In Progress

MFA for Secure Gateway

=== Feature Enhancement Request ===

We're trying out the Multifactor Authentication (MFA, a.k.a. two-factor or 2FA) feature on the Document Store on Royal Server.  It works great!  But that's not quite what we needed.


Can we do MFA on the Royal Server Secure Gateway?  For instance, when the engineers arrive in the morning they would have to MFA to get their first connection through the Secure Gateway but after that, all new sessions would go through the Secure Gateway without re-checking the MFA.


There should probably be a setting for Maximum-Session-Time to time-out the session and force the MFA to repeat.  We'd probably set ours to 30 hours or something to let users get a full day's work in.  


We use Duo Security here but the Microsoft Authenticator is a valid second option for us.


Thank you.



@Wolfgang Bäck: right now we plan to enable the already existing MFA providers we support for the document store. Regarding Azure MFA: I'm not sure if we can easily integrate it like the other providers but I kindly ask you to create a dedicated feature request for that and if you happen to know resources like docs for SDKs on how to integrate it in other apps, please include that as well. Thanks!

Any news on when this will arrive?

This will be in the next major version of Royal Server. A beta version will be available in the next few weeks.

Will you have a true Multifactor Authentication (MFA, a.k.a. two-factor or 2FA) feature for your Royal Server Gateway?  One that works for Windows and Linux connections?  If so, when?  We are being pressured by our security team to provide an MFA solution for RDP and SSH connections or to abandon Royal Server completely for another solution that has MFA.  We need firm dates and not "next major version release". My company has over 100K+ users with multiple Royal Server Gateways for multiple domains. We need MFA, because it's an industry standard.

Hi Christopher,


Yes, the Google TOTP and Duo will be applicable to the Document Store AND Secure Gateway connections. Regarding the release date, I'm not sure what I can tell you; we can ship it when it's ready. Implementing something like this takes time and needs to be tested. I hope it will be on time for you.


Regards,
Stefan

Do you have details on how this MFA will work? [ Yes, the Google TOTP and Duo will be applicable to the Document Store AND Secure Gateway connections. ]  We don't leverage the Document Store feature, because our various users are limited to specific servers within our environments. Each user runs Royal TS locally from their laptops and connects to our many Royal Server URLs (different domains) to access PROD or DEV environments.  We obviously leverage our VPN to hit these URLs, but our security team is reporting the VPN requirement will not pass the new security standards.  We need VPN, two different domain accounts (one to pass the gateway and one to access the servers), and the RDP/SSH method has to be MFA.


Will your new enhancement to Royal Server afford us that level of MFA?


Do you have whitepapers on your MFA solution or a demo video?

Hi Christopher,


the MFA feature for Secure Gateway will work the same as it currently works for our Document Store:


You can enroll a user for MFA by specifying for which feature this MFA configuration is valid (required for Document Store, required for Secure Gateway) and a caching time for a successful second-factor code (in order to not bother users too much). On the Royal TS/X side: if you try to open a connection that has a Secure Gateway connection configured, the Royal Server requests the code from the second factor (TOTP, Duo) if this user is configured for MFA and Secure Gateway. If the user is not able to enter the correct MFA code within 3 tries, the connection request is rejected. The caching time is configurable on a per-user basis (in order to restrict e.g. external employees to a much smaller timeframe).


Let me know if this helps for now.


cheers,

Michael
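To make the flow Michael describes concrete, here is an added Python model of such a gate. It is not Royal Server's code; the class name, method names and the enrollment fields are assumptions. It shows the three pieces the post names: enrollment that says whether MFA is required for the gateway, an RFC 6238 TOTP check (the "Google TOTP" provider) with at most three attempts before the connection request is rejected, and a per-user cache so a successful second factor is not requested again until the cache time runs out (a long cache for staff, a short one for a contractor). The `prompt` callback stands in for the code request the client receives from the server; Duo push is not modelled.

```python
import base64
import hashlib
import hmac
import struct
from typing import Callable, Dict

STEP_SECONDS = 30   # TOTP time step (RFC 6238 default, as Google Authenticator uses)
MAX_ATTEMPTS = 3    # the thread: reject the connection after 3 wrong codes

# Base32 of the ASCII seed "12345678901234567890", the RFC 6238 test-vector seed
# (a published test value, used here as constructed sample data).
RFC6238_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp_code(secret_b32: str, now: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step) for a base32 seed at Unix time `now`."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = now // STEP_SECONDS
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


class GatewayMfaGate:
    """Hypothetical second-factor gate in front of gateway connections (assumed design)."""

    def __init__(self, enrollments: Dict[str, dict]):
        # enrollments: user -> {"secret": base32 TOTP seed,
        #                       "gateway_mfa": True if MFA is required for the gateway,
        #                       "cache_seconds": how long one success is remembered}
        self.enrollments = enrollments
        self.verified_until: Dict[str, int] = {}   # user -> Unix time the cache expires

    def authorize(self, user: str, now: int, prompt: Callable[[int], str]) -> str:
        cfg = self.enrollments.get(user)
        if cfg is None or not cfg["gateway_mfa"]:
            return "allowed-no-mfa"               # user not enrolled for gateway MFA
        if self.verified_until.get(user, 0) > now:
            return "allowed-cached"               # recent success, no prompt shown
        expected = totp_code(cfg["secret"], now)
        for attempt in range(1, MAX_ATTEMPTS + 1):
            supplied = prompt(attempt)            # ask the client for a code
            if hmac.compare_digest(supplied, expected):
                self.verified_until[user] = now + cfg["cache_seconds"]
                return "allowed-mfa"
        return "rejected"                         # three wrong codes: connection refused


def demo() -> Dict[str, str]:
    """Walk through the cases from the post with a fixed clock (constructed sample data)."""
    gate = GatewayMfaGate({
        "alice":      {"secret": RFC6238_SEED, "gateway_mfa": True,  "cache_seconds": 30 * 3600},
        "contractor": {"secret": RFC6238_SEED, "gateway_mfa": True,  "cache_seconds": 3600},
        "svc-backup": {"secret": RFC6238_SEED, "gateway_mfa": False, "cache_seconds": 0},
    })
    t0 = 59
    wrong = lambda attempt: "wrong"                          # never a valid 6-digit code
    right = lambda attempt: totp_code(RFC6238_SEED, t0)      # what the authenticator shows
    third_try = lambda attempt: right(attempt) if attempt == 3 else "wrong"
    return {
        "alice_first":      gate.authorize("alice", t0, right),
        "alice_same_day":   gate.authorize("alice", t0 + 10 * 3600, wrong),   # cached, no prompt
        "alice_next_day":   gate.authorize("alice", t0 + 31 * 3600, wrong),   # cache expired
        "contractor_retry": gate.authorize("contractor", t0, third_try),      # correct on try 3
        "contractor_later": gate.authorize("contractor", t0 + 2 * 3600, wrong),  # 1 h cache gone
        "service_account":  gate.authorize("svc-backup", t0, wrong),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18s} -> {outcome}")
```

Note that the expired-cache and all-attempts-wrong cases both end in `rejected`, which matches the post: once the cache has lapsed the user is prompted again and gets the same three tries as on the first connection of the day.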



Do you have a demo/video of this MFA feature for Secure Gateway currently pinned to the Document Store?


How is it set up and configured?


Stefan,


Thank you again for assisting all of us with this need.  If possible, please see that all the folks on this thread are given the opportunity to test the BETA version that will be available in the next few weeks.  I'm sure that we are all ready and willing to test this new feature, but also, testing the solution and having a tangible solution onsite, in our labs, will assist in keeping the wolves at bay that REQUIRE an MFA RDP solution ASAP.


Thank you again,

Looks like this is the Royal Server V5 BETA Version now.


I just want to say I've installed it. Damn, I am so impressed with how this is implemented! Great work on this!


The only suggestion I can think to make really is on the "Opening Tunnel....." message.  I would love to see "Awaiting 2FA" or something like that.


Other than this, honestly excellent job here. 

Thanks for the kind words, Robert! I'm glad the implementation works well for you.


Since the MFA code prompt is triggered by a custom authentication request on the SSH protocol level, we actually don't know if an MFA code will be requested until we get the authentication request on the client side. Therefore it will not be possible to figure this out beforehand and let the client display a different message at that point. Sorry!

Is the beta implementing MFA available now? If so, what's the process for getting it?

Hi Stephen,


you can find our beta versions here: https://www.royalapps.com/go/kb-all-downloadbeta


Docs are still a work in progress but can be found here: https://docs.royalapps.com/r2022/royalserver/management/multi-factor-authentication/index.html


Please make sure you test beta versions on non-production/non-critical machines and make backups of your files/settings before you proceed.


Regards,
Stefan

Okay, finally got this working today and first impressions are good.

A few suggestions:

1) When adding the MFA users and the standard windows "Select Users or Groups" comes up, it would be good to default to Entire directory if the server is in a domain. An alternate would be to detect where in the tree the last search was performed from and repeat the use of that node unless changed. 

Adding a number of domain users gets old real quick when having to keep switching from the local server to the domain :(

2) I'd like the ability to add both the user_id and the cache timeout to the MFA user list via the column chooser. In general I think you should have the option of seeing every value presented in the user's edit fields.

All in all this is really promising and I'm looking forward to seeing where it ends up! It helps enormously with the sell job to management, both for Royal TS and Royal Server.

Hey Stefan,

Any idea on when this will come out of beta and into the stable version?
