
FAQ — Duo Authentication for Microsoft Remote Desktop Services

Last Updated: July 9th, 2019

Duo for RD Web and RD Gateway - Frequently Asked Questions

General

What Windows versions do Duo's RDS applications support?

RDS 2019

RD Gateway on Windows Server 2019 is supported starting with version 2.3.0 of Duo's RD Gateway application.

RD Web for Windows Server 2019 is supported starting with version 2.3.0 of Duo's RD Web application.

There are known issues with Duo's applications for RD Web and RD Gateway and the new Remote Desktop web client for RDS 2016/2019. Duo 2FA is not supported in the web client at this time.

RDS 2016

RD Gateway on Windows Server 2016 is supported starting with version 2.2.0 of Duo's RD Gateway application.

RD Web for Windows Server 2016 is supported starting with version 2.2.0 of Duo's RD Web application.

There are known issues with Duo's applications for RD Web and RD Gateway and the new Remote Desktop web client for RDS 2016/2019. Duo 2FA is not supported in the web client at this time.

RDS 2012 and 2012 R2

RD Gateway on Windows Server 2012 and 2012 R2 is supported starting with version 2.0.2 of Duo's RD Gateway application.

RD Web for Windows Server 2012 and 2012 R2 is supported starting with version 2.1.0 of Duo's RD Web application.

RDS 2008 R2

RD Gateway on Windows Server 2008 R2 is supported starting with version 2.0.2 of Duo's RD Gateway application.

RD Web on Windows Server 2008 R2 is supported starting with version 2.1.0 of Duo's RD Web application.

Note that as of version 2.3.0 there is a separate Duo installer for 2008 R2 servers.

RDS 2008

Not supported.

How does Duo Authentication for RD Web affect RemoteApp and Desktop Connections?

The RemoteApp and Desktop Connections feature (https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Introducing-RemoteApp-and-Desktop-Connections/ba-p/246803), introduced in Windows 7 and Windows Server 2008 R2, lets users launch remotely hosted applications from the Start Menu as if they were installed locally.

Installing Duo Authentication for RD Web effectively disables RemoteApp and Desktop Connections, because there is no way to complete two-factor authentication when the RemoteApp and Desktop Connections client requests the "/rdweb/pages/webfeed.aspx" or "/rdweb/feed/webfeed.aspx" URLs. This applies to all versions and configurations of Duo's RD Web application.

To continue allowing remote application launch with RemoteApp and Desktop Connections, do not install Duo Authentication for RD Web on your RD Web server. You may install Duo Authentication for RD Gateway on your RD Gateway server to protect remote logons with two-factor authentication when launching applications published via RemoteApp feeds. Your users will receive a Duo authentication request automatically after entering AD credentials.

How does Duo Authentication for RD Gateway affect RD Gateway authorization policies?

Remote Desktop connection authorization policies (CAPs) and resource authorization policies (RAPs) are no longer available after installing Duo Authentication. If you require the use of CAPs and RAPs, consider installing Duo Authentication for Windows on your RDS session hosts instead.

Are Mac clients supported by Duo Authentication for RD Web and RD Gateway?

RemoteApp access for Mac clients requires the following:

  • RD Web on Windows 2012 or 2012 R2
  • Microsoft Remote Desktop app v8.0.5+ (latest version recommended, see MS RDP for OSX FAQ)
  • Chrome browser if using RD Web (does not work with Safari)
  • Duo Authentication for RD Web and/or RD Gateway installed using separate authentication.

Mac clients log into the RD Web server using Chrome, and complete Duo authentication. Double-clicking a published RemoteApp downloads an RDP file. Open the RDP file using the Microsoft Remote Desktop app.

If you want your Mac users to access "Remote Resources" from the Microsoft Remote Desktop app, do not install Duo Authentication on your RD Web server (as that blocks access to the webfeed URL). Install Duo on your RD Gateway server only, using separate authentication.

Is integrated Windows authentication supported for RD Web?

Duo does not support RD Web logons using Windows integrated authentication. Please use Windows Forms authentication (the RD Web default).

Is Microsoft Virtual Desktop Infrastructure (VDI) supported?

Launch of VDI desktop connections via RD Web or RD Gateway servers using Duo authentication is not supported.

Do Duo Security's RDS configurations support a web proxy?

The Duo RD Web and RD Gateway modules use the HTTPS proxy server configured in your system-wide WinHTTP settings.

You can configure the proxy server(s) used by WinHTTP with the netsh command.
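The netsh commands for inspecting, setting and clearing that WinHTTP proxy, as an added example that is not part of the original page. The proxy host, port and bypass list are placeholders; run this from an elevated PowerShell prompt on the RD Web or RD Gateway server.

```powershell
# Added example (not from the Duo page): manage the system-wide WinHTTP proxy
# that the Duo RD Web / RD Gateway modules use for their outbound HTTPS calls.
# proxy.corp.example:8080 and *.corp.example are assumed placeholders.

# 1. Show the current setting. A fresh server reports
#    "Direct access (no proxy server)."
netsh winhttp show proxy

# 2. Point WinHTTP at an explicit proxy. Put internal names on the bypass list so
#    traffic to domain controllers, session hosts and the RD Gateway itself does
#    not get routed through the proxy; "<local>" matches hostnames without a dot.
netsh winhttp set proxy proxy-server="proxy.corp.example:8080" bypass-list="<local>;*.corp.example"

# 3. Confirm the proxy is actually reachable from this server before relying on it.
Test-NetConnection -ComputerName 'proxy.corp.example' -Port 8080

# Alternative to step 2: copy the current user's Internet Explorer (WinINet)
# proxy settings into WinHTTP. Only do this if that profile is configured for
# the proxy the server should use.
# netsh winhttp import proxy source=ie

# To go back to direct access:
# netsh winhttp reset proxy
```

WinHTTP settings are per machine and independent of any user's browser proxy configuration, so a proxy that works in Internet Explorer on the server does not imply the Duo modules can reach the Duo service; check with `netsh winhttp show proxy` on every RD Web and RD Gateway host.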

Are Microsoft Small Business Server or Windows Server Essentials supported?

We do not test integration with SBS or Server Essentials and cannot guarantee support for those platforms.

Install and Uninstall

How do I uninstall Duo Authentication for RD Web and RD Gateway?

To uninstall Duo Authentication from your RD Web or RD Gateway server, run the msiexec.exe /x command from an elevated command prompt (right-click "Command Prompt" and select the "Run as Administrator" option) against the same product MSI file you used to install Duo. For example:

  • RD Web: MsiExec.exe /X duo-rdweb-2.2.0.msi
  • RD Gateway: MsiExec.exe /X duo-tsg-2.2.0.msi

Why might the Duo RD Web or RD Gateway installer end prematurely?

The Duo installers look for the RDS role IIS web site on the C: drive. If the installer ends prematurely then you should make sure that the RDS default web site is not installed on a different drive.

If you confirm that the RDS default website directory is on the C: drive and you are still experiencing this behavior, check that your IIS site permissions are sufficient for the installer to complete the installation.

Configuration

How can I configure the fail mode for Duo Authentication?

If the "Bypass Duo authentication when offline" box is selected during installation, Duo fails open: when the Duo service cannot be contacted, users who pass primary (Active Directory) authentication are allowed in without a second factor. This setting is controlled by a Registry DWORD value FailOpen set to 1. The FailOpen value is located at:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoRdw\ (Duo RD Web 2.1.0 and later)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoTsg\ (Duo RD Gateway 2.0.2 and later)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoIis\ (earlier versions of the RDW and TSG installers)

You can set the fail mode to "fail closed" during installation by deselecting the "Bypass Duo authentication when offline" box in the Duo installer, or modify the setting after installation. As an administrator, use the Registry Editor (regedit.exe) to change the Duo registry DWORD FailOpen value from 1 to 0 to "fail closed." This denies all login attempts to RD Web or RD Gateway if there is a problem contacting the Duo service.

How do I change the username format sent to Duo?

Duo for RD Web and RD Gateway sends a user's sAMAccountName to Duo as the Duo username by default. Starting with version 2.3.0 you can change the username format sent to Duo to userPrincipalName (UPN).

If you enable this option, you must also edit the properties of your RD Web and RD Gateway application in the Duo Admin Panel and set "Username normalization" to None; otherwise Duo drops the domain suffix from the username sent by RDW or RDG, which may cause user mismatches or duplicate enrollment. If you installed Duo on both your RDW and RDG servers, make the same username format selection and use the same normalization setting for both.

Choose to send userPrincipalName usernames to Duo during installation by selecting the Send username to Duo in UPN format box in the Duo installer.

Enabling this setting after Duo installation requires creating a new registry value.

To enable this setting for RD Web:

  1. Launch the Registry Editor (regedit.exe) as an administrator and navigate to HKLM\Software\Duo Security\DuoRdweb.

  2. Create or update the REG_DWORD value UseUpnUsername to set it to 1 to enable UPN username format.

    Alternatively, you can enter the command reg add "HKLM\Software\Duo Security\DuoRdweb" /v UseUpnUsername /t REG_DWORD /d 1 /f in PowerShell to create or update the registry value.

    To switch from UPN usernames to sAMAccountName, update the UseUpnUsername value from 1 to 0.

  3. After changing this setting restart the IIS server with iisreset.

To enable this setting for RD Gateway:

  1. Launch the Registry Editor (regedit.exe) as an administrator and navigate to HKLM\Software\Duo Security\DuoTsg.

  2. Create or update the REG_DWORD value UseUpnUsername to set it to 1 to enable UPN username format.

    Alternatively, you can enter the command reg add "HKLM\Software\Duo Security\DuoTsg" /v UseUpnUsername /t REG_DWORD /d 1 /f in PowerShell to create or update the registry value.

    To switch from UPN usernames to sAMAccountName, update the UseUpnUsername value from 1 to 0.

If you installed Duo on both your RDW and RDG server, be sure to make the same username format selection and use the same normalization setting for both.
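A PowerShell script that audits and optionally hardens the two settings covered above (the FailOpen fail mode and the UseUpnUsername format) on an RD Web or RD Gateway server. This is an added example, not Duo's own tooling. The registry key names are taken from this FAQ; note that the page itself names the RD Web key both "DuoRdw" (fail mode and debug sections) and "DuoRdweb" (UPN section), so the script probes every candidate and reports only the keys that exist. The service name TSGateway for the RD Gateway service is an assumption, as is that an RD Gateway restart is needed for the UPN change to take effect (the page states a restart only for RD Web).

```powershell
# Added example (not from the Duo page): audit Duo RD Web / RD Gateway registry
# settings and enforce fail-closed. Run as an administrator on the RDW/RDG server.

# Candidate keys named in this FAQ. Only those present on the server are reported.
$DuoKeys = @(
    'HKLM:\SOFTWARE\Duo Security\DuoRdw',    # RD Web 2.1.0+ (fail-mode / debug sections)
    'HKLM:\SOFTWARE\Duo Security\DuoRdweb',  # RD Web (UPN section)
    'HKLM:\SOFTWARE\Duo Security\DuoTsg',    # RD Gateway 2.0.2+
    'HKLM:\SOFTWARE\Duo Security\DuoIis'     # older RD Web / RD Gateway installers
)

function Get-DuoRdsSetting {
    # One object per installed Duo key. A value the installer never wrote comes
    # back as $null, so "unset" is visibly different from 0.
    foreach ($key in $DuoKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        [pscustomobject]@{
            Key            = $key
            FailOpen       = $props.FailOpen        # 1 = bypass Duo when offline, 0 = fail closed
            UseUpnUsername = $props.UseUpnUsername  # 1 = send UPN, 0 or absent = sAMAccountName
            Debug          = $props.Debug           # 1 = debug logging enabled
        }
    }
}

function Set-DuoRdsDword {
    param(
        [Parameter(Mandatory)] [string] $Key,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [ValidateSet(0, 1)] [int] $Value
    )
    # -Force creates the value if missing and overwrites it in place otherwise,
    # so this works whether or not the installer wrote the value.
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

$EnableUpn = $false   # set to $true only after choosing UPN on every RDW/RDG server
                      # and setting "Username normalization" to None in the Admin Panel

$state = Get-DuoRdsSetting
$state | Format-Table -AutoSize

foreach ($s in $state) {
    # Fail closed: with FailOpen=1 an outage of the Duo service lets anyone with
    # valid AD credentials through RD Web / RD Gateway without a second factor.
    if ($s.FailOpen -ne 0) {
        Set-DuoRdsDword -Key $s.Key -Name 'FailOpen' -Value 0
    }
    if ($EnableUpn) {
        Set-DuoRdsDword -Key $s.Key -Name 'UseUpnUsername' -Value 1
    }
}

# Apply: RD Web reads the key on IIS restart; for RD Gateway the service is
# restarted here (assumed service name TSGateway).
if ((Test-Path 'HKLM:\SOFTWARE\Duo Security\DuoRdw') -or
    (Test-Path 'HKLM:\SOFTWARE\Duo Security\DuoRdweb')) { iisreset }
if (Test-Path 'HKLM:\SOFTWARE\Duo Security\DuoTsg') { Restart-Service -Name 'TSGateway' }
```

Run `Get-DuoRdsSetting` alone first to see which key the installer actually created on your server; that tells you which of the two RD Web key spellings applies to your version before you write anything.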

How do I configure the "Connect to a remote PC" option in RD Web to authenticate with RD Gateway?

Microsoft RD Web, when accessed with Internet Explorer, includes a feature to connect directly to remote computers using Remote Desktop and ActiveX without launching a published RemoteApp. This remote computer connection does not authenticate through RD Gateway by default.

To require RD Gateway authentication for RD Web's "Connect to a remote PC" feature, do the following:

  1. Log on to your RD Web role server as an administrator.
  2. Launch the Internet Information Services (IIS) Manager.
  3. In the IIS Manager console, navigate to Your Server Name > Sites > Default Web Site > RDWeb > Pages.
  4. Double-click the Application Settings icon.
  5. Double-click the DefaultTSGateway setting.
  6. Enter the fully qualified domain name (FQDN) of your RD Gateway server and click OK.

The change is effective immediately.

Additional information about this setting is available at Microsoft TechNet.
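The same change made from PowerShell with the WebAdministration module, as an added example that is not part of the original page; rdgw.corp.example is a placeholder for your RD Gateway FQDN. The DefaultTSGateway application setting already exists (empty) in the RDWeb\Pages web.config, which is why the script updates it rather than adding a new entry.

```powershell
# Added example (not from the Duo page): set RD Web's DefaultTSGateway without
# the IIS Manager GUI, then read it back to verify.
Import-Module WebAdministration

$PagesPath   = 'IIS:\Sites\Default Web Site\RDWeb\Pages'   # site/app path from the FAQ steps
$GatewayFqdn = 'rdgw.corp.example'                          # assumed placeholder
$Filter      = "appSettings/add[@key='DefaultTSGateway']"

# Update the existing appSettings entry in place.
Set-WebConfigurationProperty -PSPath $PagesPath -Filter $Filter -Name 'value' -Value $GatewayFqdn

# Verify: should print the FQDN you just set. The change is effective immediately.
(Get-WebConfigurationProperty -PSPath $PagesPath -Filter $Filter -Name 'value').Value
```

Use the RD Gateway's external FQDN exactly as it appears on the gateway's TLS certificate; clients that connect through it validate that name.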

Troubleshooting

How do I enable debug logging for Duo Authentication?

  • RD Gateway v2.0.2 and up: As an administrator, use the Registry Editor (regedit.exe) to create a new REG_DWORD value called Debug at HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoTsg with the value set to 1. Restart the RD Gateway service after changing this setting.

The log file location is C:\ProgramData\Duo Security\DuoTsg\DuoTsg.log. Events are additionally written as entries in the server's "Application" event log, with "Duo Security" as the event source.

  • RD Web v2.1.0 and up: As an administrator, use the Registry Editor (regedit.exe) to create a new REG_DWORD value called Debug at HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoRdw with the value set to 1. Restart the IIS server after changing this setting.

Events are written as entries in the "Duo IIS Integration" event log under "Applications and Services Logs" in the Event Viewer.

  • RD Web v1.1.12 and lower: As an administrator, use the Registry Editor (regedit.exe) to create a new REG_DWORD value called Debug at HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoIis with the value set to 1. Restart the IIS server after changing this setting.

Events are written as entries in the "Duo IIS Integration" event log under "Applications and Services Logs" in the Event Viewer.

How do I enable debug logging for Microsoft RD Web?

Make a backup copy of the C:\Windows\Web\RDWeb\web.config file and edit as follows:

  • Locate the line <add name="TraceTSWA" value="0" /> and change the value from 0 to 4.
  • Locate the "listeners" block following the "TraceTSWA" line that contains add name="FileLog" and remove the comment begin (<!--) and end (-->) lines immediately preceding and following that listener section. Save the web.config file when done.

Before:

<system.diagnostics>
    <switches>
        <!--
        TraceTSWA has the following values
          Off = 0, Error = 1, Warning = 2, Info = 3, Verbose = 4
        -->
        <add name="TraceTSWA" value="0" />
    </switches>
    <trace autoflush="true" indentsize="4">
        <listeners>
            <remove name="Default" />
            <!-- Uncomment for file tracing
        <add name="FileLog"
            type="Microsoft.VisualBasic.Logging.FileLogTraceListener,
            Microsoft.VisualBasic, Version=8.0.0.0,
            Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a,
            processorArchitecture=MSIL"
            initializeData="FileLogWriter" BaseFileName="RDWeb"
            Location="Custom"
        LogFileCreationSchedule="Daily"
        MaxFileSize="50000000"
            CustomLocation="\Windows\Web\RDWeb\App_Data" />
        -->
        </listeners>
    </trace>
</system.diagnostics>

After:

<system.diagnostics>
    <switches>
        <!--
        TraceTSWA has the following values
          Off = 0, Error = 1, Warning = 2, Info = 3, Verbose = 4
        -->
        <add name="TraceTSWA" value="4" />
    </switches>
    <trace autoflush="true" indentsize="4">
        <listeners>
            <remove name="Default" />

        <add name="FileLog"
            type="Microsoft.VisualBasic.Logging.FileLogTraceListener,
            Microsoft.VisualBasic, Version=8.0.0.0,
            Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a,
            processorArchitecture=MSIL"
            initializeData="FileLogWriter" BaseFileName="RDWeb"
            Location="Custom"
        LogFileCreationSchedule="Daily"
        MaxFileSize="50000000"
            CustomLocation="\Windows\Web\RDWeb\App_Data" />

        </listeners>
    </trace>
</system.diagnostics>

Debug information is written to C:\Windows\Web\RDWeb\App_Data\RDWeb-date.log.

How do I view additional log info for RD Gateway?

See the Application and Services Logs\Microsoft\Windows\Terminal Services-Gateway event log in the Windows Event Viewer.

Why does the Remote Desktop Session host continue to prompt for credentials?

After you log on to the RD Web site you may be prompted again for your AD login when launching a remote application. The Remote Desktop infrastructure does not support proxying login credentials to the session host. However, it is possible to proxy the credentials of the currently logged in Windows user to the session host. See the Microsoft article "How to enable Single Sign-On for my Terminal Server connections" for more information.

Why might the Duo RD Gateway integration not prompt users for two-factor authentication consistently?

Ensure that the "Bypass RD Gateway server for local addresses" option is not enabled in your RDS deployment properties or RemoteApp RD Gateway Settings.

Additional Troubleshooting

Need more help? Try searching our RDS Knowledge Base articles or Community discussions. For further assistance, contact Support.
