DUO RD Gateway app issues

We have a small RDS 2019 “farm” and were running both the DUO RD web and RD gateway apps. Users were getting double prompted and we were ok with that. Then we began to see users (external to the network, since we bypass the RD Gateway for internal connections) getting error messages like -

  • Remote Desktop can’t connect to the remote computer…

We were also seeing this error -

  • The user on client computer did not meet the authorization policy requirements and was therefore not authorized to access the RD Gateway server.

An event log error on the gateway server showed this (even though we knew they were enrolled) -

  • Error in Duo login for ‘xxxx\xxxx’: The username you have entered is not enrolled with Duo Security. Please contact your system administrator.

So, I uninstalled the DUO RD gateway app and users don’t see the “Remote Desktop can’t connect to the remote computer…” error.

Where can I start looking to troubleshoot the RD Gateway app?

Thanks in advance
Faye

I personally only use the DUO RD Gateway app because having both Web and Gateway is kind of redundant, which is why you are prompted twice. For internal users, we don’t get prompted at all. For external users, only the gateway prompts us. When a web is used, it downloads a custom RDP and that prompts DUO RD Gateway, anyways. Good luck with your design; I’ll keep an eye on this post should you have any further questions.

Error in Duo login for ‘xxxx\xxxx’: The username you have entered is not enrolled with Duo Security. Please contact your system administrator.

Are the users enrolled in Duo with their username as dddd\xxxx or as xxxx? The Username Normalization setting for Duo applications determines whether Duo attempts to match the username exactly as received or, if enabled, Duo drops any prefix or suffix to the username.

For our Microsoft applications, we default to normalization on, so when Duo’s service receives an RDG auth request for dddd\xxxx it drops the domain prefix and looks for an existing xxxx user.

If the user in Duo has the username dddd\xxxx and normalization is on, it would fail to match the user xxxx and produce that error message.

If the user in Duo has the username xxxx and normalization is off, it would also fail to match the user dddd\xxxx and produce that error message.

So for any users who were receiving that message, verify that their Duo usernames are in a format that matches the normalization setting for your RDG app. If not, you can add the username in another format as an alias for that user from the user’s details page in Duo, for example username = dddd\xxxx and username alias 1 = xxxx.

Where can I start looking to troubleshoot the RD Gateway app?

Have you tried enabling and viewing debug output?

How do I enable debug logging for Duo Authentication?
How do I view additional log info for RD Gateway?
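
The matching rule described in the answer above, as an added example that is not part of the original thread and is not Duo's code or API: given the usernames the RD Gateway sends and a list of Duo usernames with their aliases, it reports which logins would hit the "not enrolled" error under each normalization setting. The function names, the sample users and the case-insensitive comparison are assumptions made for illustration.

```python
# Added illustration: models the matching rule described in the answer above.
# Function names and sample users are constructed, not Duo's code or API.

def normalize(username: str) -> str:
    """Drop a DOMAIN\\ prefix and an @domain suffix, as the answer describes."""
    name = username.rsplit("\\", 1)[-1]   # DOMAIN\user -> user
    return name.split("@", 1)[0]          # user@domain -> user


def lookup_key(received: str, normalization_on: bool) -> str:
    """Name that is looked up for a username received from the gateway."""
    # Assumption: usernames compare case-insensitively.
    key = normalize(received) if normalization_on else received
    return key.casefold()


def find_unmatched(received_names, duo_users, normalization_on):
    """Return the received usernames that would hit 'not enrolled'.

    duo_users maps each Duo username to a list of its aliases.
    """
    known = set()
    for username, aliases in duo_users.items():
        known.add(username.casefold())
        known.update(alias.casefold() for alias in aliases)
    return [r for r in received_names
            if lookup_key(r, normalization_on) not in known]


# Constructed sample data.
RECEIVED = ["CORP\\alice", "CORP\\bob", "CORP\\carol"]
DUO_USERS = {
    "alice": [],                 # enrolled with the bare name
    "CORP\\bob": [],             # enrolled with the domain prefix
    "CORP\\carol": ["carol"],    # prefix form plus a bare-name alias
}

if __name__ == "__main__":
    for setting in (True, False):
        missing = find_unmatched(RECEIVED, DUO_USERS, setting)
        state = "on" if setting else "off"
        print(f"normalization {state}: unmatched = {missing}")
```

The user enrolled in both formats (one as the username, one as an alias) matches under either setting, which is the alias fix the answer suggests.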

Sorry, just seeing this. Will try the suggestions and let you know how it works.