This website uses cookies to ensure you get the best experience on our website. Learn more
Specops Authentication Client and Duo Authentication for Windows Login
The Specops Authentication Client provides enhancements to the Windows logon experience by wrapping the built-in Windows credential provider (GINA). This includes allowing users to reset their passwords from the login screen, as well as enhancing the feedback users receive when changing their password via CTRL+ALT+DEL. Often our customers will have additional third-party credential providers, and we do support wrapping those credential providers via a registry or GPO ADMX template setting (see https://specopssoft.com/blog/custom-admx-templates-specops-authentication-client-specops-password-reset/ for details). However certain credential providers such as Duo Security’s Authentication for Windows Logon require additional steps in order to allow the Specops Authentication Client to wrap them.
For Duo, we must set a registry key in order to allow wrapping by the Specops Authentication Client. On a machine with Duo installed, create or update the following registry key:
Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv
Value name: ProvidersWhitelist
Value type: REG_MULTI_SZ
Value data: enter (or add) the following two GUIDs on separate lines:
{00002ba3-bcc4-4c7d-aec7-363f164fd178} {4834dbc7-4a06-424d-a67f-20ddebcf08e1}
Next, use the Specops Authentication ADMX Template to specify that we should wrap the Duo credential provider — {44E2ED41-48C7-4712-A3C3-250C5E6D5D84}.
Once the policy has been applied to the affected computers, both Duo login functionality and Specops Password Reset/uReset and Password Policy functionality should work seamlessly together.