Duo Authentication for Microsoft Remote Desktop Web Access adds two-factor authentication protection to RD Web portal browser logons. When logging on to the RD Web portal, users receive the Duo enrollment or authentication page after primary authentication.
Remote applications may no longer be launched from the "RemoteApp and Desktop Connections" app feed after Duo is installed on your RD Web server.
Before you begin deploying Duo in your RDS environment, please read our Duo 2FA for Microsoft Remote Desktop Services overview to understand the capabilities and limitations of the different deployment options.
If you want to enforce two-factor authentication for all your clients, you should ensure that they must connect through RD Web Access with Duo and/or RD Gateway with Duo. If clients can establish a direct connection to your RD Connection Broker and/or Session Host(s), then they may be able to bypass two-factor authentication. Block direct RDP access to these hosts to mitigate the potential for bypass.
Set your application's "New user policy" to "Allow Access" while testing. Enrolled users receive the Duo authentication prompt, while all other users are transparently let through.
Then (when you're ready) change the "New user policy" to "Require Enrollment." This forces all your users to authenticate to Duo (or enroll) after RD Web logon.
Make sure to complete these requirements before installing Duo Authentication for RD Web.
Check your server version. These instructions are for installing Duo Authentication for RD Web on Windows Server 2012 and later.
Make sure you have installed .NET Framework 4.5. You can do this, for example, by running the following PowerShell commands:
Import-Module ServerManager Add-WindowsFeature NET-Framework-Core
Also make sure you have installed ASP.NET 4.5 support for IIS. The PowerShell commands for this are:
Import-Module ServerManager Add-WindowsFeature NET-Framework-45-ASPNET
Ensure that the IIS Management Scripts and Tools feature is turned on as well. PowerShell example:
Import-Module ServerManager Add-WindowsFeature Web-Scripting-Tools
This application communicates with Duo's service on TCP port 443. Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review this Duo KB article.
Before moving on to the deployment steps, it's a good idea to familiarize yourself with Duo administration concepts and features like options for applications, available methods for enrolling Duo users, and Duo policy settings and how to apply them. See all Duo Administrator documentation.
The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!
Launch the Duo Security installer MSI from an elevated command prompt (right-click "Command Prompt" and select the "Run as Administrator" option). Accept the license agreement and continue.
Enter the integration key, secret key, and API hostname from the properties page of the "Microsoft RD Web" application you created earlier.
If you leave the "Bypass Duo authentication when offline" box in the Duo installer checked, then your users will be able to logon without completing two-factor authentication if the Duo Security cloud service is unreachable. If that box is unchecked then all RD Web login attempts will be denied if there is a problem contacting the Duo service.
If you enable the UPN username format option, you must also change the properties of your RD Web application in the Duo Admin Panel to change the "Username normalization" setting to None. Otherwise, Duo drops the domain suffix from the username sent from RD Web to our service, which may cause user mismatches or duplicate enrollment.
If you only have one Windows Server instance running the Remote Desktop Web Access role, select the option to automatically generate a new key. However, if you have multiple servers running RD Web Access role then you should manually generate a random string at least 40 characters long, and use the same string as the session key during installation on each of the servers.
For example, you could use the following PowerShell commands to generate a suitable session key:
$bytes = new-object "System.Byte" 30 (new-object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes) [Convert]::ToBase64String($bytes)
To test your setup, log into Remote Desktop Web Access. Duo's enrollment or login prompt appears after you enter your username and password:
If you plan to permit use of WebAuthn authentication methods (security keys, U2F tokens, or Touch ID), Duo recommends enabling hostname whitelisting for this application and any others that show the inline Duo Prompt before onboarding your end-users.
With Duo installed on only the RD Web server, when you launch a RemoteApp there is no additional two-factor authentication verification. If your session host is configured to use RD Gateway we recommend installing Duo on your RD Gateway server as well. See the RD Web and RD Gateway instructions.
If you installed Duo Authentication for both RD Web and RD Gateway, you receive an additional Duo authentication request via push or phone call when you launch a RemoteApp.
You can upgrade your Duo installation over the existing version; there's no need to uninstall first.
Follow the on-screen prompts to complete the upgrade installation. Note that the installer restarts IIS services.