Configuring Duo for use with Windows Remote Desktop

Duo two-factor authentication for Windows Remote Desktop Protocol (RDP) helps protect Windows computers from unauthorized remote access, by requiring a one-time password in addition to a valid username and password for login.

Note: if this is your first time configuring Windows Remote Desktop, consider restricting access at the network level as well, using the built-in Windows Firewall. When you want to begin allowing incoming connections using Windows Remote Desktop, make sure the service is enabled and that the firewall allows it through.

For general information about Duo, see our documentation here.

First Steps

  • Contact Information Security by creating a ticket at help.caltech.edu (IMSS/Information Security/Security - General) or by emailing security@caltech.edu to request an integration key, secret key, and API hostname to set up Duo on your Windows system.

  • Information Security will either send you a GPG encrypted file with this information, or a password protected .zip file with the password relayed over the phone.

  • Download the Duo installer here.

    Please NOTE: Your secret key (skey) is critical to the security of your Duo setup! Secure it as you would any sensitive credential. Don't share it with others or email it unencrypted under any circumstances. If there is ever any doubt as to the security of the secret key, contact Information Security to generate a new one.

Remote access methods: Note that Duo for Windows Remote Desktop will not protect your computer from other forms of remote access enabled on the same system (e.g., VNC or any other remote access method).  Other forms of remote access must be disabled or secured separately.

Run The Installer

  • Run the Duo Authentication for Windows Logon installer with administrative privileges.

  • When prompted, enter your API Hostname as provided by Information Security, and click Next. The installer verifies that your Windows system has connectivity to the Duo service before proceeding.

  • Enter your integration key and secret key as provided by Information Security, and click Next again.

  • FailOpen or FailClosed: for most installations, Bypass Duo authentication when offline (FailOpen) is an appropriate choice, and its checkbox should be checked. This ensures that you can still log into your workstation in the event that a network connectivity issue prevents your computer from communicating with Duo's cloud service.
  • Auto push: Use auto push to authenticate if available is a convenient choice if you prefer to authenticate using the Push option of the Duo Mobile app.
  • Only prompt for Duo authentication when logging in via RDP will allow local users to continue logging in with username and password only, without requiring Duo. Depending on your preference and the workstation's physical location, this may be an appropriate choice.

  • Click Next to ensure the process worked. The following screen should show up after you sign out and sign in again, or (if you have selected "Only prompt for Duo authentication when logging in via RDP") when you connect remotely using RDP:

  • Duo Push: Send a request to your smartphone. You can use Duo Push if you've installed and activated the Duo Mobile app on your smartphone or tablet, and your mobile device currently has network connectivity, either via WiFi or your cellular data network. "Device" in the image above refers to the authentication method you've chosen (in this case, a Google Nexus phone).

  • Passcode: Log in using a passcode generated with Duo Mobile or generated by your hardware token.
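Once the installer has finished, the following PowerShell script (an added example, not part of Duo's or IMSS's own tooling; run as Administrator) checks the points covered above: that Remote Desktop is enabled and its firewall rule is restricted to specific remote addresses rather than "Any", that the FailOpen, RDP-only and auto-push choices took effect, and that the API hostname is reachable on TCP 443. The registry path HKLM:\SOFTWARE\Duo Security\DuoCredProv and the value names FailOpen, RdpOnly, AutoPush and Host are taken from Duo's documentation as I recall it; confirm them against the version you installed.

```powershell
# Post-install check for Duo Authentication for Windows Logon. Run as Administrator.
# Assumption: Duo keeps its installer settings under $DuoKey (per Duo's docs); verify for your version.
$DuoKey = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'
$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Test-RdpDuoSetup {
    $result = [ordered]@{}

    # 1. Is Remote Desktop enabled? (fDenyTSConnections = 0 means connections are allowed)
    $deny = (Get-ItemProperty -Path $TsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $result.RdpEnabled = ($deny -eq 0)

    # 2. Network Level Authentication: the client must authenticate before a session is created
    $nla = (Get-ItemProperty -Path "$TsKey\WinStations\RDP-Tcp" -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $result.NlaRequired = ($nla -eq 1)

    # 3. Windows Firewall: the inbound Remote Desktop rules should be enabled and scoped, not open to "Any"
    $rules   = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue
    $enabled = @($rules | Where-Object { $_.Enabled -eq 'True' })
    $scopes  = @($enabled | Get-NetFirewallAddressFilter | Select-Object -ExpandProperty RemoteAddress)
    $result.FirewallRuleEnabled = ($enabled.Count -gt 0)
    $result.FirewallScoped      = ($scopes.Count -gt 0) -and ($scopes -notcontains 'Any')

    # 4. Duo settings chosen in the installer (DWORD values, 1 = enabled). The secret key is deliberately not read.
    $duo = Get-ItemProperty -Path $DuoKey -ErrorAction SilentlyContinue
    $result.DuoInstalled = ($null -ne $duo)
    $result.FailOpen     = ($duo.FailOpen -eq 1)
    $result.RdpOnly      = ($duo.RdpOnly -eq 1)
    $result.AutoPush     = ($duo.AutoPush -eq 1)

    # 5. Connectivity to the API hostname over HTTPS, the same check the installer performs before proceeding
    if ($duo.Host) {
        $result.DuoReachable = Test-NetConnection -ComputerName $duo.Host -Port 443 -InformationLevel Quiet
    } else {
        $result.DuoReachable = $false
    }

    [pscustomobject]$result
}

$r = Test-RdpDuoSetup
$r | Format-List
if ($r.RdpEnabled -and -not $r.DuoInstalled)   { Write-Warning 'RDP is enabled but Duo is not configured on this system.' }
if ($r.RdpEnabled -and -not $r.FirewallScoped) { Write-Warning 'The RDP firewall rule accepts any remote address; restrict it.' }
if ($r.RdpEnabled -and -not $r.NlaRequired)    { Write-Warning 'Network Level Authentication is not required for RDP.' }
```

Remember that this only covers RDP: any other remote access service on the machine (VNC, for example) is outside Duo's protection and must be disabled or secured separately, as noted above.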