
FAQ — Duo Authentication for Microsoft Remote Desktop Services

Last Updated: January 29th, 2024

Duo for RD Web and RD Gateway - Frequently Asked Questions

General

Does Duo for Microsoft RD Web support the Duo Universal Prompt?

Yes, as of version 3.0.0 for RD Web on Windows 2016 and later. Please see the update instructions to install the latest version with Universal Prompt support, and then once you authenticate to Duo using the updated application you can activate the Universal Prompt experience for your users.

Note that Duo for RD Gateway shows no interactive Duo prompt.

What Windows versions do Duo's RDS applications support?

Duo's last day of support for installation and use of any Duo applications on Windows operating systems corresponds with the Microsoft end of support.

RDS 2019 and later

RD Gateway on Windows Server 2019 or later is supported starting with version 2.3.0 of Duo's RD Gateway application.

RD Web for Windows Server 2019 or later is supported starting with version 2.3.0 of Duo's RD Web application.

RDS 2016

RD Gateway on Windows Server 2016 is supported starting with version 2.2.0 of Duo's RD Gateway application.

RD Web for Windows Server 2016 is supported starting with version 2.2.0 of Duo's RD Web application.

RDS 2012 and 2012 R2

The last Duo release that supports Windows Server 2012 and 2012 R2 was v2.3.0.

Microsoft ended support for Windows Server 2012 and 2012 R2 on October 10, 2023.

RDS 2008 and 2008 R2

The last Duo release that supports Windows Server 2008 R2 was v2.3.0. No Duo for RDS release included support for Windows 2008.

Microsoft ended support for Windows Server 2008 and 2008 R2 on January 14, 2020.

How does Duo Authentication for RD Web affect RemoteApp and Desktop Connections?

The RemoteApp and Desktop Connections feature permits launch of remotely hosted applications from the Start Menu as if they were locally installed.

Installation of Duo Authentication for RD Web effectively disables the use of RemoteApp and Desktop Connections because there is no method for two-factor authentication when the RemoteApp and Desktop Connections client accesses the "/rdweb/pages/webfeed.aspx" or "rdweb/feed/webfeed.aspx" URLs. This applies to all versions and configurations of Duo's RD Web application.

To continue allowing remote application launch with RemoteApp and Desktop Connections, do not install Duo Authentication for RD Web on your RD Web server. You may install Duo Authentication for RD Gateway on your RD Gateway server to protect remote logons with two-factor authentication when launching applications published via RemoteApp feeds. Your users will receive a Duo authentication request automatically after entering AD credentials.

How does Duo Authentication for RD Gateway affect RD Gateway authorization policies?

Remote Desktop connection authorization policies (CAPs) and resource authorization policies (RAPs) are no longer available after installing Duo Authentication. If you require the use of CAPs and RAPs, consider installing Duo Authentication for Windows on your RDS session hosts instead.

Can I use any Duo authentication methods other than automatic Duo Push or phone call with RD Gateway?

No, Duo for RD Gateway only supports sending a push request to Duo Mobile or a phone call to a user. Duo authentication methods like SMS passcodes, hardware token passcodes, YubiKey passcodes, passcodes generated by Duo Mobile, U2F and WebAuthn security keys, and bypass codes may not be used with Duo for RD Gateway.

There is no user interface presented during login that would let a user interactively select a specific authentication method, nor is it possible to append a factor or passcode to any password during RD Gateway authentication.

Is the Remote Desktop web client available in Windows 2016 and later supported by Duo?

There are known issues with Duo's applications for RD Web and RD Gateway and the new Remote Desktop web client for RDS 2016 and later. Duo 2FA is not supported in the Remote Desktop web client at this time.

Are Mac clients supported by Duo Authentication for RD Web and RD Gateway?

RemoteApp access for Mac clients requires the following:

  • RD Web on Windows 2016 or later
  • Microsoft Remote Desktop app v8.0.5+ (latest version recommended, see MS RDP for OSX FAQ)
  • Chrome browser if using RD Web (does not work with Safari)
  • Duo Authentication for RD Web and/or RD Gateway installed using separate authentication.

Mac clients log into the RD Web server using Chrome, and complete Duo authentication. Double-clicking a published RemoteApp downloads an RDP file. Open the RDP file using the Microsoft Remote Desktop app.

If you want your Mac users to access "Remote Resources" from the Microsoft Remote Desktop app, do not install Duo Authentication on your RD Web server (as that prevents access to the webfeed url). Install Duo on your RD Gateway server only, using separate authentication.

Is Integrated Windows authentication supported for RD Web?

Duo does not support RD Web logons using Windows integrated authentication. Please use Windows Forms authentication (the RD Web default).

Is Microsoft Virtual Desktop Infrastructure (VDI) supported?

Launch of VDI desktop connections via RD Web or RD Gateway servers using Duo authentication is not supported.

Do Duo Security's RDS configurations support a web proxy?

The Duo RD Web and RD Gateway modules use the HTTPS proxy server configured in your system-wide WinHTTP settings.

You can configure the proxy server(s) used by WinHTTP with the netsh command.

Are Microsoft Small Business Server or Windows Server Essentials supported?

We do not test integration with SBS or Server Essentials and cannot guarantee support for those platforms.

Install and Uninstall

Can I silently install Duo for RD Web or RD Gateway from a command line or PowerShell?

Enter the following command into PowerShell or a Command Prompt to silently install Duo for RD Web with default options (note that the MSI filename changes to reflect the version):

Duo RD Web v3.0.0 and later:

msiexec.exe /i duo-rdweb-3.0.0.msi DUO_CLIENT_ID="DIDIXXXXXXXXXXXXXXXXXXXX" DUO_CLIENT_SECRET="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" DUO_HOST="api-xxxxxxxx.duosecurity.com" DUO_AKEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" /qn

Duo RD Web up to v2.3.0

msiexec.exe /i duo-rdweb-2.3.0.msi DUO_IKEY="DIDIXXXXXXXXXXXXXXXXXXXX" DUO_SKEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" DUO_HOST="api-xxxxxxxx.duosecurity.com" DUO_AKEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" /qn

Duo RD Gateway

msiexec.exe /i duo-rdgateway-2.3.0.msi DUO_IKEY="DIDIXXXXXXXXXXXXXXXXXXXX" DUO_SKEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" DUO_HOST="api-xxxxxxxx.duosecurity.com" DUO_AKEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" /qn

The parameter names passed to the installer (DUO_CLIENT_ID, DUO_CLIENT_SECRET, DUO_IKEY, DUO_SKEY, DUO_HOST, etc.) are case-sensitive!

You can also choose to change the default fail mode to fail closed with FAILOPEN="#0", specify UPN as the username format sent to Duo instead of the sAMAccountName with DUO_USEUPNUSERNAME="#1", or define a shared session key on multiple RD Web servers with DUO_AKEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" (the AKEY is a string that you generate and keep secret from Duo; it should be at least 40 characters long).
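As an added example (not a script shipped by Duo), the following PowerShell generates an AKEY of the required length from a cryptographic RNG and runs the RD Web v3.x silent install with the fail-closed and UPN options; the Duo client ID, secret and host are placeholders to be taken from the Duo Admin Panel, and the log path is an assumption.

```powershell
# Constructed example, not Duo's own script. Replace the placeholder Duo values
# with the ones from the RD Web application page in the Duo Admin Panel.

# Generate the AKEY yourself: Duo never sees it, it only has to match across
# your RD Web servers. Rejection sampling keeps the alphabet mapping unbiased.
function New-DuoAkey {
    param([int]$Length = 40)   # at least 40 characters, per the FAQ
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $sb  = [System.Text.StringBuilder]::new()
    $buf = [byte[]]::new(1)
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        # 248 = 4 * 62: bytes above that would skew ($b % 62) toward low indices.
        if ($buf[0] -lt 248) { [void]$sb.Append($alphabet[$buf[0] % 62]) }
    }
    $rng.Dispose()
    return $sb.ToString()
}

$akey = New-DuoAkey
$msi  = 'duo-rdweb-3.0.0.msi'                 # filename changes with the version
$log  = "$env:TEMP\duo-rdweb-install.log"     # assumed log location

# Property names are case-sensitive. FAILOPEN="#0" = fail closed;
# DUO_USEUPNUSERNAME="#1" = send userPrincipalName instead of sAMAccountName.
$props = @(
    'DUO_CLIENT_ID="DIDIXXXXXXXXXXXXXXXXXXXX"'              # placeholder
    'DUO_CLIENT_SECRET="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"'    # placeholder
    'DUO_HOST="api-xxxxxxxx.duosecurity.com"'               # placeholder
    "DUO_AKEY=`"$akey`""
    'FAILOPEN="#0"'
    'DUO_USEUPNUSERNAME="#1"'
) -join ' '

# /l*v is msiexec's verbose-log switch; the log shows which property was rejected
# if the install rolls back. Exit code 0 = success, 3010 = success, reboot needed.
$p = Start-Process -FilePath msiexec.exe -Wait -PassThru `
    -ArgumentList "/i `"$msi`" $props /qn /l*v `"$log`""
if ($p.ExitCode -notin 0, 3010) {
    throw "msiexec exited with $($p.ExitCode); see $log"
}

# Hand the AKEY back so it can be stored and reused on the other RD Web servers.
[pscustomobject]@{ ExitCode = $p.ExitCode; Akey = $akey }
```

Run it elevated from the directory that holds the MSI; keep the returned AKEY in your secrets store rather than in shell history or a transcript.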

How do I uninstall Duo Authentication for RD Web and RD Gateway?

To uninstall Duo Authentication from your RD Web or RD Gateway server, run the msiexec.exe /x command from an elevated command prompt (right-click "Command Prompt" and select the "Run as Administrator" option) against the same product MSI file you used to install Duo. For example:

  • RD Web: MsiExec.exe /X duo-rdweb-3.0.0.msi
  • RD Gateway: MsiExec.exe /X duo-rdgateway-2.3.0.msi

Uninstall silently by appending /qb to the command.

Why might the Duo RD Web or RD Gateway installer end prematurely?

The Duo installers look for the RDS role IIS web site on the C: drive. If the installer ends prematurely then you should make sure that the RDS default web site is not installed on a different drive.

If you confirm that the RDS default website directory is on the C: drive and you are still experiencing this behavior, then you should check that your IIS site permissions are sufficient for the installer to complete the installation.

Configuration

How can I configure the fail mode for Duo Authentication?

If the Bypass Duo authentication when offline box is selected during installation, authentication attempts "fail open" after primary authentication is successful if the Duo service cannot be contacted. If you leave that option unchecked during install, Duo for RD Web or RD Gateway logins "fail closed", blocking RDS access if there is a problem contacting the Duo service.

Duo for RD Web v3.x installers now default to fail closed for new installs and upgrades from v2.x and older, but upgrades from v3.0.0 to later releases preserve the installed fail mode selection.

Duo for RD Gateway installers and the RD Web v1.x and v2.x installers enable fail open by default.

This setting is controlled by a Registry DWORD value FailOpen, with 1 allowing fail open and 0 preventing fail open.

To change the fail mode:

  1. Launch the Registry Editor (regedit.exe) as an administrator.

  2. Locate the registry REG_DWORD value FailOpen at the registry path for your installed version and change the current value to 0 or 1 as desired.

    HKLM\Software\Duo Security\DuoRdweb\ (Duo RD Web 2.1.0 and later)

    HKLM\Software\Duo Security\DuoTsg\ (Duo RD Gateway 2.0.2 and later)

    HKLM\Software\Duo Security\DuoIis\ (earlier versions of the RDW and TSG installers)

    Alternatively, you can enter the reg add command in PowerShell, specifying the correct registry path for your installed Duo product and version, to create or update the registry value for "fail open" (substituting 0 for 1 to "fail closed").

    Example that enables fail open for RD Web 3.0.0:

    reg add "HKLM\Software\Duo Security\DuoRdweb" /v FailOpen /t REG_DWORD /d 1 /f

  3. After changing this setting, restart the IIS server with iisreset.

How do I change the username format sent to Duo?

Duo for RD Web and RD Gateway sends a user's sAMAccountName to Duo as the Duo username by default. You can change the username format sent to Duo to userPrincipalName (UPN) starting with version 2.3.0.

If you enable this option, you must also change the properties of your RD Web and RD Gateway application in the Duo Admin Panel to change the "Username normalization" setting to None, or Duo will drop the domain suffix from the username sent from RDW or RDG to our service, which may cause user mismatches or duplicate enrollment. If you installed Duo on both your RDW and RDG server, be sure to make the same username format selection and use the same normalization setting for both.

Choose to send userPrincipalName usernames to Duo during installation by selecting the Send username to Duo in UPN format box in the Duo installer.

Enabling this setting after Duo installation requires creating a new registry value.

To enable this setting for RD Web:

  1. Launch the Registry Editor (regedit.exe) as an administrator and navigate to HKLM\Software\Duo Security\DuoRdweb.

  2. Create or update the REG_DWORD value UseUpnUsername to set it to 1 to enable UPN username format.

    Alternatively, you can enter the command reg add "HKLM\Software\Duo Security\DuoRdweb" /v UseUpnUsername /t REG_DWORD /d 1 /f in PowerShell to create or update the registry value.

    To switch from UPN usernames to sAMAccountName, update the UseUpnUsername value from 1 to 0.

  3. After changing this setting, restart the IIS server with iisreset.

To enable this setting for RD Gateway:

  1. Launch the Registry Editor (regedit.exe) as an administrator and navigate to HKLM\Software\Duo Security\DuoTsg.

  2. Create or update the REG_DWORD value UseUpnUsername to set it to 1 to enable UPN username format.

    Alternatively, you can enter the command reg add "HKLM\Software\Duo Security\DuoTsg" /v UseUpnUsername /t REG_DWORD /d 1 /f in PowerShell to create or update the registry value.

    To switch from UPN usernames to sAMAccountName, update the UseUpnUsername value from 1 to 0.

If you installed Duo on both your RDW and RDG server, be sure to make the same username format selection and use the same normalization setting for both.

How do I configure the "Connect to a remote PC" option in RD Web to authenticate with RD Gateway?

Microsoft RD Web, when accessed with Internet Explorer, includes a feature to connect directly to remote computers using Remote Desktop and ActiveX without launching a published RemoteApp. This remote computer connection does not authenticate through RD Gateway by default.

To require RD Gateway authentication for RD Web's "Connect to a remote PC" feature, do the following:

  1. Log on to your RD Web role server as an administrator.
  2. Launch the Internet Information Services (IIS) Manager.
  3. In the IIS Manager console, navigate to Your Server Name > Sites > Default Web Site > RDWeb > Pages.
  4. Double-click the Application Settings icon.
  5. Double-click the DefaultTSGateway setting.
  6. Enter the fully qualified domain name (FQDN) of your RD Gateway server and click OK.

The change is effective immediately.

Additional information about this setting is available at Microsoft TechNet.

Troubleshooting

How do I enable debug logging for Duo Authentication?

  • RD Gateway v2.0.2 and up: As an administrator, use the Registry Editor (regedit.exe) to create a new REG_DWORD value called Debug at HKLM\Software\Duo Security\DuoTsg with the value set to 1. Restart the RD Gateway service after changing this setting.

The log file location is C:\ProgramData\Duo Security\DuoTsg\DuoTsg.log. Events are additionally written as entries in the server's "Application" event log, with "Duo Security" as the event source.

  • RD Web v2.1.0 and up: As an administrator, use the Registry Editor (regedit.exe) to create a new REG_DWORD value called Debug at HKLM\Software\Duo Security\DuoRdweb with the value set to 1. Restart the IIS server after changing this setting.

Events are written as entries in the "Duo IIS Integration" event log under "Applications and Services Logs" in the Event Viewer.

  • RD Web v1.1.12 and lower: As an administrator, use the Registry Editor (regedit.exe) to create a new REG_DWORD value called Debug at HKLM\Software\Duo Security\DuoIis with the value set to 1. Restart the IIS server after changing this setting.

Events are written as entries in the "Duo IIS Integration" event log under "Applications and Services Logs" in the Event Viewer.
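The fail mode, UPN username and debug logging settings above are all REG_DWORD values under the same per-product registry keys. As an added example (not Duo's own tooling) that covers all three, this PowerShell function picks the documented key for the installed product, records the previous value, writes the new one, and restarts the component that reads it; it assumes the RD Gateway service name TSGateway.

```powershell
# Constructed example, not Duo's own tooling. Registry paths and value names
# are the ones documented in this FAQ; TSGateway is the RD Gateway service name.
function Set-DuoRdsSetting {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateSet('RdWeb', 'RdGateway', 'LegacyIis')]
        [string]$Product,
        [Parameter(Mandatory)][ValidateSet('FailOpen', 'UseUpnUsername', 'Debug')]
        [string]$Name,
        [Parameter(Mandatory)][ValidateSet(0, 1)]
        [int]$Value,
        [switch]$Restart
    )
    $base = 'HKLM:\SOFTWARE\Duo Security'
    $key = switch ($Product) {
        'RdWeb'     { "$base\DuoRdweb" }   # RD Web 2.1.0 and later
        'RdGateway' { "$base\DuoTsg" }     # RD Gateway 2.0.2 and later
        'LegacyIis' { "$base\DuoIis" }     # earlier RDW and TSG installers
    }
    # Do not create the product key from scratch: if it is missing, that Duo
    # product (or version) is not installed and the value would do nothing.
    if (-not (Test-Path $key)) { throw "Duo key '$key' not found; is that product installed?" }

    $before = (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
    # -Force overwrites an existing value, so this both creates and updates.
    New-ItemProperty -Path $key -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
    $shown = if ($null -eq $before) { '<absent>' } else { $before }
    Write-Verbose "$key\$Name : $shown -> $Value"

    if ($Restart) {
        # RD Web and the legacy IIS module are read by IIS; RD Gateway by TSGateway.
        if ($Product -eq 'RdGateway') { Restart-Service -Name TSGateway -Force }
        else { & iisreset.exe | Out-Null }
    }
}

# Usage (run elevated):
# Set-DuoRdsSetting -Product RdWeb     -Name FailOpen       -Value 0 -Restart -Verbose  # fail closed
# Set-DuoRdsSetting -Product RdGateway -Name UseUpnUsername -Value 1 -Restart
# Set-DuoRdsSetting -Product RdGateway -Name Debug          -Value 1 -Restart
# Set-DuoRdsSetting -Product RdGateway -Name Debug          -Value 0 -Restart  # when finished
```

Remember that a debug value of 1 stays in effect until you set it back to 0, and that FailOpen=1 means RDS logons succeed on primary credentials alone while Duo is unreachable.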

How do I enable debug logging for Microsoft RD Web?

Make a backup copy of the C:\Windows\Web\RDWeb\web.config file and edit as follows:

  • Locate the line <add name="TraceTSWA" value="0" /> and change the value from 0 to 4.
  • Locate the "listeners" block following the "TraceTSWA" line that contains add name="FileLog" and remove the comment begin and end lines immediately preceding and following that listener section. Save the web.config file when done.

Before:

<system.diagnostics>
    <switches>
        <!--
		TraceTSWA has the following values
		  Off = 0, Error = 1, Warning = 2, Info = 3, Verbose = 4
	    -->
        <add name="TraceTSWA" value="0" />
    </switches>
    <trace autoflush="true" indentsize="4">
        <listeners>
            <remove name="Default" />
            <!-- Uncomment for file tracing
		<add name="FileLog"
			type="Microsoft.VisualBasic.Logging.FileLogTraceListener,
			Microsoft.VisualBasic, Version=8.0.0.0,
			Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a,
			processorArchitecture=MSIL"
			initializeData="FileLogWriter" BaseFileName="RDWeb"
			Location="Custom"
		LogFileCreationSchedule="Daily"
		MaxFileSize="50000000"
			CustomLocation="\Windows\Web\RDWeb\App_Data" />
		-->
        </listeners>
    </trace>
</system.diagnostics>

After:

<system.diagnostics>
    <switches>
        <!--
		TraceTSWA has the following values
		  Off = 0, Error = 1, Warning = 2, Info = 3, Verbose = 4
	    -->
        <add name="TraceTSWA" value="4" />
    </switches>
    <trace autoflush="true" indentsize="4">
        <listeners>
            <remove name="Default" />

		<add name="FileLog"
			type="Microsoft.VisualBasic.Logging.FileLogTraceListener,
			Microsoft.VisualBasic, Version=8.0.0.0,
			Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a,
			processorArchitecture=MSIL"
			initializeData="FileLogWriter" BaseFileName="RDWeb"
			Location="Custom"
		LogFileCreationSchedule="Daily"
		MaxFileSize="50000000"
			CustomLocation="\Windows\Web\RDWeb\App_Data" />

        </listeners>
    </trace>
</system.diagnostics>

Debug information is written to C:\Windows\Web\RDWeb\App_Data\RDWeb-date.log.
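As an added example (not Microsoft's or Duo's own script), the following PowerShell performs the two web.config edits shown above with an XML parser rather than a text editor: it takes the backup first, sets TraceTSWA to 4, and replaces the commented-out FileLog listener with the live element. The backup filename suffix is an assumption.

```powershell
# Constructed example, not from Microsoft or Duo. Applies the "Before" -> "After"
# web.config change shown in this FAQ. Run elevated.
$path   = 'C:\Windows\Web\RDWeb\web.config'
$backup = "$path.bak-$(Get-Date -Format yyyyMMddHHmmss)"   # assumed naming
Copy-Item -Path $path -Destination $backup

# PreserveWhitespace keeps the file's existing layout intact on save.
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($path)

# 1. TraceTSWA: 0 (Off) -> 4 (Verbose).
$switch = $xml.SelectSingleNode("//system.diagnostics/switches/add[@name='TraceTSWA']")
if (-not $switch) { throw 'TraceTSWA switch not found in web.config' }
$switch.SetAttribute('value', '4')

# 2. Replace the comment wrapping the FileLog listener with the <add .../> it contains.
$listeners = $xml.SelectSingleNode('//system.diagnostics/trace/listeners')
$comment = $listeners.ChildNodes |
    Where-Object { $_.NodeType -eq 'Comment' -and $_.Value -match 'name="FileLog"' }
if ($comment) {
    # The comment body is the element itself plus a leading note; strip the note
    # and parse the remainder as an XML fragment in the document's own context.
    $fragment = $xml.CreateDocumentFragment()
    $fragment.InnerXml = ($comment.Value -replace '^\s*Uncomment for file tracing', '')
    [void]$listeners.ReplaceChild($fragment, $comment)
} elseif (-not $listeners.SelectSingleNode("add[@name='FileLog']")) {
    throw 'FileLog listener not found, neither commented out nor active'
}

$xml.Save($path)
"Tracing enabled; original saved to $backup"
```

When troubleshooting is finished, restore the backup (or set TraceTSWA back to 0 and re-comment the listener) so the verbose log under App_Data does not keep growing on a public-facing RD Web host.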

How do I view additional log info for RD Gateway?

See the Application and Services Logs\Microsoft\Windows\Terminal Services-Gateway event log in the Windows Event Viewer.

Why does the Remote Desktop Session host continue to prompt for credentials?

After you log on to the RD Web site you may be prompted again for your AD login when launching a remote application. The Remote Desktop infrastructure does not support proxying login credentials to the session host. However, it is possible to proxy the credentials of the currently logged in Windows user to the session host. See the Microsoft article "How to enable Single Sign-On for my Terminal Server connections" for more information.

Why might the Duo RD Gateway integration not prompt users for two-factor authentication consistently?

Ensure that the "Bypass RD Gateway server for local addresses" option is not enabled in your RDS deployment properties or RemoteApp RD Gateway Settings.

Additional Troubleshooting

Need more help? Try searching our RDS Knowledge Base articles or Community discussions. For further assistance, contact Support.