We operate a Windows RDS environment and have protection at the rdweb layer and then protection on published applications using the duo-rdp client.
We installed the duo-win-login.exe on a session host to protect the published application and added one user to test via ad-sync; however, since installing the exe using the following PowerShell command (using elevated PS),
(C:\Windows\Temp\Duo\duo-win-login-4.1.3.exe /S /V" /qn IKEY="DXXXXX" SKEY="XXXXXXXXXXXXX" HOST="■■■■■■■■■■■■■■■■■■■■■■■■■■■" LOGFILE_MAXSIZEMB="#100" AUTOPUSH="#1" FAILOPEN="#1" SMARTCARD="#0" RDPONLY="#0"")
ALL users whether they were in the Duo console or not now receive the error “Logon Failure. The user has not been granted the requested logon type at this computer” when trying to open the RDP published application from rdweb.
This error is normally seen if the user is not part of the ‘Remote Desktop Users’ local group on that server but the RDS session collection automatically adds this and they are still in there.
This all worked before installing the duo exe.
I have to add ALL users as local admins on the server for them to launch the published app since installing Duo RDP. Obviously I don’t want to do this, so I am trying to understand why this happens.
Anyone seen this?
Is it because the exe was run elevated with admin?