Duo integrates with Microsoft Windows client and server operating systems to add two-factor authentication to Remote Desktop and local logons.
This integration communicates with Duo's service on TCP port 443. Also, we do not recommend locking down your firewall to individual IP addresses, since these may change over time to maintain our service's high availability.
Duo Authentication for Windows Logon supports both client and server operating systems.
Servers (GUI and core installs):
Duo Authentication for Windows Logon also requires .NET Framework 4.5 or later. If the correct .NET version is not present on your system then Duo setup prompts you to install the .NET Framework.
Log in to the Duo Admin Panel and navigate to Applications.
Click Protect an Application and locate Microsoft RDP in the applications list. Click Protect this Application to get your integration key, secret key, and API hostname. (See Getting Started for help.)
Download the Duo Authentication for Windows Logon Installer Package.
Add your first user to Duo, either manually or using bulk enrollment. The username should match your Windows logon name. Install Duo Mobile and add your account to it so you can use Duo Push. If the user logging in to Windows after Duo is installed does not exist in Duo, the user may not be able to log in.
Run the Duo Authentication for Windows Logon installer with administrative privileges. Accept the license agreement and enter your integration key, secret key, and API hostname when prompted:
|Bypass Duo authentication when offline (FailOpen)||Enable this option to allow user logon without completing two-factor authentication if the Duo Security cloud service is unreachable.|
|Use auto push to authenticate if available||Automatically send a Duo Push or phone call authentication request after primary credential validation.|
|Only prompt for Duo authentication when logging in via RDP||Leave this option unchecked to require Duo two-factor authentication for console and RDP sessions. If enabled, console logons do not require 2FA approval.|
|Enable Smart card support||Select this option to permit use of the Windows smart card login provider as an alternative to Duo authentication.|
To test your setup, attempt to log in to your newly-configured system as a user enrolled in Duo.
The Duo authentication prompt appears after you successfully submit your Windows credentials. When auto-push is enabled (the default option), the Duo prompt indicates that a request has been pushed to your phone.
If auto-push is disabled or if you click the Cancel button on the Duo authentication prompt, you can enter the name of any available factor (like "sms" to receive a passcode via text message) to verify your identity to Duo.
Here's a full list of what you can type into the Duo prompt:
|A passcode||Log in using a passcode, either generated with Duo Mobile, sent via SMS, generated by your hardware token, or provided by an administrator.|
Perform Duo Push authentication
You can use Duo Push if you've installed and activated Duo Mobile on your device.
|"phone"||Perform phone callback authentication|
|"sms"||Send a new batch of SMS passcodes. Your first authentication attempt is denied. You can then authenticate with one of the newly-delivered passcodes.|
You can also specify a number after the factor name if you have more than one device enrolled in Duo, like "phone2" to call your second phone or "push2" to send the request to Duo Mobile on your second phone.
Remember: if you find that Duo Authentication for Windows Logon has locked you out of your Windows system (e.g. due to a configuration error), you can reboot into Safe Mode to bypass it.
Please see our Duo Authentication for Windows Logon Group Policy documentation.