Regular users on AWS RDP on Server (no 2FA)

Hello everyone, I am new on this platform and short on time to read all the stuff. I managed to install Duo Client on AWS Windows Server 2016, and 2FA is working only for users who have Builtin Administrator rights. Is there a possibility to involve 2FA for regular users (Local User or Domain User permission with RDP access)?

When I am trying the same for the regular user without membership of Builtin Administrator Rights, it says “The username you have entered is not enrolled with Duo Security. Please contact your system administrator.”

Sorry if I made some mistake when creating the topic here or posted it in the wrong place. Thank you in advance, and I am looking forward to your reply.

Hi @George_Megre,

It sounds like the user that is encountering the error might not be enrolled in Duo already. When using Duo Authentication for RDP, if your Duo policies are set to require enrollment or deny enrollment and a user is not previously enrolled in Duo, they’ll be blocked when trying to log in.

You can manually enroll the user or send emails to users to have them enroll themselves first by following our enrolling users documentation.

When I add the user to the Administrators membership, the push from Duo starts to work; without that privilege the 2FA is restricting, as I mentioned: “The username you have entered is not enrolled with Duo Security. Please contact your system administrator.” When bringing it back again, everything starts to work. Under Duo policies I now have only the Global Policy; when editing the Global Policy I have only the New User policy and may change Enrollment for new users.

I don’t know how to proceed with the application as I need to push 2FA on all the users, and I cannot give admin permission to the usual users. Any ideas on that?

Here is more detailed information about the issues that I am stuck on:

  1. Registered an account on Duo and got a 30-day demo account. Needed 2FA.
  2. On AWS Windows Server 2016 EC2 with 5 active RDP accounts, I tried to enroll the Duo 2FA for RDP and, following the steps in the guide, downloaded the installer on the machine (duo-win-login-4.2.0.exe) and installed it (IDK if I did it right, because on the EC2 machine I have promoted a Domain Controller, RDS, and created AD users with user permission).
  3. After that I created users in the Admin portal of Duo, linked them to the e-mail addresses of my users, and sent them the Duo activation request from there.
  4. All of them downloaded the app from the Play Store or App Store, depending on the mobile phone type (iOS/Android), and activated their QR codes with push notification.

Issues

  1. The users who have no admin rights on the EC2 machine and are trying to connect to RDP are getting the error “The username you have entered is not enrolled with Duo Security. Please contact your system administrator.”, and the users with admin rights are getting a notification on their mobile phone and are able to access RDP and their accounts. I cannot give all of them admin permission; it is impossible.
  2. While I was testing the environment, I somehow activated the free 10-user account for my account and I am not able to change the Global Policy as usual. All the stuff which was related to my account as a 30-day free trial has disappeared, and now I cannot bring the stuff back, as it asks me for a credit card if I want to change the type to explore the application. I don’t want to be charged while I am testing and learning. I have a project and I am short on time; as well, I am not able to delete that account and try it from scratch, and now I have some sort of subscription.

Please anyone help me somehow…

Hi @George_Megre,

I think you’ll want to reach out to our support team at this point so they can look up your account and get you sorted. You can find their info here: Duo Support
