2012R2 Remote Desktop Gateway w/Duo trying to use UPN



I’ve been in the process of a proof-of-concept of Duo for a potential large’ish-scale implementation across our Enterprise. We’re currently syncing with Azure Active Directory as this hits a few sweet spots for us but I’ve ran into a bit of a speed bump where this directory sync is concerned. Namely Azure AD sync with Duo will only bring over our UPNs.

We’re a bit unique in that our UPNs “simplified” does not equal our SAM/NTLM account usernames. By and large this isn’t a big deal-- most of our solutions use UPN without any difficulty.

However with Remote Desktop Gateway we’ve hit a snag. After enabling debug mode in the Duo Remote Desktop Gateway application I can see even though we provide our UPN to RDG for authentication, the Duo Remote Desktop Gateway application log can only see an authentication request using our NTLM usernames-- which naturally we get “user must register” error thrown because it doesn’t recognize the username being non-UPN.

I realize this is probably something that RDG is doing behind the scenes, but I can’t for the life of me think of where I could go to to fix this. At this point it seems our only recourse is to use Local AD Sync and retest everything on SAM/NTLM usernames.

Has anyone encountered this before? Is there something easy I’m missing somewhere?


You’re correct. The Duo RD Gateway application must use the sAMAccountName as the Duo username. This is not a configurable option.

If your Azure UPNs matched your sAMAccountNames, then you could continue to use Azure sync with the “Normalize usernames” option enabled. Since yours don’t match, your “best” option moving forward is AD syncing using the default Username attribute (sAMAccountName) as you mentioned (I’m assuming that changing your user’s SAM names to match UPN is a non-starter).

Feel free to contact Duo Support or your SE/CSM to submit a feature request for alternate username support in the Duo RDG application.


Thanks for the fast reply, DuoKristina! The sanity check on this was welcome-- I’d been fighting it the last few days.

You’re correct, matching the SAM to match UPN is a non-starter as this point.

We’ll explore doing a local AD sync to Duo and re-testing everything using SAM.