mirror of
https://github.com/jakobadam/RDSFactor.git
synced 2025-08-03 15:01:49 +02:00
Update README.md
Proof-reading; minor adjustments.
This commit is contained in:
parent eced66f18a
commit 4e9e84fda0
1 changed file with 29 additions and 9 deletions: README.md
@ -4,11 +4,23 @@ Two-factor authentication for Remote Desktop Services (RDS).
RDS Factor consist of two components:
* A server component that talks RADIUS with RD Web and the RD Gateway.
* An updated version of the RD Web pages that interacts with the RADIUS server and an opt-in multi-factor form.
* An updated version of the RD Web pages that interacts with the
RADIUS server and an opt-in multi-factor form.
RDS Factor works by sending an SMS to users -- after they authenticate with username / password -- which when entered allow them entrance to RD Web. When users click on an applicaiton in RD Web a window is opened in the gateway for that user. In that way, users that are not authenticated via RD Web can't get access through RD Gateway. Compare this to the standard RDS setup, where there is no way to share state between RD Web and RD Gateway, meaning that the gateway is always open for user / password only authentication.
RDS Factor works by sending an SMS to the user after they've
authenticated with their user name and password. The SMS contains a
key which when entered, allow them entrance to RD Web. Clicking on an
application in RD Web opens a window in the gateway for that user. In
that way, users that are not authenticated via RD Web cannot access
the RD Gateway. Compare this to the standard RDS setup, where there is
no way to share state between RD Web and RD Gateway, meaning that the
gateway is always allows logging in the credentials.
It is also possible to disable two factor authentication in RDS Factor. In this case, RDS Factor still maintains state between RD Web and RD Gateway, ensuring that users *must* have logged into RD Web before connections are allowed through the gateway. That means custom multi-factor authenticators can be put in front of RD Web and also protect the gateway.
You can also disable two-factor authentication in RDS Factor. In this
case, RDS Factor maintains state between RD Web and RD Gateway,
ensuring that users *must* have logged into RD Web before connections
are allowed through the gateway. This allows custom multi-factor
authenticators in front of RD Web to also protect the gateway.
Tested on Windows 2012 R2.
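Review bot: the reworded last sentence of the first paragraph is ungrammatical: "meaning that the gateway is always allows logging in the credentials" should read something like "meaning that the gateway always allows logging in with the credentials alone". Two lines earlier, "a key which when entered, allow them entrance to RD Web" needs "allows", and the comma belongs before "which" rather than after "entered".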
@ -18,7 +30,11 @@ An RDS setup. There are many options for orchestrating the RDS setup; the minima
* Active Directory; and
* RDS with Gateway component enabled
Use 'Active Directory Users and Computers' to add a mobile number to relevant LDAP users in the Active Directory. The tools is not installed pr. default. It's located under `Add Roles -> Features -> Remote Server Administration Tools -> AD DS Tools -> AD DS Snap-Ins And Command-Line Tools`
Use 'Active Directory Users and Computers' to add a mobile number to
relevant LDAP users in the Active Directory. The tool is not installed
per default; you can find it in `Add Roles -> Features -> Remote
Server Administration Tools -> AD DS Tools -> AD DS Snap-Ins And
Command-Line Tools`
## Installation
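Review bot: "per default" in the Active Directory paragraph is not idiomatic English; the intended phrase is "by default" (the original "pr. default" is a Danish abbreviation carried over). The sentence should also end with a full stop after the backticked menu path.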
@ -36,8 +52,8 @@ C:\RDSFactor> install-web.bat
```
After install go and configure the application in IIS. `RDWeb -> Pages -> Application Settings`. You should configure the following settings:
* `RadiusSecret` Shared secret — of your own chosing — used for encrypting RADIUS traffic
* `RadiusServer` IP of the radius server
* `RadiusSecret` Shared secret -- of your own chosing -- used for encrypting RADIUS traffic
### RADIUS server installation
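Review bot: the `RadiusSecret` bullet keeps the typo "chosing" (should be "choosing"), and this hunk swaps the em dashes for `--` while the next hunk does the reverse in the `{client}={shared secret}` bullet, so the README ends up with both conventions; pick one. Separately, "used for encrypting RADIUS traffic" overstates what a RADIUS shared secret does: it authenticates packets between client and server and obfuscates only the User-Password attribute, the rest of the exchange is cleartext, so "used to authenticate RADIUS messages between RD Web and the server" would be the accurate wording.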
@ -52,7 +68,8 @@ After install go and configure the server. Open the file `RDSFactor/server/bin/r
* `ADField` LDAP attribute to use for looking up the user's phonenumber
* `EnableOTP` Boolean (0|1) that indicates whether to use the 2. factor for auth
* `Debug` Enable debug output to `RDSFactor/server/bin/release/log.txt`
* `{client}={shared secret}` IP of RD Web and shared secret -- same as `RadiusSecret`-- for encryption
* `{client}={shared secret}` IP of RD Web and shared secret — same as
`RadiusSecret` — for encryption
* `Provider` URL of SMS provider. RDS Factor inserts the number and a message in the two variable, `***NUMBER***` and `***TEXTMESSAGE***`, in the provider URL. An example URL using the SMS gateway cpsms: https://www.cpsms.dk/sms/?username=myuser&password=mypassword&recipient=***NUMBER***&message=***TEXTMESSAGE***&from=CPSMS
To reload the configuration restart the RADIUS server service by running
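Review bot: the dash change in the `{client}={shared secret}` bullet goes the opposite way from the `RadiusSecret` bullet in the previous hunk (`--` there, `—` here). Since this is a proof-reading commit, the surviving typos in the unchanged neighbours should go too: "phonenumber" (phone number) in the `ADField` line and "2. factor" (second factor) in the `EnableOTP` line. The example `Provider` URL embeds `username=myuser&password=mypassword`, so a sentence noting that the SMS provider credentials live in this configuration file, which should therefore be readable only by the service account, would help operators.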
@ -74,9 +91,12 @@ C:\RDSFactor\server\bin\Release> log.txt
## Acknowledgements
* Claus Isager - for the first Open Source two factor RDS authenticator; which this project is based upon.
* Nikolay Semov - for the core RADIUS server
* Claus Isager — for the first open source two-factor RDS
authenticator, the basis for this project.
* Nikolay Semov — for the core RADIUS server
## License
RDS Factor is an open source project, sponsored by [Origo Systems A/S](https://origo.io), under the GNU general public license version 3.
RDS Factor is an open source project, sponsored by
[Origo Systems A/S](https://origo.io), and released under terms of the
GNU General Public License, version 3.
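Review bot: "released under terms of the GNU General Public License, version 3" in the License paragraph is missing the article; it should read "released under the terms of the GNU General Public License, version 3".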