Duo RD Web never prompting to set-up Duo or authenticate

I've posted in someone else's thread but thought I'd start my own as that's marked as solved. Scenario is a standalone RDS server running as RD broker, gateway, web server, host with Duo RD Gateway and RD Web. Gateway protection is working fine via Duo Push but many months ago, I became aware that none of my small clients (I have three) were being prompted for Duo when they logged on to the RDWeb portal. I didn't think too much of it as they were still protected via Duo on the gateway. So hackers could get to the list of RDP files but no further. A risk but a low one.

However, I know that it used to work. When a new user logged onto RDWeb, they were prompted with a series of Duo screens assisting them in getting their Duo account and mobile app set up. Some time ago, they stopped working.

In the other thread, the solution was something to do with TLS 1.0 and 1.1 deprecation. I did read the emails honestly but they were pretty confusing. It was never clear whether they were talking about the RD server, the PC accessing the gateway or the mobile device running the Duo mobile app.

As June came and went and no clients started screaming, I decided it must have been okay. I had checked that TLS 1.2 was available.

I've just migrated the one free user to a new Windows server. My other clients where it doesn't work are paying clients so might pursue via their accounts as it's not working there either.

On this site, TLS 1.0 and 1.1 were enabled on the RDS server (and therefore web) so I've disabled them using the excellent IISCrypto tool. I've also disabled them on my PC. So TLS 1.0 and TLS 1.1 are disabled on both server and client. Didn't make any difference.

I've enabled logging on RD Web and entries are occurring there so Duo RD Web is doing something but not sure what I'm looking for.


DuoKristina
Cisco Employee

Look at the content of the events generated by Duo for RD Web in the Windows Event Viewer log. Do any of the events say that they are timing out on attempts to reach Duo and therefore failing open? This would let your users in without 2FA, and your RD Web attempting to contact Duo's service using outdated TLS or insecure ciphers is one of many possible reasons that your users don't see the Duo prompt.

However, if you have Duo for RD Gateway installed on the SAME server, and that is working properly, that hints that it might not be related to TLS/Ciphers, because both Duo for RDG and Duo for RDW make similar API connections to Duo's service and would both be using the TLS and crypto settings for that server's OS and for the installed .NET on that server used by the Duo applications.

The Windows support script described here: https://help.duo.com/s/article/8296?language=en_US is a quick way to verify your server has TLS and crypto configured as needed for Duo application connectivity. I suggest running that to eliminate TLS/crypto as a possible issue (or, if the script notes missing config, make those corrections to hopefully resolve your issue).

>It was never clear whether they were talking about the RD server, the PC accessing the gateway or the mobile device running the Duo mobile app.

They were talking about ALL of them (depending on the Duo application). When someone logs into RD Web protected by Duo...
- the Duo RDW app on the server tries to contact Duo
- the browser on the user's access device tries to load content from Duo
- the Duo Mobile app on the user's phone needs to receive the request from Duo and respond

If any of those were incapable of making TLS 1.2 communications with Duo using a supported cipher it can cause issues with the entire auth process.

So, run that Duo Windows support script to verify the TLS/crypto config on the server. Look at the actual Duo event log events to see what they say, and try searching the Duo Knowledge Base https://help.duo.com for articles that may assist you. Please don't post your raw debug logs here in the community. The only place you should send raw debug logs is to Duo Support when requested by a Duo support engineer. You can open a case with Duo Support using one of the methods described at https://duo.com/support. 

Duo, not DUO.

Here is the log from my lab install on Windows Server 2019:

https://maltsystems-my.sharepoint.com/:u:/g/personal/rob_nicholson_maltsystems_co_uk/Eb2-1C2NFexDiPqLbV82ruUBmgvmMGnRDSMSHx6SVovxNg?e=ZEb237 

I've downloaded the log from a client site but that shows straight away that TLS 1.0 and 1.1 are not disabled so I'm going to sort that out first. But we can maybe focus on getting it working in the lab first.

Later... this is from a new Windows Server 2022 build on Hyper-V, not yet live. I suspect the PowerShell script needs updating for server 2022:

https://maltsystems-my.sharepoint.com/:t:/g/personal/rob_nicholson_maltsystems_co_uk/EaX_Lso3-GxMt0bpBFvhwRQBqbSprNoz-HmfPmP4beXUdw?e=hG2vcj 

DuoKristina
Cisco Employee
(Accepted solution)

I saw what you were posting in the other thread.

You should check specifically this on the RDS server where you have Duo RDW/RDG installed: https://help.duo.com/s/article/7546?language=en_US#winnet

The IIS Crypto config only applies to Windows OS and doesn't also make the needed changes to .NET installed on that server.

As the installed Duo applications on that server make *outbound* requests to Duo, the SSL scanner report, which shows output for a test of *inbound* connectivity to your server, isn't as useful as the Duo support script will be to help diagnose if any TLS/crypto requirement isn't met.

You might want to delete that report from your post on the other thread unless you don't care if everyone who accesses Cisco community now knows your RDW external hostname? 🤷‍

Duo, not DUO.
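An added example, not the Duo support script and not code from this thread, that audits the two layers the reply above separates: the SCHANNEL protocol keys that IIS Crypto edits, and the .NET Framework 4.x keys it leaves alone, which outbound .NET clients such as the Duo RD Web application consult. The key names (SystemDefaultTlsVersions, SchUseStrongCrypto) are Microsoft's documented .NET TLS settings and are assumed here to be the ones the linked Duo article covers; the Duo support script remains the authoritative check.

```powershell
# Run in an elevated PowerShell on the RDS host carrying Duo RDW/RDG.
# Layer 1: OS-level SCHANNEL protocol state (what IIS Crypto changes).
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    $key = Join-Path $schannel "$proto\Client"
    $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $state = if ($null -eq $enabled) { 'not set (OS default)' }
             elseif ($enabled -eq 0) { 'disabled' } else { 'enabled' }
    Write-Host ("SCHANNEL {0} client: {1}" -f $proto, $state)
}

# Layer 2: .NET Framework 4.x. SystemDefaultTlsVersions=1 makes .NET follow the
# OS SCHANNEL policy; SchUseStrongCrypto=1 drops weak legacy defaults. Both the
# 64-bit and WOW6432Node (32-bit) hives matter, as the Duo apps may be either.
# (Assumption: these Microsoft-documented keys are the "registry keys" the KB
# article and the thread refer to.)
$dotnetKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
)
$problems = @()
foreach ($key in $dotnetKeys) {
    foreach ($name in 'SystemDefaultTlsVersions', 'SchUseStrongCrypto') {
        $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($value -ne 1) {
            $problems += "$key\$name is '$value' (expected DWORD 1)"
        }
    }
}

if ($problems.Count -eq 0) {
    Write-Host '.NET TLS settings OK: .NET clients will negotiate per OS policy'
} else {
    # This is the mismatch described above: OS hardened, .NET still on its own
    # defaults, so the Duo app's outbound call may fail and the prompt vanish.
    Write-Warning 'Duo applications on this host may still attempt outdated TLS:'
    $problems | ForEach-Object { Write-Warning "  $_" }
    # Remediation (a reboot is required afterwards), one line per hive:
    # New-ItemProperty -Path $hive -Name SystemDefaultTlsVersions -Value 1 -PropertyType DWord -Force
    # New-ItemProperty -Path $hive -Name SchUseStrongCrypto -Value 1 -PropertyType DWord -Force
}
```

Pair the result with the Duo RD Web events in Event Viewer: a host whose .NET keys are missing while TLS 1.0/1.1 are disabled in SCHANNEL is the combination that leaves the gateway working and the web prompt silently gone.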

Thanks for the article link, most useful.

>hints that it might not be related to TLS/Ciphers

About to run the script but this problem occurs on all four Duo installations I support - three clients plus my own test lab. I must have missed something several times!

Thanks - the registry keys did the trick in the lab. I'm about to try on the new Windows Server 2022 build and then other clients. Have to do out of hours as a reboot is needed.

Later... also worked on Windows Server 2022.

Considering that this issue has occurred on four systems, shouldn't one consider setting those registry keys in the RD Web installer script?

Also, I wonder how many installations have silently lost Duo authentication through RD Web and not worried about it because the gateway is still protected? One has to admit that the communication around TLS was, err, confusing, to say the least.

DuoKristina
Cisco Employee

Thanks for confirming the .NET reg changes worked.

Duo, not DUO.