Remote Desktop Gateway Service - MFA

3.0 - Updated on 2023-09-11 by Erin Siksay

2.0 - Updated on 2023-09-11 by Sarah O'Reilly

1.0 - Authored on 2023-08-15 by Sarah O'Reilly

Remote Desktop Gateway Service - New MFA Requirements

If needed, follow the Remote Desktop Gateway service tutorials to set up your Remote Desktop Session:

Remote Desktop Gateway Service - MFA Requirements

To better secure the Queen's network, the Remote Desktop Gateway (RDG) service now requires Multi-Factor Authentication (MFA). Service users must have MFA configured on their Queen's NetID account to successfully connect to the RDG service. There are two options for MFA:

  1. Microsoft Authenticator - push notification (recommended)
  2. Phone call

One of these methods must be set as your primary MFA method. You can check your primary MFA option by visiting https://mysignins.microsoft.com/security-info and looking at the Default sign-in method.

Logging on to Remote Desktop Gateway

If your Remote Desktop session and MFA are configured properly, logging in to Remote Desktop Gateway proceeds as follows:

  1. You will be prompted for your NetID/Password.
  2. On a Windows machine, the remote connection dialogue box will sit at "initiating remote connection..."; on a Mac, it will sit at "Configuring Gateway...". You will not see any prompt or message to perform MFA.
  3. Check the Authenticator app for a prompt or listen for a phone call from the MFA service.
  4. When you get the MFA prompt on your phone, complete the steps required.
  5. The Remote Desktop Gateway connection will initiate.
  6. The Remote Desktop connection to the remote computer will complete.

Troubleshooting Log On Issues

If you fail to perform MFA within 60 seconds of the prompt:

  1. The remote connection status box will quietly fail/close the connection with no error message.

If you are not using the correct MFA method:

  1. You will be prompted for your NetID/password.
  2. Log-on will fail immediately with “Remote Desktop can’t connect to the remote computer for one of these reasons... contact your network administrator for assistance.”

If you are using an account that does not have MFA configured (generic/service account/new faculty/staff/student):

  1. The connection will work. You will not be required to complete an MFA prompt until you have MFA configured.

If you are using a special AD Admin account to connect to both the Gateway and Server:

  1. On a Windows machine, the remote connection dialogue box will sit at "initiating remote connection..." and on a Mac at "Configuring Gateway..." for 60 seconds, then quietly fail/close the connection screen.

Note: Some special administrator or service accounts will not work with the MFA/RDG service. A Queen's staff/student/faculty NetID account should be used to log in to the Gateway. A different account can be used to log in to your remote computer after successfully authenticating against the gateway service.

Reconnecting after network break/timeout:

  1. When your session times out or there is a network interruption, you will be prompted to log in to the gateway again to re-establish the connection. This will require performing MFA again.

Alternatives to Remote Desktop Gateway

If you need your primary MFA method to be a one-time passcode/hardware token/SMS token, you must use one of these alternative methods to remote into the Queen's network environment: