Duo Security

Configuring Duo Security with Specops Authentication for O365 extends Duo Security's two-factor authentication to your users.

There are two ways to connect to Duo Security: Web SDK and Auth API. Auth API is the newer of the two and is used by all new customers. To check which method you are using, perform the following steps:

  1. Log in to the Specops Authentication web: https://login.specopssoft.com/authentication/admin
  2. Select Identity Services in the left sidebar navigation, then select Duo Security.
  3. Make sure it says “Auth API”.

Configuring Duo Security with Web SDK


NOTE
Web SDK is only available to customers who started using Duo Security prior to the 8.16 release of Specops Authentication. Customers who start using Duo Security from 8.16 onwards must use Auth API (see below) to configure Duo Security.

Pre-requisites: The Owner, Administrator, or Application Manager Administrative Roles are required in Duo Security.

  1. Log in to the Specops Authentication Web: https://login.specopssoft.com/authentication/admin
  2. Select Identity Services in the left sidebar navigation, then select Duo Security.
  3. Select Enable, then in the pop-up select Enable again. This will make the service available for use in Specops services.
  4. Log into the Duo Security Admin Panel.
  5. Select Applications in the left sidebar navigation, then select Protect an Application.
  6. The next page shows a list of the different types of services that can be integrated with Duo Security. In the list, find Web SDK and select Protect this application.
  7. Set a policy for the application by using an existing one or creating a new one.
    NOTE
    The New User Policy setting should be set to Require enrollment. Allow access without 2FA would let users bypass Duo Security without authenticating; Deny access would block users from authenticating with Duo Security at all.
    NOTE
    The Group Access Policy setting should be set to No action. As with the New User Policy, it must not be set to Allow access without 2FA or Deny access.
  8. Configure the Settings and enter a name.
  9. Select Save.
  10. From the Details section, copy the Integration key, Secret key, and API hostname into their corresponding fields in the Specops Authentication Client.
    NOTE
    The Attribute name field can be left blank to use the default Active Directory attribute (sAMAccountName), unless you need to use a different AD attribute.
  11. Select Test connection. If the connection was successful, a message saying Connection test successful will appear.
  12. Select Save.

To add Duo Security to your policy

  1. Select Authentication for O365 in the left sidebar navigation, then select Configure in the Policies section.
  2. Drag Duo Security from the Unselected Identity Services section to the Selected Identity Services section, and configure Weight, Required and Protected settings.
  3. Select Save.

Configuring Duo Security with Auth API


Pre-requisites: The Owner, Administrator, or Application Manager Administrative Roles are required in Duo Security.

  1. Log in to the Specops Authentication Web: https://login.specopssoft.com/authentication/admin
  2. Select Identity Services in the left sidebar navigation, then select Duo Security.
  3. Select Enable, then in the pop-up select Enable again. This will make the service available for use in Specops services.
  4. Log into the Duo Security administration page
  5. Select Applications in the left sidebar navigation, then select Protect an Application.
  6. The next page shows a list of the different types of services that can be integrated with Duo Security. In the list, find Partner Auth API and select Protect this application.
  7. Set a policy for the application by clicking on Apply a policy to all users and selecting the policy in the drop-down, or create a new policy by clicking the Or, create a new policy link in that same window, then clicking New User policy.
    NOTE
    The New User Policy setting should be set to Require enrollment. Allow access without 2FA would let users bypass Duo Security without authenticating; Deny access would block users from authenticating with Duo Security at all.
  8. Configure the Settings and enter a name.
  9. Click Save.
  10. From the Details section, copy the Integration key (Client ID), Secret key, and API hostname into their corresponding fields in the Specops Authentication Client.
    NOTE
    The Attribute name field can be left blank to use the default Active Directory attribute (sAMAccountName), unless you need to use a different AD attribute.
  11. Select your desired setting for Auto-enroll users in Specops Authentication. Setting it to yes will automatically enroll all users.
    NOTE
    In order to use Duo Security with Quick Verification, this setting must be set to Yes.
  12. Select Test connection. If the connection was successful, a message saying Connection test successful will appear.
  13. Click Save.

Configuring Duo Security with OpenID Connect (OIDC)

You can configure Duo Security to use the OpenID Connect protocol to deliver two-factor authentication to users. Instead of authenticating on Specops' login page, users are redirected to a Duo Security URL where they authenticate through Duo Security's Universal Prompt. The Universal Prompt shows the user a number code, which the user must enter into the push notification on the device where the Duo Security app is installed. Because the user has to confirm the on-screen code rather than simply approve a push, this method counters MFA fatigue (push bombing) attacks, in which an attacker who already holds the user's password floods the user with push notifications until one is approved.

NOTE
Auth API needs to be configured before configuring OIDC.

To configure OIDC:

  1. Log in to the Specops Authentication Web: https://login.specopssoft.com/authentication/admin
  2. Select Identity Services in the left sidebar navigation, then select Duo Security.
  3. The service should already have been enabled when Auth API was configured.
  4. Select the Use Duo prompt for end-users checkbox.
  5. Log into the Duo Security Admin Panel.
  6. Select Applications in the left sidebar navigation, then select Protect an Application.
  7. The next page shows a list of the different types of services that can be integrated with Duo Security. In the list, find Web SDK and select Protect this application.
  8. Set the same policy as the one set for Auth API for the application by clicking on Apply a policy to all users and selecting the policy in the drop-down.
    NOTE
    You need to select the same policy as the one set for Auth API to avoid configurations where users would be prevented from using Duo Security to authenticate.
  9. Configure the Settings and enter a name.
  10. Select Save.
  11. From the Details section, copy the Client Id and the Client secret into their corresponding fields in the Specops Authentication Client.
  12. Select Test connection. If the connection was successful, a message saying Connection test successful will appear.
    NOTE
    The test will check both the Auth API and the OIDC connection, so both will have to be correctly configured. Any error message will indicate which part of the configuration was incorrect.
  13. Click Save.

To add Duo Security to your policy

  1. Select Authentication for O365 in the left sidebar navigation, then select Configure in the Policies section.
  2. Drag Duo Security from the Unselected Identity Services section to the Selected Identity Services section, and configure Weight, Required and Protected settings.
  3. Select Save.

Using Duo Security with Quick Verification


Quick Verification can only be used with Auth API. Note that when the Auto-enroll users in Specops Authentication setting is set to No, you can not use Quick Verification (or Advanced Verification) for users who have not enrolled with Duo Security.

NOTE
Customers using Web SDK to configure Duo Security are not able to use Duo Security for Quick Verification. It will only be available as an Advanced Verification.

Duo Security Authentication for Windows Login


The Specops Authentication Client enhances the Windows logon experience by wrapping the built-in Windows credential provider (the component that replaced GINA from Windows Vista onwards). This includes allowing users to reset their passwords from the logon screen, as well as enhancing the feedback users receive when changing their password via CTRL+ALT+DEL. The Specops Authentication Client can also wrap third-party credential providers, as long as the credential provider supports being wrapped. Certain credential providers, such as Duo Security's Authentication for Windows Logon, require additional configuration to allow the Specops Authentication Client to wrap them.

  1. Set a registry value on the Duo Security client in order to allow wrapping by the Specops Authentication Client. On a machine with the Duo Security client installed, create or update the following registry value:
    • Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv
    • Value name: ProvidersWhitelist
    • Value type: REG_MULTI_SZ
    • Value data: enter (or add) the following two GUIDs on separate lines — these are the GUIDs that identify the Specops Authentication client:
      {00002ba3-bcc4-4c7d-aec7-363f164fd178}
      {4834dbc7-4a06-424d-a67f-20ddebcf08e1}
  2. Next, use the Specops Authentication ADMX Template to specify that the Duo Security credential provider should be wrapped. Under Specops Authentication Client/Enhance Windows logon and password change, set GUID of credential provider to wrap to the GUID of the Duo Security credential provider, including the curly brackets: {44E2ED41-48C7-4712-A3C3-250C5E6D5D84}. Note that the Specops Authentication Client, the ADMX templates, and instructions for installing both can be found here.
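The two steps above as an added PowerShell example; this is not Specops or Duo code. It merges the two Specops GUIDs into Duo's ProvidersWhitelist without discarding entries that may already be there, reads the value back to verify the write, and confirms that the Duo provider GUID from step 2 is actually registered as a credential provider on the machine before you paste it into the ADMX setting. The ADMX setting itself is delivered by Group Policy and is not scripted here. The function names are the example's own; the key paths and GUIDs are those given above, plus the standard Windows Credential Providers registration key under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication.

```powershell
# Added example (not Specops' or Duo's own code). Run in an elevated PowerShell
# session on a workstation that has Duo Authentication for Windows Logon installed.

$DuoCredProvKey        = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'
$CredProvRegistrations = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

# GUIDs from the section above.
$SpecopsClientGuids = @(
    '{00002ba3-bcc4-4c7d-aec7-363f164fd178}',
    '{4834dbc7-4a06-424d-a67f-20ddebcf08e1}'
)
$DuoProviderGuid = '{44E2ED41-48C7-4712-A3C3-250C5E6D5D84}'

function Add-DuoProvidersWhitelistEntry {
    <# Adds the given GUIDs to the REG_MULTI_SZ ProvidersWhitelist, keeping any
       existing entries, and returns the value as it reads back from the registry. #>
    param(
        [Parameter(Mandatory)][string[]]$Guid,
        [string]$KeyPath = $DuoCredProvKey
    )

    if (-not (Test-Path -Path $KeyPath)) {
        throw "Registry key '$KeyPath' not found. Is Duo Authentication for Windows Logon installed?"
    }

    # A missing value is not an error: the key exists but the whitelist was never set.
    $existing = @()
    $current = Get-ItemProperty -Path $KeyPath -Name 'ProvidersWhitelist' -ErrorAction SilentlyContinue
    if ($null -ne $current) { $existing = @($current.ProvidersWhitelist) }

    # Merge, ignoring case and blank lines, and keep the original order so a diff stays readable.
    $merged = [System.Collections.Generic.List[string]]::new()
    foreach ($entry in @($existing) + @($Guid)) {
        $trimmed = "$entry".Trim()
        if ($trimmed -and ($merged -notcontains $trimmed)) { $merged.Add($trimmed) }
    }

    # New-ItemProperty -Force creates or overwrites the value with the correct type.
    New-ItemProperty -Path $KeyPath -Name 'ProvidersWhitelist' -PropertyType MultiString `
        -Value $merged.ToArray() -Force | Out-Null

    # Read back and verify rather than trusting the write.
    $after = @((Get-ItemProperty -Path $KeyPath -Name 'ProvidersWhitelist').ProvidersWhitelist)
    foreach ($g in $Guid) {
        if ($after -notcontains $g) { throw "Verification failed: $g is missing from ProvidersWhitelist." }
    }
    return $after
}

function Test-CredentialProviderRegistered {
    <# True if Windows has a credential provider registered under the given CLSID. Use it to
       confirm the Duo GUID on the target build before entering it in the ADMX setting. #>
    param([Parameter(Mandatory)][string]$Clsid)
    return (Test-Path -Path (Join-Path -Path $CredProvRegistrations -ChildPath $Clsid))
}

# --- Usage ---
$whitelist = Add-DuoProvidersWhitelistEntry -Guid $SpecopsClientGuids
Write-Host "ProvidersWhitelist now contains:`n  $($whitelist -join "`n  ")"

if (Test-CredentialProviderRegistered -Clsid $DuoProviderGuid) {
    Write-Host "Duo credential provider $DuoProviderGuid is registered; use this GUID in 'GUID of credential provider to wrap'."
} else {
    Write-Warning "No credential provider is registered as $DuoProviderGuid; check the Duo installation before configuring the ADMX setting."
}
```

Merging rather than overwriting matters because ProvidersWhitelist is a single multi-string value: if another product has already added its own provider GUID, a blind write would silently break that product's logon integration.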

Once the group policy has been applied to the affected computers, both Duo Security login functionality and Specops Authentication functionality for password change and password reset should work seamlessly together. For uReset customers, this means you can continue to use the Reset Password link at the logon screen just as you would on workstations without the Duo Security client. For Dynamic Feedback at Password Change (available to both uReset and Password Policy customers with Specops Authentication Client version 7.15 or later) the dynamic feedback will be displayed. Duo Security will prompt for MFA after the password change is submitted as it would normally.

NOTE
When using Duo Security as credential provider, Specops Authentication Client 7.17 or later is required.

Duo Security and RdpOnly

By default, Duo Security MFA is invoked for both console logins and remote sessions (RDP).

It is possible to configure the Duo Security second-factor prompt to be displayed only for RDP sessions by setting RdpOnly to 1, as described in Duo Security's documentation. If RdpOnly is set to 1, you must also configure the Specops ADMX setting Wrapping in console login sessions and set it to Disabled.

Enforce Network Level Authentication

Network Level Authentication (NLA) is already enforced in most organizations. Allowing RDP without NLA is considered insecure and should not be used: without NLA, the remote host creates a full logon session, including every credential provider on the logon screen, for a client that has not yet authenticated.

Using the Specops Authentication credential provider without enforcing NLA is not supported.
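An added PowerShell audit for the RDP-related requirements in the two sections above (RdpOnly and NLA); it is not Specops or Duo code. It reads the NLA state from the RDP-Tcp listener's UserAuthentication value (the value that the "Require user authentication for remote connections by using Network Level Authentication" policy sets), reads Duo's RdpOnly value, and reports what still has to be done by hand. Whether the Specops ADMX setting Wrapping in console login sessions is Disabled is not checked, because its registry location is not given on this page; the script only reminds you when RdpOnly makes that setting necessary. The function names are the example's own.

```powershell
# Added example (not Specops' or Duo's own code). Run elevated on the workstation being checked.

$RdpTcpKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$DuoCredProvKey = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'

function Get-RegistryDword {
    # Returns the DWORD value, or $null when the key or the value does not exist.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-DuoRdpPrerequisites {
    # UserAuthentication = 1 means the RDP-Tcp listener requires NLA; 0 lets an
    # unauthenticated client reach the full logon screen and every credential provider on it.
    $nla     = Get-RegistryDword -Path $RdpTcpKey -Name 'UserAuthentication'
    $rdpOnly = Get-RegistryDword -Path $DuoCredProvKey -Name 'RdpOnly'

    $findings = [System.Collections.Generic.List[string]]::new()
    if ($nla -ne 1) {
        $findings.Add('NLA is not enforced on RDP-Tcp; the Specops Authentication credential provider is not supported without NLA.')
    }
    if ($null -eq $rdpOnly) {
        $findings.Add('Duo RdpOnly is not set, so Duo prompts for both console and RDP logons (the default); no change to the Specops console-wrapping setting is required.')
    } elseif ($rdpOnly -eq 1) {
        $findings.Add('Duo RdpOnly=1: set the Specops ADMX setting "Wrapping in console login sessions" to Disabled.')
    }

    return [pscustomobject]@{
        NlaEnforced = ($nla -eq 1)
        DuoRdpOnly  = ($rdpOnly -eq 1)
        Findings    = $findings.ToArray()
    }
}

function Enable-RdpNla {
    # Writes the same value the NLA Group Policy writes. Applies to new RDP connections;
    # existing sessions are unaffected. Prefer the GPO where one exists so the value is not reverted.
    Set-ItemProperty -Path $RdpTcpKey -Name 'UserAuthentication' -Value 1 -Type DWord
}

# --- Usage ---
$state = Get-DuoRdpPrerequisites
$state | Format-List
if (-not $state.NlaEnforced) {
    Enable-RdpNla
    Write-Host "NLA enforced after change: $((Get-DuoRdpPrerequisites).NlaEnforced)"
}
```

Run the audit before rolling out the wrapping GPO: a machine that reports NlaEnforced = False is outside the supported configuration for the Specops credential provider regardless of how Duo is set up.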

NOTE
In instances where users log in or unlock with User must change password at next logon set, the Duo Security credential provider does not pre-populate the password entered at login/unlock on the next screen when performing the password change. This means that when the Specops RulesUI is displayed, the current password must be entered again.