FAQ — Duo Authentication for Microsoft Remote Desktop Services
Last Updated: July 15th, 2024
Duo for RD Web and RD Gateway - Frequently Asked Questions
General
Does Duo for Microsoft RD Web support the Duo Universal Prompt?
Yes, as of version 3.0.0 for RD Web on Windows 2016 and later. Please see the update instructions to install the latest version with Universal Prompt support, and then once you authenticate to Duo using the updated application you can activate the Universal Prompt experience for your users.
Note that Duo for RD Gateway shows no interactive Duo prompt.
What Windows versions do Duo's RDS applications support?
Duo's last day of support for installation and use of any Duo applications on Windows operating systems corresponds with the Microsoft end of support.
RDS 2019 and later
RD Gateway on Windows Server 2019 or later is supported starting with version 2.3.0 of Duo's RD Gateway application.
RD Web for Windows Server 2019 or later is supported starting with version 2.3.0 of Duo's RD Web application.
RDS 2016
RD Gateway on Windows Server 2016 is supported starting with version 2.2.0 of Duo's RD Gateway application.
RD Web for Windows Server 2016 is supported starting with version 2.2.0 of Duo's RD Web application.
RDS 2012 and 2012 R2
The last Duo release that supports Windows Server 2012 and 2012 R2 was v2.3.0.
Microsoft ended support for Windows Server 2012 and 2012 R2 on October 10, 2023.
RDS 2008 and 2008 R2
The last Duo release that supports Windows Server 2008 R2 was v2.3.0. No Duo for RDS release included support for Windows 2008.
Microsoft ended support for Windows Server 2008 and 2008 R2 on January 14, 2020.
How does Duo Authentication for RD Web affect RemoteApp and Desktop Connections?
The RemoteApp and Desktop Connections feature permits launch of remotely hosted applications from the Start Menu as if they were locally installed.
Installation of Duo Authentication for RD Web effectively disables the use of RemoteApp and Desktop Connections because there is not a method for two-factor authentication when the RemoteApp and Desktop Connections client accesses the "/rdweb/pages/webfeed.aspx" or "rdweb/feed/webfeed.aspx" URLs. This applies to all versions and configurations of Duo's RD Web application.
To continue allowing remote application launch with RemoteApp and Desktop Connections, do not install Duo Authentication for RD Web on your RD Web server. You may install Duo Authentication for RD Gateway on your RD Gateway server to protect remote logons with two-factor authentication when launching applications published via RemoteApp feeds. Your users will receive a Duo authentication request automatically after entering AD credentials.
How does Duo Authentication for RD Gateway affect RD Gateway authorization policies?
Remote Desktop connection authorization policies (CAPs) and resource authorization policies (RAPs) are no longer available after installing Duo Authentication. If you require the use of CAPs and RAPs, consider installing Duo Authentication for Windows on your RDS session hosts instead.
Can I use any Duo authentication methods other than automatic Duo Push or phone call with RD Gateway?
No, Duo for RD Gateway only supports sending a push request to Duo Mobile or a phone call to a user. Duo authentication methods like SMS passcodes, hardware token passcodes, YubiKey passcodes, passcodes generated by Duo Mobile, U2F and WebAuthn security keys, and bypass codes may not be used with Duo for RD Gateway.
There is no user interface presented during login that would let a user interactively select a specific authentication method, nor is it possible to append a factor or passcode to any password during RD Gateway authentication.
Is the Remote Desktop web client available in Windows 2016 and later supported by Duo?
Duo 2FA is not supported in the new Remote Desktop HTML web client for RDS 2016 and later, which has a login URL like https://hostname.domain/RDWeb/webclient/index.htm.
RD Web logins must use the https://hostname.domain/RDWeb/Pages/en-US/login.aspx login page for Duo to work.
Are Mac clients supported by Duo Authentication for RD Web and RD Gateway?
RemoteApp access for Mac clients requires the following:
- RD Web on Windows 2016 or later
- Microsoft Remote Desktop app v8.0.5+ (latest version recommended, see MS RDP for OSX FAQ)
- Chrome browser if using RD Web (does not work with Safari)
- Duo Authentication for RD Web and/or RD Gateway installed using separate authentication.
Mac clients log into the RD Web server using Chrome, and complete Duo authentication. Double-clicking a published RemoteApp downloads an RDP file. Open the RDP file using the Microsoft Remote Desktop app.
If you want your Mac users to access "Remote Resources" from the Microsoft Remote Desktop app, do not install Duo Authentication on your RD Web server (as that prevents access to the webfeed url). Install Duo on your RD Gateway server only, using separate authentication.
Is Integrated Windows authentication supported for RD Web?
Duo does not support RD Web logons using Windows integrated authentication. Please use Windows Forms authentication (the RD Web default).
Is Microsoft Virtual Desktop Infrastructure (VDI) supported?
Launch of VDI desktop connections via RD Web or RD Gateway servers using Duo authentication is not supported.
Do Duo Security's RDS configurations support a web proxy?
The Duo RD Web and RD Gateway modules use the HTTPS proxy server configured in your system-wide WinHTTP settings.
You can configure the proxy server(s) used by WinHTTP with the netsh command.
Are Microsoft Small Business Server or Windows Server Essentials supported?
We do not test integration with SBS or Server Essentials and cannot guarantee support for those platforms.
Install and Uninstall
Can I silently install Duo for RD Web or RD Gateway from a command line or PowerShell?
Enter the following command into PowerShell or a Command Prompt to silently install Duo for RD Web with default options (note that the MSI filename changes to reflect the version):
Duo RD Web v3.0.0 and later:
msiexec.exe /i duo-rdweb-3.0.0.msi DUO_CLIENT_ID="DIDIXXXXXXXXXXXXXXXXXXXX" DUO_CLIENT_SECRET="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" DUO_HOST="api-xxxxxxxx.duosecurity.com" DUO_AKEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" /qn
Duo RD Web up to v2.3.0:
msiexec.exe /i duo-rdweb-2.3.0.msi DUO_IKEY="DIDIXXXXXXXXXXXXXXXXXXXX" DUO_SKEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" DUO_HOST="api-xxxxxxxx.duosecurity.com" DUO_AKEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" /qn
Duo RD Gateway:
msiexec.exe /i duo-rdgateway-2.3.0.msi DUO_IKEY="DIDIXXXXXXXXXXXXXXXXXXXX" DUO_SKEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" DUO_HOST="api-xxxxxxxx.duosecurity.com" DUO_AKEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" /qn
The parameter names passed to the installer (DUO_CLIENT_ID, DUO_CLIENT_SECRET, DUO_IKEY, DUO_SKEY, DUO_HOST, etc.) are case-sensitive!
You can also choose to change the default settings for fail mode to fail closed with FAILOPEN="#0", specify UPN as the username format sent to Duo instead of the sAMAccountName with DUO_USEUPNUSERNAME="#1", or define a shared session key on multiple RD Web servers with DUO_AKEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" (the AKEY is a string that you generate and keep secret from Duo; it should be at least 40 characters long).
How do I uninstall Duo Authentication for RD Web and RD Gateway?
To uninstall Duo Authentication from your RD Web or RD Gateway server, run the msiexec.exe /x command from an elevated command prompt (right-click "Command Prompt" and select the "Run as Administrator" option) against the same product MSI file you used to install Duo. For example:
- RD Web: MsiExec.exe /X duo-rdweb-3.0.0.msi
- RD Gateway: MsiExec.exe /X duo-rdgateway-2.3.0.msi
Uninstall silently by appending /qb to the command.
Why might the Duo RD Web or RD Gateway installer end prematurely?
The Duo installers look for the RDS role IIS web site on the C: drive. If the installer ends prematurely then you should make sure that the RDS default web site is not installed on a different drive.
If you confirm that RDS default website directory is on the C: drive and you are still experiencing this behavior, then you should check your IIS site permissions are sufficient for the installer to complete the installation.
Configuration
How can I configure the fail mode for Duo Authentication?
If the Bypass Duo authentication when offline box is selected during installation, authentication attempts "fail open" after primary authentication is successful if the Duo service cannot be contacted. If you leave that option unchecked during install, Duo for RD Web or RD Gateway logins "fail closed", blocking RDS access if there is a problem contacting the Duo service.
Duo for RD Web v3.x installers now default to fail closed for new installs and upgrades from v2.x and older, but upgrades from v3.0.0 to later releases preserve the installed fail mode selection.
Duo for RD Gateway installers and the RD Web v1.x and v2.x installers enable fail open by default.
This setting is controlled by a Registry DWORD value FailOpen, with 1 allowing fail open and 0 preventing fail open.
To change the fail mode:
- Launch the Registry Editor (regedit.exe) as an administrator.
- Locate the registry REG_DWORD value FailOpen at the registry path for your installed version and change the current value to 0 or 1 as desired:
  HKLM\Software\Duo Security\DuoRdweb\ (Duo RD Web 2.1.0 and later)
  HKLM\Software\Duo Security\DuoTsg\ (Duo RD Gateway 2.0.2 and later)
  HKLM\Software\Duo Security\DuoIis\ (earlier versions of the RDW and TSG installers)
  Alternatively, you can enter the reg add command in PowerShell, specifying the correct registry path for your installed Duo product and version, to create or update the registry value for "fail open" (substituting 0 for 1 to "fail closed"). Example that enables fail open for RD Web 3.0.0:
  reg add "HKLM\Software\Duo Security\DuoRdweb" /v FailOpen /t REG_DWORD /d 1 /f
- After changing this setting, restart the IIS server with iisreset.
How do I change the username format sent to Duo?
Duo for RD Web and RD Gateway sends a user's sAMAccountName to Duo as the Duo username by default. You can change the username format sent to Duo to userPrincipalName (UPN) starting with version 2.3.0.
If you enable this option, you must also change the properties of your RD Web and RD Gateway application in the Duo Admin Panel to change the "Username normalization" setting to None, or Duo will drop the domain suffix from the username sent from RDW or RDG to our service, which may cause user mismatches or duplicate enrollment. If you installed Duo on both your RDW and RDG server, be sure to make the same username format selection and use the same normalization setting for both.
Choose to send userPrincipalName usernames to Duo during installation by selecting the Send username to Duo in UPN format box in the Duo installer.
Enabling this setting after Duo installation requires creating a new registry value.
To enable this setting for RD Web:
- Launch the Registry Editor (regedit.exe) as an administrator and navigate to HKLM\Software\Duo Security\DuoRdweb.
- Create or update the REG_DWORD value UseUpnUsername to set it to 1 to enable UPN username format. Alternatively, you can enter the following command in PowerShell to create or update the registry value:
  reg add "HKLM\Software\Duo Security\DuoRdweb" /v UseUpnUsername /t REG_DWORD /d 1 /f
  To switch from UPN usernames to sAMAccountName, update the UseUpnUsername value from 1 to 0.
- After changing this setting, restart the IIS server with iisreset.
To enable this setting for RD Gateway:
- Launch the Registry Editor (regedit.exe) as an administrator and navigate to HKLM\Software\Duo Security\DuoTsg.
- Create or update the REG_DWORD value UseUpnUsername to set it to 1 to enable UPN username format. Alternatively, you can enter the following command in PowerShell to create or update the registry value:
  reg add "HKLM\Software\Duo Security\DuoTsg" /v UseUpnUsername /t REG_DWORD /d 1 /f
  To switch from UPN usernames to sAMAccountName, update the UseUpnUsername value from 1 to 0.
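The fail mode and username format procedures above both come down to writing a REG_DWORD under the Duo product key and restarting IIS. The following is an added PowerShell example (not Duo's own tooling) that discovers which Duo RDS key is present on the host, sets FailOpen to 0 (fail closed) and UseUpnUsername to 1, and prints the resulting values so the change can be verified; the function names are assumptions.

```powershell
# Added example, not part of Duo's documentation. Registry paths are the ones listed above.
$duoKeys = @{
    'RDWeb'     = 'HKLM:\SOFTWARE\Duo Security\DuoRdweb'   # Duo RD Web 2.1.0 and later
    'RDGateway' = 'HKLM:\SOFTWARE\Duo Security\DuoTsg'     # Duo RD Gateway 2.0.2 and later
    'Legacy'    = 'HKLM:\SOFTWARE\Duo Security\DuoIis'     # earlier RDW and TSG installers
}

function Get-DuoRdsProducts {
    # Return the Duo RDS products installed on this host, judged by registry key presence.
    $duoKeys.GetEnumerator() | Where-Object { Test-Path -Path $_.Value } | ForEach-Object {
        [pscustomobject]@{ Product = $_.Key; Path = $_.Value }
    }
}

function Set-DuoRdsDword {
    param([string]$Path, [string]$Name, [int]$Value)
    # Equivalent of "reg add ... /t REG_DWORD /f": creates the value or overwrites it.
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

$products = @(Get-DuoRdsProducts)
if (-not $products) { throw 'No Duo RDS product registry key found on this host.' }

foreach ($p in $products) {
    Set-DuoRdsDword -Path $p.Path -Name 'FailOpen' -Value 0          # 0 = fail closed
    if ($p.Product -ne 'Legacy') {                                    # UPN format needs v2.3.0+
        Set-DuoRdsDword -Path $p.Path -Name 'UseUpnUsername' -Value 1
    }
    # Read the values back so the change is verified before the restart.
    Get-ItemProperty -Path $p.Path |
        Select-Object @{ n = 'Product'; e = { $p.Product } }, FailOpen, UseUpnUsername
}

# Apply the change the same way the manual procedure does.
iisreset | Out-Null
```

The same Set-DuoRdsDword call with -Name Debug -Value 1 creates the debug logging value described under Troubleshooting below.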
How do I configure the "Connect to a remote PC" option in RD Web to authenticate with RD Gateway?
Microsoft RD Web, when accessed with Internet Explorer, includes a feature to connect directly to remote computers using Remote Desktop and ActiveX without launching a published RemoteApp. This remote computer connection does not authenticate through RD Gateway by default.
To require RD Gateway authentication for RD Web's "Connect to a remote PC" feature, do the following:
- Log on to your RD Web role server as an administrator.
- Launch the Internet Information Services (IIS) Manager.
- In the IIS Manager console, navigate to Your Server Name > Sites > Default Web Site > RDWeb > Pages.
- Double-click the Application Settings icon.
- Double-click the DefaultTSGateway setting.
- Enter the fully qualified domain name (FQDN) of your RD Gateway server and click OK.
The change is effective immediately.
Additional information about this setting is available at Microsoft TechNet.
Troubleshooting
How do I enable debug logging for Duo Authentication?
- RD Gateway v2.0.2 and up: As an administrator, use the Registry Editor (regedit.exe) to create a new REG_DWORD value called Debug at HKLM\Software\Duo Security\DuoTsg with the value set to 1. Restart the RD Gateway service after changing this setting.
The log file location is C:\ProgramData\Duo Security\DuoTsg\DuoTsg.log. Events are additionally written as entries in the server's "Application" event log, with "Duo Security" as the event source.
- RD Web v2.1.0 and up: As an administrator, use the Registry Editor (regedit.exe) to create a new REG_DWORD value called Debug at HKLM\Software\Duo Security\DuoRdweb with the value set to 1. Restart the IIS server after changing this setting.
Events are written as entries in the "Duo IIS Integration" event log under "Applications and Services Logs" in the Event Viewer.
- RD Web v1.1.12 and lower: As an administrator, use the Registry Editor (regedit.exe) to create a new REG_DWORD value called Debug at HKLM\Software\Duo Security\DuoIis with the value set to 1. Restart the IIS server after changing this setting.
Events are written as entries in the "Duo IIS Integration" event log under "Applications and Services Logs" in the Event Viewer.
How do I enable debug logging for Microsoft RD Web?
Make a backup copy of the C:\Windows\Web\RDWeb\web.config file and edit as follows:
- Locate the line <add name="TraceTSWA" value="0" /> and change the value from 0 to 4.
- Locate the "listeners" block following the "TraceTSWA" line that contains add name="FileLog" and remove the comment begin and end lines immediately preceding and following that listener section. Save the web.config file when done.
Before:
<system.diagnostics>
<switches>
<!--
TraceTSWA has the following values
Off = 0, Error = 1, Warning = 2, Info = 3, Verbose = 4
-->
<add name="TraceTSWA" value="0" />
</switches>
<trace autoflush="true" indentsize="4">
<listeners>
<remove name="Default" />
<!-- Uncomment for file tracing
<add name="FileLog"
type="Microsoft.VisualBasic.Logging.FileLogTraceListener,
Microsoft.VisualBasic, Version=8.0.0.0,
Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a,
processorArchitecture=MSIL"
initializeData="FileLogWriter" BaseFileName="RDWeb"
Location="Custom"
LogFileCreationSchedule="Daily"
MaxFileSize="50000000"
CustomLocation="\Windows\Web\RDWeb\App_Data" />
-->
</listeners>
</trace>
</system.diagnostics>
After:
<system.diagnostics>
<switches>
<!--
TraceTSWA has the following values
Off = 0, Error = 1, Warning = 2, Info = 3, Verbose = 4
-->
<add name="TraceTSWA" value="4" />
</switches>
<trace autoflush="true" indentsize="4">
<listeners>
<remove name="Default" />
<add name="FileLog"
type="Microsoft.VisualBasic.Logging.FileLogTraceListener,
Microsoft.VisualBasic, Version=8.0.0.0,
Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a,
processorArchitecture=MSIL"
initializeData="FileLogWriter" BaseFileName="RDWeb"
Location="Custom"
LogFileCreationSchedule="Daily"
MaxFileSize="50000000"
CustomLocation="\Windows\Web\RDWeb\App_Data" />
</listeners>
</trace>
</system.diagnostics>
Debug information is written to C:\Windows\Web\RDWeb\App_Data\RDWeb-date.log.
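As an added example (not part of Duo's or Microsoft's documentation), the same two edits can be made through the XML API rather than by hand, which avoids leaving a half-removed comment in web.config; it assumes the stock layout shown above, and the backup filename suffix is an assumption.

```powershell
# Added example: enable RD Web tracing in web.config. Path is the default shown above.
$configPath = 'C:\Windows\Web\RDWeb\web.config'
Copy-Item -Path $configPath -Destination "$configPath.$(Get-Date -Format yyyyMMdd-HHmmss).bak"

$config = New-Object System.Xml.XmlDocument
$config.PreserveWhitespace = $true          # keep the file's existing layout when saving
$config.Load($configPath)

# Step 1: set the TraceTSWA switch from 0 to 4 (Verbose).
$switch = $config.SelectSingleNode("//system.diagnostics/switches/add[@name='TraceTSWA']")
if (-not $switch) { throw "TraceTSWA switch not found in $configPath" }
$switch.SetAttribute('value', '4')

# Step 2: turn the commented-out FileLog listener into a live <add .../> element.
$listeners = $config.SelectSingleNode('//system.diagnostics/trace/listeners')
if ($listeners.SelectSingleNode("add[@name='FileLog']")) {
    Write-Host 'FileLog listener is already enabled; nothing to uncomment.'
} else {
    $comment = $listeners.ChildNodes | Where-Object {
        $_.NodeType -eq [System.Xml.XmlNodeType]::Comment -and $_.Value -match 'add name="FileLog"'
    } | Select-Object -First 1
    if (-not $comment) { throw 'Commented FileLog listener block not found' }
    # Drop the "Uncomment for file tracing" lead text, parse the rest as XML, swap it in.
    $fragment = $config.CreateDocumentFragment()
    $fragment.InnerXml = ($comment.Value -replace '(?s)^.*?(?=<add\b)', '').Trim()
    [void]$listeners.ReplaceChild($fragment, $comment)
}

$config.Save($configPath)
Write-Host 'Tracing enabled; log files will appear under C:\Windows\Web\RDWeb\App_Data'
```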
How do I view additional log info for RD Gateway?
See the Application and Services Logs\Microsoft\Windows\Terminal Services-Gateway event log in the Windows Event Viewer.
Why does the Remote Desktop Session host continue to prompt for credentials?
After you log on to the RD Web site you may be prompted again for your AD login when launching a remote application. The Remote Desktop infrastructure does not support proxying login credentials to the session host. However, it is possible to proxy the credentials of the currently logged in Windows user to the session host. See the Microsoft article "How to enable Single Sign-On for my Terminal Server connections" for more information.
Why might the Duo RD Gateway integration not prompt users for two-factor authentication consistently?
Ensure that the "Bypass RD Gateway server for local addresses" option is not enabled in your RDS deployment properties or RemoteApp RD Gateway Settings.
Additional Troubleshooting
Need more help? Try searching our RDS Knowledge Base articles or Community discussions. For further assistance, contact Support.