https://community.cisco.com/t5/managing-users/logon-failure-the-user-has-not-been-granted-the-requested-logon/m-p/4881518#M726 <DIV class="duo-migrated-content"><P>Hi,</P> <P>We operate a Windows RDS environment and have protection at the rdweb layer and then protection on published applications using the duo-rdp client.<BR /> We installed the duo-win-login.exe on a session host to protect the published application and added one user to test via ad-sync, however since installing the exe using the following powershell command (using elevated PS),<BR /> (C:\Windows\Temp\Duo\duo-win-login-4.1.3.exe /S /V" /qn IKEY=“DXXXXX” SKEY=“XXXXXXXXXXXXX” HOST=“<A href="http://api-xxxxxxx.duosecurity.com" rel="noopener nofollow ugc">■■■■■■■■■■■■■■■■■■■■■■■■■■■</A>” LOGFILE_MAXSIZEMB="<SPAN class="hashtag">#100</SPAN>" AUTOPUSH="<SPAN class="hashtag">#1</SPAN>" FAILOPEN="<SPAN class="hashtag">#1</SPAN>" SMARTCARD="<SPAN class="hashtag">#0</SPAN>" RDPONLY="<SPAN class="hashtag">#0</SPAN>"")<BR /> ALL users whether they were in the Duo console or not now receive the error “Logon Failure. The user has not been granted the requested logon type at this computer” when trying to open the RDP published application from rdweb.</P> <P>This error is normally seen if the user is not part of the ‘Remote Desktop Users’ local group on that server but the RDS session collection automatically adds this and they are still in there.<BR /> This all worked before installing the duo exe.</P> <P>I have to add ALL users as local admins on the server for them to launch the published app since installing Duo RDP, obviously i don’t want to do this so trying to understand why this happens.</P> <P>Anyone seen this?<BR /> Is it because the exe was ran elevated with admin?</P> <P>Thanks,<BR /> Steve</P></DIV> Fri, 02 Jul 2021 07:59:00 GMT s_hughes78 2021-07-02T07:59:00Z https://community.cisco.com/t5/managing-users/logon-failure-the-user-has-not-been-granted-the-requested-logon/m-p/4881518#M726 <DIV class="duo-migrated-content"><P>Hi,</P> <P>We operate a Windows RDS environment and have protection at the rdweb layer and then protection on published applications using the duo-rdp client.<BR /> We installed the duo-win-login.exe on a session host to protect the published application and added one user to test via ad-sync, however since installing the exe using the following powershell command (using elevated PS),<BR /> (C:\Windows\Temp\Duo\duo-win-login-4.1.3.exe /S /V" /qn IKEY=“DXXXXX” SKEY=“XXXXXXXXXXXXX” HOST=“<A href="http://api-xxxxxxx.duosecurity.com" rel="noopener nofollow ugc">■■■■■■■■■■■■■■■■■■■■■■■■■■■</A>” LOGFILE_MAXSIZEMB="<SPAN class="hashtag">#100</SPAN>" AUTOPUSH="<SPAN class="hashtag">#1</SPAN>" FAILOPEN="<SPAN class="hashtag">#1</SPAN>" SMARTCARD="<SPAN class="hashtag">#0</SPAN>" RDPONLY="<SPAN class="hashtag">#0</SPAN>"")<BR /> ALL users whether they were in the Duo console or not now receive the error “Logon Failure. The user has not been granted the requested logon type at this computer” when trying to open the RDP published application from rdweb.</P> <P>This error is normally seen if the user is not part of the ‘Remote Desktop Users’ local group on that server but the RDS session collection automatically adds this and they are still in there.<BR /> This all worked before installing the duo exe.</P> <P>I have to add ALL users as local admins on the server for them to launch the published app since installing Duo RDP, obviously i don’t want to do this so trying to understand why this happens.</P> <P>Anyone seen this?<BR /> Is it because the exe was ran elevated with admin?</P> <P>Thanks,<BR /> Steve</P></DIV> Fri, 02 Jul 2021 07:59:00 GMT https://community.cisco.com/t5/managing-users/logon-failure-the-user-has-not-been-granted-the-requested-logon/m-p/4881518#M726 s_hughes78 2021-07-02T07:59:00Z https://community.cisco.com/t5/managing-users/logon-failure-the-user-has-not-been-granted-the-requested-logon/m-p/4881519#M727 <DIV class="duo-migrated-content"><P>Managed to find the below thread which in turn gave the duo guide.<BR /> Pre-req missed around GPO’s for local logon, i’ll take a look at this.</P> <ASIDE class="quote quote-modified" data-post="3" data-topic="2220"> <DIV class="title"> <DIV class="quote-controls"></DIV> <IMG width="20" height="20" src="https://community.cisco.com/legacyfs/online/ciscoduo/letters/j_c77e96.png" style="display : inline;" /> <A href="https://community.duo.com/t/duo-for-rdp-windows-prerequisites/2220/3">Duo for RDP/Windows prerequisites</A> <A class="badge-wrapper bullet" href="https://community.cisco.com/c/protecting-applications-forum/microsoft/41"><SPAN class="badge-category-parent-bg" style="background-color: #F7941D;"></SPAN><SPAN class="badge-category-bg" style="background-color: #F7941D;"></SPAN><SPAN style="" data-drop-close="true" class="badge-category clear-badge">Microsoft</SPAN></A> </DIV> <BLOCKQUOTE> When I installed DUO RDP Windows logon to a RDS session host used to provide remote apps for internal users, the users RDP access breaks. They get “Logon failure the user has not been granted the requested logon type” . If I give the remote app user group the “logon on locally” right they can get in again. The problem is they should not have this right, since they are only allowed RDP access to particular applications. They functioned fine without it prior to implementing DUO. I tried to ad… </BLOCKQUOTE> </ASIDE> <P><A href="https://help.duo.com/s/article/1093?language=en_US" class="onebox" target="_blank" rel="noopener nofollow ugc">https://help.duo.com/s/article/1093?language=en_US</A></P></DIV> Fri, 02 Jul 2021 09:52:26 GMT https://community.cisco.com/t5/managing-users/logon-failure-the-user-has-not-been-granted-the-requested-logon/m-p/4881519#M727 s_hughes78 2021-07-02T09:52:26Z https://community.cisco.com/t5/managing-users/logon-failure-the-user-has-not-been-granted-the-requested-logon/m-p/4881520#M728 <DIV class="duo-migrated-content"><P>Creating a GPO for the two additional user rights as per the Duo support link and applying to server OU fixed this.<BR /> Just for anyone else reading in the future.</P></DIV> Fri, 02 Jul 2021 13:36:49 GMT https://community.cisco.com/t5/managing-users/logon-failure-the-user-has-not-been-granted-the-requested-logon/m-p/4881520#M728 s_hughes78 2021-07-02T13:36:49Z https://community.cisco.com/t5/managing-users/logon-failure-the-user-has-not-been-granted-the-requested-logon/m-p/4881521#M729 <DIV class="duo-migrated-content"><P>Thanks for sharing <A class="mention" href="https://community.duo.com/u/s_hughes78">@s_hughes78</A>! Glad you were able to resolve this using the info you found in a past thread and the Duo guide. <IMG width="20" height="20" src="https://community.cisco.com/legacyfs/online/ciscoduo/cdn_emojis/twitter/+1.png" style="display : inline;" /></P></DIV> Fri, 02 Jul 2021 14:03:25 GMT https://community.cisco.com/t5/managing-users/logon-failure-the-user-has-not-been-granted-the-requested-logon/m-p/4881521#M729 Amy2 2021-07-02T14:03:25Z