This document details the installation steps for the Duo Windows RDP (Remote Desktop Protocol) client. Install this to set up two-factor authentication using Duo for your Windows server.
Request Duo Application Keys for Your Server
Each server should have its own Integration Key (i-Key) and Secret Key (s-Key). To request a key set for your server, contact the ITS Service Center and ask that your request be directed to the ITS Identity and Access Management (IAM) Operations team. Submit the application creation request well in advance: registration takes one to three days from the time ITS IAM receives the service request.
In the ticket, include your preferred application name. Most requests follow the format below. See Duo Naming Conventions for a more detailed explanation.
- Application Name: (Unit's AD Prefix) (SSH/RDP) (server hostname)
- Example: ITS SSH dodo.dsc.umich.edu
ITS IAM will communicate the i-Key, s-Key, and application host name back to the system administrator via U-M Dropbox. These should be protected like any other key information used on your server.
Server Setup for Windows RDP
To set up a server, download the Windows installer: Duo RDP installer
The remainder of this document explains the adjustable and recommended settings based on University policy. You may also wish to read Duo's official installation guide for more details about each setting: Duo installation guide for RDP
Interactive Installation Process
The installation wizard will take you through the installation process.
Here are some things to keep in mind as you perform the installation:
- You must use the Integration Key, Secret Key, and API Hostname provided to you by ITS Identity and Access Management, because they match settings on the Duo side. Refer to Duo Application Creation and Migration Process if you do not have this information yet.
- Uncheck Bypass Duo authentication when offline for better security. You can still reboot the server into Safe Mode to bypass Duo when necessary.
- Use auto push to authenticate if available has no security impact; it does make the logon process faster for users who have the Duo phone app, so it is recommended.
- Leave Only prompt for Duo authentication when logging in via RDP unchecked. You can still use Safe Mode to bypass Duo.
Silent (Automated) Installation Process
For bulk deployments, the installer also supports command-line arguments.
Here is an example with the recommended settings previously mentioned:
duo-win-logon-2.0.0.71.exe /S /V" /qn IKEY="DIXXXXXXXXXXXXXXXXXXXX" SKEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" HOST="api-f6044a03.duosecurity.com" AUTOPUSH="#1" FAILOPEN="#0" RDPONLY="#0""
Note the double quote immediately after /V and the extra double quote at the very end: everything between them (the /qn switch and all of the property assignments) is passed to the MSI as one long /V parameter, so the inner quotes around each value must stay inside it.
Proxy Setup for Servers With No Internet Access
Servers that do not have direct Internet access (private IP space with no NAT) will need to use an HTTP proxy to reach Duo's cloud service for authentication.
The Windows installer does not prompt for proxy settings, so you will need to edit the registry settings directly.
HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv
Non-Production: HttpProxyHost (String): duo-proxy-test.dsc.umich.edu
Production: HttpProxyHost (String): duo-proxy.dsc.umich.edu
The registry setting is only read during authentication, so no restart is required.
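The silent installation and the proxy registry setting above can be combined into one deployment script. The following PowerShell wrapper is an added example, not Duo's installer or an ITS-provided script; it assumes the installer file sits in the current directory, that the i-Key, s-Key and API hostname were obtained from ITS IAM, and that it runs from an elevated prompt.

```powershell
# Added example: silent Duo RDP install with the recommended settings from this
# document, plus the optional HttpProxyHost value for servers without Internet access.
# Assumptions: elevated PowerShell, installer in the current directory, keys from ITS IAM.
param(
    [Parameter(Mandatory)] [string] $IKey,
    [Parameter(Mandatory)] [string] $SKey,
    [Parameter(Mandatory)] [string] $ApiHost,
    [string] $Installer = '.\duo-win-logon-2.0.0.71.exe',
    # Leave empty for servers with direct Internet access; otherwise use
    # duo-proxy-test.dsc.umich.edu (non-production) or duo-proxy.dsc.umich.edu (production).
    [string] $ProxyHost = ''
)

$ErrorActionPreference = 'Stop'

# Recommended settings: auto push on, fail-open (bypass when offline) off, RDP-only off.
$msiProps = "/qn IKEY=`"$IKey`" SKEY=`"$SKey`" HOST=`"$ApiHost`" AUTOPUSH=`"#1`" FAILOPEN=`"#0`" RDPONLY=`"#0`""

# The whole property string becomes one /V argument; the outer quotes wrap it,
# exactly like the manual command line shown above.
$installerArgs = "/S /V`"$msiProps`""

$proc = Start-Process -FilePath $Installer -ArgumentList $installerArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "Duo installer exited with code $($proc.ExitCode)"
}

$regPath = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'
if ($ProxyHost) {
    # HttpProxyHost is read at authentication time, so no restart is needed after this.
    Set-ItemProperty -Path $regPath -Name 'HttpProxyHost' -Value $ProxyHost -Type String
}

# Verify the key was created by the installer and the proxy value landed where expected.
$props = Get-ItemProperty -Path $regPath
if ($ProxyHost -and $props.HttpProxyHost -ne $ProxyHost) {
    throw 'HttpProxyHost was not written to the DuoCredProv key'
}
Write-Host "Duo RDP installed. Proxy host: $(if ($ProxyHost) { $ProxyHost } else { '(direct)' })"
```

Pass the real key values on the command line or from a secured credential store rather than hard-coding them in the script, since the s-Key must be protected like any other secret on the server.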