Disallow login for Windows RDP sessions when a user does not have PrivacyIDEA set up

Hello Everyone,

I have installed the credential provider setup on a Windows server. It is configured to force PrivacyIDEA authentication for logon, unlock, and UAC over RDP. This works great when the user is set up with PrivacyIDEA, but if they are not, it will still allow them to access the server. Here is the scenario:

User1 and User2 have RDP access to ServerA.
User1 has been set up in PrivacyIDEA, User2 has not.

If User1 tries to RDP to ServerA, they will be prompted for 2-factor before they start the RDP session. If they try to open CMD as admin, it will then ask for 2-factor.

If User2 tries to RDP to ServerA, it will allow them access to the RDP session without 2-factor, but will still require it when they try to open CMD as admin.

I would like to disallow signing in for User2. Is there a way to do this?

Hi, for RDP you probably want to install the credential provider on the target machine instead of the source machine.
Or, if you want User2 to not be able to initiate the RDP connection, you need to filter every other credential provider from the "UAC" window. But this will affect every UAC window; you cannot do this for specific targets (like "only for the RDP process"). That is why installing on the target machine is probably better. There you also need to filter every other credential provider.
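The reply above suggests two things: put the credential provider on the RDP target, and filter out the other credential providers there so the password-only tile is no longer offered. As an added example (not from the thread and not the privacyIDEA project's own tooling), the PowerShell below lists the credential providers Windows has registered on the host and then turns on the privacyIDEA CP's filter. The Windows key that lists providers is real; the privacyIDEA CP key `HKLM:\SOFTWARE\Netknights GmbH\PrivacyIDEA-CP`, the value name `enable_filter` and its REG_SZ type are assumptions to be checked against the documentation for the installed CP version.

```powershell
# Added example, not code from the original thread or from the privacyIDEA project.
# Run in an elevated PowerShell on the RDP *target* machine (ServerA in the scenario).

# 1. Enumerate the credential providers registered with Windows. Each subkey is a CLSID;
#    the key's default value is the provider's display name. This shows which providers
#    a user could fall back to if they are not filtered.
$cpRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$providers = Get-ChildItem -Path $cpRoot | ForEach-Object {
    [pscustomobject]@{
        Clsid = $_.PSChildName
        Name  = (Get-ItemProperty -Path $_.PSPath).'(default)'
    }
}
$providers | Format-Table -AutoSize

# 2. Enable the privacyIDEA CP filter so the providers listed above are hidden from the
#    logon, unlock and CredUI (UAC) screens.
#    Assumption: the CP stores its settings under this key, the value is named
#    'enable_filter' and the CP reads it as a string (REG_SZ). Verify against the docs
#    for the CP version you installed before relying on this.
$piKey = 'HKLM:\SOFTWARE\Netknights GmbH\PrivacyIDEA-CP'
if (-not (Test-Path $piKey)) {
    throw "privacyIDEA CP settings key not found ($piKey); is the CP installed on this host?"
}
Set-ItemProperty -Path $piKey -Name 'enable_filter' -Value '1' -Type String

# 3. Read the setting back to confirm it was written.
Get-ItemProperty -Path $piKey | Select-Object -Property enable_filter
```

As the reply notes, the filter is not scoped to RDP: once enabled it removes the other tiles from every logon, unlock and UAC prompt on that host, so keep a second administrative session open while testing and make sure the privacyIDEA server is reachable from ServerA before logging out.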