Duo integrates with RDP to add two-factor authentication to Remote Desktop logins.
What login interfaces can be protected by Duo?
The Duo integration for RDP can provide two-factor authentication for RDP and local console logins. It will not add a secondary authentication prompt to the following logon types:
- Right-click “Run as administrator”
- Shift + right-click “Run as different user”
- PowerShell “Enter-PsSession” or “Invoke-Command” cmdlets
- Non-interactive logins (i.e. Log on as a Service, Log on as Batch, Scheduled Tasks, drive mappings, etc.)
I just set up a trial account, installed and configured Duo RDP, and now I can’t log in to Windows. Help!
In order for the Duo service to properly authenticate a Windows user account the username in Windows must match the username in the Duo account.
- Log in to the Duo administrative interface and make sure that you’ve added a user with a username that matches the Windows username.
- You will also need to manually enroll this user’s phone number so that the user can receive passcodes or phone calls, which are needed in order to authenticate.
- Once the user’s phone number has been added you may optionally install and enroll the Duo Mobile smartphone app, which will enable the “push” functionality for an RDP login.
- Now try to log in to Windows RDP again.
How can I configure the fail mode for RDP?
By default, the RDP integration will “fail open” if it is unable to contact the Duo service.
You can set the fail mode during installation to “fail close” by deselecting the “Bypass Duo authentication when offline” box in the Duo installer, or modify the setting after installation by changing the Registry DWORD value HKEY_LOCAL_MACHINE\Software\Duo Security\DuoCredProv\FailOpen from 1 to 0 to “fail closed.” This will deny all login attempts if there is a problem contacting the Duo service.
When modifying the FailOpen registry value on a Windows 2003 or XP system a reboot is required to make the change effective.
How can I configure auto push for RDP?
When auto push is enabled, the Duo RDP login will automatically send a push notification to the Duo Mobile application after the user enters username and password. This is the installation default.
You can choose to disable auto push by deselecting the “Use auto-push to authenticate if available” box in the Duo installer, or modify the setting after installation by changing the registry DWORD value HKEY_LOCAL_MACHINE\Software\Duo Security\DuoCredProv\AutoPush from 1 to 0.
When auto push is disabled, the user is presented with a dialog for entering another authentication factor, such as SMS or a passcode, after the Windows username and password are entered.
How do I enable debug logging?
As an administrator, use the Registry Editor (regedit.exe) to create a new REG_DWORD value called Debug at HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv with the value set to 1. The log file location is %PROGRAMDATA%\Duo Security\duo.log for version 1.1.8 and later, and %ProgramFiles%\Duo Security\DuoCredProv\duo.log for version 1.1.7 and earlier. Please note that these paths apply to both the Credential Provider and GINA Duo installations.
Can Duo protect local console logins in Windows?
Yes, the Duo RDP integration does enable two-factor authentication for local console logins. However, it can be difficult to prevent an attacker with physical access to a system from compromising it. In particular, there are two significant threats you should take care to address:
- The Duo RDP integration can be bypassed by rebooting a Windows system into Safe Mode. To limit the effect of this, you should prevent all but a select group of users logging in while Windows is running in Safe Mode. (See, for example, http://support.microsoft.com/kb/977542.)
- By default, the RDP integration will “fail open” if it is unable to contact the Duo service. A user with local console access might be able to disrupt a machine’s network connectivity (e.g. by unplugging an ethernet cord), thereby bypassing Duo authentication.
- You can set the fail mode during installation to “fail close” by deselecting the “Bypass Duo authentication when offline” box in the Duo installer, or modify the setting after installation by changing the Registry DWORD value HKEY_LOCAL_MACHINE\Software\Duo Security\DuoCredProv\FailOpen from 1 to 0 to “fail closed.” This will deny all login attempts if there is a problem contacting the Duo service.
It is also possible to only enable Duo authentication for RDP sessions (and not local console logins). This can be set during the installation by checking the “Only prompt for Duo authentication when logging in via RDP” box, or changed manually after installation by setting the Registry value HKEY_LOCAL_MACHINE\Software\Duo Security\DuoCredProv\RdpOnly to a value of 1.
When modifying the RdpOnly registry value on a Windows 2003 or XP system a reboot may be required to make the change effective.
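The fail mode, auto push, debug and RdpOnly settings above all live under the same DuoCredProv registry key. The following PowerShell script is an added example, not Duo's own code: it reads those values (treating a missing value as the installer default the FAQ states), reports the settings that weaken console protection, and offers a helper that sets fail closed. The SafeModeBlockNonAdmins value name is assumed from the Microsoft KB the FAQ links for restricting Safe Mode logons.

```powershell
# Added example (not Duo's code): audit the DuoCredProv settings described in this FAQ.
# Defaults follow the FAQ text: FailOpen=1, AutoPush=1, RdpOnly=0, Debug=0.
$DuoKey = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'
$PolKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-RegDword {
    param([string]$Path, [string]$Name, [int]$Default)
    # A missing value means the installer default applies, so return that rather than $null.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

function Get-DuoLogonAudit {
    $cfg = [ordered]@{
        FailOpen = Get-RegDword $DuoKey 'FailOpen' 1
        AutoPush = Get-RegDword $DuoKey 'AutoPush' 1
        RdpOnly  = Get-RegDword $DuoKey 'RdpOnly'  0
        Debug    = Get-RegDword $DuoKey 'Debug'    0
        # Assumed value name (from the Microsoft KB the FAQ cites); 1 blocks
        # non-administrators from logging on while Windows runs in Safe Mode.
        SafeModeBlockNonAdmins = Get-RegDword $PolKey 'SafeModeBlockNonAdmins' 0
    }
    $findings = @()
    if ($cfg.FailOpen -eq 1) {
        $findings += 'FailOpen=1: logins succeed without Duo whenever the service is unreachable (e.g. network cable unplugged).'
    }
    if ($cfg.RdpOnly -eq 1) {
        $findings += 'RdpOnly=1: local console logins are not protected by Duo.'
    }
    if ($cfg.SafeModeBlockNonAdmins -ne 1) {
        $findings += 'Safe Mode logon is not restricted: booting into Safe Mode bypasses the credential provider.'
    }
    if ($cfg.Debug -eq 1) {
        $findings += 'Debug=1: verbose logging to duo.log is on; turn it off once troubleshooting is finished.'
    }
    [pscustomobject]@{ Settings = [pscustomobject]$cfg; Findings = $findings }
}

function Set-DuoFailClosed {
    # Writes FailOpen=0 (fail closed). On Windows 2003/XP a reboot is required, per the FAQ.
    Set-ItemProperty -Path $DuoKey -Name 'FailOpen' -Value 0 -Type DWord
}

$audit = Get-DuoLogonAudit
$audit.Settings | Format-List
$audit.Findings | ForEach-Object { Write-Warning $_ }
```

Run it from an elevated PowerShell prompt on the protected host; Set-DuoFailClosed is deliberately not called automatically so the change is an explicit administrative decision.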
How does Duo RDP work with NLA (Network Level Authentication)?
Network Level Authentication (NLA) for Remote Desktop Connection is an optional security feature available in Windows Vista and later. When NLA is enabled, remote connections pre-authenticate to the remote system when the RDP client connects, before a full remote session is displayed. When NLA is disabled, the Windows username and password are entered within the RDP client session after connecting.
When the Duo RDP integration is installed on a system where NLA is enabled the RDP client will prompt for the Windows username and password in a local system dialog. That information is used to connect to the remote system and passed through to the Remote Desktop manager. Once the RDP client has completed primary authentication the full Remote Desktop session is displayed, and the Duo Security pop-up dialog will prompt to complete two-factor authentication.
When the Duo RDP integration is installed on a system where NLA is not required a full Remote Desktop session is displayed when the RDP client connects to the remote system. The Windows username and password are entered in the Remote Desktop window, and after the logon information is accepted the Duo Security pop-up dialog will prompt to complete two-factor authentication.
There are some security advantages to enabling NLA, but one of the drawbacks is that users with expired passwords are prevented from logging on. More information about NLA and RDP can be found at the Microsoft site and on Wikipedia.
How do I disable or uninstall Duo RDP in Safe Mode?
To disable the Duo integration in Windows Vista, Windows 7, Server 2008, or Windows 8 run the following from an elevated command prompt:
regsvr32 /u "C:\Program Files\Duo Security\DuoCredProv\DuoCredProv.dll"
regsvr32 /u "C:\Program Files\Duo Security\DuoCredProv\DuoCredFilter.dll"
For Windows Server 2003 run the following in the command prompt:
regsvr32 /u "C:\Program Files\Duo Security\DuoCredProv\DuoGina.dll"
You can also uninstall the Duo Windows Logon integration while in safe mode with a registry change and a service start.
- When booted into safe mode, launch the Registry Editor (regedit.exe).
- Drill down into the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal registry hive (if you are booted into regular safe mode) or down to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Network (if you are booted into safe mode with networking).
- Right-click the Minimal or Network registry key (as appropriate for your currently booted mode) and click New → Key on the context menu. Name the new key MSIServer.
- From an elevated command prompt, run the command:
net start msiserver
- You can now use Programs and Features on the Windows Control Panel (Add/Remove Programs in Windows 2003) to uninstall the Duo GINA or Credential Provider integration.
Does Duo Security’s RDP integration support a web proxy?
Starting with version 1.0.7, the RDP integration will use the HTTPS proxy server configured in your system-wide WinHTTP settings.
You can configure the proxy server(s) used by WinHTTP with the netsh command.
Can I silently install the Duo Windows Logon integration from a command line or PowerShell?
Yes, first download the appropriate msi install file for your system using the links below. Next, enter the following command into PowerShell to silently install Duo Security with auto push off and automatically restart the server if required:
cmd.exe /c C:\duo-install-file.msi ikey="Integration Key" skey="Secret Key" host="API Hostname" autopush="#0" /quiet
This performs the install with the same settings in the previous example from the command line using Windows Installer.
msiexec.exe /i C:\duo-install-file.msi ikey="Integration Key" skey="Secret Key" host="API Hostname" autopush="#0" /q
You can also choose to change the default settings for fail mode (failopen="#0" to fail closed) and whether local console logins require two-factor (rdponly="#1" to only require Duo for remote logons).
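The msiexec command and properties above can be wrapped so that a deployment script fails closed by default and checks the Windows Installer result. This PowerShell function is an added example, not Duo's installer or documentation: it assumes the MSI property names from this FAQ (ikey, skey, host, autopush, failopen, rdponly), the standard Windows Installer exit codes 0 (success) and 3010 (success, reboot required), and, unlike the FAQ's one-liner, suppresses the automatic restart so the caller can schedule it.

```powershell
# Added example (not Duo's code): silent install via msiexec with the FAQ's MSI properties.
function Install-DuoLogon {
    param(
        [Parameter(Mandatory)][string]$MsiPath,         # e.g. C:\duo-install-file.msi (placeholder)
        [Parameter(Mandatory)][string]$IntegrationKey,  # Duo "Integration Key"
        [Parameter(Mandatory)][string]$SecretKey,       # Duo "Secret Key"
        [Parameter(Mandatory)][string]$ApiHostname,     # Duo "API Hostname"
        [bool]$AutoPush = $true,    # installer default
        [bool]$FailOpen = $false,   # fail closed unless explicitly requested
        [bool]$RdpOnly  = $false    # protect local console logins as well
    )
    if (-not (Test-Path -Path $MsiPath)) { throw "MSI not found: $MsiPath" }

    # "#1"/"#0" is the DWORD notation the FAQ uses for these MSI properties.
    $flag = { param($b) if ($b) { '"#1"' } else { '"#0"' } }
    $msiArgs = @(
        '/i', ('"{0}"' -f $MsiPath),
        ('ikey="{0}"' -f $IntegrationKey),
        ('skey="{0}"' -f $SecretKey),
        ('host="{0}"' -f $ApiHostname),
        ('autopush={0}' -f (& $flag $AutoPush)),
        ('failopen={0}' -f (& $flag $FailOpen)),
        ('rdponly={0}'  -f (& $flag $RdpOnly)),
        '/q', '/norestart'   # quiet; report 3010 instead of rebooting on our own
    )
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { return 'Installed' }
        3010    { return 'Installed; reboot required (e.g. Windows 2003 GINA)' }
        default { throw "msiexec failed with exit code $($proc.ExitCode)" }
    }
}

# Usage (placeholder values):
# Install-DuoLogon -MsiPath 'C:\duo-install-file.msi' -IntegrationKey 'DIXXXXXXXX' `
#     -SecretKey '<secret key>' -ApiHostname 'api-xxxxxxxx.duosecurity.com' -AutoPush:$false
```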
MSI Download links
- Credential Provider for Windows Vista and later 32-bit
- Credential Provider for Windows Vista and later 64-bit
- GINA for Windows 2003 32-bit
- GINA for Windows 2003 64-bit
These MSI installers and properties can also be used to create a transform file for use with Active Directory Group Policy Software Publishing or other automated software deployment utilities.
I am using Internet Explorer; why am I unable to download the RDP installers?
Check your Internet Explorer options and uncheck the “Do not save encrypted pages to disk” option on the Advanced tab if it is selected. See this blog post for additional information.
Users receive the error “Logon failure: the user has not been granted the requested logon type at this computer” when attempting to log in.
This error may be seen in Duo Windows Logon version 1.1.5 or later. Ensure that the users have been delegated the “Allow log on locally” rights for console logins, or have been delegated both the “Allow log on locally” and “Allow log on through Remote Desktop Connection” rights in the computer’s local or domain-level security policy. Please see the Group Policy Settings Reference for Windows and Windows Server for more information about these user rights assignments.
When logging in via Remote Desktop, my authentication is accepted but the Remote Desktop session is disconnected. How do I fix this?
You can increase the logon timeout if extra time is needed to complete authentication (for example, if users must type in a hardware token passcode). Create a new registry DWORD value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\LogonTimeout and set it to a decimal value greater than 60. You may need to cycle the TermService service or restart Windows for the change to be recognized.
To increase the Remote Desktop logon timeout for multiple computers joined to an Active Directory domain with Group Policy, add the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\LogonTimeout value to a GPO (Group Policy object) as a registry preference item. Please see “Configure a Registry Item” at the Microsoft TechNet site for more information.
Are Windows XP and Windows 2003 supported?
Microsoft ended support for Windows XP on April 8, 2014. Duo no longer supports any integrations on Windows XP.
Duo will support the Windows Logon (RDP) integration for Windows 2003 until the planned Windows Server 2003 end of life date of July 14, 2015 with the following limitations:
- A reboot is required after installing or uninstalling the Duo Windows Logon integration.
- A password may be changed from the Windows password expiration warning dialog or the password expired prompt without first completing two-factor authentication.