Duo integrates with Remote Desktop Web Access (previously Terminal Services) and Remote Desktop Gateway to add two-factor authentication to RD Web and RD Gateway logons.
Duo Authentication for Microsoft Remote Desktop Web Access adds two-factor authentication protection to RD Web portal browser logons. When logging on to the RD Web portal, users receive the Duo enrollment or authentication page after primary authentication.
Duo Authentication for Remote Desktop Gateway adds two-factor authentication to your RemoteApp connections launched from RD Web, and blocks any connections to your Remote Desktop Gateway server(s) from users who have not completed two-factor authentication when all connection requests are proxied through a Remote Desktop Gateway. This configuration does not support passcodes or inline self-enrollment.
Users need to perform Duo 2FA authentication at the RD Web server when logging on via the browser, and then approve another Duo request when launching the first RemoteApp of that session. Subsequent RemoteApp launches do not require additional Duo authentication during the same session.
Remote applications may no longer be launched from the "RemoteApp and Desktop Connections" app feed after Duo is installed on your RD Web server.
Before you begin deploying Duo in your RDS environment, please read our Duo 2FA for Microsoft Remote Desktop Services overview to understand the capabilities and limitations of the different deployment options.
Installing Duo's RD Gateway plugin disables Remote Desktop Connection Authorization Policies (RD CAP) and Resource Authorization Policies (RD RAP). The CAPs and RAPs become inaccessible from the Remote Desktop Gateway Manager and previously configured policy settings are ignored by Remote Desktop Gateway. If operational requirements mandate continued use of RD CAPs/RAPs, you may want to consider installing Duo for Windows Logon at your RDS Session Hosts instead. This alternative also supports passcode authentication.
Set your application's New User Policy to "Allow Access" while testing. Enrolled users must complete two-factor authentication, while all other users are transparently let through.
Then (when you're ready) change the "New user policy" to "Require Enrollment." This forces all your users to authenticate to Duo (or enroll after RD Web logon).
Duo Authentication for RD Web and RD Gateway supports Windows Server 2016 and later.
There are known issues with Duo and the Remote Desktop web client offered in Windows 2016 and later. Please continue to use the regular Remote Desktop client applications (e.g. MSTSC.exe) with Duo.
Make sure to complete these requirements before installing Duo Authentication for RD Web.
Check your server version. These instructions are for installing Duo Authentication for RD Web on Windows Server 2016 and later.
Make sure you have installed .NET Framework 4.5 on your RD Web and RD Gateway servers. You can do this, for example, by running the following PowerShell commands:
Import-Module ServerManager
Add-WindowsFeature NET-Framework-Core
Also make sure you have installed ASP.NET 4.5 support for IIS. The PowerShell commands for this are:
Import-Module ServerManager
Add-WindowsFeature NET-Framework-45-ASPNET
Ensure that the IIS Management Scripts and Tools feature is enabled (on the RD Web server only). PowerShell example:
Import-Module ServerManager
Add-WindowsFeature Web-Scripting-Tools
This application communicates with Duo's service on SSL TCP port 443.
Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review Duo Knowledge Base article 1337.
Effective June 30, 2023, Duo no longer supports TLS 1.0 or 1.1 connections or insecure TLS/SSL cipher suites. See Duo Knowledge Base article 7546 for additional guidance.
Effective June 30, 2023, Duo no longer supports TLS 1.0 or 1.1 connections or insecure TLS/SSL cipher suites.
The current versions of Duo for RD Web and Duo for RD Gateway support TLS 1.2 when installed on RDS servers running a version of Windows that also supports and uses TLS 1.2 or higher.
See the article Guide to TLS support for Duo applications and TLS 1.0 and 1.1 end of support for more information.
View checksums for Duo downloads here.
The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!
The new Universal Prompt provides a simplified and accessible Duo login experience for web-based applications, offering a redesigned visual interface with security and usability enhancements.
| Universal Prompt | Traditional Prompt |
 |
 |
Read the Universal Prompt Update Guide for more information about the update process and the new login experience for users.
Migration to Universal Prompt for your Microsoft RD Web application will be a three-step process:
You'll need to install an update from Duo for Microsoft RD Web to support the Universal Prompt, but the update isn't available yet. The "Universal Prompt" section reflects this status as "Waiting on Duo" with the activation options inaccessible. Please contact Duo Support to request Universal Prompt support for Microsoft RD Web.
In the meantime, you can use Duo with Microsoft RD Web and the traditional prompt experience.
After Duo makes the necessary software update available and you've installed it, you'll return to the settings on this page to activate the Universal Prompt for your Microsoft RD Web users.
Click the See Update Progress link to view the Universal Prompt Update Progress report. This report shows the update availability and migration progress for all your Duo applications in-scope for Universal Prompt support. You can also activate the new prompt experience for multiple supported applications from the report page instead of visiting the individual details pages for each application.
Read the Universal Prompt Update Guide for more information about the update process to support the new prompt, and watch the Duo Blog for future updates about the Duo Universal Prompt.
This does not apply to the Microsoft RD Gateway application, which does not show the Duo Prompt.
On the server(s) running the RD Web role, launch the Duo Security RD Web installer MSI from an elevated command prompt (right-click "Command Prompt" and select the "Run as Administrator" option). Accept the license agreement and continue.
Enter the integration key, secret key, and API hostname from the properties page of the "Microsoft RD Web" application you created earlier.
If you leave the "Bypass Duo authentication when offline" box in the Duo installer checked, then your users will be able to logon without completing two-factor authentication if the Duo Security cloud service is unreachable. If that box is unchecked then all RD Web login attempts will be denied if there is a problem contacting the Duo service.
Duo for RD Web sends a user's Windows sAMAccountName to Duo's service by default. To send the userPrincipalName to Duo instead, check the Use UPN username format box.
If you enable the UPN username format option, you must also change the properties of your RD Web application in the Duo Admin Panel to change the "Username normalization" setting to None. Otherwise, Duo drops the domain suffix from the username sent from RD Web to our service, which may cause user mismatches or duplicate enrollment.
When you install Duo on both your RDW and RDG server, be sure to make the same username format selection and use the same normalization setting for both.
If you only have one Windows Server instance running the Remote Desktop Web Access role, select the option to automatically generate a new key. However, if you have multiple servers running RD Web Access role then you should manually generate a random string at least 40 characters long, and use the same string as the session key during installation on each of the servers.
For example, you could use the following PowerShell commands to generate a suitable session key:
$bytes = new-object "System.Byte[]" 30
(new-object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
[Convert]::ToBase64String($bytes)
Complete the Duo installation steps. The Duo installer stops and then restarts IIS services on your RD Web server automatically.
Continue to RD Gateway setup.
On the server(s) running the RD Gateway role, launch the Duo Security RD Gateway installer MSI from an elevated command prompt (right-click "Command Prompt" and select the "Run as Administrator" option). Accept the license agreement and continue.
Enter the integration key, secret key, and API hostname from the properties page of the "Microsoft RD Gateway" application you created earlier.
If you leave the "Bypass Duo authentication when offline" box in the Duo installer checked, then your users will be able to logon without completing two-factor authentication if the Duo Security cloud service is unreachable. If that box is unchecked then all RD Gateway login attempts will be denied if there is a problem contacting the Duo service.
Duo for RD Gateway sends a user's Windows sAMAccountName to Duo's service by default. To send the userPrincipalName to Duo instead, check the Use UPN username format box.
If you enable the UPN username format option, you must also change the properties of your RD Gateway application in the Duo Admin Panel to change the "Username normalization" setting to None. Otherwise, Duo drops the domain suffix from the username sent from RD Gateway to our service, which may cause user mismatches or duplicate enrollment.
When you install Duo on both your RDW and RDG server, be sure to make the same username format selection and use the same normalization setting for both.
Complete the Duo installation. The Duo installer stops and then restarts the Remote Desktop Gateway service on your RD Gateway server automatically.
With Duo protection installed on both RD Web and RD Gateway, users perform Duo authentication at both RD Web and RD Gateway logon.
To test your setup, log into Remote Desktop Web Access. Duo's enrollment or login prompt appears after you enter your username and password:
Complete Duo two-factor authentication in the browser to access RD Web.
Once logged in to RD Web, launch a RemoteApp. Enter your primary Windows credentials if prompted to do so by the Remote Desktop client. You'll receive an additional Duo authentication request via push or phone call.
You can upgrade your Duo installation over the existing version; there's no need to uninstall first.
Download the most recent Duo RD Web Installer Package or Duo RD Gateway Installer Package and run the MSI from an elevated command prompt. View checksums for Duo downloads here.
Follow the on-screen prompts to complete the upgrade installation. Note that each of the installers restarts IIS services.
Need some help? Take a look at the RDS Frequently Asked Questions (FAQ) page or try searching our RDS Knowledge Base articles or Community discussions. For further assistance, contact Support.