Local and Domain Administrator Can't Log In to RDP

I’m brand new to Duo, trying it out for the first time. I’ve read through all the associated guides I could find, but haven’t found an answer.

I set up a user in Duo with the name domain\Administrator, and aliases hostname\administrator and domain\cquinlan. The domain\administrator and hostname\administrator accounts get the error below. I didn’t find anything about local\domain admins not working with RDP in Duo, so I thought I was doing something wrong. I was able to log in with domain\cquinlan, though, which is an alias for the same Duo account. Can someone point out what’s going wrong? I know logging in with a local or domain admin is a poor security practice - but right now it’s in a non-prod lab, and some systems require local admin to run.

Error message text: The username you have entered is not enrolled with Duo Security. Please contact your system administrator.

Hi @Chad_Quinlan!

The Duo Microsoft RDP application enables username normalization by default, so domain\username becomes username for Duo auth.

You have two options:

  1. Access the Microsoft RDP application in the Duo Admin Panel and change the “Username normalization” option from “Simple” to “None” so that the full domain+username is sent to Duo, matching the username or aliases configured for your user.

OR

  2. Edit your Duo user to remove the DOMAIN\ prefixes from the usernames, or add the usernames without the domain prefix as additional aliases.

I was sure this was noted in the documentation for our RDP application and see that it isn’t mentioned at all. We’ll update to mention this default normalization setting.

Thanks for trying Duo!