Showing the DUO prompt on RemoteApps

I am looking to implement DUO to secure Remote Desktop connections as well as RemoteApps. When connecting to RemoteApps the DUO prompt is hidden, and the only way to reveal it is by clicking the “Show Details” button on the RemoteApp connection window. My concern is that because this window is not shown by default for RemoteApps, users will not know that they need to authenticate with DUO, and will not understand why they can’t get connected.

Is there a way I can have this login screen shown by default for RemoteApps so that users always see the DUO prompt?

I suspect the answer is no because Duo has no control over the remote desktop connection window. There is no interface exposed for the user to interact with - that’s why it has to use Duo Push and the app. I’m not sure what you mean by “Show Details” as this is what we see when we launch the RDP file:

image

If the user doesn’t twig and accept the Duo Push, they get this prompt:

image

They soon learn to check the Duo app when logging on. I personally have my mobile connected to the Phone app on Windows 10 so that the notification appears like this as a reminder:

image

Microsoft would have to make some significant changes to the protocol to allow an interface. I’m sure Duo has tried to discuss it with Microsoft…

Thanks for the reply.

When launching a RemoteApp, or more specifically connecting to the session host for the first time after being disconnected, we get this window on the client:

details1

You can see in the bottom left that there is a “Show details” button which when clicked shows the full login screen along with the Duo prompt:

I’m trying to find if there is a way to by default show the login screen as in the second image, but without user interaction (having to click on the “Show Details” button). Or at the very least I would like to have a way to remind users that they need to authenticate with Duo, such as your example of connecting the phone to the computer to get that notification.

Hmm, interesting - the dialog we get is different and there is no “Show Details” window. Is this simply downloading an RDP file and then double-clicking it to connect? Or some other method?

No, this is not simply downloading the RDP file. We have it setup so users are subscribed to the webfeed from RemoteApp and Desktop Connections. That way they can put shortcuts to the RemoteApps on their desktop, taskbar, start menu, and so on.

@robnicholson you have a different experience because I suspect you installed Duo for RD Gateway on your RDG server, which has no end-user UI for MFA. The experience @CoNETERm describes is what happens when you install Duo for Windows Logon on the remote session hosts or RDP servers and then try to access the app/desktop via RemoteFeed.

@CoNETERm to answer your original question, no, there is no way to expand that window automatically. Using autopush (the installation default for the Duo WinLogon application) and ensuring your users have Duo Mobile activated on an iOS/Android device is the best recommendation, so that way your users will receive a 2FA push request without needing to expand the session details window to interact with the remote Duo prompt.

2 Likes

Ahh thanks for explaining. I’m assuming that Duo for Windows Logon is protecting the standard Windows logon like you’d get on a Active Directory/private LAN kind of set-up? RemoteFeed - that’s new to me so something else to research :wink:

@robnicholson Here is an article that describes some reasons one may choose to apply Duo at the session host/remote system instead of RDS. The Remote Feed URL from RDWeb lets users add shortcuts to RDS published apps to their Start Menu.