*** Updated Information: We have made several modifications to the script, including additional Extra Data Fields and checks, and have moved the Tab (and functions) to the Location level rather than the Client level.

The following video shows the DUO two-factor authentication system in use with Microsoft Remote Desktop once setup is complete. Remember to enter any of the following keywords in the 'duo security box' to invoke two-factor authentication.

Due to the rise in ransomware, hijacking, cryptojacking, etc., we have made Duo a requirement on all servers. We have made this script available as a product to use in your environments as well (*it will be free for a limited time*).

Background

This script will deploy the Duo Windows/RDP Authentication agent to the device(s) you select. There are a number of variables, or arguments, that are pre-set for you, but it has been configured so that they are easily changed. The description in the script, once imported, displays these instructions as well. For a list of arguments, see the Duo help article: https://help.duo.com/s/article/1090?language=en_US

Process

  1. If you are feeling kind, please donate. It helps support development time for providing free scripts: https://comertechnology.com/product/donation/
  2. Download the following script: Link Here
  3. Go to System > General > Import > XML Expansion.
    1. Browse to the file and select it.
    2. Accept the prompt.
  4. Go to Browse > Clients. Expand the desired Client, then double-click the desired Location.
  5. Under Info > Duo MFA Config, provide the following information (which you can get from the configured Application in Duo). To allow Duo deployment for this location, check “Enable Duo Deployment”.
    1. Integration Key
    2. Secret Key
    3. API Host
  6. To apply the information in the “Info about…” box above, import the following file: Link Here
    1. Go to System > General > Import > SQL File.
  7. Run the script against the servers at the client.
  8. Log in and verify you are being prompted by Duo.

Defaults and Modifications

The script is currently configured with the following default arguments:

  • AutoPush is enabled
  • FailOpen is enabled
  • RDPOnly is disabled (will work for all logins – console and remote)
  • EnableOffline is enabled.

To modify any of these configurations, open the script: !Custom > !Custom – SW – Deploy Duo Windows Authentication

Modify the following lines: 27-34
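
Of the defaults listed above, FailOpen decides what happens when a server cannot reach Duo, so it is worth reviewing before the script is run against servers. The PowerShell below is an added example (not the deployment script and not Duo's code) that parses an installer argument string and flags values that reduce two-factor coverage. The function name, the sample string and the property spellings (assumed to follow the Duo argument list linked above) are assumptions.

```powershell
# Added example, not the deployment script itself.
# Property names and the "#1"/"#0" value form are assumptions based on
# Duo's installer argument list; confirm against the help article.
function Get-DuoArgReview {
    param([Parameter(Mandatory)][string]$ArgumentString)

    # Defaults this page lists for the script (1 = enabled, 0 = disabled).
    $settings = [ordered]@{ AUTOPUSH = 1; FAILOPEN = 1; RDPONLY = 0; ENABLEOFFLINE = 1 }

    # Overlay NAME="#n" pairs found in the argument string; other
    # properties (keys, host) are ignored and never echoed.
    foreach ($m in [regex]::Matches($ArgumentString, '(?i)\b([A-Z_]+)="?#([01])"?')) {
        $name = $m.Groups[1].Value.ToUpperInvariant()
        if ($settings.Contains($name)) { $settings[$name] = [int]$m.Groups[2].Value }
    }

    # Effect of each value on who is challenged, and when.
    $effect = @{
        'AUTOPUSH=1'      = 'A push is sent automatically at logon.'
        'AUTOPUSH=0'      = 'The user picks the authentication method at logon.'
        'FAILOPEN=1'      = 'Logon proceeds WITHOUT Duo if the Duo service is unreachable.'
        'FAILOPEN=0'      = 'Logon is refused if the Duo service is unreachable.'
        'RDPONLY=1'       = 'Only RDP logons are challenged; console logons are not.'
        'RDPONLY=0'       = 'Console and RDP logons are both challenged.'
        'ENABLEOFFLINE=1' = 'Users enrolled for offline access can authenticate without reaching Duo.'
        'ENABLEOFFLINE=0' = 'No offline authentication method is available.'
    }
    # Values that reduce MFA coverage and should be a deliberate choice.
    $reducesCoverage = @('FAILOPEN=1', 'RDPONLY=1')

    foreach ($name in @($settings.Keys)) {
        $key = "$name=$($settings[$name])"
        [pscustomobject]@{
            Setting = $name
            Value   = $settings[$name]
            Review  = $reducesCoverage -contains $key
            Effect  = $effect[$key]
        }
    }
}

# Constructed sample: placeholder credentials, the page's default switches.
$sample = 'IKEY="<integration-key>" SKEY="<secret-key>" HOST="<api-host>" ' +
          'AUTOPUSH="#1" FAILOPEN="#1" RDPONLY="#0" ENABLEOFFLINE="#1"'
Get-DuoArgReview -ArgumentString $sample | Format-Table -AutoSize -Wrap
```

With the page's defaults, only the FAILOPEN row comes back with Review set to True.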

  1. The Duo RDP integration will add two-factor authentication to all Windows login attempts, whether via a local console or over RDP, unless you select the “Only prompt for Duo authentication when logging in via RDP” option in the installer. If two-factor is enabled for both RDP and console logons, it may be bypassed by restarting Windows into Safe Mode (e.g. in case of a configuration error).
  2. This RDP integration doesn’t support inline self-service enrollment. Any users of the system must have a device enrolled prior to attempting to authenticate.

Prerequisites

Check your server versions before starting. This integration works with Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008 R2, Windows Server 2012 and R2, and Windows Server 2016.

Then:

  1. Have all users for the system visit CAS at my.vcu.edu, so they can register for DUO service. (Note: If a user is already registered and needs to register a new device, the user must log in to CAS from a non-VCU location such as from the cellular network or from home.)
  2. Have your API keys[1] on hand.
    • Submit a request for API keys either by calling the VCU helpIT Center or (for advanced users) submitting a ticket
  3. Download the Duo RDP Installer Package:
Windows

Run the Installer

Run the installer with administrative privileges. Accept the license agreement and enter your integration key, secret key, and API hostname when prompted.

Test Your Setup

To test your setup, attempt to log in to your newly-configured system as the user you enrolled in the previous step.

When auto-push is enabled (the default option), a popup will appear notifying you that a login request has been pushed to your phone. When it is not enabled, you will be able to select the authentication option on the login screen.

If auto-push is disabled or if you click the Cancel button on the auto-push dialog, a popup will appear asking for a Duo passcode (either generated with Duo Mobile, sent via SMS, or generated with a hardware token).

Remember: if you find that the Credential Provider has locked you out of your Windows system (e.g. due to a configuration error), you can reboot into Safe Mode to bypass it.

Notes

API Keys

1: API keys are used to connect your DUO client instance to VCU's DUO service, and also ensure that your DUO authentication information is secured in transit.