Duo on RDP (Remote Desktop Protocol)


From Monday 28 June 2021, you will need to use Duo multi-factor authentication (MFA) to access all Windows servers using the Remote Desktop Gateway (RDG - rdg.leeds.ac.uk). This means that anyone (including external vendors) who needs to access a Windows server remotely for support or maintenance will need to have a valid, enrolled Duo account and Duo installed on a local device.

If you or your team work with vendors who need remote access to a Windows server, you must ensure they have their own account (not shared) which is Duo enabled.

What remote access will be Duo protected?

Duo is used on the Remote Desktop Gateway (RDG - rdg.leeds.ac.uk) to access Windows-based servers.

How do I get a Duo enabled account? 

Most University staff and students should already have a Duo enabled account. If you are not already enrolled and you can't find the enrolment email or reminder, please contact the IT Service Desk.

Vendors

Duo MFA access is linked to a specific account and must be associated with a single individual, not a shared account. 

If a vendor has an account which is not already Duo enabled, their University contact should submit a request to the IT Service Desk by logging into the IT website and using the "Request something" link on the homepage. They must include: 

  1. Vendor's current username
  2. The name of the vendor or supplier
  3. The name of the access account owner, i.e. the individual who will be associated with the account on University records
  4. Account owner email address. The Duo Enrolment email will be sent to this address.
  5. A mobile phone number to associate with the Duo enrolment. The vendor must have access to this as it will be used each time they need to log on. 

Some vendors may be using one account to log into the RDG and a separate account (DS\username) to then log onto a Windows server. In this case it is the account they use to log onto the server (DS\username) which needs to be Duo enrolled.

If any vendors are using a local computer account (servername\username) to log on to a Windows server, this cannot be Duo enrolled, and the vendor must enrol the account used to log on to the RDG itself or have a new account created.

Can emergency access be granted without Duo for Vendors?

In exceptional circumstances, temporary access may be granted. Contact the IT Service Desk by logging into the IT website and using the "Request something" link on the homepage.