RDP users inquiry

So I recently signed up for the trial to see if this would work for me, after talking to support. They informed me that the environment type I’m using could work.

Here’s how it is: all users who will have Duo use the username “Administrator”, the default on Windows Server. They said I could add the computer name in front of Administrator, like
Computername/Administrator
This makes the user all lower case. Once Duo is installed on the virtual server, an error comes up saying the user doesn’t match and to contact the administrator. Does anyone have a workaround for this besides creating users on each system?

Hi @Josh615, welcome to the Duo Community! I think the help article here may have the answer you’re looking for. In order for the Duo service to properly authenticate a Windows user account, the username in Windows must match the username in the Duo account. If you’re seeing the error The username you have entered is not enrolled with Duo Security then the account you are using to log into Windows does not match a Duo user. Please take a look at that article for the steps to troubleshoot this.

@Josh615 If you are looking to have “computername\administrator” map to a specific Duo user with the same username, this can be done if you have username normalization (mentioned in the article @Amy provided above) turned off in the Microsoft RDP application settings (Protecting Applications | Duo Security). If set to Simple (default), this will drop the “computername” prefix during authn.

Also, ensure that the Duo for Winlogon client is set to use the NTLM username format, which should be the default (registry setting USERNAMEFORMAT set to 1): Duo Authentication for Windows Logon and RDP: FAQ | Duo Security

Please note that this method really only works if you have a 1:1 user to computer mapping. If a team of IT Admins need to use the same local Administrator account for a given server, only the 2FA device associated with that person/account will be prompted for Duo MFA. Creating local user accounts that are unique to each person or using Active Directory would be preferred.

Hope this helps!

Yes, this did help. Now I’m getting an issue with 1 user where it says he’s not enrolled. He has done the link but it still persists. I’ve remade the user account and resent the enrollment email, same issue. Any tips on that?

If you have verified that his account in Duo shows as enrolled via the Admin Panel, you may want to verify how the username format is being sent by examining the Duo for Winlogon client debug logs: Knowledge Base | Duo Security

If a computername is rather long, the NTLM prefix will be cut short, so creating the Duo username the way it appears in the logs is required. I believe 15 characters is the limit before NetBIOS characters cut off, per Microsoft.
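To make the username mapping in the two replies above concrete, here is an added example (not code from the Duo Community thread, and not Duo's own client code). It models the behaviour the thread describes: the Winlogon client sends the NTLM form `COMPUTERNAME\account`, the computer-name prefix is the NetBIOS name (cut to 15 characters), “Simple” username normalization drops the prefix, and the result is compared to Duo usernames case-insensitively. The lowercasing and truncation rules are assumptions taken from the thread, and the long computer name in the sample data is constructed.

```python
# Added example: predict the username a Windows host would present to Duo
# under the NTLM username format, so an admin can create the matching Duo
# user before enrolment instead of guessing from the "not enrolled" error.
# Assumptions (from the thread, not Duo documentation): the prefix is the
# NetBIOS computer name (max 15 chars), "Simple" normalization strips the
# prefix, and comparison is case-insensitive.

NETBIOS_MAX_LEN = 15  # NetBIOS computer-name limit per Microsoft


def netbios_name(computer_name: str) -> str:
    """Return the NetBIOS form of a Windows computer name: first 15 characters, upper-case."""
    return computer_name[:NETBIOS_MAX_LEN].upper()


def expected_duo_username(computer_name: str, account: str, normalization: str = "simple") -> str:
    """Return the lower-cased username the client is expected to send to Duo.

    normalization="simple"  -> prefix dropped, e.g. "administrator"
    normalization="none"    -> NTLM form kept, e.g. "win-vr8lsn8bfl1\\administrator"
    """
    mode = normalization.lower()
    if mode == "simple":
        return account.lower()
    if mode == "none":
        return f"{netbios_name(computer_name)}\\{account}".lower()
    raise ValueError(f"unknown normalization mode: {normalization!r}")


def check_enrollment(duo_usernames, computer_name: str, account: str, normalization: str = "simple"):
    """Return (is_match, expected_username).

    is_match is True when some Duo username equals the predicted username
    (case-insensitive); otherwise expected_username is the name to create.
    """
    expected = expected_duo_username(computer_name, account, normalization)
    known = {u.lower() for u in duo_usernames}
    return expected in known, expected


if __name__ == "__main__":
    # Constructed sample Duo directory: one user created for a host whose
    # name is exactly 15 characters (from the thread) and one created with
    # the full, untruncated name of a long hostname (constructed).
    duo_users = [
        "win-vr8lsn8bfl1\\administrator",
        "FILESERVER-PRODUCTION-01\\administrator",
    ]
    for host in ("WIN-VR8LSN8BFL1", "FILESERVER-PRODUCTION-01"):
        ok, expected = check_enrollment(duo_users, host, "Administrator", "none")
        status = "matches" if ok else "NOT enrolled; create Duo user"
        print(f"{host:26} -> {expected:32} {status}")
```

Run as-is, the second host shows the failure mode from the thread: the Duo user was created with the full computer name, but the client sends the 15-character NetBIOS prefix (`fileserver-prod\administrator`), so the lookup fails until a Duo user with the truncated name exists.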

I don’t see any errors on this end. I will have him redo the verification. I was sure to have him enroll before installing the application on the device. Is this a good practice whenever I remake a user? Reinstall the app on the pc as well?

Re-installing the Duo for Winlogon client is not required for re-enrolling a user in Duo.

You might verify enrollment by sending this user a Duo Push: Duo Administration - Manage Users | Duo Security

I’ve done that and they get the push.

Does the win-vr8lsn8bfl1\administrator username appear in the debug logs as the username being sent to Duo?

I don’t have the debug mode enabled currently.

So here’s some more insight: I watched him do the enrollment, and he never received the “Congrats, you are enrolled and can use Duo services” message.