We are using RSA tokens (both hardware and software) for securing several systems. Also Windows Server 2012 R2 based RDP hosts. It worked prety stable many years , but now ( unfortunatelly not exactly known when it started) for some users multiple logons are required.
Ie. User connects to RDS Host (NLA is turned off so user gets RDS host login screen), clicks on RSA icon, enters his username and passcode (success). Next Windows password prompt is presented - user enter his correct password AND user is redirected back to RSA logon prompt. User enters again username and passcode, enters again windows password and now gets desktop.
All users are challenged to use RSA SecurID. And most users do not experience this inconvinient double logon.
Client OS is Windows 10.