RD Gateway: Most secure approach to authenticate users against remote domain

Tags: active-directory, remote desktop, remote-desktop-services, windows-server-2008-r2

I need to perform authentication on a Remote Desktop Gateway against a remote domain.

We have an internal corporate network with the domain corpdomain. Additionally, there is a network at a remote datacenter site with the domain dcdomain. Machines on dcdomain are accessed via Remote Desktop through a Remote Desktop Gateway, rdgateway (using local accounts on each machine).

What I want to achieve is that users in corpdomain can authenticate against the RD gateway using their corpdomain account.

So rdgateway must be able to authenticate users in the remote domain corpdomain. This has to be achieved with minimal security impact for corpdomain.

As RD Gateway does not support RADIUS authentication, the two possibilities that came to my mind are:

  • Establishing a one-way trust from dcdomain to corpdomain and letting authentication run over the WAN (protected via VPN or SSL if possible).
  • Placing an RODC of corpdomain in the dcdomain network, using a one-way trust between the domains, so that rdgateway can authenticate against this RODC locally.

There will not be a high number of authentications, so the credential caching functionality of the RODC would not be important. From a security perspective, which approach would be preferable?

Are there any alternatives?

Best Answer

I think you're on the right track with everything you've said. There really isn't any easier way to get the kind of authentication scenario you're looking for.

Assuming that the physical security in the datacenter is reasonable I think both choices you've outlined have roughly the same exposure. The read-only domain controller (RoDC) being at the datacenter means less latency during logon. You can query the msDS-RevealedList value if the RoDC is compromised to determine your password exposure.

Ideally, if you're able to disable the NTLM protocols and live off Kerberos entirely your exposure in the event of an attacker sniffing traffic in the datacenter will be minimized, too.

If the physical security of the datacenter were in question I'd disable cached credentials on all the machines in the datacenter and authenticate users across a VPN connection. There's no sense putting an RoDC there if somebody could walk off with it. I'd be looking for a different datacenter, though, if that were the case.
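The answer raises three concrete checks: what password material an RODC has actually revealed (msDS-RevealedList), whether cached domain credentials are disabled on the datacenter machines, and whether NTLM is restricted in favour of Kerberos. The following PowerShell script is an added example, not code from the question or the answer. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later) is installed on the box it runs on, that it runs with rights to read the RODC computer object and the local registry, and that `RODC01` is a placeholder for the corpdomain RODC placed in the datacenter.

```powershell
# Added example (not part of the original question or answer).
# Assumes: ActiveDirectory module present; "RODC01" is a placeholder RODC name.
Import-Module ActiveDirectory

# 1. Password exposure: which corpdomain secrets does a given RODC hold?
#    The cmdlet reads msDS-RevealedList from the RODC's computer object.
function Get-RodcRevealedAccounts {
    param([Parameter(Mandatory = $true)][string]$RodcName)
    Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts |
        Select-Object SamAccountName, ObjectClass, DistinguishedName
}

# Enumerate every RODC in the domain and report its revealed accounts,
# which is exactly the list you would have to treat as compromised if the box walked.
function Get-AllRodcExposure {
    Get-ADDomainController -Filter { IsReadOnly -eq $true } | ForEach-Object {
        [pscustomobject]@{
            Rodc     = $_.HostName
            Revealed = @(Get-RodcRevealedAccounts -RodcName $_.Name)
        }
    }
}

# 2. Cached credentials: "Interactive logon: Number of previous logons to cache"
#    is stored as the REG_SZ value CachedLogonsCount (OS default "10"); "0" disables it.
function Test-CachedLogonsDisabled {
    param([switch]$Fix)
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $current = (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $current) { $current = '10' }   # value absent means the default applies
    if ($Fix -and $current -ne '0') {
        Set-ItemProperty -Path $key -Name CachedLogonsCount -Value '0'
        $current = '0'
    }
    [pscustomobject]@{ Setting = 'CachedLogonsCount'; Value = $current; Compliant = ($current -eq '0') }
}

# 3. NTLM restriction: the "Network security: Restrict NTLM" policies map to DWORDs
#    under Lsa\MSV1_0 (2 = deny all, for both outgoing and incoming NTLM);
#    LmCompatibilityLevel 5 refuses LM and NTLMv1 wherever NTLM is still allowed.
function Test-NtlmRestricted {
    param([switch]$Fix)
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv = "$lsa\MSV1_0"
    $want = @(
        @{ Path = $msv; Name = 'RestrictSendingNTLMTraffic';   Value = 2 },
        @{ Path = $msv; Name = 'RestrictReceivingNTLMTraffic'; Value = 2 },
        @{ Path = $lsa; Name = 'LmCompatibilityLevel';         Value = 5 }
    )
    foreach ($w in $want) {
        $val = (Get-ItemProperty -Path $w.Path -Name $w.Name -ErrorAction SilentlyContinue).($w.Name)
        if ($Fix -and $val -ne $w.Value) {
            New-ItemProperty -Path $w.Path -Name $w.Name -Value $w.Value -PropertyType DWord -Force | Out-Null
            $val = $w.Value
        }
        [pscustomobject]@{ Setting = $w.Name; Value = $val; Compliant = ($val -eq $w.Value) }
    }
}

# Audit run: reports only. Add -Fix on a lab machine to apply the hardened values;
# in production these settings should be pushed through Group Policy, not written by hand.
Get-AllRodcExposure | Format-List
Test-CachedLogonsDisabled | Format-Table -AutoSize
Test-NtlmRestricted      | Format-Table -AutoSize
```

Two caveats when using this. First, with the default Password Replication Policy the Allowed RODC Password Replication Group is empty, so an RODC caches no user secrets unless someone adds accounts to it; the revealed list is therefore the authoritative answer to "what did we lose", not the group membership. Second, denying all incoming NTLM on the gateway rejects any client that cannot obtain a Kerberos ticket for it, so run with auditing first (AuditReceivingNTLMTraffic = 2 under the same MSV1_0 key logs NTLM use without blocking it) and review the resulting events before switching to deny.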