Skip navigation
Documentation

Duo Authentication for Microsoft Remote Desktop Web and Remote Desktop Gateway on Windows 2012 and Later

Last Updated: March 7th, 2023

Duo integrates with Remote Desktop Web Access (previously Terminal Services) and Remote Desktop Gateway to add two-factor authentication to RD Web and RD Gateway logons.

Overview

Duo Authentication for Microsoft Remote Desktop Web Access adds two-factor authentication protection to RD Web portal browser logons. When logging on to the RD Web portal, users receive the Duo enrollment or authentication page after primary authentication.

Duo Authentication for Remote Desktop Gateway adds two-factor authentication to your RemoteApp connections launched from RD Web, and blocks any connections to your Remote Desktop Gateway server(s) from users who have not completed two-factor authentication when all connection requests are proxied through a Remote Desktop Gateway. This configuration does not support passcodes or inline self-enrollment.

Users need to perform Duo 2FA authentication at the RD Web server when logging on via the browser, and then approve another Duo request when launching the first RemoteApp of that session. Subsequent RemoteApp launches do not require additional Duo authentication during the same session.

RD Web and RD Gateway Architecture

Remote applications may no longer be launched from the "RemoteApp and Desktop Connections" app feed after Duo is installed on your RD Web server.

Before you begin deploying Duo in your RDS environment, please read our Duo 2FA for Microsoft Remote Desktop Services overview to understand the capabilities and limitations of the different deployment options.

Installing Duo's RD Gateway plugin disables Remote Desktop Connection Authorization Policies (RD CAP) and Resource Authorization Policies (RD RAP). The CAPs and RAPs become inaccessible from the Remote Desktop Gateway Manager and previously configured policy settings are ignored by Remote Desktop Gateway. If operational requirements mandate continued use of RD CAPs/RAPs, you may want to consider installing Duo for Windows Logon at your RDS Session Hosts instead. This alternative also supports passcode authentication.

If you want to enforce two-factor authentication for all your clients, you should ensure that they must connect through RD Web Access with Duo and/or RD Gateway with Duo. If clients can establish a direct connection to your RD Connection Broker and/or Session Host(s), then they may be able to bypass two­-factor authentication. Block direct RDP access to these hosts to mitigate the potential for bypass.

Deployment Tip

Set your application's New User Policy to "Allow Access" while testing. Enrolled users must complete two-factor authentication, while all other users are transparently let through.

Then (when you're ready) change the "New user policy" to "Require Enrollment." This forces all your users to authenticate to Duo (or enroll after RD Web logon).

Prerequisites

Make sure to complete these requirements before installing Duo Authentication for RD Web.

  1. Check your server version. These instructions are for installing Duo Authentication for RD Web on Windows Server 2012 and later.

  2. Make sure you have installed .NET Framework 4.5 on your RD Web and RD Gateway servers. You can do this, for example, by running the following PowerShell commands:

    Import-Module ServerManager
    Add-WindowsFeature NET-Framework-Core
    
  3. Also make sure you have installed ASP.NET 4.5 support for IIS. The PowerShell commands for this are:

    Import-Module ServerManager
    Add-WindowsFeature NET-Framework-45-ASPNET
    
  4. Ensure that the IIS Management Scripts and Tools feature is turned on on the RD Web server only as well. PowerShell example:

    Import-Module ServerManager
    Add-WindowsFeature Web-Scripting-Tools
    

Connectivity Requirements

This application communicates with Duo's service on SSL TCP port 443.

Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review Duo Knowledge Base article 1337.

Effective June 30, 2023, Duo will no longer accept TLS 1.0 or 1.1 connections or support insecure TLS/SSL cipher suites. See Duo Knowledge Base article 7546 for additional guidance.

TLS Requirements

Due to government restrictions, Duo’s services in Australia no longer support TLS versions prior to 1.2. Duo will stop supporting TLS 1.0 and 1.1 in all other regions after June 30, 2023.

The current versions of Duo for RD Web and Duo for RD Gateway support TLS 1.2 when installed on RDS servers running a version of Windows that also supports and uses TLS 1.2 or higher.

See the article Guide to updating Duo for TLS version 1.2 and preparing for TLS 1.0 and 1.1 end of support for more information.

First Steps

  1. Sign up for a Duo account.
  2. Log in to the Duo Admin Panel and navigate to Applications.
  3. Click Protect an Application and locate the entry for Microsoft RD Web in the applications list. Click Protect to the far-right to configure the application and get your integration key, secret key, and API hostname. You'll need this information to complete your setup. See Protecting Applications for more information about protecting applications in Duo and additional application options.
  4. Repeat the previous step, but this time locate Microsoft RD Gateway in the applications list. Click Protect to get your RD Gateway integration key, secret key, and API hostname.
  5. Download the Duo Authentication for Remote Desktop Web Installer Package.
  6. Download the Duo Authentication for Remote Desktop Gateway Installer Package.

View checksums for Duo downloads here.

Treat your secret key like a password

The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!

Duo Universal Prompt

The new Universal Prompt provides a simplified and accessible Duo login experience for web-based applications, offering a redesigned visual interface with security and usability enhancements.

Universal Prompt Traditional Prompt
 Duo Push in Universal Prompt  Duo Push in Traditional Prompt

Read the Universal Prompt Update Guide for more information about the update process and the new login experience for users.

Migration to Universal Prompt for your Microsoft RD Web application will be a three-step process:

  1. Install an update provided by Duo for the application, which will implement a redirect to Duo during authentication to support the Universal Prompt.
  2. Authenticate with Duo 2FA using the updated application so that Duo makes the Universal Prompt activation setting available in the Admin Panel. This first authentication after updating will show the traditional Duo prompt in a redirect.
  3. From the Duo Admin Panel, activate the Universal Prompt experience for users of that Duo Microsoft RD Web application. Once activated, all users of the application will see the Duo Universal Prompt in a redirect.

You'll need to install an update from Duo for Microsoft RD Web to support the Universal Prompt, but the update isn't available yet. The "Universal Prompt" section reflects this status as "Waiting on Duo" with the activation options inaccessible. Please contact Duo Support to request Universal Prompt support for Microsoft RD Web.

Universal Prompt Info - Duo Application Update Not Yet Available

In the meantime, you can use Duo with Microsoft RD Web and the traditional prompt experience.

After Duo makes the necessary software update available and you've installed it, you'll return to the settings on this page to activate the Universal Prompt for your Microsoft RD Web users.

Universal Update Progress

Click the See Update Progress link to view the Universal Prompt Update Progress report. This report shows the update availability and migration progress for all your Duo applications in-scope for Universal Prompt support. You can also activate the new prompt experience for multiple supported applications from the report page instead of visiting the individual details pages for each application.

Read the Universal Prompt Update Guide for more information about the update process to support the new prompt, and watch the Duo Blog for future updates about the Duo Universal Prompt.

This does not apply to the Microsoft RD Gateway application, which does not show the Duo Prompt.

RD Web Installation

  1. On the server(s) running the RD Web role, launch the Duo Security RD Web installer MSI from an elevated command prompt (right-click "Command Prompt" and select the "Run as Administrator" option). Accept the license agreement and continue.

  2. Enter the integration key, secret key, and API hostname from the properties page of the "Microsoft RD Web" application you created earlier.

    Enter Duo Information

    If you leave the "Bypass Duo authentication when offline" box in the Duo installer checked, then your users will be able to logon without completing two-factor authentication if the Duo Security cloud service is unreachable. If that box is unchecked then all RD Web login attempts will be denied if there is a problem contacting the Duo service.

    Duo for RD Web sends a user's Windows sAMAccountName to Duo's service by default. To send the userPrincipalName to Duo instead, check the Use UPN username format box.

    If you enable the UPN username format option, you must also change the properties of your RD Web application in the Duo Admin Panel to change the "Username normalization" setting to None. Otherwise, Duo drops the domain suffix from the username sent from RD Web to our service, which may cause user mismatches or duplicate enrollment.

    When you install Duo on both your RDW and RDG server, be sure to make the same username format selection and use the same normalization setting for both.

  3. If you only have one Windows Server instance running the Remote Desktop Web Access role, select the option to automatically generate a new key. However, if you have multiple servers running RD Web Access role then you should manually generate a random string at least 40 characters long, and use the same string as the session key during installation on each of the servers.

    Create Session Key

    For example, you could use the following PowerShell commands to generate a suitable session key:

    $bytes = new-object "System.Byte[]" 30
    (new-object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
    [Convert]::ToBase64String($bytes)
    
  4. Complete the Duo installation steps. The Duo installer stops and then restarts IIS services on your RD Web server automatically.

  5. Continue to RD Gateway setup.

RD Gateway Installation

  1. On the server(s) running the RD Gateway role, launch the Duo Security RD Gateway installer MSI from an elevated command prompt (right-click "Command Prompt" and select the "Run as Administrator" option). Accept the license agreement and continue.

  2. Enter the integration key, secret key, and API hostname from the properties page of the "Microsoft RD Gateway" application you created earlier.

    Enter Duo Information

    If you leave the "Bypass Duo authentication when offline" box in the Duo installer checked, then your users will be able to logon without completing two-factor authentication if the Duo Security cloud service is unreachable. If that box is unchecked then all RD Gateway login attempts will be denied if there is a problem contacting the Duo service.

    Duo for RD Gateway sends a user's Windows sAMAccountName to Duo's service by default. To send the userPrincipalName to Duo instead, check the Use UPN username format box.

    If you enable the UPN username format option, you must also change the properties of your RD Gateway application in the Duo Admin Panel to change the "Username normalization" setting to None. Otherwise, Duo drops the domain suffix from the username sent from RD Gateway to our service, which may cause user mismatches or duplicate enrollment.

    When you install Duo on both your RDW and RDG server, be sure to make the same username format selection and use the same normalization setting for both.

  3. Complete the Duo installation. The Duo installer stops and then restarts the Remote Desktop Gateway service on your RD Gateway server automatically.

Test Your Setup

With Duo protection installed on both RD Web and RD Gateway, users perform Duo authentication at both RD Web and RD Gateway logon.

To test your setup, log into Remote Desktop Web Access. Duo's enrollment or login prompt appears after you enter your username and password:

RD Web Duo Authentication Prompt

Complete Duo two-factor authentication in the browser to access RD Web.

Once logged in to RD Web, launch a RemoteApp. Enter your primary Windows credentials if prompted to do so by the Remote Desktop client. You'll receive an additional Duo authentication request via push or phone call.

Troubleshooting

Need some help? Take a look at the RDS Frequently Asked Questions (FAQ) page or try searching our RDS Knowledge Base articles or Community discussions. For further assistance, contact Support.