Duo Microsoft Rdp



  1. Nov 27, 2019: Duo for Windows RDP has been working flawlessly for months where I work. Recently 2 of our users are experiencing a slow authentication prompt after changing their domain password. It's now taking 25-30 seconds before the Duo authentication prompt appears after they enter their domain password.
  2. To download or upgrade your Duo Authentication for Windows Logon (RDP) installation on a local system: Navigate to the documentation for RDP and Windows Logon and refer to the First Steps section.
  3. RDP security layer: To secure Microsoft Remote Desktop Services, you can use the SSL security layer. SSL is secure because, for it to work, the RD Session Host must present a digital certificate showing that it is legitimate. The certificate is also used to encrypt the Remote Desktop Protocol connection to the host.

The Duo Authentication for Windows Logon (RDP) v4.1.2 installer contained a bug that caused the installer to unexpectedly run and fail to complete. It displays an error that says 'Installation Stopped. We found a few potential security concerns', following an earlier successful installation.

This document details the installation steps for the Duo Windows RDP (Remote Desktop Protocol) client. Install this to set up two-factor authentication using Duo for your Windows server.

Request Duo Application Keys for Your Server

Each server should have its own Integration Key (i-Key) and Secret Key (s-Key). To request a key set for your server, contact the ITS Service Center and ask that your request be directed to the ITS Identity and Access Management (IAM) Operations team. Submit your application creation request as far in advance as possible. The application registration process will take one to three days from the time the service request is received by ITS IAM.

In the ticket, include your preferred application name. Most requests follow the format below. See Duo Naming Conventions for a more detailed explanation.

  • Application Name: (Unit's AD Prefix) (SSH/RDP) (server hostname)
  • Example: ITS SSH dodo.dsc.umich.edu

ITS IAM will communicate the i-Key, s-Key, and application host name back to the system administrator via U-M Box. These should be protected like any other key information used on your server.

Server Setup for Windows RDP

To set up a server, download the Windows installer: Duo RDP installer

The remainder of this document explains the adjustable and recommended settings based on University policy. You may also wish to read Duo's official installation guide for more details about each setting: Duo installation guide for RDP

Interactive Installation Process

The installation wizard will take you through the installation process.

Here are some things to keep in mind as you perform the installation:

  • You must use the Integration Key, Secret Key, and API Hostname provided to you by ITS Identity and Access Management, because they match settings on the Duo side. Refer to Duo Application Creation and Migration Process if you do not have this information yet.
  • Uncheck "Bypass Duo authentication when offline" for better security. You can still reboot the server into Safe Mode to bypass Duo when necessary.
  • "Use auto push to authenticate if available" has no security impact. It does, however, make the logon process faster if you have the Duo phone app, so it is recommended.
  • Leave "Only prompt for Duo authentication when logging in via RDP" unchecked. You can still use Safe Mode to bypass Duo.

Silent (Automated) Installation Process

For bulk deployments, the installer also supports command-line arguments.

Here is an example with the recommended settings previously mentioned:

Note the quote after /V and the double quote at the end. The settings are all part of one giant /V parameter.

Proxy Setup for Servers With No Internet Access

Servers that do not have direct Internet access (private IP space, and no NAT) will need to use an HTTP proxy to authenticate through Duo.

The Windows installer does not prompt for proxy settings, so you will need to edit the registry settings directly.

HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv

Non-Production: HttpProxyHost (String): duo-proxy-test.dsc.umich.edu

Production: HttpProxyHost (String): duo-proxy.dsc.umich.edu

The registry setting is only read during authentication, so no restart is required.
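
An added example, not part of the original page or Duo's own tooling: a PowerShell check that compares the values under the registry key above with the installer recommendations and proxy hosts given in this document. The value names FailOpen, RdpOnly and AutoPush are assumptions taken from Duo's documented settings rather than from this page, and $RequireProxy is a hypothetical local switch.

```powershell
# Added example: audit Duo for Windows Logon registry settings against the
# recommendations in this document. FailOpen, RdpOnly and AutoPush are assumed
# value names (from Duo's documented settings); they do not appear on this page.
$key = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'

# Recommended state of the three installer checkboxes.
$expected = [ordered]@{
    FailOpen = 0   # "Bypass Duo authentication when offline" unchecked
    RdpOnly  = 0   # "Only prompt for Duo authentication when logging in via RDP" unchecked
    AutoPush = 1   # "Use auto push to authenticate if available" checked
}

# Proxy hosts named in this document. Set $RequireProxy to $true on servers
# with no direct Internet access (hypothetical switch for this example).
$proxyHosts   = 'duo-proxy.dsc.umich.edu', 'duo-proxy-test.dsc.umich.edu'
$RequireProxy = $false

if (-not (Test-Path $key)) {
    Write-Error "Duo registry key not found: $key"
    exit 2
}

$props    = Get-ItemProperty -Path $key
$findings = @()

foreach ($name in $expected.Keys) {
    $actual = $props.$name
    if ($null -eq $actual) {
        $findings += "$name is not set (expected $($expected[$name]))"
    } elseif ([int]$actual -ne $expected[$name]) {
        $findings += "$name = $actual (expected $($expected[$name]))"
    }
}

# A missing proxy breaks authentication on isolated servers; an unexpected
# proxy host means Duo traffic is being sent somewhere this document does not name.
$proxy = $props.HttpProxyHost
if ($RequireProxy -and [string]::IsNullOrWhiteSpace($proxy)) {
    $findings += 'HttpProxyHost is empty but this server requires the HTTP proxy'
} elseif ($proxy -and ($proxyHosts -notcontains $proxy)) {
    $findings += "HttpProxyHost = $proxy is not one of the proxies named in this document"
}

if ($findings.Count -eq 0) {
    Write-Output 'Duo settings match the recommended configuration.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it from an elevated PowerShell session on the server; a non-zero exit code makes it usable as a compliance check in a bulk deployment.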