Duo for RDP/Windows prerequisites


What are the prerequisites required on the Microsoft server for Duo 2FA?
Do I need the RD Gateway if I want to use Duo with Microsoft Session Host server?

On the Windows server, I assume I will need
RD Connection Broker
RD Session Host
RD Web Access
RD Licensing server

I saw the Duo/RDP network diagram on https://duo.com/docs/rdp#network-diagram but how is the client connection actually initiated? Through the RD Web interface, or through a standard RDP connection to the server? And is it safe to open RDP traffic from the internet?



Duo for RDP (Windows Logon) is a different offering from us than Duo for RD Web and RD Gateway.

The most typical use case for Duo Windows Logon/RDP is to install it on a server that users connect to with RDP or log in to at the console interactively, or to install it on an end-user workstation. Users provide their Windows credentials, and then approve the Duo login request.

If you want to just protect interactive logins to a server or workstation where users are at the console or connect directly with the MSTSC application (or similar) on the normal 3389 port, this is all you need.

You could also install Duo for Windows login only on the session host in an RDS deployment. Whether users connected to that host from RD Web, RD Gateway, or a direct RDP connection, they would complete Duo 2FA only at the session host.

It is generally not considered safe to open your system up to direct inbound RDP traffic from the internet. That’s why Microsoft RDS exists (of which RD Web and RD Gateway are components). These technologies let you provide connectivity to your session hosts over HTTPS instead of RDP 3389.

If you have an RDS deployment then you could install Duo for RDW on your RD Web server and Duo for RD Gateway on your RD Gateway server. That way anyone connecting through either of those would perform 2FA at the initial connection point, then get passed through to the session host without any further 2FA requirement at the session host.

Or, you could just choose to install Duo for Windows Logon on your session host, so users would connect via RD Web or RD Gateway but not need to perform 2FA until they actually hit the session host.

Please carefully read through our overview of how Duo fits into a full RDS deployment here.


When I installed DUO RDP Windows logon on an RDS session host used to provide remote apps for internal users, the users' RDP access breaks. They get “Logon failure: the user has not been granted the requested logon type”. If I give the remote app user group the “Log on locally” right they can get in again. The problem is they should not have this right, since they are only allowed RDP access to particular applications. They functioned fine without it prior to implementing DUO. I tried to add the registry change for DUO to RDP only, and the Group Policy template is also set to use DUO for remote access only. Is there a way to make this work without giving the “Log on locally” right?


No, the Duo Auth for Windows Logon application requires that users have the “Log on locally” right.
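Because the answer above says Duo for Windows Logon needs the “Log on locally” right, an administrator will want to check, before installing on a session host, which principals hold that right versus the RDP-only right. The following PowerShell script is an added example, not part of the thread or of Duo's own tooling; it uses the built-in `secedit` export and assumes it is run elevated on the Windows server being checked.

```powershell
# Added example (not from the Duo post or Duo's tooling): audit the two logon
# rights that matter here on a session host, using secedit's policy export.
# Assumes an elevated PowerShell session on the server itself.

$cfg = Join-Path $env:TEMP 'logonrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Parse the [Privilege Rights] lines: "SeXxxRight = *SID,*SID,Name"
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $name = $Matches[1]
        $rights[$name] = ($Matches[2] -split ',') | ForEach-Object {
            $p = $_.Trim()
            if ($p.StartsWith('*')) {
                # Leading '*' marks a SID; translate it to DOMAIN\Name when possible
                try {
                    (New-Object System.Security.Principal.SecurityIdentifier($p.Substring(1))).
                        Translate([System.Security.Principal.NTAccount]).Value
                } catch { $p }
            } else { $p }
        }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

$local  = @($rights['SeInteractiveLogonRight'])        # "Allow log on locally"
$remote = @($rights['SeRemoteInteractiveLogonRight'])  # "Allow log on through Remote Desktop Services"
$denyLocal = @($rights['SeDenyInteractiveLogonRight']) # "Deny log on locally" overrides the allow

Write-Host "Allow log on locally:"
$local | ForEach-Object { "  $_" }
Write-Host "Allow log on through Remote Desktop Services:"
$remote | ForEach-Object { "  $_" }

# Principals granted RDP logon but not local logon are the ones that will see
# "has not been granted the requested logon type" once the Duo credential
# provider is installed. The comparison is by listed principal; it does not
# expand nested group membership, so treat the result as a starting point.
$remote | Where-Object { $_ -notin $local } | ForEach-Object {
    Write-Warning "$_ has the RDP logon right but not 'Allow log on locally'"
}
$denyLocal | Where-Object { $_ -in $remote } | ForEach-Object {
    Write-Warning "$_ is explicitly denied local logon; Duo logon will fail for it"
}
```

Run it once before installing Duo and again after adjusting the policy; any group that appears only under the RDP right on the post-change run still needs to be granted “Log on locally” (directly or via an effective GPO) for Duo's credential provider to accept its users. If the right is delivered by Group Policy rather than local policy, run `gpupdate /force` first so the export reflects the effective setting.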