Cannot communicate to duo authentication proxy server


#1

I am using DuoAuthProxy to communicate with the Duo service. I can install Duo Windows Login, but after that I cannot get access to the Duo service. When I try to log in to Windows it gives the message "There was an error communication with duo authentication server. Please try again.(12007)". Could someone please look into this?

duoauthproxy log shows:

2018-10-16T10:18:46+0500 [twisted.python.log#info] “192.168.x.xxx” - - [16/Oct/2018:05:18:45 +0000] “CONNECT https://settings-win.data.microsoft.com:443 HTTP/1.1” 403 83 “-” “-”
2018-10-16T10:18:46+0500 [ConnectProxy,29,192.168.x.xxx] Bad Proxy Request: Attempted connection creation to non-approved host: settings-win.data.microsoft.com
2018-10-16T10:18:58+0500 [twisted.python.log#info] “192.168.x.xxx” - - [16/Oct/2018:05:18:58 +0000] “CONNECT https://login.live.com:443 HTTP/1.1” 403 66 “-” “-”
2018-10-16T10:18:58+0500 [ConnectProxy,30,192.168.x.xxx] Bad Proxy Request: Attempted connection creation to non-approved host: login.live.com
2018-10-16T10:18:58+0500 [twisted.python.log#info] “192.168.x.xxx” - - [16/Oct/2018:05:18:58 +0000] “CONNECT https://login.live.com:443 HTTP/1.1” 403 66 “-” “-”
2018-10-16T10:18:58+0500 [ConnectProxy,31,192.168.x.xxx] Bad Proxy Request: Attempted connection creation to non-approved host: login.live.com
2018-10-16T10:19:21+0500 [twisted.python.log#info] “192.168.x.xxx” - - [16/Oct/2018:05:19:20 +0000] “CONNECT https://settings-win.data.microsoft.com:443 HTTP/1.1” 403 83 “-” “-”
2018-10-16T10:19:21+0500 [ConnectProxy,32,192.168.x.xxx] Bad Proxy Request: Attempted connection creation to non-approved host: settings-win.data.microsoft.com

duoauthproxy configuration:
[main]
debug=true
log_max_files=10
log_max_size=20971520

[duo_only_client]

[http_proxy]
api_host=■■■■
port=80
client_ip=192.168.xx.xxx


#2

Are you trying to install Duo for Windows Logon/RDP or a different integration that uses the Authentication Proxy? Duo for Windows Logon/RDP does not utilize the Authentication Proxy.

In any case, it might be best for you to reach out to Duo Support for assistance.


#3

Yes, I am trying Windows Logon/RDP. Is there any other way to configure Duo Windows Logon to connect to the Duo service if the PC where Duo Windows Logon/RDP is installed does not have internet access?


#4

Currently, Duo for Windows Logon/RDP will invoke failmode if it cannot contact the Duo service (for example, if the PC does not have internet access - see step 4 in the “Run the Installer” section of the documentation).

However, we are planning on releasing a new version of our Duo for Windows Logon integration that features offline access in the next few weeks.


#5

Hey there,

Duo for Windows Logon can use the Duo Authentication Proxy as an HTTP proxy for the connection to Duo, but the Duo Authentication proxy itself cannot also be using an HTTP proxy, and it can ONLY proxy the outbound connection to the duosecurity.com API host defined in the [http_proxy] section of authproxy.cfg.

The log output you posted looks like something is trying to use the Duo Authentication proxy to reach web sites other than the Duo API host. This is not permitted.

How did you configure the Duo proxy on the Windows client? You should have created a registry entry as described in Duo Authentication for Windows Logon and RDP: FAQ | Duo Security that points to the hostname or IP address of the Duo Authentication Proxy server.

Do not attempt to configure the Duo Authentication proxy server as a system proxy for the Windows client (like with netsh).
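
Added example, not part of the thread and not Duo's code: a small parser for the `ConnectProxy` rejection lines in the format posted in #1, grouping rejected hosts per client so an administrator can spot machines that are sending general web traffic through the Authentication Proxy. The sample log is constructed (documentation IP addresses), and the "two or more distinct hosts" threshold is an assumed heuristic.

```python
import re
from collections import Counter, defaultdict

# Matches the ConnectProxy rejection line format shown in the log excerpt in #1.
REJECT_RE = re.compile(
    r"^(?P<ts>\S+) \[ConnectProxy,\d+,(?P<client>[^\]]+)\] "
    r"Bad Proxy Request: Attempted connection creation to "
    r"non-approved host: (?P<host>\S+)$"
)

# Constructed sample log (not real data); the first line is an access-log
# entry that the parser must skip.
SAMPLE_LOG = """\
2018-10-16T10:18:46+0500 [twisted.python.log#info] "192.0.2.10" - - [16/Oct/2018:05:18:45 +0000] "CONNECT https://settings-win.data.microsoft.com:443 HTTP/1.1" 403 83 "-" "-"
2018-10-16T10:18:46+0500 [ConnectProxy,29,192.0.2.10] Bad Proxy Request: Attempted connection creation to non-approved host: settings-win.data.microsoft.com
2018-10-16T10:18:58+0500 [ConnectProxy,30,192.0.2.10] Bad Proxy Request: Attempted connection creation to non-approved host: login.live.com
2018-10-16T10:18:58+0500 [ConnectProxy,31,192.0.2.10] Bad Proxy Request: Attempted connection creation to non-approved host: login.live.com
2018-10-16T10:19:21+0500 [ConnectProxy,32,192.0.2.20] Bad Proxy Request: Attempted connection creation to non-approved host: LOGIN.LIVE.COM.
""".splitlines()


def summarize_rejections(lines):
    """Return {client_ip: Counter({host: count})} for rejected CONNECTs."""
    per_client = defaultdict(Counter)
    for line in lines:
        m = REJECT_RE.match(line.strip())
        if m:
            # Normalize case and a trailing dot so one host is counted once.
            host = m["host"].lower().rstrip(".")
            per_client[m["client"]][host] += 1
    return dict(per_client)


def likely_system_proxy_clients(summary, min_distinct_hosts=2):
    """Clients rejected for several different hosts are probably using the
    proxy as a system-wide proxy (assumed heuristic, tune as needed)."""
    return sorted(c for c, hosts in summary.items()
                  if len(hosts) >= min_distinct_hosts)


if __name__ == "__main__":
    summary = summarize_rejections(SAMPLE_LOG)
    for client, hosts in sorted(summary.items()):
        print(client, dict(hosts))
    print("check proxy settings on:", likely_system_proxy_clients(summary))
```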