This document details the installation steps for the Duo Windows RDP (Remote Desktop Protocol) client. Install this to set up two-factor authentication using Duo for your Windows server. Beginning July 20, 2016, Duo two-factor authentication will be used instead of MTokens for systems available through Wolverine Access.
Server Setup for Windows RDP
To set up a server, download the Windows installer: Duo RDP installer
The remainder of this document explains the adjustable and recommended settings based on University policy. You may also wish to read Duo's official installation guide for more details about each setting: Duo installation guide for RDP
Interactive Installation Process
The installation wizard will take you through the installation process.
Here are some things to keep in mind as you perform the installation:
- You must use the Integration Key, Secret Key, and API Hostname provided to you by ITS Identity and Access Management, because they match settings on the Duo side. Refer to Duo Application Creation and Migration Process if you do not have this information yet.
- Uncheck "Bypass Duo authentication when offline" for better security. You can still reboot the server into Safe Mode to bypass Duo when necessary.
- The "Use auto push to authenticate if available" option has no security impact. It does, however, make the logon process faster if you have the Duo phone app, so it is recommended.
- Leave "Only prompt for Duo authentication when logging in via RDP" unchecked. You can still use Safe Mode to bypass Duo.
Silent (Automated) Installation Process
For bulk deployments, the installer also supports command-line arguments.
Here is an example with the recommended settings previously mentioned:
duo-win-logon-220.127.116.11.exe /S /V" /qn IKEY="DIXXXXXXXXXXXXXXXXXXXX" SKEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" HOST="api-f6044a03.duosecurity.com" AUTOPUSH="#1" FAILOPEN="#0" RDPONLY="#0""
Note the quote after /V and the double quote at the end. The settings are all part of one giant /V parameter.
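One way to script the silent install above without saving the Secret Key in a script file, shown as an added PowerShell example that is not from Duo or ITS. The function name, the parameter names, and the treatment of exit codes 0 and 3010 (the standard Windows Installer success values) are assumptions.

```powershell
# Added example (not Duo's or ITS's script). Requires PowerShell 5 or later.
param(
    [Parameter(Mandatory)] [string] $InstallerPath,  # placeholder: path to the downloaded installer
    [Parameter(Mandatory)] [string] $IKey,           # Integration Key from ITS IAM
    [Parameter(Mandatory)] [string] $ApiHost         # API Hostname from ITS IAM
)

function New-DuoInstallArgs {
    param([string] $IKey, [string] $SKey, [string] $ApiHost)
    foreach ($value in $IKey, $SKey, $ApiHost) {
        # A quote or space inside a value would end the /V"..." string early.
        if ([string]::IsNullOrEmpty($value) -or $value -match '["\s]') {
            throw 'A Duo setting is empty or contains a quote or whitespace.'
        }
    }
    # Recommended settings from this page: auto push on, fail closed, not RDP-only.
    $settings = 'IKEY="{0}" SKEY="{1}" HOST="{2}" AUTOPUSH="#1" FAILOPEN="#0" RDPONLY="#0"' -f $IKey, $SKey, $ApiHost
    # Everything after /V is one quoted parameter, hence the extra closing quote.
    return '/S /V" /qn ' + $settings + '"'
}

if (-not (Test-Path -LiteralPath $InstallerPath -PathType Leaf)) {
    throw "Installer not found: $InstallerPath"
}

# Prompt for the Secret Key so it is not stored in the script or in shell history.
$secure = Read-Host -Prompt 'Duo Secret Key' -AsSecureString
$sKey = [System.Net.NetworkCredential]::new('', $secure).Password

$argLine = New-DuoInstallArgs -IKey $IKey -SKey $sKey -ApiHost $ApiHost

# A single string passed to -ArgumentList reaches the installer unchanged.
$proc = Start-Process -FilePath $InstallerPath -ArgumentList $argLine -Wait -PassThru
Remove-Variable -Name sKey, argLine

switch ($proc.ExitCode) {
    0       { 'Duo installed.' }
    3010    { 'Duo installed; a reboot is required to finish.' }
    default { throw "Installer exited with code $($proc.ExitCode)." }
}
```

The Secret Key is still passed on the installer's command line, as in the example above, so process-creation auditing that records command lines will capture it on the server.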
Proxy Setup for Servers With No Internet Access
Servers that do not have direct Internet access (private IP space, and no NAT) will need to use an HTTP proxy to authenticate through Duo.
The Windows installer does not prompt for proxy settings, so you will need to edit the registry settings directly.
Non-Production: HttpProxyHost (String): duo-proxy-test.dsc.umich.edu
Production: HttpProxyHost (String): duo-proxy.dsc.umich.edu
The registry setting is only read during authentication, so no restart is required.