Follow the steps below to configure two-factor authentication for Windows RDP sessions.
From the RSA Authentication Manager side:
1. Enable RSA API authentication
- Log in to RSA Authentication Manager, navigate to Setup > System Settings > RSA SecurID Authentication API in the Security Console, check the "Enable Authentication API" box, and note the generated Access ID and Access Key.
2. Create an agent for the MFA machine on RSA Authentication Manager, using the machine's FQDN.
- In the RSA Authentication Manager console, click Access > Authentication Agents > Add New.
- From the Security Domain drop-down menu, select the security domain to which you want to add the new agent. Under Authentication Agent Basics, do the following:
- For Hostname, enter the hostname of the agent host, and then click Resolve IP.
Reference:
From the RDP machine side:
Follow the steps below to install and configure the RSA MFA Agent on the RDP machine:
1. Install the RSA MFA Agent
Download and install the MFA Agent on the RDP machine.
Reference document attached: RSA MFA Agent 2.3.5 for Microsoft Windows Installation and Administration Guide | RSA Community
2. Test MFA Login
Once the installation is complete, perform a test login to confirm that MFA authentication is working successfully.
3. Import the RSA Root Certificate
Ensure that the RSA Authentication Manager Root Certificate Authority (CA) certificate is installed on the RDP machine; the agent needs it to trust the TLS connection to the Authentication API.
Use the Microsoft Management Console (mmc.exe) to import it as a trusted root certificate.
4. Configure Group Policy Settings
Open the Group Policy Editor (gpedit.msc) on the RDP machine and ensure the following policies are configured:
- Specify an Authentication Manager Agent Name.
- Enable RSA authentication (do not enable this policy until you have confirmed that test online authentication succeeds; enabling it before the agent can reach Authentication Manager can lock users out of RDP).
- Specify the RSA Authentication API key.
- Specify the RSA Authentication API REST URL.
- RSA Challenge group.
5. Update the local authentication settings using the Group Policy Editor (gpedit.msc) on the target machine.
Reference screenshot:
Enter any one executable name as the fully-qualified application path.
Example: rsa.exe
6. Update the RSA settings on the RDP machine using the Group Policy Editor (gpedit.msc).
Reference screenshot:
Add the exact name of the agent as specified in the RSA Authentication Manager console.
Add the RSA Authentication Manager API key.
Add the RSA Authentication Manager name with port 5555.
Example: https://rsaprodserver.abc.com:5555
7. Follow the steps below to test the RDP connection with RSA two-factor authentication:
- Open the Command Prompt as an administrator on the MFA agent machine.
- Run the following command to force a Group Policy update:
  gpupdate /force
- After the policy update completes, attempt to establish an RDP connection from any local machine.
- Upon logging into Windows, you should be prompted to enter your RSA two-factor authentication (TFA) password.
Kindly confirm if the RSA TFA prompt appears as expected.
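The following PowerShell pre-flight check is an added example, not part of the RSA guide or the MFA Agent. It verifies the two prerequisites that steps 3 and 6 depend on before the "Enable RSA authentication" policy is switched on: that a root CA is present in the machine's Trusted Root store, and that the Authentication Manager's port-5555 endpoint is reachable and presents a certificate that chains to a trusted root. The server FQDN is taken from the article's example URL; the root CA subject substring and the parameter names are assumptions to replace with your own values.

```powershell
# Added pre-flight check (not from the RSA guide). Run as Administrator on the
# RDP machine before enabling the "Enable RSA authentication" policy.
param(
    [string]$AuthManagerFqdn    = 'rsaprodserver.abc.com',  # from the article's example URL
    [int]$Port                  = 5555,                     # Authentication API port from step 6
    [string]$RootCaSubjectMatch = 'RSA'                     # ASSUMED substring of the imported root CA subject
)

# Step 3 check: is a matching root CA in the machine Trusted Root store?
$rootCa = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*$RootCaSubjectMatch*" }
if ($rootCa) {
    Write-Host "OK   root CA present: $($rootCa[0].Subject)"
} else {
    Write-Warning "No root CA matching '$RootCaSubjectMatch' in Cert:\LocalMachine\Root (step 3 incomplete)"
}

# Step 6 check: can the agent even reach the REST URL's port?
$tcp = Test-NetConnection -ComputerName $AuthManagerFqdn -Port $Port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "TCP $($AuthManagerFqdn):$Port is unreachable; leave 'Enable RSA authentication' disabled"
    return
}
Write-Host "OK   TCP $($AuthManagerFqdn):$Port reachable"

# TLS check: does the server certificate validate against the machine's trust store?
# This is what fails when step 3 was skipped; the agent would then reject the connection.
$script:chainOk = $false
$client = New-Object System.Net.Sockets.TcpClient($AuthManagerFqdn, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream(
        $client.GetStream(), $false,
        {
            param($sender, $cert, $chain, $errors)
            $script:chainOk = ($errors -eq [System.Net.Security.SslPolicyErrors]::None)
            if (-not $script:chainOk) { Write-Warning "TLS validation errors: $errors" }
            $true   # accept here only so the certificate details can be printed below
        })
    $ssl.AuthenticateAsClient($AuthManagerFqdn)
    $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    Write-Host "Server certificate: subject=$($remote.Subject) issuer=$($remote.Issuer) expires=$($remote.NotAfter)"
} finally {
    $client.Close()
}

# Only when every check passed is it safe to enable the policy and refresh it (step 7).
if ($script:chainOk) {
    Write-Host "Pre-flight passed. Enable 'Enable RSA authentication', then run: gpupdate /force"
} else {
    Write-Warning "Pre-flight failed. Fix certificate trust or connectivity first so RDP users are not locked out."
}
```

Run the script before the final "Enable RSA authentication" step; a TLS validation warning here means the root CA import in step 3 did not land in the machine store (a user-store import is not enough for a service running as SYSTEM), and the policy should stay disabled until it is corrected.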