Skip navigation
Menu
Close

Connect with Duo users and security professionals in our Community.

Can't find what you're looking for? Contact Sales or Contact Support.

Documentation

Duo Authentication for Windows Logon and RDP

Contents

Related

Duo integrates with Microsoft Windows client and server operating systems to add two-factor authentication to Remote Desktop and local logons.

There is a known issue with using Duo authentication and Microsoft/Live accounts after installing the Windows 10 Fall Creators Update (version 1709) released 10/17/17. Please see the Microsoft Account FAQ item for more information and a workaround.

 

Important Notes

  • Installing Duo Authentication for Windows Logon adds two-factor authentication to all Windows login attempts, whether via a local console or over RDP, unless you select the "Only prompt for Duo authentication when logging in via RDP" option in the installer. If two-factor is enabled for both RDP and console logons, it may be bypassed by restarting Windows into Safe Mode (e.g. in case of a configuration error). If you wish to protect local console logons with Duo, please see the FAQ for some guidance on securing your Windows installation appropriately.
  • Duo Authentication for Windows Logon doesn't support inline self-service enrollment. We recommend using bulk enrollment to send your users unique self-enrollment links via email. Read the enrollment documentation to learn more.
  • Additional configuration may be required to log in using a Microsoft attached account. See Can I Use Duo with a Microsoft Account? for more information.
  • Windows users must have passwords to log in to the computer. Users with blank passwords may not login after Duo Authentication installation.

Connectivity Requirements

This integration communicates with Duo's service on TCP port 443. Also, we do not recommend locking down your firewall to individual IP addresses, since these may change over time to maintain our service's high availability.

System Requirements

Duo Authentication for Windows Logon supports both client and server operating systems.

Clients:

  • Windows 7 SP1
  • Windows 8
  • Windows 8.1
  • Windows 10 (as of v1.1.8)

Servers (GUI and core installs):

  • Windows Server 2008 SP2
  • Windows Server 2008 R2 SP1
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016 (as of v2.1.0)

Duo Authentication for Windows Logon also requires .NET Framework 4.5 or later. If the correct .NET version is not present on your system then Duo setup prompts you to install the .NET Framework.

Ensure your system's time is correct before installing Duo.

First Steps

  1. Sign up for a Duo account.

  2. Log in to the Duo Admin Panel and navigate to Applications.

  3. Click Protect an Application and locate Microsoft RDP in the applications list. Click Protect this Application to get your integration key, secret key, and API hostname. (See Getting Started for help.) You will need this information to install the Duo application.

  4. We recommend setting the New User Policy for your Microsoft RDP application to Deny Access, as no unenrolled user may complete Duo enrollment via this application.

  5. Download the Duo Authentication for Windows Logon Installer Package.

Treat your secret key like a password

The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!

Enroll a User

Add your first user to Duo, either manually or using bulk enrollment. The username should match your Windows logon name. Install Duo Mobile and add your account to it so you can use Duo Push. If the user logging in to Windows after Duo is installed does not exist in Duo, the user may not be able to log in.

Run the Installer

  1. Run the Duo Authentication for Windows Logon installer with administrative privileges.

  2. When prompted, enter your API Hostname from the Duo Admin Panel and click Next. The installer verifies that your Windows system has connectivity to the Duo service before proceeding.

    Duo API Hostname Information

    If the connectivity check fails, ensure that your Windows system is able to communicate with your Duo API hostname over HTTPS (port 443).

  3. Enter your integration key and secret key from the Duo Admin Panel and click Next again.

    Duo Application Information

  4. Select your integration options:

    Setting Description
    Bypass Duo authentication when offline (FailOpen) Enable this option to allow user logon without completing two-factor authentication if the Duo Security cloud service is unreachable. Checked by default.
    Use auto push to authenticate if available Automatically send a Duo Push or phone call authentication request after primary credential validation. Checked by default.
    Only prompt for Duo authentication when logging in via RDP Leave this option unchecked to require Duo two-factor authentication for console and RDP sessions. If enabled, console logons do not require 2FA approval.
    Enable Smart card support Select this option to permit use of the Windows smart card login provider as an alternative to Duo authentication.

    Duo Application Options

    Click Next to complete Duo installation.

Test Your Setup

To test your setup, attempt to log in to your newly-configured system as a user enrolled in Duo.

Windows Login Screen

The Duo authentication prompt appears after you successfully submit your Windows credentials. When auto-push is enabled (the default option), the Duo prompt indicates that a request has been pushed to your phone.

Duo Auto Push

If auto-push is disabled or if you click the Cancel button on the Duo authentication prompt, you can select a different device from the drop-down at the top (if you've enrolled more than one) or select any available factor to verify your identity to Duo:

  • Duo Push: Send a request to your smartphone. You can use Duo Push if you've installed and activated Duo Mobile on your device.
  • Call Me: Perform phone callback authentication.
  • Passcode: Log in using a passcode generated with Duo Mobile, received via SMS, generated by your hardware token, or provided by an administrator. To have a new batch of SMS passcodes sent to you click the Send me new codes button. You can then authenticate with one of the newly-delivered passcodes.

Duo Auth Factors

Remember: if you find that Duo Authentication for Windows Logon has locked you out of your Windows system (e.g. due to a configuration error), you can reboot into Safe Mode to bypass it.

Advanced Deployment and Configuration using Group Policy

Please see our Duo Authentication for Windows Logon Group Policy documentation.

Troubleshooting

Need some help? Take a look at the Windows Logon Frequently Asked Questions (FAQ) page or try searching our Windows Logon Knowledge Base articles or Community discussions. For further assistance, contact Support.

Network Diagram

  1. RDP connection or console logon initiated
  2. Primary authentication
  3. Duo Windows Logon credential provider connection established to Duo Security over TCP port 443
  4. Secondary authentication via Duo Security’s service
  5. Duo Windows Logon credential provider receives authentication response
  6. RDP or console session logged in

Ready to Get Started?

Sign Up Free