Duo RD Gateway CAP/RAP Session timeout settings

True… But was hoping for a new answer :).

Support told me they found something and are investigating how to fix it, but don’t have any timeframe. Problem is… I can’t stall this much longer for a lot of my customers… Would like to use DUO (as a happy customer of it). But it looks like i’m losing the patience of my customers… so if still nothing to report… no timeframe or even a small indication when we can expect something, we will going investigate the other software option, starting next week. Options like Google Athenticator. So please… tell me … there is more to say about this problem then install it on a session host…

It sounds like you have the most up-to-date information. I do hope that during your contacts with Support you’ve submitted your feature requests so they can be considered as we plan future work on the Windows integrations.

My information is also already old. I guess about 2 month… but no updates after that.

Well, will email them again… and otherwise… shame… but like I said… probably that we will dump duo.

Last update, was that the registery keys aren’t working because of an DUO update… and that the latest DUO (2.3.0) is set the limit to 8 hours. But, because of change of things, it is not easy to fix that without changing something in the authentication framework…

as I have read… installing the duo-rdgateway on our session host, will give someproblems with the duo trusted ip policy?

Yes I agree, installing on the session host means that Duo is not aware of the originating IP address, all sessions originate from the gateway… So you cannot have trusted IP. That is the reason we cannot use it on the session hosts. We need trusted IP because there are many shared computers at head office and these computers are locked down.

Maybe this is a push from their sales team to get you to license every single user of shared computers at a trusted site?

I can confirm that with the reg keys from support is working, I have set a 24 hour session limit and have had no complaints for months now.

Not sure if I am at risk for not installing any updates though.

I have send support an email about the register keys.
There reaction:

“Currently there is not a way to adjust this timeout. I can add you to the feature request for supporting a configurable session timeout if you would like.”

Can someone give me the register keys so our customers can use DUO without complaining about being kicked from the servers.

Hi Gary,

How did you get the registry keys to resolve this issue? Also, what version of windows server are you currently using with the windows registry keys? I’m having timeout issues with a Windows Server 2012 R2 gateway server with DUO Authentication for Remote Desktop Gateway

Is someone able to share the reg keys that resolved the issue? Duo support advise there is no fix, this is just not acceptable for our users, we are getting so many complaints. Suggestions to use the RDSH agent don’t really work for us, as this doesn’t pass through the IP so we cannot do location whitelisting.

We have the same issue, battling with Duo support for them to provide the registry keys for RD Gateway Please can you share the registry keys?

Thanks everyone for keeping this topic alive. @DuoKristina I know we have all been asking for this feature with support and our Account Executives. My account executive didn’t make it sound like there is a way to be “added” to the feature request. Maybe someone at Duo can refer to this thread if they need proof of the need for this feature.


If your AE did not know how to add you to the existing feature request, contact Support. They definitely know how to do that.

Hey all,

Wanted to jump in and ensure we set some expectations around RDG and session timeout. It is a feature we would like to address in the future, but do not have a definitive timeline for beginning development.

To set some context about where we are today, we previously attempted to add this feature to our RDG application. The implementation did not work consistently and will be removed from the product in a future update. In the meantime, we continue to work to address this feature in the correct manner.

This may not be the answer you would like to read today but any registry setting to alter default timeout behavior may break in future updates and in its current state is unsupported.

We ask that the registry setting not be shared as this is an unsupported configuration and may result in unexpected behavior.

If you are looking to be added to the feature request around this, as @DuoKristina said please contact support and they will be more than happy to help.

1 Like

Any update on this at all?

Hi @thecalstanley,

Take a look at our @PatrickKnight 's last post to this thread.

1 Like

Has this been added to any release schedule? I ask because a client of mine is considering dumping Duo if they can’t get a timeline on this. They have a global consultancy that relies heavily on RDS and having them kicked out at 8 hours is an untenable situation. Installing Duo on session hosts is not an option.

1 Like

Ok so we also discovered this after implementing Duo in our environment.

I would like the option to turn this completely off, RD has it’s own timeout settings that can be controlled via policy.

Adding wait to argument - we have been evaluating products for our business, this NON feature is a show stopper.

Duo user and MSP. Our customer asks for new timeout values and copy/paste.
Customer is very impressed with DUO. But now I need to tell them that they cannot change something as simple as the timeout values.
What shall I tell the customer?

I work for an MSP and we just came across this issue with a new client.

This issue has caused a lot of frustration for users as well as us, we spent weeks trying to find the cause only to eventually find out that Duo RDGW takes over the CAP/RAP policies and hard sets the timeout, and the only mention of this in the documentation on the site is a footnote under Testing!, this is something which SHOULD be hightlighted in the documentation at the top Before even reading anything else about the RDGW implementation.

The fact that this is still an issue 18 months after the last Duo RD Gateway update was released is rediculous.
The date on the RDGW installer is from April 2018, and we’re still being told by support that the only workaround is to remove it and install it on the RDS hosts.

We also asked about the inability for this “Recommended Solution” to support the “Authorized Networks” functionality and were basically told that they cannot advise on that as they dont know our network. What’s there to know, you’re talking about removing the app from RDGW and installing the RDS one, this isn’t complicated.
Very disappointing considering you guys developed these various implementations but can’t advise on how they actually work!

Needless to say I will NOT be recommending Duo to any future clients.

Some kind of situation report would be nice, I was added to a feature request a couple of months ago but haven’t heard anything from that. Is there anyway to get this prioritised? It’s a major nuisance.