I've installed a server with the Remote Desktop Gateway role and configured it according to the guidance in http://www.rdsgurus.com/uncategorized/step-by-step-using-windows-server-2012-r2-rd-gateway-with-azure-multifactor-authentication/. This works fine when I accept or reject the phone call within 30 seconds. If the MFA server doesn't respond within those 30 seconds, the Remote Desktop Gateway service hangs and needs a restart to start working again (it also doesn't shut down gracefully; it needs to time out).
I've set the Remote RADIUS Server timeouts to different values between 20 and 90 seconds, but this timeout seems to be hardcoded somewhere, as suggested in https://social.technet.microsoft.com/Forums/en-US/cbcb46e3-9dc4-4079-a254-d5d8a0f78b95/remote-desktop-gateway-authentication-timeout-change?forum=winserverTS (the original post is old, but the newest post is in regards to Azure MFA).
I've tried installing again from scratch with Windows Server 2012 R2 and with plain Windows Server 2012. I've also tried different setups:
- Local NPS proxying to MFA server
- Central NPS proxying to MFA server
- Local NPS proxying to MFA which proxies to Central NPS
They all work, but all have the same 30-second limit, and my Remote Desktop Gateway service hangs.
Looking around on the internet, it looks like there are people who have this working, so I'm not sure what the difference is between their setup and mine, or whether they've never tested this scenario. I think the 30-second timeout should be enough for voice-call authentication without a PIN, if I can just stop my RDG service from dying.