Solved: Duo RD Gateway CAP/RAP Session timeout settings

GaryDoven · ‎10-18-2018

Duo is installed and working well on our RD Gateway server. RD Gateway Manager shows

“Due to pluggable authorization, Remote connection authorization policies and Remote Desktop resource authorization policies are no longer used to manage authentication and authorization on this system. Use the appropriate administrative tool to manage these services.”

That is fine and we knew that would be the case from the installation doc.
There is no Duo admin tool for managing this.
My problem now is that since installing and rolling out Duo to users, everyone now has an 8 hour active session limit enforced. That is, the user is actively working and using the computer at the 8 hour mark after they logged in and they are booted out.

How can I lift this limit? Is there an admin section in Duo that I am not aware of?
Cheers

PatrickKnight · ‎05-18-2020

In light of COVID-19 and the exponential rise we’ve seen in RDGateway usage, we have updated our Knowledge Base article to include the necessary keys to edit the Max Sessions and Idle Timeout values. These options are still unsupported, but have been tested against Microsoft Server 2012R2 through Server 2019, so please utilize them at your own risk.

We know this has been a long-requested option that has gone unaddressed, and we hope offering these keys as an unsupported option will help improve your experience with Duo, but publishing these keys still does not live up to the expectation we’d like to offer around RDG. Hopefully this helps today and we’ll update the community with additional information we have to share around the future of RDG.

If you have any feedback please DM me here or reach out to me via email at pknight@duo.com

Thanks,
Patrick

View solution in original post

sbarron · ‎12-07-2018

I adding on to this. I have the same issue. I don’t see any way to control this. It’s very disappointing to have this issue and not be able to control session timeout. If it was set to 9 or 10 hours, probably wouldn’t be much of an issue.

jcv86 · ‎12-10-2018

We can’t also find any way to control this. It’s very important for us to extend the session timeout to more then 8 hours. Now everyone need to authenticate more then ones a day.
it is frustrating for most users because this was not applicable before the implementation of DUO.

Does anyone know how to do this?

GaryDoven · ‎12-10-2018

The only “Work around” I have found, is to remove Duo from the RDGateway and install it on all the session hosts individually. Doing that you will get your RD CAPs and RAPs back. The downside to this is you cannot have “trusted IPs” any more, as all RDP connections to the session hosts come from the internal IP of the RDGateway servers.

Flyer1 · ‎01-07-2019

Having the same problem. We have multiple session hosts and it is growing. Would like to see how to fix this on the gateway server.

DuoKristina · ‎01-08-2019

Customers interested in using CAP/RAP with the Duo RD Gateway integration should please contact your account executive, customer success manager, or Duo Support to be added to the existing feature request for authorization support via CAP/RAP in the Duo TSG plugin.

If you have questions specifically about the 8 hour timeout, please contact Duo Support.

Duo, not DUO.

Flyer1 · ‎01-08-2019

Wel it is not that I want to use CAP/RAP… But I don’t want DUO to limit the connection on the RD Gateway

GaryDoven · ‎01-08-2019

I cannot speak to others expectations, but I too am happy to not be able to manage CAP/RAP through Windows Server, but have some way to manage those required settings from DUO somewhere.

Specifically, even if we could remove the 8 hour active session limit (or increase it to 14 hours)

DuoKristina · ‎01-08-2019

If you have questions specifically about the 8 hour timeout, please contact Duo Support.

Duo, not DUO.

Flyer1 · ‎01-09-2019

Same here.

@DuoKristina,
I did create a ticket for it. But, they are giving me the option to install duo on all my session hosts. But, I don’t get it why DUO is stopping the session after 8 hours. As GaryDoven is proposing is to increase it to 14 hours… would fix this issue for us to.

mhowell · ‎01-10-2019

I too am interested in extending the timeout for a session. Requiring a call to support these days seems silly. If someone figures it out, please do post.

I’m NOT interested in deploying to the session hosts (as already addressed). Deploying solely to the RD Gateway server is favorable if the time-out can be extended. I’m assuming Duo will/is continuing to evolve the technology and will incorporate some level of RAP / CAP functionality down the road.

DuoKristina · ‎01-11-2019

Many customers do find installing Duo for Windows Logon on the session hosts preferable today because not only does it let them continue to use the native CAPs/RAPS, it presents an interactive MFA experience to users so they can use passcodes/tokens, select a different authentication device, etc.

We’ve also seen that in with Duo RDG installed in a deployment that features an RD session farm users may experience multiple Duo pushes as the connection broker sends them to session hosts.

With that said, any customer interested in improvements to the Duo RDG plugin should definitely contact their account exec or sales engineer, customer success manager, or Duo Support to submit a feature request.

Duo, not DUO.

mhowell · ‎01-11-2019

@DuoKristina,
Thank you for your reply. However, as already stated:
“I’m NOT interested in deploying to the session hosts (as already addressed). Deploying solely to the RD Gateway server is favorable…”

I’ve experimented with deploying to session hosts. While this might seem like a preferable solution for some, it would be time consuming for our organization. We have over hundreds of virtual machines in our cloud environment (I know a GPO is an option). By deploying to a RD Gateway, a single deployment will provide the secondary authentication we are looking to achieve.

Once again, “I’m assuming Duo will/is continuing to evolve the technology and will incorporate some level of RAP / CAP functionality down the road.”

DuoKristina · ‎01-11-2019

However, as already stated

Yes, I understand. I was just explaining for the community why some people do prefer that setup.

Once again, “I’m assuming Duo will/is continuing to evolve the technology and will incorporate some level of RAP / CAP functionality down the road.”

So please do submit your feature requests. These are taken into account by our Product team when they plan out our roadmaps.

Duo, not DUO.

danielbunce · ‎03-19-2019

So is there a way to change the timeout settings with Duo installed on the RD Gateway. We are experiancing this issue and prefer the DUO application on the RDGW. And if not how do we get that option to be put on a roadmap to be fixed as this is something that needs to be able to be controlled. Thanks