Duo Microsoft Rdp

Posted on by



Duo Authentication for Microsoft Remote Desktop Web Access adds two-factor authentication protection to RD Web portal browser logons. When logging on to the RD Web portal, users receive the Duo enrollment or authentication page after primary authentication.

Use the following instructions to deploy Duo Authentication for Windows Logon (RDP) with System Center Configuration Manager (SCCM): Download the MSI of Windows Logon here. Unzip the file and select the 32-bit or 64-bit version needed. Follow the silent install instructions for MSI to establish the parameters you wish to use for installation. Install DUO Authentication on the server(s) and client(s) you want to protect. In this step we’ll install an application that will be configured to use the secrets above and that will protect RDP connections with DUO’s MFA. Download the Duo Authentication for Windows Logon installer package. Note, the link will bring you to DUO’s latest.

Duo Microsoft Rdp Login

Duo

Request the integration

For help requesting the integration, see Integrate Duo with an application.

Download

Install the integration

Duo Microsoft Rdp

Once you have the API hostname, integration key, and secret key, you can run the installer to set up the integration. For instructions, go to Duo Authentication for Windows Logon and RDP and click Run the Installer.

If during the installation you see the error 'The hostname or keys you have entered are invalid', see the troubleshooting steps at Why did I get the error message 'The hostname or keys you have entered are invalid' while installing Duo Authentication for Windows Logon?

Install the integration on a machine with a private IP address

If you have a server with an IU private IP address, you will need to have a proxy set up so that the machine can communicate with the Duo servers. Servers with private IP addresses in Data Center systems can still connect to the Duo authentication servers, because a universal rule has been added that automatically grants proxy access.

For more about the private IP proxy, including the proxy service IP addresses, see About proxy services at IU.

To complete the installation on a server that needs to use this proxy:

  1. Open PowerShell as an administrator, and enter the following command:
  2. Complete the installation by following the instructions at Duo Authentication for Windows Logon and RDP, under 'Run the Installer'.
  3. In PowerShell as an administrator, enter the following command:
  4. To configure the proxy, follow the instructions at Duo Authentication for Windows Logon and RDP - FAQ. Enter the following for each variable:

If you notice that a machine on a private IP is not receiving Windows updates, you may need to run the following command:

Skip to end of metadataGo to start of metadata
  1. The Duo RDP integration will add two-factor authentication to all Windows login attempts, whether via a local console or over RDP, unless you select the “Only prompt for Duo authentication when logging in via RDP” option in the installer. If two-factor is enabled for both RDP and console logons, it may be bypassed by restarting Windows into Safe Mode (e.g. in case of a configuration error).
  2. This RDP integration doesn’t support inline self-service enrollment. Any users of the system must have a device enrolled prior to attempting to authenticate.

Prerequisites

See Full List On Duo.com

Check your server versions before starting. This integration works with Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008 R2, Windows Server 2012 and R2, and Windows Server 2016.

Then: Download marvell cameras.

  1. Have all users for the system visit CAS at my.vcu.edu, so they can register for DUO service. (Note: If a user is already registered and need to register a new device, the user must login to CAS from a non-VCU location such as from the cellular network or from home.)
  2. Have your API keys1 on hand.
    • Submit a request for API keys either by calling the VCU helpIT Center or (for advanced users) submitting a ticket
  3. Download the Duo RDP Installer Package:

Run the Installer

Run the installer with administrative privileges to run it. Accept the license agreement and enter yourintegration key, secret key, and API hostname when prompted:

Duo Microsoft Rdp Download

Test Your Setup

To test your setup, attempt to log in to your newly-configured system as the user you enrolled in the previous step.

When auto-push is enabled (the default option), a popup will appear notifying you that a login request has been pushed to your phone. When it is not enabled, you will be able to select the authentication option on the login screen.

If auto-push is disabled or if you click the Cancel button on the auto-push dialog, a popup will appear asking for a Duo passcode (either generated with Duo Mobile, sent via SMS, or generated with a hardware token).

Cached

Remember: if you find that the Credential Provider has locked you out of your Windows system (e.g. due to a configuration error), you can reboot into Safe Mode to bypass it.

Notes

API Keys

1: API keys are used to connect your DUO client instance to VCU's DUO service, and also ensure that your DUO authentication information is secured in transit.