Specops Authentication Client and Duo Authentication for Windows Login

The Specops Authentication Client provides enhancements to the Windows logon experience by wrapping the built-in Windows credential provider (GINA). This includes allowing users to reset their passwords from the login screen, as well as enhancing the feedback users receive when changing their password via CTRL+ALT+DEL.

The Specops Authentication Client also supports wrapping third party credential providers, as long as that credential provider supports being wrapped. Certain credential providers, such as Duo Security’s Authentication for Windows Logon, require additional configuration in order to allow the Specops Authentication Client to wrap them.

Continuously block 4 billion+ compromised passwords in your Active Directory

We begin by setting a registry key in the Duo client order to allow wrapping by the Specops Authentication Client. On a machine with the Duo client installed, create or update the following registry key:

Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv
Value name: ProvidersWhitelist
Value type: REG_MULTI_SZ
Value data: enter (or add) the following two GUIDs on separate lines — these are the GUIDs that identify the Specops Authentication Client:

{00002ba3-bcc4-4c7d-aec7-363f164fd178}
{4834dbc7-4a06-424d-a67f-20ddebcf08e1}

Next, use the Specops Authentication ADMX Template to specify that we should wrap the Duo credential provider. Under Specops Authentication Client Wrap Duo Specops Authentication Client/Enhance Windows logon and password change, set GUID of credential provider to wrap to the GUID of the Duo client, including the curly brackets: {44E2ED41-48C7-4712-A3C3-250C5E6D5D84}.

Note the Specops Authentication Client, ADMX templates, and instructions for installing both can be found on our support site.

Once the group policy has been applied to the affected computers, both Duo login functionality and Specops Authentication functionality for password change and password reset should work seamlessly together. For uReset customers, this means you can continue to use the Reset Password link at the logon screen just as you would on workstations without the Duo client.

For Dynamic Feedback at Password Change (available to both uReset and Password Policy customers with Specops Authentication Client version 7.15 or later) the dynamic feedback will be displayed. Duo will prompt for MFA after the password change is submitted as it would normally.