Duo Authentication for Microsoft Remote Desktop Services

Last Updated: July 15th, 2024

Duo integrates with Remote Desktop Web Access (formerly Terminal Services Web Access or TS Web Access) or Remote Desktop Gateway (formerly Terminal Services Gateway or TS Gateway) to add two-factor authentication to RD Web and RD Gateway logons.

Deployment Architecture

Duo Authentication for RD Web and RD Gateway supports Windows Server 2016 and later.

There are known issues with Duo and the Remote Desktop web client offered in Windows 2016 and later. Please continue to use the regular Remote Desktop client applications (e.g. MSTSC.exe) with Duo. RD Web logins must use the https://hostname.domain/RDWeb/Pages/en-US/login.aspx login page for Duo to work.

If you want to enforce two-factor authentication for all your clients, ensure that they must connect through RD Web Access with Duo and/or RD Gateway with Duo. If clients can establish a direct connection to your RD Connection Broker and/or Session Host(s), they may be able to bypass two-factor authentication. Block direct RDP access to these hosts to mitigate the potential for bypass.
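One way to block direct RDP access with Windows Defender Firewall and then confirm the result, as an added example that is not part of Duo's documentation or installers. The function names, IP addresses and host names are hypothetical placeholders. It assumes the firewall is enabled with inbound connections blocked by default, so that narrowing the allow rules' remote scope is what closes the path.

```powershell
# Added example. Run elevated on each RD Session Host / RD Connection Broker,
# from the console or a session that arrives via an allowed source.
function Set-RdpSourceScope {
    param(
        # Assumption: addresses of the Duo-protected RD Gateway servers and any
        # management hosts that must keep direct RDP access.
        [Parameter(Mandatory)] [string[]] $AllowedSources
    )
    # Enabled inbound allow rules in the local store that name port 3389
    # explicitly (built-in "Remote Desktop" rules and custom ones alike).
    # Rules delivered by Group Policy must be scoped in the GPO instead.
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' }

    foreach ($rule in $rules) {
        $before = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        Set-NetFirewallRule -Name $rule.Name -RemoteAddress $AllowedSources
        # Report what changed so the previous scope can be restored if needed.
        [pscustomobject]@{
            Rule   = $rule.DisplayName
            Before = $before
            After  = $AllowedSources -join ','
        }
    }
}

# Run from a workstation on the client network that is NOT an allowed source.
# Any host reported with DirectRdpOpen = True still accepts direct connections
# on the RDP port and needs its firewall scope (or network ACLs) reviewed.
function Test-DirectRdpBlocked {
    param([Parameter(Mandatory)] [string[]] $ComputerName)
    foreach ($name in $ComputerName) {
        $probe = Test-NetConnection -ComputerName $name -Port 3389 -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host          = $name
            DirectRdpOpen = $probe.TcpTestSucceeded
        }
    }
}

# Placeholder values (constructed for this example):
# Set-RdpSourceScope -AllowedSources '10.0.10.21','10.0.10.22'
# Test-DirectRdpBlocked -ComputerName 'rdsh01.example.internal','rdcb01.example.internal'
```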

RD Web and RD Gateway

In this scenario Duo two-factor authentication protects logons via browser to the RD Web portal as well as logons via local RDP client and RemoteApp and Desktop Connections from the local system to an RD Gateway server. Users authenticate to Duo when logging on to the RD Web portal and then again when launching a RemoteApp connection through RD Gateway. Connecting to a computer directly from RD Web using the "Connect to a remote PC" feature with RD Gateway authentication is permitted. Downloaded RDP files may be saved for reuse. The RD Web and RD Gateway roles may be deployed on separate servers or on the same server.

When logging on to the RD Web portal at https://hostname.domain/RDWeb/Pages/en-US/login.aspx, users are presented with the Duo enrollment or authentication page after primary authentication. Users connecting to RemoteApp or RDP via RD Gateway from a local client receive an automatic push or phone call from Duo after primary authentication.

Install Duo Authentication for RD Web onto your RD Web servers, then install Duo Authentication for RD Gateway onto your RD Gateway servers.

[Diagram: RD Web and RD Gateway Architecture]

Refer to the Duo Authentication for Remote Desktop Web and Remote Desktop Gateway 2016 and later instructions.

RD Web Only

In this scenario Duo protects logons via browser to the RD Web portal. RD Gateway connections do not require two-factor authentication. Downloaded RDP files may be saved for reuse, and will not require two-factor authentication from RD Web at launch.

After your remote users pass primary login to the RD Web portal at https://hostname.domain/RDWeb/Pages/en-US/login.aspx, they receive the Duo enrollment or authentication page. When Duo authentication succeeds, the users proceed to the RemoteApp and Desktop Connection web console and see any published RemoteApp programs and virtual desktops.

Install Duo Authentication for RD Web onto your RD Web server. You may install Duo Authentication for RD Web onto a server hosting both the RD Web and RD Gateway roles, but after completing installation only the RD Web portal will be protected with Duo two-factor authentication. To protect both RD Web and RD Gateway roles on the same server, see RD Web and RD Gateway.

[Diagram: RD Web Only Architecture]

Refer to the Duo Authentication for Remote Desktop Web 2016 and later instructions.

RD Gateway Only

In this scenario Duo protects logons via local RDP client and RemoteApp and Desktop Connections from the local system to an RD Gateway server. RD Web browser logons are not protected with two-factor authentication. However, RemoteApp connections initiated from an RD Web Access browser session that use the RD Gateway server with Duo installed are protected by Duo.

Duo for RD Gateway has no browser interface, so inline user enrollment isn't available. Enroll your users in Duo before they try to log in. If the user has activated the Duo Mobile app, Duo initiates an automatic push to authenticate after primary login to RD Gateway succeeds. Otherwise, Duo will call the user's phone to complete two-factor authentication.

Install Duo Authentication for RD Gateway onto your RD Gateway servers. You may install Duo Authentication for RD Gateway onto a server hosting both the RD Web and RD Gateway roles, but after completing installation only RD Gateway connections will be protected with Duo two-factor authentication. To protect both RD Web and RD Gateway roles on the same server, see RD Web and RD Gateway.

[Diagram: RD Gateway Only Architecture]

Refer to the Duo Authentication for Remote Desktop Gateway 2016 and later instructions.

Known Issues

Please refer to the RDS FAQ for information about unsupported configurations and known issues.

Troubleshooting

Need some help? Take a look at the RDS Frequently Asked Questions (FAQ) page or try searching our RDS Knowledge Base articles or Community discussions. For further assistance, contact Support.