When you log in to one of the applications integrated with Rublon using Rublon Access Gateway, the Rublon Prompt appears, allowing you to choose one of the available authentication methods. If you installed one of our connectors, the Rublon Prompt also appears during Windows Logon, RDP, and RD Web Access logins. Still, sometimes the Rublon Prompt does not appear. This article lists the most common reasons why the Rublon Prompt is not appearing on Windows.
RDP Only Selected During Installation
If you do not uncheck the Prompt for MFA only for RDP logins checkbox during installation, only RDP sessions will prompt for MFA, while local system logons will skip MFA.
Uncheck the Prompt for MFA only for RDP logins option to enable MFA for both local system logons and RDP sessions.
This behavior can also be controlled post-installation by changing the value of the RublonRDPOnly parameter in the Windows Registry:
1. Go to your Windows Registry and locate HKEY_LOCAL_MACHINE\SOFTWARE\Rublon\WindowsLogon.
2. Change the value of RublonRDPOnly to 0.
You Are Offline
If you are offline and OfflineAuth is set to 0 in the Windows Registry, the Rublon Prompt will not appear. You will be either bypassed or denied, depending on the value of the FailMode option in the Windows Registry.
Note that if your antivirus/firewall is set to deliberately block actual internet communication until a user logs in, you will not see the Rublon Prompt even with OfflineAuth set to 1. In this case, you must add an exception for https://core.rublon.net. For more information, refer to the Security Policies Block Traffic to the Rublon API section of this article.
Wrong System Token or Secret Key
Ensure the values of System Token and Secret Key you provided during installation are correct.
Note that the values of System Token and Secret Key you have to provide during installation refer to the application of the type Windows you added in the Rublon Admin Console.
You can change the values of System Token and Secret Key in Windows Registry:
1. Go to your Windows Registry and locate HKEY_LOCAL_MACHINE\SOFTWARE\Rublon\WindowsLogon.
2. Change the values of SystemToken and SecretKey.
Changes will be effective immediately.
External Program Corrupted Installation
Our clients reported that some programs, such as Symantec Endpoint Protection and Comodo Cyber Security, caused the installation to fail silently without creating the registry keys. Turning off the program and retrying the installation solved the issue.
If you are facing similar issues with Rublon for Windows Logon & RDP, it is a good idea to temporarily turn off all antivirus software, firewalls, and other external programs that might disrupt the installation of Rublon for Windows.
Incorrect Firewall/Antivirus Configuration Makes Rublon Bypass MFA
Your firewall might be blocking Rublon for Windows from communicating with the Rublon API, which in turn makes Rublon for Windows bypass MFA (or deny access). While it’s a good idea to temporarily turn off your firewall during installation, you understandably cannot keep it off forever. You can, however, turn it off again to test whether Rublon MFA works with the firewall off. If Rublon MFA works when your firewall is off but stops working when your firewall is on, you have to add Rublon to the allow list in your firewall.
Security Policies Block Traffic to the Rublon API (e.g., in Sophos Firewall Protection)
Some security policies—like those enforced by Sophos Endpoint Protection (also known as Sophos Endpoint Security and Sophos Antivirus)—can make a workstation believe it has internet access while actually blocking most outbound traffic until a user logs on. This leads to the Rublon Prompt not appearing, even if the Offline Mode is enabled in the Rublon MFA for Windows connector.
Even if OfflineAuth is set to 1 in the Windows Registry, the Rublon for Windows connector checks for genuine internet connectivity before switching to offline authentication. When a security solution (for example, Sophos Endpoint Security) is in place, a machine may receive an IP address and basic network settings at startup, yet be restricted from communicating with external services until user authentication is complete. As a result, the connector never detects the offline state and does not trigger the Offline Mode, while also being prevented from communicating with the Rublon API for standard online authentication.
To resolve this issue, you need to create a network exception that allows your machine to reach the Rublon API (https://core.rublon.net) even before a user logs on. This will allow the Rublon MFA for Windows connector to connect to the Rublon API and perform standard online authentication.
For specific, always up-to-date instructions on how to create an exception in Sophos Endpoint Protection, refer to the official Endpoint Protection documentation.
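A read-only PowerShell check for the local causes covered so far (RDP-only mode, offline settings, missing credentials, blocked API traffic), added here as an example and not part of Rublon's tooling. The function name is hypothetical, and treating any RublonRDPOnly value other than 0 as RDP-only is an assumption.

```powershell
# Added example, not Rublon tooling. Read-only: it changes no registry values.
$RublonKey = 'HKLM:\SOFTWARE\Rublon\WindowsLogon'   # key path from this article
$RublonApi = 'core.rublon.net'                      # API host from this article

function Get-RublonPromptFindings {                 # hypothetical helper name
    param([string]$Path = $RublonKey, [string]$ApiHost = $RublonApi)

    $findings = [System.Collections.Generic.List[string]]::new()
    if (-not (Test-Path -Path $Path)) {
        $findings.Add("Key $Path not found: the installer may have failed silently.")
        return $findings
    }
    $cfg = Get-ItemProperty -Path $Path

    # Assumption: any value other than 0 limits MFA to RDP logins.
    $rdpOnly = "$($cfg.RublonRDPOnly)"
    if ($rdpOnly -eq '') {
        $findings.Add('RublonRDPOnly is not set.')
    } elseif ($rdpOnly -ne '0') {
        $findings.Add("RublonRDPOnly='$rdpOnly': local logons are not prompted for MFA.")
    }

    # Report only whether the credentials exist; never print their values.
    foreach ($name in 'SystemToken', 'SecretKey') {
        if ([string]::IsNullOrWhiteSpace("$($cfg.$name)")) {
            $findings.Add("$name is missing or empty.")
        }
    }

    # With OfflineAuth=0, an unreachable API means no prompt; FailMode decides the outcome.
    if ("$($cfg.OfflineAuth)" -eq '0') {
        $findings.Add("OfflineAuth=0: offline logons are bypassed or denied per FailMode='$($cfg.FailMode)'.")
    }

    # TCP reachability of the Rublon API over HTTPS.
    $online = Test-NetConnection -ComputerName $ApiHost -Port 443 `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    if (-not $online) {
        $findings.Add("Cannot reach ${ApiHost}:443: check firewall/antivirus exceptions.")
    }
    return $findings
}

$result = Get-RublonPromptFindings
if ($result) { $result | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No local cause found; check user status and policies in the Rublon Admin Console.' }
```

Run in an interactive session, the connectivity test reflects post-logon network access only; to observe the pre-logon block described above, run it before any user logs on, for example from a startup task.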
User Bypassed in Rublon Admin Console
Rublon Prompt does not appear for users whose status is set to Bypass in the Rublon Admin Console. Ensure that your User Status is not set to Bypass.
Bypass Policy Assigned to Windows Application
There may be a policy assigned to your Windows application in the Rublon Admin Console. A custom policy might bypass one or more users in your organization. Check whether a custom policy is assigned to your application and whether the policy’s settings might cause your users to be bypassed. Note that you also have to check the Global Policy. Follow the steps below:
1. In Admin Console, go to Applications.
2. In the list of applications, find your application of type Windows Logon & RDP and click its name.
3. In the Policy section, check if there is a custom policy assigned to your application. If not, go to step 7.
4. Check if Remembered Devices is enabled in the custom policy. A user might have checked Remember this device, which causes Rublon MFA to be bypassed.
5. Check if Authorized Networks is enabled in the custom policy. Authorized Networks bypass multi-factor authentication from the IP address ranges set in the text field. If the field is not empty, investigate if the IPs of your users fall within the authorized networks range.
6. Check if the Default Authentication Method policy is on. Default Authentication Method automatically selects Mobile Push (or any other authentication method) as the second factor during Rublon Authentication. When enabled, all other methods get deactivated and the method selection screen on the Rublon Prompt does not appear when authenticating. (It is possible to get back to it by clicking Back, though.)
7. Check steps 4 to 6 for the Global Policy.
Rublon Prompt Still Not Appearing
If you tried all the preceding advice but Rublon Prompt is still not appearing for you, contact Rublon Support.
Helpful Links
Rublon for Windows & RDP - Documentation