Multi-Factor Authentication (2FA/MFA) for RD Web Access

Last updated on June 10, 2025

Overview of MFA for Remote Desktop Web Access

Rublon MFA for RD Web connector adds Two-Factor Authentication (2FA) to Microsoft Remote Desktop Web Access logons. When a user attempts to log in to RD Web Access with Rublon 2FA enabled, they have to first provide their credentials and then select an Authentication Method from Rublon Prompt. Depending on the chosen method of authentication, the second factor of authentication looks slightly different, but in the end, if a user confirms their identity, they are logged in to RD Web Access. Users who do not complete the Two-Factor Authentication process are denied access.

Rublon MFA for Remote Desktop Web connector also adds Two-Factor Authentication (2FA) to RD Web Client and RD Web Feed logons. Mobile Push and Email Link authentication methods can be used to authenticate to these products.

Note that RD Web Access is used only to download data about remote resources (RDP files). To secure the connection to a remote resource, use Rublon MFA for RD Gateway or Rublon MFA for Windows Logon and RDP.

Demo Video

Supported Authentication Methods

Authentication Method	Supported	Comments
Mobile Push	✔	N/A
WebAuthn/U2F Security Key	✔	N/A
Passcode	✔	N/A
SMS Passcode	✔	N/A
SMS Link	✔	N/A
Phone Call	✔	N/A
QR Code	✔	N/A
Email Link	✔	N/A
YubiKey OTP Security Key	✔	N/A

Before you start

Ensure that you have a well-tested, working, and running Remote Desktop Web Access before installing Rublon MFA for RD Web.

Rublon MFA for Remote Desktop Web supports the following operating systems:

• Windows Server 2012
• Windows Server 2012 R2
• Windows Server 2016
• Windows Server 2019
• Windows Server 2022

Required Components

• .NET Framework, version 4.6
• Installed and well-tested Remote Desktop Web Access 
• An up-to-date Windows Server
• Open Outbound Port 443 for https://core.rublon.net on the machine where RD Web Access is installed

Pre-Installation Steps

1. Sign in to the Rublon Admin Console.

2. Click Applications on the left.

3. Click Add.

4. Set a name for your application, e.g. RD Web Access.

5. Set Type to Remote Desktop Web Access.

6. Click Save to create a new application.

7. Copy and save the values of System Token and Secret Key. You are going to need them later.

8. Download Rublon MFA for RD Web by clicking the following link:

Download the Rublon MFA for RD Web installer

Installation of MFA for Remote Desktop Web Access

1. Run the installer with administrator rights.

2. On the first page of the installer, read about the product you are about to install.

• If this is the first time you are installing the connector, click Next.

• If this is not the first time you are installing the connector on this endpoint, you will be able to either update the current installation or do a clean installation.
  • Update current installation: If you choose to update the current installation, you will not be able to change any old options in the installer. However, if a new option has been introduced in this version of the installer, you will be able to change its value before the installation begins. The Update current installation option is recommended for those who want to update the connector to a newer version but want to keep all current settings.
  • Clean installation: If you choose to do a clean installation, continue with the steps in this section.

3. Enter the API credentials (System Token and Secret Key) from your application of type Remote Desktop Web Access in the Applications tab of the Rublon Admin Console and click Next.

Parameter	Description
System Token	System Token of your application in the Rublon Admin Console. Paste the value you noted down before.
Secret Key	Secret Key of your application in the Rublon Admin Console. Paste the value you noted down before.
API Address	Keep the default https://core.rublon.net unless you want to explicitly change the Rublon API Server URL.

4. Check the configuration options you want and click Next. Refer to the following image and table.

Option	Description
Use proxy	Check this option to enable proxy. When checked, the next page after clicking Next will ask you for more details about the proxy. When unchecked, the page that asks for proxy details will not appear.

5. If you checked Use proxy on the previous page, you will see an additional page asking you to enter proxy details. After filling in the details, click Next. Refer to the following image and table.

Option	Description
Proxy Host	The address of the proxy server.
Proxy Port	The port on which the proxy server is operating.
Proxy Username	The username of the HTTP proxy server user. Optional. Fill in if verification by username is required.
Proxy Password	The password of the HTTP proxy server user. Optional. Fill in if required for verification.

6. Check the bypass options you want and click Next. Refer to the following image and table.

Option	Description
Bypass MFA when it cannot be performed	Check to bypass MFA when the Rublon API is reachable but cannot perform MFA (e..g, too many requests).

7. Rublon MFA for RD Web is ready to install.

Rublon MFA for RD Web performs the following steps during installation:

• Adds configuration settings to Windows Registry.
• Installs the application on the system in a defined location. It is not possible to change this path.
• Starts the installer of the required additional packages: Microsoft Visual C++ 2015-2019 Redistributable (x64). Note that Rublon for RD Web requires the Microsoft Visual C ++ 2015-2019 Redistributable (x64) package to work. The RD Web installer will install this package automatically if it does not exist in the system. If the package exists in the system, the installer will omit this step and will not print info about it on the Ready to install page.

8. Click Install to install Rublon MFA for Remote Desktop Web.

9. After a successful installation, the installer informs you that your installation is complete. Check View log if you want and click Finish.

Configuration of MFA for Remote Desktop Web Access

You can change the settings of Rublon MFA for Remote Desktop Web in Windows Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Rublon\RDWeb. You do not have to stop RD Web Access before making any changes. The changes you made will be applied automatically during your next login.

Value	Description	Default Value
RublonApiServer	The server of the Rublon API.	The address that was entered during installation. Always use https://core.rublon.net unless instructed otherwise by Rublon Support.
SystemToken	A string value gathered from Rublon Admin Console, for the Remote Desktop Web Access application type.	The value that was entered during installation.
SecretKey	A string value gathered from Rublon Admin Console, for the Remote Desktop Web Access application type.	The value that was entered during installation.
ProxyHost	The address of the proxy server. Optional.	The value that was entered during installation or none.
ProxyMode	You need to set at least two parameters for the proxy to work: ProxyHost and ProxyPort. If you add both of these parameters, then the proxy will be automatically activated (and ProxyMode will be set to 1). If you only specify ProxyHost or only specify ProxyPort, registry changes will be made, but ProxyMode will be set to 0, meaning the proxy will not be active. Set ProxyMode to 0 to disable the proxy. The password of the HTTP proxy server user. Optional.	1 if the Use proxy checkbox was checked during installation; 0 otherwise.
ProxyPassword	The password of the HTTP proxy server user. Optional.	The value that was entered during installation or none.
ProxyPort	The port on which the proxy server is operating. Optional.	The value that was entered during installation or none.
ProxyUsername	The username of the HTTP proxy server user. Optional.	The value that was entered during installation or none.
FailMode	Defines whether the user is to be logged in when the 2FA authorization cannot be performed due to technical reasons. Possible values: bypass – user is logged in when there is invalid configuration or no connection to the Rublon API deny – user is blocked when there is invalid configuration or no connection to the Rublon API safe – an alternative for bypass, user is logged in secure – an alternative for deny, user is blocked	bypass/safe if the Bypass MFA when it cannot be performed checkbox was checked during installation; deny/secure otherwise.
SendUPN	If set to 1, Rublon looks up the Universal Principal Name (UPN) in the Active Directory and sends the UPN to the Rublon API as Rublon username (e.g., user@domain.com). If set to 0, Rublon sends sAMAccountName as Rublon username, e.g., Domain\user. Possible values: 1 – enables sending UPN to Rublon 0 – disables sending UPN to Rublon Suppose you set SendUPN to 1, but Rublon cannot find the User Principal Name (UPN) for a given user in Active Directory. In that case, Rublon denies access and adds appropriate information to the logs.	0
DebugRequests	When set to 1, enables detailed logging of requests and responses in communication with the Rublon API. Set to 1 only if requested by Rublon’s Customer Support.	0
AuthCookieLifeDuration	The maximum lifetime of a Rublon session cookie in seconds. This value must be a positive integer. You can enter the value in the key as a String.	The default maximum lifetime of a Rublon session cookie is 28800 seconds. However, AuthCookieLifeDuration is not added to Windows Registry by default. You must add it yourself if you want to change this value.
MaxRublonAuthWaitTime	The maximum waiting time for the completion of Rublon authentication in the RD Web application in seconds. This value must have the same value as executionTimeout in the C:\Windows\web\rdweb\web.config file.	The default maximum waiting time for the completion of Rublon authentication is 600 seconds. However, MaxRublonAuthWaitTime is not added to Windows Registry by default. You must add it yourself if you want to change this value.
SecretSessionKey	Rublon cookie signing key. Do not reveal the value of this key to anybody. If the key leaks, generate a new one.	A random key is automatically generated during installation.
SecretStorageKey	Key for signing temporary files created by connector. Do not reveal the value of this key to anybody. If the key leaks, generate a new one.	A random key is automatically generated during installation.
SessionDataDir	Applicable only to High Availability installations, e.g., Load Balancer on the front end and several duplicate RD Web instances on the back end. A path to a shared network folder accessible to all RD Web instances where the connector session files will be stored. Refer to High Availability (HA) Configuration to learn more. Supports both Universal Naming Convention (UNC) paths and local paths.	SessionDataDir is not added to Windows Registry by default. You must add it yourself if you want to change this value.

Logging

You can change the logging settings in the log4Net.config file located in the folder, in which you installed Rublon MFA for Remote Desktop Web (C:\Rublon\RDWeb\ by default).

All logging changes are immediately applied, and a restart of RD Web Access is not necessary.

Change the log file path

By default, the log file is located in C:\Rublon\RDWeb\RublonRDWebAccess.log. You can change this path by following the steps below.

1. Open the log4Net.config file and look for the following line:
<file value=”${SystemDrive}\\Rublon\\RDWeb\\RublonRDWebAccess.log” />

2. Replace ${SystemDrive}\\Rublon\\RDWeb\\RublonRDWebAccess.log with a new path.

3. From now on, any Rublon authentication process information will be logged to a new file.

Change logging level

The amount of information logged to the log file can be adjusted using the so-called logging levels. 

1. Open the log4Net.config file and look for the following entry:

<root>
<level value="DEBUG" />

2. Change the default DEBUG value to one of the following values:

• ALL – logs everything
• DEBUG – logs detailed information about the logging process
• INFO – logs info, warnings, and errors 
• WARN – logs warnings and errors
• ERROR – logs errors only
• OFF – turns off logging

High Availability (HA) Installation & Configuration

The Rublon MFA for RD Web connector uses the so-called Rublon session files that allow Rublon to perform MFA. In the case of a High Availability installation, e.g., Load Balancer on the front end and several duplicate RD Web instances on the back end, it is necessary to configure a shared network folder accessible to all RD Web instances, where the Rublon session files will be stored.

Refer to the following instructions:

1. Create a shared network folder accessible to all RD Web instances.

2. On each RD Web instance, map the shared folder to a disk drive, e.g., Z:. 

3. The IIS server user must have write permissions to this folder.

4. On every RD Web instance:

1. Install the Rublon MFA for the RD Web connector (version 1.5.1 or higher).
2. Set a path to the shared folder by adding a new parameter to HKEY_LOCAL_MACHINE\SOFTWARE\Rublon\RDWeb in Windows Registry.
   Value Type: String
   Value Name: SessionDataDir
   Value Data: Z: (or the full UNC path to the shared folder in the form: \\server_name\folder_name)

5. Set a common secretStorageKey for all RD Web instances:

• Rublon protects session files using HMAC-SHA256.
• The secret storage key is generated during installation.
• Copy the SecretStorageKey from the Windows Registry from one RD Web instance and paste it as the secretStorageKey of all other instances.

Updating MFA for Remote Desktop Web Access

If you have already installed Rublon MFA for RD Web and would like to update it to a newer version, open the new installation file and go through the installation process again. Your settings from the previous version will be kept.

You do not have to uninstall the old version of Rublon MFA for RD Web before updating it.

You do not have to specify the installation parameters again if you are updating Rublon MFA for RD Web.

Uninstallation of MFA for Remote Desktop Web Access

Run unis000.exe located in C:\Program Files\Rublon\RDWeb\ as administrator to uninstall Rublon MFA for RD Web.

Alternatively, open Apps & features, select Rublon for RD Web, and click Uninstall.

MFA for Remote Desktop Web Access Login Example

The following example portrays Rublon 2FA login to Remote Desktop Web Access set up on an IIS server. The Remote Desktop Web Access URL is https://server_fqdn/RDWeb/Pages/en-US/login.aspx where server_fqdn is a fully qualified domain name of the server you are using.

1. Provide your login credentials and click Sign in.

2. A window will appear with various 2FA options from Rublon. Let’s choose Mobile Push.

3. You will receive a Mobile Push authentication request. Tap APPROVE.

4. You will be successfully logged in.

MFA for Remote Desktop Web Client

The Rublon MFA for Remote Desktop Web connector also adds MFA to Remote Access Web Client logins. To learn more, refer to Rublon MFA for RD Web Client.

MFA for RD Web Feed

The Rublon MFA for RD Web connector adds Multi-Factor Authentication (MFA) to RD Web Feed (RemoteApp and Desktop Connections) logins. With Rublon 2FA enabled, a Mobile Push authentication request is sent automatically to the user’s phone when they log in to the RD Web Feed. If the user has not enrolled their account, an Email Link is sent instead. No Rublon Prompt will be displayed during such a promptless login experience.

2FA for RD Web Feed Login Example

The following example portrays Rublon 2FA login to RD Web Feed.

1. Open Access RemoteApp and Desktops.

2. Provide the connection URL and click Next.

The connection URL has the following form: https://server_fqdn/RDWeb/feed/webfeed.aspx where server_fqdn is a fully qualified domain name of the server you are using.

3. Click Next.

4. A Windows Security dialog will open. Provide your credentials and click OK.

5. A progress bar will appear on the log-in window and Rublon will send a Mobile Push authentication request to your phone. Tap APPROVE.

6. After successful Rublon authentication, remote resources are added to the local Windows system and available in the Start menu.

Troubleshooting

• If you have a problem or question, refer to Rublon MFA for RD Web – FAQ first.
• Look up your log file located in C:\Rublon\RDWeb\RublonRDWebAccess.log by default and send the file to Rublon Support along with a description of your issue.
• If you encounter any issues with your Rublon integration, please contact Rublon Support.

Related Posts

Rublon MFA for Remote Desktop Web – Release Notes

Rublon MFA for Remote Desktop Web – FAQ

Rublon MFA for Remote Desktop Web – Download

Rublon MFA for Remote Desktop Web Client