I’ve been in the process of running a proof-of-concept of Duo for a potential largish-scale implementation across our Enterprise. We’re currently syncing with Azure Active Directory, as this hits a few sweet spots for us, but I’ve run into a bit of a speed bump where this directory sync is concerned. Namely, Azure AD sync with Duo will only bring over our UPNs.
We’re a bit unique in that our UPNs (“simplified”) do not equal our SAM/NTLM account usernames. By and large this isn’t a big deal; most of our solutions use UPN without any difficulty.
However, with Remote Desktop Gateway we’ve hit a snag. After enabling debug mode in the Duo Remote Desktop Gateway application, I can see that even though we provide our UPN to RDG for authentication, the Duo Remote Desktop Gateway application log only sees an authentication request using our NTLM usernames, so naturally we get a “user must register” error because it doesn’t recognize the non-UPN username.
I realize this is probably something that RDG is doing behind the scenes, but I can’t for the life of me think of where I could go to fix this. At this point it seems our only recourse is to use Local AD Sync and retest everything on SAM/NTLM usernames.
Has anyone encountered this before? Is there something easy I’m missing somewhere?
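One check worth running before deciding between Azure AD sync and Local AD sync is how many accounts are actually affected by the UPN-prefix versus sAMAccountName mismatch described above. The script below is an added example, not code from the original post or from Duo; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the account running it can read user objects. The comparison is case-insensitive, matching how the NTLM username in the RDG log would be compared to a Duo username.

```powershell
# Added example: list AD users whose UPN prefix does not match their
# sAMAccountName, i.e. the accounts that RDG would present to Duo under a
# name that an Azure AD (UPN-only) directory sync never imported.
# Assumes the ActiveDirectory module (RSAT) and read access to user objects.
Import-Module ActiveDirectory

function Get-UpnSamMismatch {
    param(
        # Optional search base; defaults to the whole domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
        -Properties UserPrincipalName, SamAccountName |
        ForEach-Object {
            # Accounts with no UPN at all cannot be matched by a UPN-only sync either.
            $upnPrefix = if ($_.UserPrincipalName) {
                ($_.UserPrincipalName -split '@', 2)[0]
            } else { '' }

            # -ne on strings is case-insensitive in PowerShell, which is the
            # comparison we want for NTLM-style names.
            if ($upnPrefix -ne $_.SamAccountName) {
                [pscustomobject]@{
                    SamAccountName    = $_.SamAccountName
                    UserPrincipalName = $_.UserPrincipalName
                    UpnPrefix         = $upnPrefix
                }
            }
        }
}

# Usage: summarise the scope of the problem, then export the detail.
$mismatched = Get-UpnSamMismatch
"{0} enabled users have a UPN prefix that differs from sAMAccountName" -f $mismatched.Count
$mismatched | Export-Csv -NoTypeInformation -Path .\upn-sam-mismatch.csv
```

If the count is small, the CSV is the list of accounts to enrol under their NTLM name (or to fix up) before the RDG rollout; if it is most of the directory, it confirms that a sync keyed on sAMAccountName is the only option that will match what RDG actually sends.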