I just installed it according to the paltry amount of documentation and it doesn’t work. I’ve got two users added and they have the Duo software on their devices and I see the installation on the admin page. When we login via RDP to the terminal server (RDS), it logs us straight in and never does anything Duo related. I also don’t see any type of control panel on the server to see if Duo is even running. What am I missing here?
We need a bit more information to understand your use case and Duo install before we can help.
As you’re undoubtedly aware, there are many parts to an RDS deployment. Did you install Duo for RD Web, RD Gateway, or both? Are your RDS roles colocated on the same server or distributed? Do you have one session host or multiple behind a connection broker?
When it comes to your running the RemoteApps, are your users launching a published RDP file or do they have MSTSC on their clients configured to connect via an RD Gateway server, or was the RemoteApp feed added to their Start Menus via the Control panel applet?
Enabling debug logging for Duo for RDW/RDG may also help pinpoint the issue.
If your RDS deployment is only used for RDP access via MSTSC to session hosts your users might have a better experience if you just install Duo for Windows Logon on your session hosts instead. In that scenario the 2FA request comes when logging in to the session host instead of during the RDG connection, but instead of receiving an automatic push or phone call to one device users can make user of a variety of factors in the Duo Windows Logon prompt.
Thanks for trying Duo!
Thanks for your response. I’ll try to answer a few of your questions.
I did the install for only RD Gateway because that is the only one we’ll be using. Both roles are installed and active on the same host but only the RD Gateway will be used. There is only the one session host.
Users only have a manually created RDP file on their desktops to start the session. I see the RD Gateway setting inside the RDP config but haven’t done anything with it.
I’ve got the debugging enabled now. Should I try connecting to a remote session to see if anything is logged?
I didn’t realize you could use Duo for Windows Logon for a RDS server. I was thinking terminal server = RD Gateway only. Would that be a better fit for me?
Thanks for the additional information!
So it sounds like your users have a saved .rdp file for double-click access, and within that file it has a string like:
Do you also have
gatewayusagemethod:i: defined in the .rdp file, and is it set to 2 by chance? 2 is the “Bypass RD Gateway for local addresses” GUI setting. If set to 2, try changing that to
gatewayusagemethod:i:1 to ensure RDG isn’t bypassed.
There is also an equivalent server-side setting for bypass. You can see instructions for checking that here.
Make sure that the test users have activated the Duo Mobile app for Duo Push. When you view a user’s details page in the Admin Panel it shows whether the app is activated or not. If you open the Windows Event Viewer and navigate to Application and Services Logs > Microsoft > Windows > Terminal Services-Gateway and see something like “Error in Duo login for ‘ACME\imatest’: No default factor is available for user” that means that the user’s Duo Mobile app isn’t activated so you may need to send an activation link. See here for activation instructions.
If your test users are also Duo admins (with access to log in to the Duo Admin Panel), ensure that they also exist as end users in Duo. If the Duo app only lists one account, and that account says “ADMIN”, then that person isn’t enrolled as an end user. The “ADMIN” account in Duo Mobile is exclusively used for Admin Panel logon verification.
Here are instructions for manually creating end users in Duo and here’s some more information about user and admin account differences.
After checking all those things, try launching the .rdp file and logging in. If you still don’t receive the Duo Push request from RD Gateway, check the debug log.
One of the side effect of installing the Duo plugin for RD Gateway is that it disables RDG’s CAPs and RAPs. This is a reason that some Duo customers choose to install Duo for Windows Logon on their session hosts instead of installing the Duo plugin on their RDG server. Also, like I mentioned before, Duo for Windows Logon lets your users take advantage of the interactive Duo prompt for factor selection, while since RDG doesn’t really have its own interactive logon interface (it’s just the same MSTSC application interface for any type of Remote Desktop Connection) there’s no way for us to present a Duo prompt to the user and default to the automatic push or phone call.
If you don’t have a hard requirement that 2FA happen at your perimeter (that is, no hard requirement for a second factor at the RDG connection as opposed to the session host) connection then installing Duo for Windows Logon on your single session host may strike a good balance between security and usability.