Logon Failure. The user has not been granted the requested logon type at this computer


We operate a Windows RDS environment and have protection at the rdweb layer and then protection on published applications using the duo-rdp client.
We installed the duo-win-login.exe on a session host to protect the published application and added one user to test via ad-sync; however, since installing the exe using the following PowerShell command (using elevated PS),
(C:\Windows\Temp\Duo\duo-win-login-4.1.3.exe /S /V" /qn IKEY="DXXXXX" SKEY="XXXXXXXXXXXXX" HOST="■■■■■■■■■■■■■■■■■■■■■■■■■■■" LOGFILE_MAXSIZEMB="#100" AUTOPUSH="#1" FAILOPEN="#1" SMARTCARD="#0" RDPONLY="#0"")
ALL users whether they were in the Duo console or not now receive the error “Logon Failure. The user has not been granted the requested logon type at this computer” when trying to open the RDP published application from rdweb.

This error is normally seen if the user is not part of the ‘Remote Desktop Users’ local group on that server but the RDS session collection automatically adds this and they are still in there.
This all worked before installing the duo exe.

I have to add ALL users as local admins on the server for them to launch the published app since installing Duo RDP. Obviously I don’t want to do this, so I’m trying to understand why this happens.

Anyone seen this?
Is it because the exe was run elevated with admin?


Managed to find the below thread which in turn gave the duo guide.
Pre-req missed around GPOs for local logon, I’ll take a look at this.


Creating a GPO for the two additional user rights as per the Duo support link and applying to server OU fixed this.
Just for anyone else reading in the future.


Thanks for sharing @s_hughes78! Glad you were able to resolve this using the info you found in a past thread and the Duo guide. :+1: