RDS 2012 - renewing RDS SSL certificates and RAPs


Hi guys, had an issue that I recently came across and another issue that has been nagging my setup since the beginning but, due to time and bandwidth, had to put on the backburner. Both appear to be now resolved, but just thought I’d share my findings and ask the bigger question about refs/docs and user experiences, which seem to be hard to find, even within this community forum.

  1. Is there any documentation on how to renew the SSL cert with Duo installed in unified mode on Windows 2012 RDS?
    I have renewed the RDS side of things successfully, but kept getting errors on starting the remoteapp via the RD Web console.
    After much digging around, found that there was a signing cert hash setting in a file called duo.config which I can’t find any references to. Updating the hash to match the new cert fixed this.
    And I don’t recall having to select a certificate for signing when first installing Duo.

  2. I’ve been getting intermittent problems starting a remoteapp in the browser since day one. Event Viewer shows:

The user “user1”, on client computer “a.b.c.d”, did not meet resource authorization policy requirements and was therefore not authorized to resource “rds2012.server,com”.
The following error occurred: “5”.
Turns out that my connection out to the web goes through several different proxies, and they are dynamically chosen and hence have different public IPs. I managed to figure out that there was a client IP validation setting in the duo.config file. This is set to True by default; setting it to false gets me around these circumstances.

So that got me wondering: where do I find ref docs about all config settings possible with registry keys and duo.config, and anything else I haven’t come across in my googling?
Are these local settings controlled via the web admin portal? I have the free version so I can’t verify these settings. But the resources on the website don’t confirm this.



Hi Eddie,

Did you take a look at our Knowledge Base at https://help.duo.com? We have many articles about all aspects of Duo and protected applications that you may find useful in the future.

  1. When you installed Duo for RD Web with the legacy unified authentication option you were prompted to select the certificate used by RDS to sign published applications. If this RDP signing certificate expired, you can update the Duo config to use the new certificate. Please see this knowledge base article.

  2. Congratulations on finding the “ValidateClientIP” setting for RD Web. We no longer publicly document advanced configuration for unified authentication because we deprecated support for it in August 2016. The most commonly asked questions and answers about unified authentication are still found in the knowledge base.

The title of your question mentions RAPs, but I didn’t see a question about them (I’m assuming you are referring to RD Gateway Resource Authorization Policies). If you installed Duo on your RD Gateway server, you most likely found that the Duo plugin disables RDG CAP and RAP. If you had a different question, feel free to follow up.