Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1970
Views
0
Helpful
7
Replies

Disabling "Only prompt for duo authentication when logging in via rdp" doesn't seem to work?

ITBill1
Level 1
Level 1

‎07-13-2020 07:38 AM

I’ve installed Duo on multiple computers and disabled the option, “Only prompt for duo authentication when logging in via rdp.” I’ve also confirmed this by checking that is “RdpOnly” is set to 0 (zero) in the registry.

Regardless, I am able to login to the computers from LogMeIn (console) and VMWare UI (console) without any Duo 2FA.

What am I doing wrong?

Thank you!

Labels:
0 Helpful
7 Replies 7

DuoKristina
Cisco Employee
Cisco Employee

‎07-13-2020 10:01 AM

Perhaps there is another issue, like the Duo Windows client applications is “failing open” because it can’t contact Duo’s cloud service at login. You can enable debug logging for the Duo Windows Logon client and examine the logs to see if it explains what is happening.

Duo, not DUO.
0 Helpful

ITBill1
Level 1
Level 1
In response to DuoKristina

‎07-13-2020 11:30 AM

Duo 2FA works perfectly when I RDP in, before and after the console attempts. Also, Fail Open is disabled in favor of offline login allowed.

0 Helpful

KevinSiddique
Level 1
Level 1

‎07-13-2020 11:49 AM

I believe LogMeIn and VMWare UI are logging you into the console session on the machine and that’s why you’re not prompted for Duo 2FA. I’ve seen the same thing when accessing a Hyper-V VM in the console vs RDP. Try disabling the “RDP only” option to see if that helps.

0 Helpful

ITBill1
Level 1
Level 1

‎07-13-2020 11:51 AM

I enabled Debug logging and rebooted (assuming I would need to for the regedit to take effect). Duo properly stopped me during a console login. I’ve since disabled Debug, rebooted, and Duo continues to properly stop me during a console login.

Except for the reboot and the addition/removal of the registry value, nothing has changed. (I also rebooted when Duo was initially allowing me to login to the console without 2FA this morning and the issue persisted after.)

0 Helpful

DuoKristina
Cisco Employee
Cisco Employee
In response to ITBill1

‎07-13-2020 01:06 PM

It does not typically require a reboot for any of the Duo registry settings to take effect, but I’m glad it helped resolve your issue.

Duo, not DUO.
0 Helpful

ITBill1
Level 1
Level 1
In response to DuoKristina

‎07-13-2020 01:24 PM

I guess I’m glad too, however, not knowing why it allowed me to remote in via the console without Duo 2FA in the first place (again, to multiple computers) is rather concerning. Thank you.

0 Helpful

DuoKristina
Cisco Employee
Cisco Employee
In response to ITBill1

‎07-13-2020 01:47 PM

Do you have any systems left with the issue where you haven’t already rebooted?

It’s possible that the non-debug level logging that was on when you initially encountered the issue captured some useful information. If that’s so, please use that to open a case with Duo support. This definitely isn’t expected behavior so we’d want to examine whatever artifacts you could provide.

If there are no logs available from before, but you encounter this again with future installs, please enable debugging via regedit without rebooting, reproduce the issue, and contact Duo Support to open a case.

For reference, which version of the Duo software did you install, what were the target Windows versions, and did you install Duo interactively or silently using the MSI?

Duo, not DUO.
0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents