Duo for RDP/Windows prerequisites

MikoAke · ‎02-22-2018

Hi,
What are the prerequisites required on the Microsoft server for Duo 2FA?
Do I need the RD Gateway if I want to use Duo with Microsoft Session Host server?

On the Windows server, I assume I will need
RD Connection Broker
RD Session Host
RD Web Access
RD Licensing server

I saw the Duo/RDP network diagram on https://duo.com/docs/rdp#network-diagram but how is the client connection actually initiated? Through the RD Web interface?, through a standard RDP connection to the server? And is it safe to open RDP traffic from the internet?

Regards,
Michael

DuoKristina · ‎02-23-2018

Duo for RDP (Windows Logon) is a different offering from us than Duo for RD Web and RD Gateway.

The most typical use case for Duo Windows Logon/RDP is to install it on a server that users connect to with RDP or login at the console interactively, or to install on an end-user workstation. Users provide their Windows credentials, and then approve the Duo login request.

If you want to just protect interactive logins to a server or workstation where users are at the console or connect directly with MSTSC application (or similar) on the normal 3389 port, this is all you need.

You could also install Duo for Windows login only on the session host in an RDS deployment. Whether users connected to that host from RD Web, RD Gateway, or a direct RDP connection, they would complete Duo 2FA only at the session host.

It is generally not considered safe to open your system up to direct inbound RDP traffic from the internet. That’s why Microsoft RDS exists (of which RD Web and RD Gateway are components). These technologies let you provide connectivity to your session hosts over HTTPS instead of RDP 3389.

If you have an RDS deployment then you could install Duo for RDW on your RD Web server and Duo for RD Gateway on your RD Gateway server. That way anyone connecting through either of those would perform 2FA at the initial connection point, then get passed through to the session host without any further 2FA requirement at the session host.

Or, you could just choose to install Duo for Windows Logon on your session host, so users would connect via RD Web or RD Gateway but not need to perform 2FA until they actually hit the session host.

Please carefully read through our overview of how Duo fits into a full RDS deployment here.

Duo, not DUO.

jcondello · ‎03-09-2018

When I installed DUO RDP Windows logon to a RDS session host used to provide remote apps for internal users, the users RDP access breaks. They get “Logon failure the user has not been granted the requested logon type” . If I give the remote app user group the “logon on locally” right they can get in again. The problem is they should not have this right, since they are only allowed RDP access to particular applications. They functioned fine without it prior to implementing DUO. I tried to add the registry change for DUO to RDP only, and the Group Policy template is also set to use DUO for remote access only also. Is there a way to make this work without giving the logon local right?

DuoKristina · ‎03-12-2018

No, the Duo Auth for Windows Logon application requires that users have the “Log on locally” right.

Duo, not DUO.

alexanderpy · ‎03-05-2019

What license or service level is needed for Windows login Two factor auth? Can this work with Duo MFA?

Dooley · ‎03-06-2019

Hey Alex,
Our Duo for Windows Logon application is available for all Duo editions – including Duo Free. You can learn more by referencing our documentation here: Duo Authentication for Windows Logon and RDP | Duo Security.