03-22-2021 03:13 AM
Hi all,
we have Duo installed and working to protect access via Microsoft RD Gateway. Now we want to set up Duo also for Windows local logon, for all user local logons in the Active Directory domain. I am not sure on which server to install it. Does it have to be a domain controller, or can it be any member server and then pushed out via GPO? Can I install the Duo Microsoft RDP application on the same server where the Duo app for protecting Microsoft RD Gateway is currently installed?
thanks!
Georg
03-22-2021 05:18 AM
Hi @gg2,
If your goal is to require login to every Windows computer on the domain you’ll need to look at using our Duo Authentication for Windows Logon and RDP. This will install a client on every machine that can require 2FA before the user logs on using RDP or a local logon.
We’ve got some docs about how to push this out using Group Policy right here: 2FA for Windows Remote Desktop Protocol and Local Logons | Duo Security
03-22-2021 08:55 AM
Hi jamie,
Yes, thanks. The goal is to require login to every Windows computer on the domain with Duo. I couldn’t find the information on whether the server-side application needs to be installed on the domain controller, or whether it can be any member server?
thanks for your guidance.
03-22-2021 12:26 PM
Duo does not provide a solution that integrates directly with Active Directory. Duo protects various clients of AD by adding 2FA at the application, and does not directly add 2FA to AD account authentication itself.
03-26-2021 07:51 AM
We use this as well. It works really well and protects PCs as well as RDP sessions to servers.
You create a protected application in the duo admin portal
You install the login client on the PC to be protected
During installation you are asked for the ikey, skey and api-host of the protected application (admin portal settings)
You can automate the install for pushing out via GPO but you need to create a transform file (which will answer the install questions) which can be used with the MSI in the install bundle.
Also, I recommend creating an RMM script that removes Duo in case a user has not created an offline code and your implementation is set to “fail closed”, or you will be locked out of the PC if internet access is lost.
03-26-2021 03:31 PM
Thank you, Michael! Can you point me to the RMM script you mentioned please?
05-13-2021 07:22 AM
We wrote it in-house. You need to create a Transform file from the MSI to answer the install questions.
To Install:
@echo off
rem Silent install of the Duo Windows Logon MSI; the .mst transform answers the install prompts (ikey, skey, api-host)
msiexec /i "\path\to\Duo\Client\Installer\DuoWindowsLogon64.msi" /qn TRANSFORMS="\path\to\Duo\Client\Installer\DuoWindowsLogon64.mst"
echo Install Duo Client [WIN] complete
exit
To Remove:
@echo off
rem Unregister the Duo credential provider and credential filter so the Windows logon screen no longer loads them
regsvr32 /u "C:\Program Files\Duo Security\WindowsLogon\DuoCredProv.dll"
regsvr32 /u "C:\Program Files\Duo Security\WindowsLogon\DuoCredFilter.dll"
rem Force a reboot so the logon UI restarts without the Duo provider
shutdown /r /f
echo Disable Duo [WIN] complete
exit
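As an added example (not Michael's in-house script, and not Duo's own tooling), the following PowerShell wraps the same install and removal steps with the checks an RMM deployment would want: the msiexec exit code is inspected instead of ignored, the DLLs are verified before unregistering, and a Check action reports whether the client is present and whether it is configured fail-closed, which is the combination the post warns can lock a user out. The MSI and MST paths are placeholders, and the registry key HKLM:\SOFTWARE\Duo Security\DuoCredProv with its FailOpen value is an assumption based on Duo's documented client settings; confirm both against your installed version before relying on the result.

```powershell
# Added example wrapper for deploying Duo Authentication for Windows Logon via an RMM tool.
# Not from the thread or from Duo; paths and the registry key below are assumptions to verify.

[CmdletBinding()]
param(
    [ValidateSet('Install', 'Check', 'Remove')]
    [string]$Action = 'Check',

    # Placeholder paths: point these at the MSI and the transform generated for it.
    [string]$MsiPath = '\\path\to\Duo\Client\Installer\DuoWindowsLogon64.msi',
    [string]$MstPath = '\\path\to\Duo\Client\Installer\DuoWindowsLogon64.mst',

    # Reboot only when explicitly requested, rather than an unconditional shutdown /r /f.
    [switch]$Restart
)

$ErrorActionPreference = 'Stop'

# Install directory used by the removal script in the thread.
$DuoDir  = 'C:\Program Files\Duo Security\WindowsLogon'
$DuoDlls = @('DuoCredProv.dll', 'DuoCredFilter.dll') | ForEach-Object { Join-Path $DuoDir $_ }

# Assumed registry location of the credential provider settings; FailOpen = 0 means fail closed.
$DuoRegKey = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'

function Install-DuoWindowsLogon {
    foreach ($p in @($MsiPath, $MstPath)) {
        if (-not (Test-Path -LiteralPath $p)) { throw "Installer file not found: $p" }
    }
    # Same msiexec invocation as the batch script, with the exit code actually checked.
    $msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/norestart', "TRANSFORMS=`"$MstPath`"")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { Write-Output 'Install Duo Client [WIN] complete' }
        3010    { Write-Output 'Install complete; reboot required (msiexec exit 3010)' }
        default { throw "msiexec failed with exit code $($proc.ExitCode)" }
    }
}

function Test-DuoWindowsLogon {
    # Report what a technician wants to know before leaving a machine in fail-closed mode.
    $present = $DuoDlls | ForEach-Object {
        [PSCustomObject]@{ Dll = $_; Exists = (Test-Path -LiteralPath $_) }
    }
    $failOpen = $null
    if (Test-Path -LiteralPath $DuoRegKey) {
        $failOpen = (Get-ItemProperty -LiteralPath $DuoRegKey -ErrorAction SilentlyContinue).FailOpen
    }
    [PSCustomObject]@{
        Installed  = (@($present | Where-Object { -not $_.Exists }).Count -eq 0)
        Dlls       = $present
        FailOpen   = $failOpen
        FailClosed = ($failOpen -eq 0)
    }
}

function Remove-DuoWindowsLogon {
    # Mirrors the thread's regsvr32 /u steps, skipping DLLs that are not on disk.
    foreach ($dll in $DuoDlls) {
        if (-not (Test-Path -LiteralPath $dll)) { Write-Warning "Not found, skipping: $dll"; continue }
        $proc = Start-Process -FilePath 'regsvr32.exe' -ArgumentList @('/u', '/s', "`"$dll`"") -Wait -PassThru
        if ($proc.ExitCode -ne 0) { throw "regsvr32 /u failed for $dll (exit $($proc.ExitCode))" }
    }
    Write-Output 'Disable Duo [WIN] complete'
    if ($Restart) { Restart-Computer -Force }
    else { Write-Output 'Reboot the machine to be sure the logon screen reloads without the Duo provider.' }
}

switch ($Action) {
    'Install' { Install-DuoWindowsLogon }
    'Check'   { Test-DuoWindowsLogon }
    'Remove'  { Remove-DuoWindowsLogon }
}
```

Run it as SYSTEM or an administrator from the RMM agent, e.g. `.\Duo-Logon.ps1 -Action Check` before enabling fail-closed, and `-Action Remove -Restart` as the break-glass path the post describes. Keeping `/norestart` on the install and making the reboot opt-in on removal avoids surprising an interactive user; the Check output is what you would log centrally so that fail-closed machines without an offline-enrolled user can be found before connectivity is lost.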