Duo for RD Web and RD Gateway - Frequently Asked Questions
Duo's last day of support for installation and use of any Duo applications on Windows operating systems corresponds with the Microsoft end of support.
RDS 2019 and later
RD Gateway on Windows Server 2019 or later is supported starting with version 2.3.0 of Duo's RD Gateway application.
RD Web for Windows Server 2019 or later is supported starting with version 2.3.0 of Duo's RD Web application.
RDS 2016
RD Gateway on Windows Server 2016 is supported starting with version 2.2.0 of Duo's RD Gateway application.
RD Web for Windows Server 2016 is supported starting with version 2.2.0 of Duo's RD Web application.
RDS 2012 and 2012 R2
The last Duo release that supports Windows Server 2012 and 2012 R2 was v2.3.0.
Microsoft ended support for Windows Server 2012 and 2012 R2 on October 10, 2023.
RDS 2008 and 2008 R2
The last Duo release that supports Windows Server 2008 R2 was v2.3.0. No Duo for RDS release included support for Windows 2008.
Microsoft ended support for Windows Server 2008 and 2008 R2 on January 14, 2020.
The RemoteApp and Desktop Connections feature permits launch of remotely hosted applications from the Start Menu as if they were locally installed.
Installation of Duo Authentication for RD Web effectively disables the use of RemoteApp and Desktop Connections because there is not a method for two-factor authentication when the RemoteApp and Desktop Connections client accesses the "/rdweb/pages/webfeed.aspx" or "rdweb/feed/webfeed.aspx" URLs. This applies to all versions and configurations of Duo's RD Web application.
To continue allowing remote application launch with RemoteApp and Desktop Connections, do not install Duo Authentication for RD Web on your RD Web server. You may install Duo Authentication for RD Gateway on your RD Gateway server to protect remote logons with two-factor authentication when launching applications published via RemoteApp feeds. Your users will receive a Duo authentication request automatically after entering AD credentials.
Remote Desktop connection authorization policies (CAPs) and resource authorization policies (RAPs) are no longer available after installing Duo Authentication. If you require the use of CAPs and RAPs, consider installing Duo Authentication for Windows on your RDS session hosts instead.
No, Duo for RD Gateway only supports sending a push request to Duo Mobile or a phone call to a user. Duo authentication methods like SMS passcodes, hardware token passcodes, YubiKey passcodes, passcodes generated by Duo Mobile, U2F and WebAuthn security keys, and bypass codes may not be used with Duo for RD Gateway.
There is no user interface presented during login that would let a user interactively select a specific authentication method, nor is it possible to append a factor or passcode to any password during RD Gateway authentication.
There are known issues with Duo's applications for RD Web and RD Gateway and the new Remote Desktop web client for RDS 2016 and later. Duo 2FA is not supported in the Remote Desktop web client at this time.
RemoteApp access for Mac clients requires the following:
Mac clients log into the RD Web server using Chrome, and complete Duo authentication. Double-clicking a published RemoteApp downloads an RDP file. Open the RDP file using the Microsoft Remote Desktop app.
If you want your Mac users to access "Remote Resources" from the Microsoft Remote Desktop app, do not install Duo Authentication on your RD Web server (as that prevents access to the webfeed url). Install Duo on your RD Gateway server only, using separate authentication.
Duo does not support RD Web logons using Windows integrated authentication. Please use Windows Forms authentication (the RD Web default).
Launch of VDI desktop connections via RD Web or RD Gateway servers using Duo authentication is not supported.
The Duo RD Web and RD Gateway modules use the HTTPS proxy server configured in your system-wide WinHTTP settings.
You can configure the proxy server(s) used by WinHTTP with the netsh command.
We do not test integration with SBS or Server Essentials and cannot guarantee support for those platforms.
Enter the following command into PowerShell or a Command Prompt to silently install Duo for RD Web with default options (note that the MSI filename changes to reflect the version):
msiexec.exe /i duo-rdgateway-2.3.0.msi DUO_IKEY="DIDIXXXXXXXXXXXXXXXXXXXX" DUO_SKEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" DUO_HOST="api-xxxxxxxx.duosecurity.com" DUO_AKEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" /qn
The parameter names passed to the installer (DUO_IKEY, DUO_SKEY, DUO_HOST, etc.) are case-sensitive!
You can also change the default settings: set the fail mode to fail closed with FAILOPEN="#0", send the UPN as the username format instead of the sAMAccountName with DUO_USEUPNUSERNAME="#1", or define a shared session key for multiple RD Web servers with DUO_AKEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" (the AKEY is a string that you generate and keep secret from Duo; it should be at least 40 characters long).
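The following PowerShell is an added example, not Duo's own script: it performs the silent install described above with the hardened options (fail closed, UPN usernames) and generates the shared AKEY locally with a cryptographic RNG. The MSI path and the values in angle brackets are placeholders you replace with your own.

```powershell
# Added example, not Duo's own script: silent install of Duo for RD Web with the
# options from this FAQ. Placeholders in <...> come from the application's page
# in the Duo Admin Panel; the MSI path is an assumed download location.
$MsiPath = 'C:\Temp\duo-rdweb-2.3.0.msi'
$IKey    = '<DUO_INTEGRATION_KEY>'
$SKey    = '<DUO_SECRET_KEY>'
$ApiHost = '<api-xxxxxxxx.duosecurity.com>'

# Generate the AKEY here with a cryptographic RNG: 32 random bytes as hex gives
# 64 characters, above the 40-character minimum. Duo never receives this value.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$AKey = -join ($bytes | ForEach-Object { $_.ToString('x2') })

# Parameter names are case-sensitive. FAILOPEN="#0" denies logons when the Duo
# service is unreachable; DUO_USEUPNUSERNAME="#1" sends the UPN instead of the
# sAMAccountName (set "Username normalization" to None in the Admin Panel).
$MsiArgs = @(
    '/i', "`"$MsiPath`"",
    "DUO_IKEY=`"$IKey`"",
    "DUO_SKEY=`"$SKey`"",
    "DUO_HOST=`"$ApiHost`"",
    "DUO_AKEY=`"$AKey`"",
    'FAILOPEN="#0"',
    'DUO_USEUPNUSERNAME="#1"',
    '/qn'
)
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $MsiArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "msiexec failed with exit code $($proc.ExitCode)" }

# Every RD Web server in the farm must be installed with the same AKEY, so keep
# it in your secrets store. The secret key and AKEY are passed on the command
# line, which process-creation auditing may record; treat that record as sensitive.
Write-Output "Installed. Shared AKEY for the other RD Web servers: $AKey"
```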
To uninstall Duo Authentication from your RD Web or RD Gateway server, run the msiexec.exe /x command from an elevated command prompt (right-click "Command Prompt" and select the "Run as Administrator" option) against the same product MSI file you used to install Duo. For example:
MsiExec.exe /X duo-rdweb-2.2.0.msi
MsiExec.exe /X duo-tsg-2.2.0.msi
Uninstall silently by appending /qb to the command.
The Duo installers look for the RDS role IIS web site on the C: drive. If the installer ends prematurely, make sure that the RDS default web site is not installed on a different drive.
If you confirm that the RDS default web site directory is on the C: drive and you are still experiencing this behavior, check that your IIS site permissions are sufficient for the installer to complete the installation.
If the "Bypass Duo authentication when offline" box is selected during installation, authentication attempts fail open after primary authentication is successful if the Duo service cannot be contacted. This setting is controlled by a Registry DWORD value FailOpen set to 1. The FailOpen value is located at:
HKLM\Software\Duo Security\DuoRdweb\ (Duo RD Web 2.1.0 and later)
HKLM\Software\Duo Security\DuoTsg\ (Duo RD Gateway 2.0.2 and later)
HKLM\Software\Duo Security\DuoIis\ (earlier versions of the RDW and TSG installers)
You can set the fail mode during installation to "fail closed" by deselecting the "Bypass Duo authentication when offline" box in the Duo installer, or modify the setting after installation. As an administrator, use the Registry Editor (regedit.exe) to change the Duo registry DWORD FailOpen value from 1 to 0 to "fail closed." This will deny all login attempts to RD Web or RD Gateway if there is a problem contacting the Duo service.
Duo for RD Web and RD Gateway sends a user's sAMAccountName to Duo as the Duo username by default. You can change the username format sent to Duo to userPrincipalName (UPN) starting with version 2.3.0.
If you enable this option, you must also change the properties of your RD Web and RD Gateway application in the Duo Admin Panel so that the "Username normalization" setting is None; otherwise Duo will drop the domain suffix from the username sent from RD Web or RD Gateway to our service, which may cause user mismatches or duplicate enrollment. If you installed Duo on both your RDW and RDG server, be sure to make the same username format selection and use the same normalization setting for both.
Choose to send userPrincipalName usernames to Duo during installation by selecting the Send username to Duo in UPN format box in the Duo installer.
Enabling this setting after Duo installation requires creating a new registry value.
To enable this setting for RD Web:
1. Launch the Registry Editor (regedit.exe) as an administrator and navigate to HKLM\Software\Duo Security\DuoRdweb.
2. Create or update the REG_DWORD value UseUpnUsername and set it to 1 to enable the UPN username format.
Alternatively, you can enter the command reg add "HKLM\Software\Duo Security\DuoRdweb" /v UseUpnUsername /t REG_DWORD /d 1 /f in PowerShell to create or update the registry value.
To switch from UPN usernames back to sAMAccountName, update the UseUpnUsername value from 1 to 0.
After changing this setting, restart the IIS server with iisreset.
To enable this setting for RD Gateway:
1. Launch the Registry Editor (regedit.exe) as an administrator and navigate to HKLM\Software\Duo Security\DuoTsg.
2. Create or update the REG_DWORD value UseUpnUsername and set it to 1 to enable the UPN username format.
Alternatively, you can enter the command reg add "HKLM\Software\Duo Security\DuoTsg" /v UseUpnUsername /t REG_DWORD /d 1 /f in PowerShell to create or update the registry value.
To switch from UPN usernames back to sAMAccountName, update the UseUpnUsername value from 1 to 0.
If you installed Duo on both your RDW and RDG server, be sure to make the same username format selection and use the same normalization setting for both.
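The following PowerShell is an added example, not Duo's own tooling. It audits the fail mode and username format settings described in the two sections above (FailOpen and UseUpnUsername under the registry keys the FAQ lists) on whichever Duo RDS module is installed, and when $Enforce is set to $true it writes the fail-closed and UPN values and restarts IIS for RD Web. Run it from an elevated PowerShell session.

```powershell
# Added example, not Duo's own tooling: audit (and optionally enforce) the Duo
# RD Web / RD Gateway fail mode and username format registry values from this FAQ.
$Enforce = $false   # set to $true to write FailOpen=0 and UseUpnUsername=1

$DuoKeys = @(
    @{ App = 'Duo RD Web 2.1.0+';        Path = 'HKLM:\Software\Duo Security\DuoRdweb' },
    @{ App = 'Duo RD Gateway 2.0.2+';    Path = 'HKLM:\Software\Duo Security\DuoTsg' },
    @{ App = 'older RDW/TSG installers'; Path = 'HKLM:\Software\Duo Security\DuoIis' }
)

function Get-DuoDword {
    param([string]$Path, [string]$Name)
    $props = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }   # value not present under this key
    return [int]$props.$Name
}

foreach ($key in $DuoKeys) {
    if (-not (Test-Path $key.Path)) { continue }   # that Duo module is not installed here
    $failOpen = Get-DuoDword -Path $key.Path -Name 'FailOpen'
    $useUpn   = Get-DuoDword -Path $key.Path -Name 'UseUpnUsername'

    if ($failOpen -eq 0)     { $mode = 'fail CLOSED' }
    elseif ($failOpen -eq 1) { $mode = 'fail OPEN: logon succeeds on primary auth alone if Duo is unreachable' }
    else                     { $mode = 'FailOpen value not present' }
    $fmt = if ($useUpn -eq 1) { 'userPrincipalName' } else { 'sAMAccountName (default)' }
    Write-Output "$($key.App) [$($key.Path)]: $mode; username format sent to Duo: $fmt"

    if ($Enforce) {
        # New-ItemProperty -Force creates the value or overwrites an existing one.
        # UseUpnUsername is honoured from version 2.3.0; remember to set
        # "Username normalization" to None in the Duo Admin Panel as well.
        New-ItemProperty -Path $key.Path -Name 'FailOpen' -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key.Path -Name 'UseUpnUsername' -Value 1 -PropertyType DWord -Force | Out-Null
        Write-Output "  -> set FailOpen=0 and UseUpnUsername=1"
    }
}

# The RD Web module picks up the new value only after an IIS restart.
if ($Enforce -and (Test-Path 'HKLM:\Software\Duo Security\DuoRdweb')) { iisreset | Out-Null }
```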
Microsoft RD Web, when accessed with Internet Explorer, includes a feature to connect directly to remote computers using Remote Desktop and ActiveX without launching a published RemoteApp. This remote computer connection does not authenticate through RD Gateway by default.
To require RD Gateway authentication for RD Web's "Connect to a remote PC" feature, do the following:
The change is effective immediately.
Additional information about this setting is available at Microsoft TechNet.
The log file location is C:\ProgramData\Duo Security\DuoTsg\DuoTsg.log. Events are additionally written as entries in the server's "Application" event log, with "Duo Security" as the event source.
Events are written as entries in the "Duo IIS Integration" event log under "Applications and Services Logs" in the Event Viewer.
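The following PowerShell is an added example, not Duo's own tooling: it gathers the last 24 hours of Duo events from the log locations listed above (the Application log with the "Duo Security" source, the "Duo IIS Integration" log, and the RD Gateway file log) for review or forwarding. It assumes "Duo IIS Integration" is the exact log name as shown in Event Viewer.

```powershell
# Added example, not Duo's own tooling: collect recent Duo RD Web / RD Gateway
# events from the locations named in this FAQ.
$Since = (Get-Date).AddHours(-24)

function Get-DuoEvents {
    param([hashtable]$Filter)
    # Get-WinEvent raises a non-terminating error when nothing matches or the
    # log does not exist on this server; return an empty array in that case.
    $Filter['StartTime'] = $Since
    $result = Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue
    if ($null -eq $result) { return @() }
    return @($result)
}

$Events = @()
# RD Gateway: entries in the Application log with "Duo Security" as the source
$Events += Get-DuoEvents -Filter @{ LogName = 'Application'; ProviderName = 'Duo Security' }
# RD Web: the dedicated "Duo IIS Integration" log under Applications and Services Logs
$Events += Get-DuoEvents -Filter @{ LogName = 'Duo IIS Integration' }

$Events | Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap

# Level 2 is Error in the Windows event log; a spike here deserves a look
$Errors = @($Events | Where-Object { $_.Level -eq 2 })
Write-Output "Duo events since $Since : $($Events.Count) total, $($Errors.Count) errors"

# RD Gateway also keeps a flat file log; show its tail when present
$LogFile = 'C:\ProgramData\Duo Security\DuoTsg\DuoTsg.log'
if (Test-Path $LogFile) { Get-Content -Path $LogFile -Tail 50 }
```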
Make a backup copy of the C:\Windows\Web\RDWeb\web.config file and edit it as follows:
1. Locate the line <add name="TraceTSWA" value="0" /> and change the value from 0 to 4.
2. Locate the <add name="FileLog" listener and remove the comment begin (<!--) and end (-->) lines immediately preceding and following that listener section.
3. Save the web.config file when done.
Before:
<system.diagnostics>
<switches>
<!--
TraceTSWA has the following values
Off = 0, Error = 1, Warning = 2, Info = 3, Verbose = 4
-->
<add name="TraceTSWA" value="0" />
</switches>
<trace autoflush="true" indentsize="4">
<listeners>
<remove name="Default" />
<!-- Uncomment for file tracing
<add name="FileLog"
type="Microsoft.VisualBasic.Logging.FileLogTraceListener,
Microsoft.VisualBasic, Version=8.0.0.0,
Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a,
processorArchitecture=MSIL"
initializeData="FileLogWriter" BaseFileName="RDWeb"
Location="Custom"
LogFileCreationSchedule="Daily"
MaxFileSize="50000000"
CustomLocation="\Windows\Web\RDWeb\App_Data" />
-->
</listeners>
</trace>
</system.diagnostics>
After:
<system.diagnostics>
<switches>
<!--
TraceTSWA has the following values
Off = 0, Error = 1, Warning = 2, Info = 3, Verbose = 4
-->
<add name="TraceTSWA" value="4" />
</switches>
<trace autoflush="true" indentsize="4">
<listeners>
<remove name="Default" />
<add name="FileLog"
type="Microsoft.VisualBasic.Logging.FileLogTraceListener,
Microsoft.VisualBasic, Version=8.0.0.0,
Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a,
processorArchitecture=MSIL"
initializeData="FileLogWriter" BaseFileName="RDWeb"
Location="Custom"
LogFileCreationSchedule="Daily"
MaxFileSize="50000000"
CustomLocation="\Windows\Web\RDWeb\App_Data" />
</listeners>
</trace>
</system.diagnostics>
Debug information is written to C:\Windows\Web\RDWeb\App_Data\RDWeb-date.log.
See the Application and Services Logs\Microsoft\Windows\Terminal Services-Gateway event log in the Windows Event Viewer.
After you log on to the RD Web site you may be prompted again for your AD login when launching a remote application. The Remote Desktop infrastructure does not support proxying the RD Web login credentials to the session host. However, it is possible to proxy the credentials of the currently logged-in Windows user to the session host. See the Microsoft article "How to enable Single Sign-On for my Terminal Server connections" for more information.
Ensure that the "Bypass RD Gateway server for local addresses" option is not enabled in your RDS deployment properties or RemoteApp RD Gateway Settings.