RD Gateway RAP/CAP

I read this in the documentation: "Installing Duo’s RD Gateway plugin disables Remote Desktop Connection Authorization Policies (RD CAP) and Resource Authorization Policies (RD RAP). The CAPs and RAPs become inaccessible from the Remote Desktop Gateway Manager and previously configured policy settings are ignored by Remote Desktop Gateway. If operational requirements mandate continued use of RD CAPs/RAPs, you may want to consider installing Duo for Windows Logon at your RDS Session Hosts instead."

But I could not find anything on what the RD Gateway will use instead of RAP/CAP? I followed the instructions to install the RD Gateway software and now all users that we test with get an error stating they do not have access. I am sure I missed something simple but I am unable to tell what.

Are they getting “no access” because they didn’t click Approve in Duo on their phone?

There are no CAPs/RAPs with Duo for RD Gateway. Its access control is located within the Duo Security Admin panel.

I’m assuming you did the entire setup, similar to this (see circled items):

Good luck!

Thank you for the reply. No, the user is never prompted to approve the login; they simply receive a message that they are not authorized.

I did set the application policy, but there are only 4 users to manage, so none of them are restricted. It’s a pretty basic setup. If I install the Duo for Windows client, it prompts them at the desktop, but I wanted to place the security at the RD Gateway. Unfortunately, when I do, it doesn’t prompt; it just denies the login.

When you installed Duo on your Remote Desktop Gateway server, did you use the info from Duo Protected Applications, such as the Integration Key, Secret Key and API Hostname for Duo RD Gateway? Is your RDG server joined to the domain? And, I’m assuming the 4 users have Duo Mobile installed on their smartphones, and that they’re all enrolled properly? Do they show up anywhere in the Duo Admin panel, specifically any attempts, like success or failed, in the authentication report?

I’m sure you read the documentation but, if not, it’s here: Two-Factor Authentication for Microsoft RD Gateway on Windows 2012 and Later | Duo Security