Azure pre-authentication to a Devolutions Server data source in Remote Desktop Manager

Azure pre-authentication requires a unique configuration. To use this feature with Remote Desktop Manager, admins must activate the authentication on the desired Devolutions Server, configure several settings in Microsoft Entra admin center, and set up an Azure app proxy.

Installing and configuring a private connector

  1. In the Microsoft Entra admin center browser interface, navigate to Global Secure Access > Connect > Connectors, then activate Global Secure Access in your tenant.
    Global Secure Access activation
  2. Go to Private Network connectors > Traffic forwarding and toggle the Private access profile option.
    Private access profile
  3. Then head to Private Network connectors once more, and click on Download connector service.
    Download connector service
  4. Once the connector service is downloaded, run the installation program, log in at the Azure prompt, and wait for the installation to finish (the service may be shown as unavailable during this time).

When running on a Windows Server, make sure to turn off IE Enhanced Configuration or make Microsoft Edge the default browser (without enhanced configuration). Otherwise the Azure login prompt will most likely fail because not all of the required URLs are allowed.

Additionally, the Windows connector service must have TLS 1.2 enabled before installation. Adding the registry values listed under Ensuring TLS 1.2 is enabled (below) to a Notepad file with the .reg extension and double-clicking it will import them into the registry. The server must then be restarted before running the connector installation.

Configuring an Azure app proxy

Here are the prerequisites to the next few steps for configuring Azure pre-authentication to Devolutions Server data source in Remote Desktop Manager:

  • Devolutions Server is v.2024.2.4.x or above.
  • Remote Desktop Manager is v.2024.2.4.x or above.
  • A P1 license for the Private Network functionality.
  • The URL of Devolutions Server must not be the root, i.e. https://myserver.com/dvls and not https://myserver.com

Any changes made may take 3-5 minutes to take effect. Be aware of that when testing changes.

  1. In the Azure portal, navigate to Microsoft Entra ID > App registrations, and click on New registration.
    Create a new registration
  2. Enter the app registration name and leave all other values at their defaults.
    New app registration name
  3. Next, head to Microsoft Entra ID > Enterprise applications. Click on the newly created app registration, go to Application Proxy, and fill in the following required fields:
  • Internal URL: The root of the IIS server hosting DVLS (generally http://localhost/dvls or similar).
  • External URL: Defaults to the app registration name.
  • Pre Authentication: Set to Microsoft Entra ID.
  • Connector Group: The connector group to target.
    App proxy information – Basic
  4. Next, navigate to the Advanced tab. Ensure that all options are unchecked or set to default, except Validate Backend SSL certificate, which can be left on if needed.
    App proxy information – Advanced
  5. Go back to Microsoft Entra ID > App registrations, and click on the application to configure. If the app is not listed, it may be necessary to click on All applications, as the view is set to Owned applications by default.
  6. In the Authentication screen, click on the Add a platform button. Three platforms need to be created: Web, Single-page application, and Mobile and desktop applications. Start by creating a Web platform.
    Creating platforms
  7. Enter the Redirect URI, which should be the same as the root External URL. While on this page, check the options for Access Tokens and ID tokens in the Implicit grant and hybrid flows section. Click Configure to continue.
    Configuring Web platform
  8. With the first platform added, click the Add a platform button once more and choose Single-page application. Enter the Redirect URI, which should be the External URL with /dvls/api/external-provider-response appended to the end (replace /dvls/ with the path used by the desired Devolutions Server instance). Finally, click Configure to continue.
    Configuring single-page application platform
  9. With the second platform added, click the Add a platform button once more and choose Mobile and desktop applications. Enter http://localhost exactly in the Custom redirect URIs field. Leave all other values unchecked (if there are any) and click the Configure button.
    Configuring Desktop + devices platform
  10. With the three platforms created, scroll to the bottom of the Authentication page, toggle Allow public client flows, and click Save.
    Allowing public client flows
  11. Now go to API permissions and click the Add a permission button.
    Add API permission
  12. Choose Delegated permissions, and toggle the User.Read permission under User. Click Add permissions.
    Add User.Read permission
  13. Click on the Grant admin consent for tenant button and confirm by clicking Yes.
    Grant admin consent for tenant
  14. Next, navigate to Expose an API and click on Add next to Application ID URI. Enter the same URI as the External URL of your Application Proxy, and add the base URI.
    Add application ID URI – step 1
    Add application ID URI – step 2
  15. Click on Add a scope and enter the following:
  • Scope name: user_impersonation
  • Who can consent: Admins and users
  • Admin consent display name: Access DVLS
  • Admin consent description: Allow the application to access DVLS on behalf of the signed-in user.
  • User consent display name: Access DVLS
  • User consent description: Allow the application to access DVLS on behalf of the signed-in user.
    Add a scope – step 1
    Add a scope – step 2
  16. Next, go to App roles and click the Create app role button. Two roles need to be created: User and msiam_access.
    Create app role
  17. On the Create app role screen, fill in the fields below, and check the box under Do you want to enable this app role?.
  • Display name: User
  • Allowed member types: Users/Groups
  • Value: User
  • Description: User
    Fill user information
  18. With the first role created, once again click on Create app role, fill in the fields below, and check the box under Do you want to enable this app role? as before.
  • Display name: msiam_access
  • Allowed member types: Users/Groups
  • Value: msiam_access
  • Description: msiam_access
    Fill msiam information
  19. Go to Manifest and change the value of "accessTokenAcceptedVersion" to 2. Click the Save button.
    Set accessTokenAcceptedVersion to 2
  20. Go back to Microsoft Entra ID > Enterprise applications. Click on the newly created app registration and navigate to Users and groups. Click on Add user/group.
    Add user/group
  21. Select the user or group; the role should auto-populate to User. Click the Assign button to finish assigning the permissions.
    Assign desired permissions

Configuring Remote Desktop Manager

With Azure configured, and after waiting at least 5 minutes from the last configuration change, open Remote Desktop Manager.

  1. Go to File > Data sources.
    Remote Desktop Manager data sources
  2. Locate the Devolutions Server data source to modify and click the Edit button. Enter the following:
  • Host: The same value as the External URI with the DVLS server suffix.
  • Username: The same as the DVLS username, not necessarily the same as the Azure user (unless using "Use pre-authentication user for DVLS connection").
  Then check Use pre-authentication proxy and, optionally, Use pre-authentication proxy for DVLS connection (if Microsoft Authentication is already checked).
  3. The configuration is then complete, and the Microsoft Azure login should open in an embedded window or system browser (it may occur twice: once in an embedded window and once more in a system browser prior to DVLS authentication). Once this is done, a prompt for DVLS authentication should appear.

Additional notes

HTTP/2 may need to be disabled in the WinHTTP component on Windows Server 2019 or later for Kerberos Constrained Delegation to work properly. Run the following PowerShell command and restart the server for the change to take effect:

Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\' -Name EnableDefaultHTTP2 -Value 0

Ensuring TLS 1.2 is enabled

Additionally, the Windows connector service must have TLS 1.2 enabled before installation. Adding the below to a notepad file with the .reg extension and double-clicking will import the necessary values into the registry. A restart of the server is then necessary before running the connector installation.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
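As an added pre-flight check (not part of the Devolutions documentation), the following PowerShell reads the registry values that the .reg file above sets, plus the WinHTTP HTTP/2 value from the Additional notes, and reports which ones are missing or wrong before the server is rebooted and the connector installed. It assumes an elevated session on the connector host and uses only the registry paths and values given on this page.

```powershell
# Added example (not from the Devolutions documentation): reports whether the
# TLS 1.2 / .NET strong-crypto values from the .reg file and the WinHTTP HTTP/2
# setting are already present, so the operator knows what the import will change.
# Run in an elevated PowerShell session on the connector host.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'

$expected = @(
    @{ Path = "$schannel\Client"; Name = 'Enabled';           Value = 1; Required = $true }
    @{ Path = "$schannel\Client"; Name = 'DisabledByDefault'; Value = 0; Required = $true }
    @{ Path = "$schannel\Server"; Name = 'Enabled';           Value = 1; Required = $true }
    @{ Path = "$schannel\Server"; Name = 'DisabledByDefault'; Value = 0; Required = $true }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
       Name = 'SchUseStrongCrypto'; Value = 1; Required = $true }
    # Disabling HTTP/2 in WinHTTP is only needed for Kerberos Constrained Delegation,
    # so it is reported but not treated as blocking.
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
       Name = 'EnableDefaultHTTP2'; Value = 0; Required = $false }
)

function Test-RegistryValue {
    param([string]$Path, [string]$Name, [int]$Value, [bool]$Required)
    # Get-ItemProperty throws when the key or the value is absent; report that as
    # "missing" rather than letting it surface as a PowerShell error.
    try {
        $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $actual = $null
    }
    $ok = ($null -ne $actual) -and ($actual -eq $Value)
    if ($null -eq $actual) { $actual = '<missing>' }
    [pscustomobject]@{
        Name     = $Name
        Expected = $Value
        Actual   = $actual
        Ok       = $ok
        Required = $Required
        Path     = $Path
    }
}

$results = foreach ($e in $expected) { Test-RegistryValue @e }
$results | Format-Table Name, Expected, Actual, Ok, Required -AutoSize

$blocking = @($results | Where-Object { $_.Required -and -not $_.Ok })
if ($blocking.Count -gt 0) {
    Write-Warning "TLS 1.2 values missing or wrong: $($blocking.Name -join ', '). Import the .reg file and reboot before installing the connector."
} else {
    Write-Host 'All TLS 1.2 registry values are in place.'
}
```

Re-run the script after the reboot to confirm the import took effect before launching the connector installer.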

A secret is configured automatically upon Application Proxy App creation. Deleting it will break pre-authentication and may necessitate recreation of the entire application proxy.