• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer

Company · Blog · Newsletter · Events · Partner Program

Downloads      Support      Security     Admin Login
Rublon

Rublon

Secure Remote Access

  • Product
    • Regulatory Compliance
    • Use Cases
    • Rublon Reviews
    • Authentication Basics
    • What is MFA?
    • Importance of MFA
    • User Experience
    • Authentication Methods
    • Rublon Authenticator
    • Remembered Devices
    • Logs
    • Single Sign-On
    • Access Policies
    • Directory Sync
  • Solutions
    • MFA for Remote Desktop
    • MFA for Remote Access Software
    • MFA for Windows Logon
    • MFA for Linux
    • MFA for Active Directory
    • MFA for LDAP
    • MFA for RADIUS
    • MFA for SAML
    • MFA for RemoteApp
    • MFA for Workgroup Accounts
    • MFA for Entra ID
  • Customers
  • Industries
    • Financial Services
    • Investment Funds
    • Retail
    • Technology
    • Healthcare
    • Legal
    • Education
    • Government
  • Pricing
  • Docs
Contact Sales Free Trial

Multi-Factor Authentication (2FA/MFA) for RD Web Access

Multi-Factor (MFA) and Two-Factor Authentication (2FA) for Remote Desktop Web Access (RD Web) on Microsoft Windows Server

April 22, 2021 By Rublon Authors

Last updated on June 10, 2025

Overview of MFA for Remote Desktop Web Access

Rublon MFA for RD Web connector adds Two-Factor Authentication (2FA) to Microsoft Remote Desktop Web Access logons. When a user attempts to log in to RD Web Access with Rublon 2FA enabled, they have to first provide their credentials and then select an Authentication Method from Rublon Prompt. Depending on the chosen method of authentication, the second factor of authentication looks slightly different, but in the end, if a user confirms their identity, they are logged in to RD Web Access. Users who do not complete the Two-Factor Authentication process are denied access.

Rublon MFA for Remote Desktop Web connector also adds Two-Factor Authentication (2FA) to RD Web Client and RD Web Feed logons. Mobile Push and Email Link authentication methods can be used to authenticate to these products.

Note that RD Web Access is used only to download data about remote resources (RDP files). To secure the connection to a remote resource, use Rublon MFA for RD Gateway or Rublon MFA for Windows Logon and RDP.

Demo Video

Supported Authentication Methods

Authentication Method Supported Comments
Mobile Push ✔ N/A
WebAuthn/U2F Security Key ✔ N/A
Passcode ✔ N/A
SMS Passcode ✔ N/A
SMS Link ✔ N/A
Phone Call ✔ N/A
QR Code ✔ N/A
Email Link ✔ N/A
YubiKey OTP Security Key ✔ N/A

Before you start

Ensure that you have a well-tested, working, and running Remote Desktop Web Access before installing Rublon MFA for RD Web.

Rublon MFA for Remote Desktop Web supports the following operating systems:

  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022

Note

All editions of Windows Server are supported, including Windows Server Essentials.

Required Components

  • .NET Framework, version 4.6
  • Installed and well-tested Remote Desktop Web Access 
  • An up-to-date Windows Server
  • Open Outbound Port 443 for https://core.rublon.net on the machine where RD Web Access is installed

Pre-Installation Steps

1. Sign in to the Rublon Admin Console.

2. Click Applications on the left.

3. Click Add.

4. Set a name for your application, e.g. RD Web Access.

5. Set Type to Remote Desktop Web Access.

6. Click Save to create a new application.

7. Copy and save the values of System Token and Secret Key. You are going to need them later.

8. Download Rublon MFA for RD Web by clicking the following link:

Download the Rublon MFA for RD Web installer

Installation of MFA for Remote Desktop Web Access

1. Run the installer with administrator rights.

2. On the first page of the installer, read about the product you are about to install.

  • If this is the first time you are installing the connector, click Next.
Image showing the first page of RD Web installer
  • If this is not the first time you are installing the connector on this endpoint, you will be able to either update the current installation or do a clean installation.
    • Update current installation: If you choose to update the current installation, you will not be able to change any old options in the installer. However, if a new option has been introduced in this version of the installer, you will be able to change its value before the installation begins. The Update current installation option is recommended for those who want to update the connector to a newer version but want to keep all current settings.
    • Clean installation: If you choose to do a clean installation, continue with the steps in this section.
Image of RD Web Access installer showing choosing between update current installation and clean installation

3. Enter the API credentials (System Token and Secret Key) from your application of type Remote Desktop Web Access in the Applications tab of the Rublon Admin Console and click Next.

ParameterDescription
System TokenSystem Token of your application in the Rublon Admin Console.

Paste the value you noted down before.
Secret KeySecret Key of your application in the Rublon Admin Console.

Paste the value you noted down before.
API AddressKeep the default https://core.rublon.net unless you want to explicitly change the Rublon API Server URL.

4. Check the configuration options you want and click Next. Refer to the following image and table.

Image showing the use proxy checkbox during installation of RD Web MFA
OptionDescription
Use proxyCheck this option to enable proxy.

When checked, the next page after clicking Next will ask you for more details about the proxy.

When unchecked, the page that asks for proxy details will not appear.

5. If you checked Use proxy on the previous page, you will see an additional page asking you to enter proxy details. After filling in the details, click Next. Refer to the following image and table.

Image showing setting up proxy credentials for RD Web
OptionDescription
Proxy HostThe address of the proxy server.
Proxy PortThe port on which the proxy server is operating.
Proxy UsernameThe username of the HTTP proxy server user.

Optional. Fill in if verification by username is required.
Proxy PasswordThe password of the HTTP proxy server user.

Optional. Fill in if required for verification.

6. Check the bypass options you want and click Next. Refer to the following image and table.

Image showing bypass configuration for Rublon MFA for RD Web Access installer
OptionDescription
Bypass MFA when it cannot be performedCheck to bypass MFA when the Rublon API is reachable but cannot perform MFA (e..g, too many requests).

7. Rublon MFA for RD Web is ready to install.

Rublon MFA for RD Web performs the following steps during installation:

  • Adds configuration settings to Windows Registry.
  • Installs the application on the system in a defined location. It is not possible to change this path.
  • Starts the installer of the required additional packages: Microsoft Visual C++ 2015-2019 Redistributable (x64). Note that Rublon for RD Web requires the Microsoft Visual C ++ 2015-2019 Redistributable (x64) package to work. The RD Web installer will install this package automatically if it does not exist in the system. If the package exists in the system, the installer will omit this step and will not print info about it on the Ready to install page.
Image showing Rublon MFA for Remote Desktop Web Access is ready to install

8. Click Install to install Rublon MFA for Remote Desktop Web.

Image showing the RD Web connector is being installed

9. After a successful installation, the installer informs you that your installation is complete. Check View log if you want and click Finish.

Image showing a successful installation

Note

If you are experiencing problems with the installer, please refer to our FAQ.

Configuration of MFA for Remote Desktop Web Access

You can change the settings of Rublon MFA for Remote Desktop Web in Windows Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Rublon\RDWeb. You do not have to stop RD Web Access before making any changes. The changes you made will be applied automatically during your next login.

Value Description Default Value
RublonApiServer The server of the Rublon API. The address that was entered during installation.

Always use https://core.rublon.net unless instructed otherwise by Rublon Support.
SystemToken A string value gathered from Rublon Admin Console, for the Remote Desktop Web Access application type. The value that was entered during installation.
SecretKey A string value gathered from Rublon Admin Console, for the Remote Desktop Web Access application type. The value that was entered during installation.
ProxyHost The address of the proxy server. Optional. The value that was entered during installation or none.
ProxyMode You need to set at least two parameters for the proxy to work: ProxyHost and ProxyPort.

If you add both of these parameters, then the proxy will be automatically activated (and ProxyMode will be set to 1).

If you only specify ProxyHost or only specify ProxyPort, registry changes will be made, but ProxyMode will be set to 0, meaning the proxy will not be active.

Set ProxyMode to 0 to disable the proxy.

The password of the HTTP proxy server user. Optional.
1 if the Use proxy checkbox was checked during installation; 0 otherwise.
ProxyPassword The password of the HTTP proxy server user. Optional. The value that was entered during installation or none.
ProxyPort The port on which the proxy server is operating. Optional. The value that was entered during installation or none.
ProxyUsername The username of the HTTP proxy server user. Optional. The value that was entered during installation or none.
FailMode Defines whether the user is to be logged in when the 2FA authorization cannot be performed due to technical reasons.

Possible values:
bypass – user is logged in when there is invalid configuration or no connection to the Rublon API
deny – user is blocked when there is invalid configuration or no connection to the Rublon API
safe – an alternative for bypass, user is logged in
secure – an alternative for deny, user is blocked
bypass/safe if the Bypass MFA when it cannot be performed checkbox was checked during installation; deny/secure otherwise.
SendUPN If set to 1, Rublon looks up the Universal Principal Name (UPN) in the Active Directory and sends the UPN to the Rublon API as Rublon username (e.g., user@domain.com).

If set to 0, Rublon sends sAMAccountName as Rublon username, e.g., Domain\user.

Possible values:
1 – enables sending UPN to Rublon
0 – disables sending UPN to Rublon

Suppose you set SendUPN to 1, but Rublon cannot find the User Principal Name (UPN) for a given user in Active Directory. In that case, Rublon denies access and adds appropriate information to the logs.
0
DebugRequests When set to 1, enables detailed logging of requests and responses in communication with the Rublon API.

Set to 1 only if requested by Rublon’s Customer Support.
0
AuthCookieLifeDuration The maximum lifetime of a Rublon session cookie in seconds.

This value must be a positive integer. You can enter the value in the key as a String.
The default maximum lifetime of a Rublon session cookie is 28800 seconds.

However, AuthCookieLifeDuration is not added to Windows Registry by default. You must add it yourself if you want to change this value.
MaxRublonAuthWaitTime The maximum waiting time for the completion of Rublon authentication in the RD Web application in seconds.

This value must have the same value as executionTimeout in the C:\Windows\web\rdweb\web.config file.
The default maximum waiting time for the completion of Rublon authentication is 600 seconds.

However, MaxRublonAuthWaitTime is not added to Windows Registry by default. You must add it yourself if you want to change this value.
SecretSessionKey Rublon cookie signing key.

Do not reveal the value of this key to anybody. If the key leaks, generate a new one.
A random key is automatically generated during installation.
SecretStorageKey Key for signing temporary files created by connector.

Do not reveal the value of this key to anybody. If the key leaks, generate a new one.
A random key is automatically generated during installation.
SessionDataDir Applicable only to High Availability installations, e.g., Load Balancer on the front end and several duplicate RD Web instances on the back end.

A path to a shared network folder accessible to all RD Web instances where the connector session files will be stored. Refer to High Availability (HA) Configuration to learn more.

Supports both Universal Naming Convention (UNC) paths and local paths.
SessionDataDir is not added to Windows Registry by default. You must add it yourself if you want to change this value.

Logging

You can change the logging settings in the log4Net.config file located in the folder, in which you installed Rublon MFA for Remote Desktop Web (C:\Rublon\RDWeb\ by default).

All logging changes are immediately applied, and a restart of RD Web Access is not necessary.

Change the log file path

By default, the log file is located in C:\Rublon\RDWeb\RublonRDWebAccess.log. You can change this path by following the steps below.

1. Open the log4Net.config file and look for the following line:
<file value=”${SystemDrive}\\Rublon\\RDWeb\\RublonRDWebAccess.log” />

2. Replace ${SystemDrive}\\Rublon\\RDWeb\\RublonRDWebAccess.log with a new path.

3. From now on, any Rublon authentication process information will be logged to a new file.

Note

If you have authenticated via Rublon, but no new file has been created, make sure the access to the path is not restricted.

If you do not see any entries in the log file, make sure the logging level is set to at least info.

Change logging level

The amount of information logged to the log file can be adjusted using the so-called logging levels. 

1. Open the log4Net.config file and look for the following entry:

<root>
<level value="DEBUG" />

2. Change the default DEBUG value to one of the following values:

  • ALL – logs everything
  • DEBUG – logs detailed information about the logging process
  • INFO – logs info, warnings, and errors 
  • WARN – logs warnings and errors
  • ERROR – logs errors only
  • OFF – turns off logging

High Availability (HA) Installation & Configuration

The Rublon MFA for RD Web connector uses the so-called Rublon session files that allow Rublon to perform MFA. In the case of a High Availability installation, e.g., Load Balancer on the front end and several duplicate RD Web instances on the back end, it is necessary to configure a shared network folder accessible to all RD Web instances, where the Rublon session files will be stored.

Refer to the following instructions:

1. Create a shared network folder accessible to all RD Web instances.

2. On each RD Web instance, map the shared folder to a disk drive, e.g., Z:. 

3. The IIS server user must have write permissions to this folder.

4. On every RD Web instance:

  1. Install the Rublon MFA for the RD Web connector (version 1.5.1 or higher).
  2. Set a path to the shared folder by adding a new parameter to HKEY_LOCAL_MACHINE\SOFTWARE\Rublon\RDWeb in Windows Registry.
    Value Type: String
    Value Name: SessionDataDir
    Value Data: Z: (or the full UNC path to the shared folder in the form: \\server_name\folder_name)

5. Set a common secretStorageKey for all RD Web instances:

  • Rublon protects session files using HMAC-SHA256.
  • The secret storage key is generated during installation.
  • Copy the SecretStorageKey from the Windows Registry from one RD Web instance and paste it as the secretStorageKey of all other instances.

Note

Rublon creates temporary session files during authentication and then deletes them after the user completes authentication. Each file size is only about 400B. But to be extra safe, we recommend you ensure the allowed max size of the shared folder is larger than 1024B multiplied by the number of RD Web users.

Note

If you are getting one of the following errors:

Error occurred Access to the path ‘<path>’ is denied. while reading session data, trying next time

Blocking access to the RDWeb since the following error occurred:   System.UnauthorizedAccessException: Access to the path '<path>' is denied.

Ensure that the IIS server user has write permissions to the path.

Updating MFA for Remote Desktop Web Access

If you have already installed Rublon MFA for RD Web and would like to update it to a newer version, open the new installation file and go through the installation process again. Your settings from the previous version will be kept.

You do not have to uninstall the old version of Rublon MFA for RD Web before updating it.

You do not have to specify the installation parameters again if you are updating Rublon MFA for RD Web.

Uninstallation of MFA for Remote Desktop Web Access

Run unis000.exe located in C:\Program Files\Rublon\RDWeb\ as administrator to uninstall Rublon MFA for RD Web.

Alternatively, open Apps & features, select Rublon for RD Web, and click Uninstall.

MFA for Remote Desktop Web Access Login Example

The following example portrays Rublon 2FA login to Remote Desktop Web Access set up on an IIS server. The Remote Desktop Web Access URL is https://server_fqdn/RDWeb/Pages/en-US/login.aspx where server_fqdn is a fully qualified domain name of the server you are using.

1. Provide your login credentials and click Sign in.

2. A window will appear with various 2FA options from Rublon. Let’s choose Mobile Push.

3. You will receive a Mobile Push authentication request. Tap APPROVE.

4. You will be successfully logged in.

MFA for Remote Desktop Web Client

The Rublon MFA for Remote Desktop Web connector also adds MFA to Remote Access Web Client logins. To learn more, refer to Rublon MFA for RD Web Client.

MFA for RD Web Feed

The Rublon MFA for RD Web connector adds Multi-Factor Authentication (MFA) to RD Web Feed (RemoteApp and Desktop Connections) logins. With Rublon 2FA enabled, a Mobile Push authentication request is sent automatically to the user’s phone when they log in to the RD Web Feed. If the user has not enrolled their account, an Email Link is sent instead. No Rublon Prompt will be displayed during such a promptless login experience.

Note

To use Rublon 2FA for RD Web Feed, ensure the following:

1. The user is enrolled in the Rublon Admin Console.

2. The Mobile Push or Email Link authentication method is enabled in the Policy assigned to the RD Web Access application in the Rublon Admin Console.

Note

The maximum waiting times for completing authentication methods for RD Web Feed are as follows:

• Mobile Push: 3 minutes

• Email Link: 16 minutes

These times cannot be changed. After the given time has elapsed, the user will be denied access or bypassed depending on the FailMode parameter.

Note

Rublon 2FA will only be performed for RD Web Feed actions that trigger the Windows Security dialog credentials login.

2FA for RD Web Feed Login Example

The following example portrays Rublon 2FA login to RD Web Feed.

1. Open Access RemoteApp and Desktops.

2. Provide the connection URL and click Next.

The connection URL has the following form: https://server_fqdn/RDWeb/feed/webfeed.aspx where server_fqdn is a fully qualified domain name of the server you are using.

3. Click Next.

4. A Windows Security dialog will open. Provide your credentials and click OK.

5. A progress bar will appear on the log-in window and Rublon will send a Mobile Push authentication request to your phone. Tap APPROVE.

6. After successful Rublon authentication, remote resources are added to the local Windows system and available in the Start menu.

Troubleshooting

  • If you have a problem or question, refer to Rublon MFA for RD Web – FAQ first.
  • Look up your log file located in C:\Rublon\RDWeb\RublonRDWebAccess.log by default and send the file to Rublon Support along with a description of your issue.
  • If you encounter any issues with your Rublon integration, please contact Rublon Support.

Related Posts

Rublon MFA for Remote Desktop Web – Release Notes

Rublon MFA for Remote Desktop Web – FAQ

Rublon MFA for Remote Desktop Web – Download

Rublon MFA for Remote Desktop Web Client

Filed Under: Documentation

Primary Sidebar

Contents

  • Overview of MFA for Remote Desktop Web Access
  • Demo Video
  • Supported Authentication Methods
  • Before you start
    • Required Components
  • Pre-Installation Steps
  • Installation of MFA for Remote Desktop Web Access
  • Configuration of MFA for Remote Desktop Web Access
    • Logging
      • Change the log file path
      • Change logging level
  • High Availability (HA) Installation & Configuration
  • Updating MFA for Remote Desktop Web Access
  • Uninstallation of MFA for Remote Desktop Web Access
  • MFA for Remote Desktop Web Access Login Example
  • MFA for Remote Desktop Web Client
  • MFA for RD Web Feed
    • 2FA for RD Web Feed Login Example
  • Troubleshooting
  • Related Posts
Try Rublon for Free
Start your 30-day Rublon Trial to secure your employees using multi-factor authentication.
No Credit Card Required


Footer

Product

  • Regulatory Compliance
  • Use Cases
  • Rublon Reviews
  • Authentication Basics
  • What is MFA?
  • Importance of MFA
  • User Experience
  • Authentication Methods
  • Rublon Authenticator
  • Remembered Devices
  • Logs
  • Single Sign-On
  • Access Policies
  • Directory Sync

Solutions

  • MFA for Remote Desktop
  • MFA for Windows Logon
  • MFA for Remote Access Software
  • MFA for Linux
  • MFA for Active Directory
  • MFA for LDAP
  • MFA for RADIUS
  • MFA for SAML
  • MFA for RemoteApp
  • MFA for Workgroup Accounts
  • MFA for Entra ID

Industries

  • Financial Services
  • Investment Funds
  • Retail
  • Technology
  • Healthcare
  • Legal
  • Education
  • Government

Documentation

  • 2FA for Windows & RDP
  • 2FA for RDS
  • 2FA for RD Gateway
  • 2FA for RD Web Access
  • 2FA for SSH
  • 2FA for OpenVPN
  • 2FA for SonicWall VPN
  • 2FA for Cisco VPN
  • 2FA for Office 365

Support

  • Knowledge Base
  • FAQ
  • System Status

About

  • About Us
  • Blog
  • Events
  • Co-funded by the European Union
  • Contact Us

  • Facebook
  • GitHub
  • LinkedIn
  • Twitter
  • YouTube

© 2025 Rublon · Imprint · Legal & Privacy · Security

  • English