Duo RD Gateway CAP/RAP Session timeout settings


#1

Duo is installed and working well on our RD Gateway server. RD Gateway Manager shows:

Due to pluggable authorization, Remote connection authorization policies and Remote Desktop resource authorization policies are no longer used to manage authentication and authorization on this system. Use the appropriate administrative tool to manage these services.

That is fine and we knew that would be the case from the installation doc.
There is no Duo admin tool for managing this.
My problem now is that since installing and rolling out Duo to users, everyone now has an 8 hour active session limit enforced. That is, the user is actively working and using the computer at the 8 hour mark after they logged in and they are booted out.

How can I lift this limit? Is there an admin section in Duo that I am not aware of?
Cheers


#2

I'm adding on to this. I have the same issue. I don’t see any way to control this. It’s very disappointing to have this issue and not be able to control session timeout. If it was set to 9 or 10 hours, probably wouldn’t be much of an issue.


#3

We also can’t find any way to control this. It’s very important for us to extend the session timeout to more than 8 hours. Now everyone needs to authenticate more than once a day.
It is frustrating for most users because this was not applicable before the implementation of DUO.

Does anyone know how to do this?


#4

The only “Work around” I have found, is to remove Duo from the RDGateway and install it on all the session hosts individually. Doing that you will get your RD CAPs and RAPs back. The downside to this is you cannot have “trusted IPs” any more, as all RDP connections to the session hosts come from the internal IP of the RDGateway servers.


#5

Having the same problem. We have multiple session hosts and it is growing. Would like to see how to fix this on the gateway server.


#6

Customers interested in using CAP/RAP with the Duo RD Gateway integration should please contact your account executive, customer success manager, or Duo Support to be added to the existing feature request for authorization support via CAP/RAP in the Duo TSG plugin.

If you have questions specifically about the 8 hour timeout, please contact Duo Support.


#7

Well, it is not that I want to use CAP/RAP… But I don’t want DUO to limit the connection on the RD Gateway :)


#8

I cannot speak to others’ expectations, but I too am happy to not be able to manage CAP/RAP through Windows Server, but have some way to manage those required settings from DUO somewhere.

Specifically, even if we could remove the 8 hour active session limit (or increase it to 14 hours)


#9

If you have questions specifically about the 8 hour timeout, please contact Duo Support.


#10

Same here.

@DuoKristina,
I did create a ticket for it. But they are giving me the option to install Duo on all my session hosts. But I don’t get why DUO is stopping the session after 8 hours. What GaryDoven is proposing, to increase it to 14 hours… would fix this issue for us too.

I also did receive 2 regkeys from support, but that did not fix it :(


#11

I too got those regkeys when speaking to support and they made no difference (Server 2012 R2 RDGateway).


#12

I too am interested in extending the timeout for a session. Requiring a call to support these days seems silly. If someone figures it out, please do post.

I’m NOT interested in deploying to the session hosts (as already addressed). Deploying solely to the RD Gateway server is favorable if the time-out can be extended. I’m assuming Duo will/is continuing to evolve the technology and will incorporate some level of RAP / CAP functionality down the road.


#14

Many customers do find installing Duo for Windows Logon on the session hosts preferable today because not only does it let them continue to use the native CAPs/RAPS, it presents an interactive MFA experience to users so they can use passcodes/tokens, select a different authentication device, etc.

We’ve also seen that with Duo RDG installed in a deployment that features an RD session farm, users may experience multiple Duo pushes as the connection broker sends them to session hosts.

With that said, any customer interested in improvements to the Duo RDG plugin should definitely contact their account exec or sales engineer, customer success manager, or Duo Support to submit a feature request.


#15

@DuoKristina,
Thank you for your reply. However, as already stated:
“I’m NOT interested in deploying to the session hosts (as already addressed). Deploying solely to the RD Gateway server is favorable…”

I’ve experimented with deploying to session hosts. While this might seem like a preferable solution for some, it would be time-consuming for our organization. We have over hundreds of virtual machines in our cloud environment (I know a GPO is an option). By deploying to an RD Gateway, a single deployment will provide the secondary authentication we are looking to achieve.

Once again, “I’m assuming Duo will/is continuing to evolve the technology and will incorporate some level of RAP / CAP functionality down the road.”


#16

However, as already stated

Yes, I understand. I was just explaining for the community why some people do prefer that setup.

Once again, “I’m assuming Duo will/is continuing to evolve the technology and will incorporate some level of RAP / CAP functionality down the road.”

So please do submit your feature requests. These are taken into account by our Product team when they plan out our roadmaps.