Skip to main content
Skip table of contents

Microsoft Remote Desktop Gateway RADIUS integration

A Remote Desktop Gateway-based infrastructure relies on NPS to authenticate users. The following steps are necessary to configure NPS to use inWebo RADIUS servers to authenticate users with multi-factor authentication in addition to the traditional login / password.


InWebo connections must respect the following format Domain\sAMAccountname.

Install the Remote Desktop Gateway infrastructure and required roles:

Configure inWebo to accept authentication requests issued by NPS

On the inWebo management console

  • go the “Secure Sites” tab

  • in the “Connectors” column click on “Add a connector of type” and select “Radius Push”

  • Fill in the “IP Address” field with the IP of the public interface of your device (or NAT address if behind a firewall).

  • Enter the “secret” configured previously on NPS.

  • Validate your connector configuration by pressing “Add” or “Update” button.

Point to be noted: “Any configuration or modification made to your RADIUS connector will be applied at the start of the next hour”.

Configure inWebo RADIUS servers on NPS

In NPS MMC, (Microsoft Management Console)

  • expand "NPS (local)> RADIUS Clients and Servers".

  • Select “Remote RADIUS Server Groups” and double click on “TS GATEWAY SERVER GROUP” to edit it.

In the “TS GATEWAY SERVER GROUP” Properties window,

  • Click on “Add” to configure the inWebo RADIUS servers.

In the “Add RADIUS Server” window

On the "Address" tab

  • provide the IP or DNS address of the inWebo RADIUS server

  • click on "Verify" to solve it.

RADIUS recommended Addresses and pair configuration

In most of RADIUS client configurations, you will have to choose one of the following pair of RADIUS servers to have failover:

inWebo Radius server addresses :

(See RADIUS integration and redundancy for additional details and configuration)

On the "Authentication / Accounting" tab

  • Configure a “Shared secret”
    (That same secret should be also provided on the inWebo platform later)

In the “Load Balancing” tab, change the timeout as follows.

  • For “Push” RADIUS mode: Configure NPS to send authentication requests every 30 seconds and fallback to another server after 1 failed attempts.

(For more details: check the following documentation: RADIUS integration and redundancy )

Repeat both operations to add a secondary server. Setting the same Weight and Priority while implement a load balancing between both servers.

Configure NPS policies to forward authentication requests to inWebo RADIUS servers


  • Navigate to "NPS (local)> Policies> Connection request policies"

  • Double click on "TS GATEWAY SERVER GROUP" to modify it.


In the “Settings” tab:

  • Go to “Authentication”, in the “Forwarding Connection Request” section

    • Select “Forward requests to the following remote RADIUS server group for authentication”.

    • Make sure that “TS GATEWAY SERVER GROUP” is selected.

  • Go to "Attribute", in the “Specify a Realm Name" section

    • Select "User-Name" attribute and click on Add

    • in the “Find” field → ^DOMAIN\\ (Uppercase)

    • in the “Replace with” field → leave it empty

    • Click on OK

  • Click on Apply to validate the configuration

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.