Virtual Server: How to Protect Your Server with Duo MFA for Remote Desktop (Windows)

    This article is for Managed Services customers. If you were referred here from the Duo Integration for Active Directory site to use installation instructions, please skip to STEP 4. You do not need to email itscs@hawaii.edu as you would have already received your Duo keys.

     

     

    Before installing and configuring Duo MFA, please ensure you have accounts created on your server matching UH username accounts. Duo MFA will be configured to push on UH usernames, so any username that does not match an existing UH username (i.e., "admin" or "user") could fail, thus locking you out of your server. 

    Please also note that using variations of your username (i.e. "jdoe" vs "johndoe") for the server account that does not match your own username could potentially lock another person out of using Duo MFA, if they have that as an existing UH username.

     

  1. Email itscs@hawaii.edu to inform us that you'd like to setup Duo MFA on your Windows server, and we will add your server to our Duo environment. Please verify that you are enrolled in Duo MFA. See Getting setup for Multi-Factor Authentication (MFA) for more information.

    Please include the following information in your request:

    Hostname or VM name
    IP address

    NOTE: This is only provided to virtual server customers hosted under ITS Managed Services.

     
  2. We will filedrop you three keys, which are required in the Duo configuration on the server.

    Integration key
    Secret key
    API hostname

    We will also filedrop you the Duo installer for Windows.
     
  3. Before you begin with the installation, please ensure that a local account matching your exact UH username has been created on the server. Duo MFA will be configured to push on UH usernames, so any username that does not match an existing UH username (i.e., "admin" or "user") could fail, thus locking you out of the server.

    Please also note that using variations of your username (i.e. "jdoe" vs "johndoe") for the server account that does not match your own username could potentially lock another person out of using Duo MFA, if they have that as an existing UH username.
     
  4. On your Windows server, copy the Duo installer on to the desktop and run it. Be sure to run as Administator.
     
  5. At the welcome screen, click Next.



     
  6. Paste the API hostname that was filedropped to you in the field. Leave the checkbox unchecked.



     
     
  7. Copy and paste in both the Integration Key and Secret Key from the filedrop.



     
  8. You can leave the following checked as default and proceed to the next step, or change it based on your preference.

    Note that you may want to uncheck option two to NOT use the auto push if you use other devices aside from the mobile Duo app to authenticate (like a USB key). This will let you chose the device of your choice to send the push to.

    If you have access to your server/VM through the vCenter console, the "only prompt for Duo authentication via RDP" option can be checked so the MFA push won't be enabled when logging into the server through vCenter.




     
  9. Leave the next part unchecked as default and click Next to proceed.



     
  10. Leave this part unchecked as the default and click Next.



     
  11. Click Install to start the installation. After it finishes, you may need to reboot your server. Login to the server again via RDP to ensure the Duo push does work.

 

Please rate the quality of this answer: Poor Fair Okay Good Excellent
Not the answer you were looking for? Try different keyword combinations and if you still can’t find your answer, please contact us.
Article ID: 1847
Created: Tue, 16 Feb 2021 11:10am
Modified: Mon, 04 Mar 2024 11:54am