Hello,

Recently we were asked to look into utilising Azure MFA to be the on-premises 2FA provider for a customer's vWorkspace environment. Azure MFA is a very cool solution for 2FA that can integrate with IIS authentication to secure Microsoft IIS web applications, RADIUS authentication, LDAP authentication, and Windows authentication and there is a wealth of material out there to reference, including this blog post from Freek Berson & Kristin L. Griffin.

Initially we looked at using RADIUS authentication, with the vWorkspace Broker and Web Access server sending RADIUS requests to the MFA server. However, there was an incompatibility that we couldn't surmount, so we looked at using the IIS Authentication built into MFA instead.

What follows is a guide to setting this up; note that there is no extra work to do in the vWorkspace console!

Firstly, follow and digest the step-by-step instructions here on setting up the on-premises MFA server.

*You may have to install the MFA server instance on your Web Access server; you'll see why further down.

*You will also have to install the Web Service SDK, and then the Mobile App Service if you want to use the Mobile App; more details here.

Once you have your MFA server built and your users imported:

1. Within the MFA console, set your user(s) to use the preferred verification method (SMS, Call or Mobile App). Make sure the phone number is added and the user is enabled. In this case, I'm going to use the Mobile App.

2. Enable IIS Authentication from the main page of the MFA console.

3. Now, as your Web Access site should be hosted on Windows Server 2008 R2 or above, you will need to enable the Native Module on the Web Access site:

*This is why you need to install the MFA server on the same server as your vWorkspace Web Access server, as there doesn't appear to be a way to select a different server. I'm happy to be corrected on this!

4. Now, depending on the login settings that you have set up for the vWorkspace console, you will set up either Form-Based or HTTP IIS authentication in MFA.

a) If you do not have credential pass-through (Kerberos) enabled on the Web Access site, then you will need to select Form-Based:

i) Click Add

ii) Check the box for "Require MFA user match" (as long as all your users are imported and are required to two-factor authenticate on this Web Access site).

iii) Enter the Web Access site like so:

http://localhost/WA

where WA is your Web Access site name.

This should automatically configure everything for you by pulling through the username and password variables and the request format.

iv) Once added, click Edit to open the settings and change the application name to "vWorkspace", "VDI" or something that the end user will relate to and understand.

b) If you have credential pass-through (SSO) enabled, then you will need to select the HTTP tab:

i) Click Add

ii) Check the box for "Require MFA user match" (as long as all your users are imported and are required to two-factor authenticate on this Web Access site).

iii) Enter the Web Access site like so:

http://localhost/WA

iv) Change the application name to "vWorkspace" (or similar) and make any other changes that you wish (timeouts, session, cookie).

5. Make any changes to the Mobile App text or the SMS text under Company Settings, e.g.:

6. Now attempt to log in to your vWorkspace Web Access site using your AD username and password.

At this stage you will be authenticated against Active Directory, and the MFA server will generate your 2FA verification (call, SMS or Mobile App).

7. On my cherished Nokia Lumia 920, I will get an almost immediate toast notification from the MFA Windows Phone App:

8. Hit Verify and your list of apps will appear, ready for access.
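
A pre-flight check for steps 3 and 4, added here as an example and not part of the original post: it confirms the IIS version, that the MFA server is installed on this host, that the Web Access application exists, that the Native Module is enabled on it, and that http://localhost/WA answers locally. The site name, the MFA service display-name pattern and the module-name pattern are assumptions; read the real module name from IIS Manager > Modules and adjust.

```powershell
# Added pre-flight check (not from the original post) for the MFA IIS Native Module
# setup on the vWorkspace Web Access site. Run in an elevated PowerShell on that server.
# ASSUMPTIONS: $SiteName, the '*Multi-Factor*' service pattern and the '*MultiFactor*'
# module pattern are placeholders to adjust; 'WA' is the app name from http://localhost/WA.
Import-Module WebAdministration

$SiteName       = 'Default Web Site'   # assumption: IIS site hosting vWorkspace Web Access
$WebAccessApp   = 'WA'                 # the "WA" in http://localhost/WA
$ServicePattern = '*Multi-Factor*'     # assumption: MFA server service display name
$ModulePattern  = '*MultiFactor*'      # assumption: MFA native module name as shown in IIS

# 1. The Native Module needs IIS 7.5 (Windows Server 2008 R2) or later.
$iis   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\InetStp'
$iisOk = ($iis.MajorVersion -gt 7) -or ($iis.MajorVersion -eq 7 -and $iis.MinorVersion -ge 5)
$iisState = if ($iisOk) { 'OK' } else { 'TOO OLD' }
"IIS version       : {0}.{1} ({2})" -f $iis.MajorVersion, $iis.MinorVersion, $iisState

# 2. The MFA server must be on this same box (see the note under step 3).
$mfaSvc = Get-Service | Where-Object { $_.DisplayName -like $ServicePattern }
if ($mfaSvc) { "MFA server service: {0} ({1})" -f $mfaSvc.DisplayName, $mfaSvc.Status }
else         { "MFA server service: NOT FOUND on this host" }

# 3. The Web Access application must exist under the site.
$app = Get-WebApplication -Site $SiteName -Name $WebAccessApp
"Web Access app    : /$WebAccessApp " + $(if ($app) { 'present' } else { 'MISSING' })

# 4. Effective module list for the Web Access app: is the MFA module enabled there?
$modules   = Get-WebConfiguration -Filter 'system.webServer/modules/add' `
                                  -PSPath "IIS:\Sites\$SiteName\$WebAccessApp"
$mfaModule = $modules | Where-Object { $_.name -like $ModulePattern }
"MFA native module : " + $(if ($mfaModule) { "enabled ($($mfaModule.name))" } else { 'NOT enabled on this app' })

# 5. Form-Based auth is keyed off http://localhost/WA, so the site must answer locally.
try {
    $resp = Invoke-WebRequest -Uri "http://localhost/$WebAccessApp/" -UseBasicParsing
    "Local URL check   : HTTP {0}" -f $resp.StatusCode
} catch {
    # A 401 here is expected when Windows auth (the HTTP/SSO case) is enabled on the app.
    "Local URL check   : FAILED - $($_.Exception.Message)"
}
```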


One thing I must mention is that using this method removes the ability to use the "Two-Factor Authentication" Advanced Target that is built into vWorkspace; you will also not be able to set "require all users to be two-factor authenticated" in the broker settings.

However, should your specific need be to two-factor authenticate external users only and not internal users, then you can create an advanced target like so:

So only internal users (on the internal subnet) and users who come in through your Web Access site (which is authenticated by MFA) will get access to the applications that you assign to that advanced target.

That's it! Any questions, feel free to drop them in the comments below!

Thanks go to Freek Berson for his help validating this solution!

Cheers, Sam