted.
- In the left navigation pane, click on Azure Active Directory.
- In Azure Active Directory’s navigation pane, click on Properties.
- Copy the value from the Tenant ID field.
- Close the web browser.
How to install the NPS Server
Follow these steps to install the NPS Server with the required components:
- Sign in to the NPS server with local administrator privileges.
- Start an elevated Windows PowerShell session and issue the following line of Windows PowerShell to join the Windows Server installation to Active Directory:
- After the Windows Server installation reboots, sign in with an Active Directory account that provides local administrator privileges to the NPS Server.
- Start an elevated Windows PowerShell session.
- Run the following line of Windows PowerShell to install the Network Policy and Access Services (NPAS) role:
- Run the following line of Windows PowerShell to install the AzureAD PowerShell module. Follow the on-screen instructions:
- Install-Module AzureAD
- Run the Visual C++ Redistributable Package for Visual Studio 2013 to install it. Follow the on-screen instructions.
- Run setup.exe from the NPS Extension for Azure MFA to install it. Follow the on-screen instructions.
- Run the following lines of Windows PowerShell to configure the Azure MFA NPS Extension:
- cd "C:\Program Files\Microsoft\AzureMfa\Config"
- .\AzureMfaNpsExtnConfigSetup.ps1
- When prompted, sign in with the Azure AD account with Global Administrator privileges.
- Paste the Azure AD tenant ID.
- Close the PowerShell window.
Repeat the above steps on the second NPS Server.
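The steps above as one script, added here as an example (this is not code from the original post, and the elided commands in the steps were not recovered from it). Labelled assumptions: the domain name, the folder the downloads were placed in, and the installer file names; the feature name, the configuration script, the registry key and the certificate subject are those Microsoft documents for the NPS extension.

```powershell
# Added example; not code from the original post. Builds the NPS server in the
# order the steps above describe. Assumptions: domain name, download folder and
# installer file names.
#Requires -RunAsAdministrator
$DomainName = 'corp.example.com'   # assumption
$InstallDir = 'C:\Install'         # assumption: NPS extension and VC++ package downloaded here

# Step 1: join Active Directory. Add-Computer prompts for the join credential and
# reboots. Re-run the script after the reboot, signed in with a domain account that
# is a local administrator; this block is then skipped.
if (-not (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
    Add-Computer -DomainName $DomainName -Credential (Get-Credential -Message 'Account allowed to join the domain') -Restart
    return
}

# Step 2: the Network Policy and Access Services role, with the management console.
Install-WindowsFeature -Name NPAS -IncludeManagementTools

# Step 3: the AzureAD module; the extension's setup script uses it to register the
# client certificate on the Azure MFA service principal in your tenant.
if (-not (Get-Module -ListAvailable -Name AzureAD)) {
    Install-Module -Name AzureAD -Scope AllUsers -Force
}

# Step 4: Visual C++ 2013 x64 redistributable (silent), then the extension installer
# (interactive, as the post describes). Both file names are assumptions.
Start-Process -FilePath (Join-Path $InstallDir 'vcredist_x64.exe') -ArgumentList '/install', '/quiet', '/norestart' -Wait
Start-Process -FilePath (Join-Path $InstallDir 'setup.exe') -Wait

# Step 5: the configuration script shipped with the extension. It prompts for a Global
# Administrator sign-in and for the tenant ID, creates a self-signed certificate in the
# machine store, registers it in Azure AD and writes the tenant ID to the registry.
Set-Location -Path 'C:\Program Files\Microsoft\AzureMfa\Config'
.\AzureMfaNpsExtnConfigSetup.ps1

# Check: the tenant ID is recorded, and the certificate (subject = tenant ID) is present.
$cfg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
"Tenant ID in registry: $($cfg.TENANT_ID)"
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object Subject -like "CN=$($cfg.TENANT_ID)*" |
    Select-Object Subject, NotAfter, Thumbprint
```

Note the NotAfter value of the certificate: the self-signed certificate the script creates expires after two years, and the extension stops authenticating when it does, so put the date in your calendar and re-run the configuration script before then, on every NPS server.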
How to configure the NPS Server
Follow these steps to configure the NPS Server settings:
- Open the Network Policy Server management console from either Server Manager’s Tools menu or the Administrative Tools folder in the Start menu.
- Right-click the NPS (Local) node in the top left corner of the navigation screen and click on the Register server in Active Directory menu item.
- Next, right-click the RADIUS Clients node in the navigation pane and click New.
The New RADIUS Client window appears.
- Make these changes:
- Select the Enable this RADIUS client option.
- Specify a meaningful value in the Friendly name: field.
- Define the IP address or fully qualified domain name of the Horizon Connection Server you want to configure with Azure MFA in the Address (IP or DNS): field.
- Specify a shared secret in the Shared secret: and the Confirm shared secret: fields. The secret authenticates the RADIUS messages between the Horizon Connection Server and the NPS server and hides the password attribute inside them; RADIUS offers no other protection of the traffic, so use a long random value rather than a word, and keep it out of tickets and e-mail.
- Click OK.
- Create RADIUS clients for each Horizon Connection Server you’d want to configure.
- Next, right-click on the Network Policies node in the navigation screen.
- Duplicate the default Connections to other access servers network policy.
- Assign the copy processing order 1, so it is evaluated before the default policies (the original is a deny policy).
- Make two changes in the duplicated network policy:
- Check the Policy enabled option in the Policy State area.
- Check the Grant access. Grant access if the connection request matches this policy option in the Access Permission area.
- Save the network policy by clicking OK.
- Close the Network Policy Server management console.
- Sign out.
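The RADIUS client part of the console steps above, done from PowerShell on the first NPS server; this is an added example, not code from the original post. Assumptions: the Connection Server names and addresses, the export file path, and the name of the firewall display group the NPAS role installs (check it with Get-NetFirewallRule before relying on it). The network policy has no NPS cmdlet; create it in the console as described above.

```powershell
# Added example; not code from the original post. Registers the server, creates a
# RADIUS client per Horizon Connection Server with one strong shared secret, scopes
# the RADIUS firewall rules and exports the configuration for the second server.
#Requires -RunAsAdministrator
$ConnectionServers = [ordered]@{   # assumption: friendly name -> address of each Connection Server
    'HZN-CS01' = '10.0.20.11'
    'HZN-CS02' = '10.0.20.12'
}
$ExportPath = 'C:\Install\nps-horizon.xml'   # assumption

# "Register server in Active Directory" (lets NPS read user account properties). Idempotent.
netsh nps add registeredserver | Out-Null

# One shared secret for all Connection Servers, since Horizon configures it once per
# authenticator. 32 random bytes, base64-encoded: 256 bits, not a word anyone can guess.
$bytes = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$SharedSecret = [Convert]::ToBase64String($bytes)

foreach ($cs in $ConnectionServers.GetEnumerator()) {
    $existing = Get-NpsRadiusClient | Where-Object Name -eq $cs.Key
    if ($existing) {
        Set-NpsRadiusClient -Name $cs.Key -Address $cs.Value -SharedSecret $SharedSecret
    } else {
        New-NpsRadiusClient -Name $cs.Key -Address $cs.Value -SharedSecret $SharedSecret
    }
}
Get-NpsRadiusClient | Format-Table Name, Address

# Only the Connection Servers may talk RADIUS to this server. The role install adds
# inbound RADIUS rules open to any remote address; scope them to the Connection Servers.
# Display group name is an assumption for this Windows Server build.
$csAddresses = @($ConnectionServers.Values)
Get-NetFirewallRule -DisplayGroup 'Network Policy Server' |
    Where-Object { $_.DisplayName -like '*RADIUS*' } |
    Set-NetFirewallRule -RemoteAddress $csAddresses

# Export for the second NPS server (Import-NpsConfiguration there). The XML holds the
# shared secrets in clear text: keep it on an encrypted volume and delete it afterwards.
Export-NpsConfiguration -Path $ExportPath
"Shared secret for the Horizon RADIUS authenticator (paste it into Horizon Administrator): $SharedSecret"
```

Importing the exported XML on the second server copies the RADIUS clients and the network policy, but not the extension’s configuration: that server still needs its own run of AzureMfaNpsExtnConfigSetup.ps1 and its own certificate, and its own registration in Active Directory.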
How to configure VMware Horizon
On the Horizon Connection Server(s), configure the following settings:
- Open Horizon Administrator.
- Navigate to View Configuration, then to Servers.
- On the Connection Servers tab, select a server instance to (re)configure.
- Click Edit.
- Click on the Authentication tab.
- In the Advanced Authentication section, select RADIUS from the drop-down list for the 2-factor authentication value.
- Enable the option Enforce 2-factor and Windows user name matching.
- Enable the option Use the same user name and password for RADIUS and Windows authentication. The NPS server validates the Active Directory password itself and the extension then triggers the Azure MFA prompt, so the user enters the Active Directory password once; without this option Horizon would ask for the same password a second time.
- Click the Manage Authenticators… button
The Manage Authenticators screen appears.
- Click the Add or Edit button in the Manage Authenticators screen.
The Edit RADIUS Authenticator modal screen appears.
- On the Primary Authentication Server tab, specify the following settings:
- Specify the hostname or IP-address for the NPS Server
- For the Authentication type:, select MSCHAP2. With MSCHAP2 (and CHAP) the Azure MFA NPS Extension can only use push notifications and phone calls as the second factor; verification codes from the Authenticator app or text messages require PAP. Also make sure the network policy on the NPS server allows MS-CHAP-v2 under Constraints, Authentication Methods.
- Paste the RADIUS shared secret as the Shared Secret: value.
- For the Server timeout: value, specify 10 seconds. This is the window in which the user must approve the push notification; Microsoft’s guidance for RADIUS clients of the NPS extension is a timeout of 60 seconds or more, so raise this value if users report time-outs.
- For the Max attempts: value, specify 1, so that a slow approval does not trigger a second push notification for the same sign-in.
- To specify a second NPS Server with the Azure MFA NPS Extension installed, repeat the steps on the Secondary Authentication Server tab.
- Click OK.
- Close Horizon Administrator.
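A check to run on the NPS server after a test sign-in through Horizon, added here as an example (not from the original post): it confirms that the password step and the Azure MFA step both ran, and that the extension is not configured to wave through unregistered users. Assumptions: the test user name; the Azure MFA log channels are found with a wildcard rather than named, so verify that the list is not empty on your build, and if no NPS events show, confirm auditing with auditpol /get /subcategory:"Network Policy Server".

```powershell
# Added example; not code from the original post. Verifies a test sign-in on the
# NPS server. Assumption: the user name below.
param([string]$UserName = 'jdoe')   # assumption

# 1. The extension denies users not registered for MFA only while REQUIRE_USER_MATCH
#    is TRUE (the default). FALSE lets unregistered users in on their password alone.
$mfa = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
if ($mfa.REQUIRE_USER_MATCH -ne 'TRUE') {
    Write-Warning "REQUIRE_USER_MATCH is '$($mfa.REQUIRE_USER_MATCH)': unregistered users would bypass MFA"
}

# 2. NPS logs every RADIUS decision in the Security log: 6272 = granted, 6273 = denied.
#    The Client Friendly Name shows which Connection Server sent the request.
$since = (Get-Date).AddHours(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "Account Name:\s+(.*\\)?$UserName\b" } |
    Select-Object TimeCreated, Id,
        @{ n = 'Result'; e = { if ($_.Id -eq 6272) { 'granted' } else { 'denied' } } },
        @{ n = 'Client'; e = { if ($_.Message -match 'Client Friendly Name:\s+(\S+)') { $Matches[1] } } } |
    Format-Table -AutoSize

# 3. The extension's own channels (Applications and Services Logs > Microsoft > AzureMfa)
#    show whether the MFA request went to Azure and how it was answered.
Get-WinEvent -ListLog 'Microsoft-AzureMfa-*' -ErrorAction SilentlyContinue |
    Where-Object RecordCount -gt 0 |
    ForEach-Object { Get-WinEvent -LogName $_.LogName -MaxEvents 20 } |
    Where-Object TimeCreated -ge $since |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

A granted 6272 event with no corresponding entry in the AzureMfa channels means NPS answered the request without the extension, which is exactly the failure mode to look for: the password alone got the user in.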
The Azure MFA NPS Extension proves to be a splendid way to provide multi-factor authentication to VMware Horizon implementations. A leaked username and password by itself no longer opens the door to the sensitive data handled in Horizon: a credential stuffing attempt now stops at the second factor, and it shows up on the NPS server as a denied request you can alert on.
Download the NPS Extension for Azure MFA
Configure Firewalls for RADIUS Traffic
Integrate your existing NPS infrastructure with Azure Multi-Factor Authentication
Enable Two-Factor Authentication in Horizon Administrator