We allow customers to access applications using Citrix Remote Apps.
We protect applications using Duo Authentication for Windows Logon and RDP.
Duo prompts for 2 factor on the first connection. But once someone is already logged in, another person can “steal” the session or reconnect to an already disconnected (but still logged in) session without any further 2 factor prompts. The user needs to be fully logged out to be secure.
This has been going on for a long time and the later versions haven’t fixed anything. We have customers that now want 2 factor so I’ve been tasked with looking into it again.
Server 2019 did not have the problem before 1803 (I believe) which is when I know there was an issue with Microsoft’s “Automatic Reconnection” but I followed all the mitigation steps with no luck. It definitely used to work a few years ago on 2019.
Server 2012r2 does not have the same issue.
Does anybody have any ideas we can try?
Hi @GeorgeK, welcome to the Duo Community. Thanks for sharing your question here! When you say you followed all the mitigation steps, do you mean you disabled Automatic Reconnection of RDP sessions following the instructions in the help article here?
Hi @Amy thank you for getting back to me. That’s the one.
It’s been a while so I double checked everything was applied correctly.
Even with “Automatic Reconnection of RDP Sessions” disabled in group policy, the server rebooted and gpresult checked to be sure, I can still reconnect to disconnected sessions without any 2 factor prompts.
Any other ideas?
Hmm interesting. This can also be configured on the Remote Desktop connection general page as “allow me to save credentials” which you should ensure is not checked.
It may also be listed as “always ask for credentials” which should be checked.
If you’re still having trouble, I would recommend contacting Duo Support for help. They can investigate this with you further and make recommendations. I’ve kind of exhausted my limited expertise on this topic, unless the wider community has suggestions or ideas!
Users through Citrix don’t use that remote desktop GUI.
I appreciate the help. Thanks for trying.
I’ll aim to contact support tomorrow.
@GeorgeK - I’m curious to know if you found a solution to this issue? We are having the same exact problem on Server 2019, but on server 2016 the suggestion to disable Automatic Reconnection does work as expected. Opening a ticket with support is next on our list.
We’ve not heard back from the ticket I made 6 days ago sadly. Interesting to hear the fix works on 2016.
If you hear back sooner than me I’d love to hear the update. Otherwise I’ll update this once I have an answer.
This is what I received back (ticket 00939111):
Based on the information you have provided and since you have applied the setting recommended in our knowledge article, I recommend contacting Microsoft support. If it works for your 2016 server, there could be something on Microsoft’s end that is causing the issue with the 2019 server.
They just said the same thing to me.
Because apparently they think a small business contacting Microsoft will have more luck than themselves?
In my opinion, unless this isn’t affecting everyone on 2019, Duo shouldn’t list 2019 as a supported operating system if they won’t support us.
As part of the case troubleshooting did the support engineer have you enable debug logging for Duo and then examine the log to see how the app identifies the Citrix reconnection login scenario?
Duo requires auth for Usage scenario 1/CPUS_LOGON and Usage scenario 2/CPUS_UNLOCK_WORKSTATION. If a connection does not go through one of those primary login scenarios then the Duo 2FA credential provider isn’t triggered.
The vulnerability note says that with Automatic Reconnection the “reconnected RDP session is restored to a logged-in desktop rather than the login screen”.
It would be interesting to know how these reconnections get identified if the condition persists after you made the local policy change on the connection server to disable automatic reconnection.
Is it possible that if the automatic reconnection option was disabled locally a domain-level policy could be overriding it?
Is it possible that there is also a Citrix setting for automatic reconnection that might conflict with the Terminal Services setting (if you only see this for Citrix session reconnection)?
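The questions above about a domain-level policy overriding the local setting can be answered on the session host itself. The script below is an added example, not something from the thread or from Duo, and it assumes the “Automatic Reconnection” RDP policy is stored as the `fDisableAutoReconnect` value under the Terminal Services policy key (a value of 1 means reconnection is disabled, which is the state the Duo article asks for). Run it as an administrator on each Citrix/RDS server, then compare with the Citrix “Auto client reconnect” policy in Citrix Studio, which this script cannot read.

```powershell
# Added example (not from the thread): report whether the RDP
# "Automatic Reconnection" policy is actually in effect on this host.
# Assumption: the policy writes fDisableAutoReconnect under the
# Terminal Services policy key; 1 = reconnection disabled.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ValueName = 'fDisableAutoReconnect'

function Get-AutoReconnectState {
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Configured = $false; Disabled = $false; Value = $null }
    }
    $v = [int]$item.$ValueName
    return [pscustomobject]@{ Configured = $true; Disabled = ($v -eq 1); Value = $v }
}

$state = Get-AutoReconnectState
if (-not $state.Configured) {
    Write-Warning "No Automatic Reconnection policy found at $PolicyKey; the GPO may not be applied to this host."
} elseif (-not $state.Disabled) {
    Write-Warning "Automatic Reconnection policy is present but not set to Disabled (value $($state.Value))."
} else {
    Write-Host "Automatic Reconnection is disabled by policy (value 1)."
}

# Show which GPOs actually applied, so a domain-level policy that
# re-enables reconnection (or never delivers the setting) is visible.
gpresult /scope:computer /r
```

If the policy value is present and set to 1 but disconnected sessions can still be resumed without a Duo prompt, the reconnection is being handled outside the Windows RDP stack, which is the Citrix “Auto client reconnect” path the thread goes on to identify.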
Kristina you are a life saver. The engineer didn’t ask for any logging or really suggest anything.
I searched through the Citrix policies and found “Auto client reconnect: Enabled” and “Auto Client Reconnect Authentication: Do not require authentication” policies. These are both the default.
I set these to “Disabled” and “Require authentication”. Although I bet I just needed to set “Auto client reconnect” to disabled.
This has solved the problem for me. I’ll update my support ticket.
I’m very glad this helped! We’ll get the knowledge base article 5148 updated to mention the Citrix-specific settings information.