Skip navigation
Documentation

Duo Authentication for Microsoft Remote Desktop Web on Windows 2016 and Later

Last Updated: October 31st, 2024

Duo integrates with Remote Desktop Web Access (previously Terminal Services), offering inline user enrollment, self-service device management, and support for a variety of authentication methods — such as passkeys and security keys, Duo Push, or Verified Duo Push — in the Universal Prompt.

Overview

Duo Authentication for Microsoft Remote Desktop Web Access adds two-factor authentication protection to RD Web portal browser logons. When logging on to the RD Web portal, users receive the Duo enrollment or authentication page after primary authentication.

Remote applications may no longer be launched from the "RemoteApp and Desktop Connections" app feed after Duo is installed on your RD Web server.

Before you begin deploying Duo in your RDS environment, please read our Duo 2FA for Microsoft Remote Desktop Services overview to understand the capabilities and limitations of the different deployment options.

If you want to enforce two-factor authentication for all your clients, you should ensure that they must connect through RD Web Access with Duo and/or RD Gateway with Duo. If clients can establish a direct connection to your RD Connection Broker and/or Session Host(s), then they may be able to bypass two­-factor authentication. Block direct RDP access to these hosts to mitigate the potential for bypass.

Deployment Tip

Set your application's New User Policy to "Allow Access" while testing. Enrolled users must complete two-factor authentication, while all other users are transparently let through.

Then (when you're ready) change the "New user policy" to "Require Enrollment." This forces all your users to authenticate to Duo (or enroll) after RD Web logon.

Prerequisites

Duo Authentication for RD Web supports Windows Server 2016 and later.

There are known issues with Duo and the Remote Desktop web client offered in Windows 2016 and later. Please continue to use the regular Remote Desktop client applications (e.g. MSTSC.exe) with Duo. RD Web logins must use the https://hostname.domain/RDWeb/Pages/en-US/login.aspx login page for Duo to work.

Duo Authentication for RD Web also requires the .NET Framework 4.7.1 or later runtime installed on your RD Web server.

Connectivity Requirements

This application communicates with Duo's service on SSL TCP port 443.

Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review Duo Knowledge Base article 1337.

Effective June 30, 2023, Duo no longer supports TLS 1.0 or 1.1 connections or insecure TLS/SSL cipher suites. See Duo Knowledge Base article 7546 for additional guidance.

TLS Requirements

Effective June 30, 2023, Duo no longer supports TLS 1.0 or 1.1 connections or insecure TLS/SSL cipher suites.

The current versions of Duo for RD Web and RD Gateway supports TLS 1.2 when installed on RDS servers running a version of Windows that also supports and uses TLS 1.2 or higher.

See the article Guide to TLS support for Duo applications and TLS 1.0 and 1.1 end of support for more information.

First Steps

Before moving on to the deployment steps, it's a good idea to familiarize yourself with Duo administration concepts and features like options for applications, available methods for enrolling Duo users, and Duo policy settings and how to apply them. See all Duo Administrator documentation.

  1. Sign up for a Duo account.
  2. Log in to the Duo Admin Panel and navigate to ApplicationsProtect an Application.
  3. Locate the 2FA-only entry for Microsoft RD Web in the applications list. Click Protect to the far-right to configure the application and get your Client ID, Client secret, and API hostname. You'll need this information to complete your setup. See Protecting Applications for more information about protecting applications with Duo and additional application options.

    Previously, the Client ID was called the "Integration key" and the Client secret was called the "Secret key".

  4. Download the Duo Authentication for Remote Desktop Web Installer Package. View checksums for Duo downloads here.

Treat your secret key like a password

The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!

Duo Universal Prompt

The Duo Universal Prompt provides a simplified and accessible Duo login experience for web-based applications, offering a redesigned visual interface with security and usability enhancements.

Universal Prompt Traditional Prompt
 Duo Push in Universal Prompt  Duo Push in Traditional Prompt

For Microsoft RD Web applications created before March 2024, migration to Universal Prompt is a three-step process:

  1. Install an update for the Microsoft RD Web application, which implements a redirect to Duo during authentication to support the Universal Prompt.
  2. Authenticate with Duo 2FA using the updated application so that Duo makes the Universal Prompt activation setting available in the Admin Panel. This first authentication after updating shows the traditional Duo prompt in a redirect instead of an iframe.
  3. From the Duo Admin Panel, activate the Universal Prompt experience for users of that Duo Microsoft RD Web application if the traditional prompt is still selected. Once activated, all users of the application see the Duo Universal Prompt in a redirect.

If you created your Microsoft RD Web application before March 2024, it's a good idea to read the Universal Prompt Update Guide for more information, about the update process and the new login experience for users, before you activate the Universal Prompt for your application.

New Microsoft RD Web Applications

When you install the latest version of RD Web you're ready to use the Universal Prompt. Microsoft RD Web applications created after March 2024 have the Universal Prompt activated by default. If you're configuring Microsoft RD Web now, proceed with the installation instructions in this document.

The "Universal Prompt" area of the application details page shows that this application is "Activation complete", with these activation control options:

  • Show traditional prompt: Your users experience Duo's traditional prompt via redirect when logging in to this application.
  • Show new Universal Prompt: (Default) Your users experience the Universal Prompt via redirect when logging in to this application.

Universal Prompt Info - Activation Complete for Universal Prompt

Existing Microsoft RD Web Applications

RD Web needs a software update installed to support the Universal Prompt. The "Universal Prompt" section of your existing Microsoft RD Web application reflects this status as "Update required". To update RD Web application to a newer version, follow the update directions below.

Universal Prompt Info - Update Required

Once a user authenticates to RD Web via the updated Duo plugin, the "Universal Prompt" section of the Microsoft RD Web application page reflects this status as "Ready to activate", with these activation control options:

  • Show traditional prompt: (Default) Your users experience Duo's traditional prompt via redirect when logging in to this application.
  • Show new Universal Prompt: Your users experience the Universal Prompt via redirect when logging in to this application.

Universal Prompt Info - Application Ready for Universal Prompt

In addition, the "Integration key" and "Secret key" property labels for the application update to "Client ID" and "Client secret" respectively. The values for these properties remain the same.

Activate Universal Prompt

Activation of the Universal Prompt is a per-application change. Activating it for one application does not change the login experience for your other Duo applications.

Enable the Universal Prompt experience by selecting Show new Universal Prompt, and then scrolling to the bottom of the page to click Save.

Once you activate the Universal Prompt, the application's Universal Prompt status shows "Activation Complete" here and on the Universal Prompt Update Progress report.

Universal Prompt Info - Universal Prompt Activation Complete

Should you ever want to roll back to the traditional prompt, you can return to this setting and change it back to Show traditional prompt. However, this will still deliver the Duo prompt via redirect, not in an iframe. Keep in mind that support for the traditional Duo prompt ended for the majority of applications in March 2024.

Universal Update Progress

Click the See Update Progress link to view the Universal Prompt Update Progress report. This report shows the update availability and migration progress for all your Duo applications. You can also activate the new prompt experience for multiple supported applications from the report page instead of visiting the individual details pages for each application.

Installation

  1. Launch the Duo Security installer MSI from an elevated command prompt (right-click "Command Prompt" and select the "Run as Administrator" option). Accept the license agreement and continue.

  2. Enter your Client ID (formerly called the Integration key), Client secret (formerly called the Secret key), and API hostname from the properties page of the "Microsoft RD Web" application you created earlier.

    Enter Duo Information
    • If the Bypass Duo authentication when offline option is unchecked, then Duo for RD Web will "fail closed" when Duo Security cloud services are unreachable and users will not be able to access protected federated resources. Check the box if you want users to be able to access protected applications without Duo authentication if Duo's cloud service is unreachable. This setting can be changed post-install from the registry.

    • Duo for RD Web sends a user's Windows sAMAccountName to Duo's service by default. To send the userPrincipalName to Duo instead, check the Use UPN username format box.

      If you enable the UPN username format option, you must also change the properties of your RD Web application in the Duo Admin Panel to change the "Username normalization" setting to None. Otherwise, Duo drops the domain suffix from the username sent from RD Web to our service, which may cause user mismatches or duplicate enrollment.

  3. If you only have one Windows Server instance running the Remote Desktop Web Access role, select the option to automatically generate a new key. However, if you have multiple servers running RD Web Access role then you should manually generate a random string at least 40 characters long, and use the same string as the session key during installation on each of the servers.

    Create Session Key

    For example, you could use the following PowerShell commands to generate a suitable session key:

    $bytes = new-object "System.Byte[]" 30
    (new-object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
    [Convert]::ToBase64String($bytes)
    
  4. Complete the Duo installation. The Duo installer stops and then restarts IIS services on your RD Web server automatically.

Test Your Setup

To test your setup, log into Remote Desktop Web Access using the hostname or fully-qualified domain name URL i.e. https://hostname.domain/RDWeb/Pages/en-US/login.aspx. Successful verification of your username and password redirects you to Duo. Complete Duo two-factor authentication when prompted and then you'll return to RD Web to complete the login process.

OIDC Duo Prompt

*Universal Prompt experience shown.

Configure Allowed Hostnames

If you plan to permit use of WebAuthn authentication methods (security keys, U2F tokens, or Touch ID) in the traditional Duo Prompt, Duo recommends configuring allowed hostnames for this application and any others that show the inline Duo Prompt before onboarding your end-users.

The Duo Universal Prompt has built-in protection from unauthorized domains so this setting does not apply.

With Duo installed on only the RD Web server, when you launch a RemoteApp there is no additional two-factor authentication verification. If your session host is configured to use RD Gateway we recommend installing Duo on your RD Gateway server as well. See the RD Web and RD Gateway instructions.

If you installed Duo Authentication for both RD Web and RD Gateway, you receive an additional Duo authentication request via push or phone call when you launch a RemoteApp.

Update Duo for RD Web

You can upgrade your Duo installation over the existing version; there's no need to uninstall first.

  1. Download the most recent Duo RD Web Installer Package and run the MSI from an elevated command prompt. View checksums for Duo downloads here.

  2. Follow the on-screen prompts to complete the upgrade installation. Note that the installer restarts IIS services.

    The installer now defaults the Bypass Duo authentication when offline option to off when upgrading from v2.x to v3.0.0. If you want to allow users access to RD Web without 2FA when Duo's service can't be reached then select this option during your upgrade install. Upgrades from v3.0.0 to future releases will preserve your choice.

If you are updating an existing Duo RD Web deployment to use the Universal Prompt, you will need to authenticate once with the traditional Duo Prompt using the updated Duo for RD Web v3.x plugin first before you can enable the Universal Prompt for this RD Web application in Duo.

Troubleshooting

Need some help? Take a look at the RDS Frequently Asked Questions (FAQ) page or try searching our RDS Knowledge Base articles or Community discussions. For further assistance, contact Support.