Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2400
Views
0
Helpful
3
Replies

Duo Authentication Proxy gMSA

Semicolon
Level 1
Level 1

‎08-20-2019 09:50 AM

I have followed the steps in the linked article What is the least-privileged Duo Authentication Proxy Windows service account configuration to setup a Group Managed Service Account (gMSA). I have used Group Policy to configure 1) the security on the Registry Key, 2) the Log on as a service user right, and 3) the security on the log directory.

This setup works fine – as long as I specify a service account username and password in the authproxy.cfg file (of course, I have to use a different account here, as the gMSA password is generally considered unknown to humans).

Anyway, the linked article states “[i]f you’ll be running Active Directory synchronization through this Authentication proxy server using ‘Integrated’ authentication, then the account used to start the service must be a domain account with the right to perform LDAP queries against an AD domain controller.” This to me seems to imply that the LDAP connection would be initiated by the account that is running the service. However, I don’t see where I can specify an authentication type of integrated. Essentially, I don’t want to know the password, I don’t want the password stored in clear text, I don’t want the password stored in encrypted text. I want the service – running under a specified service account – to perform an LDAP bind/query using the credentials of the account that is running the service.

I could settle for using a regular user account (albeit annoying, both because I have to allocate a user license and manage another password), as long as I didn’t have to specify the username and password (in any form) in the config file.

What am I missing?


Related: this prior question, though it referrs to them as “(global) Managed Service Accounts,” does not quite contain the same detail, and has zero repiles.

0 Helpful
3 Replies 3

DuoKristina
Cisco Employee
Cisco Employee

‎08-30-2019 07:42 AM

Hi @Semicolon,

It’s unclear if you are configuring Duo AD Sync, or if you are configuring 2FA for application logins through LDAP. The 3456 article is referring to the least privileges to run the proxy service, not to authenticate through it (and then goes on to reference the AD sync use case, but still isn’t talking about user authentication).

If you are setting up AD sync, when you use the Integrated authentication option the Authentication Proxy uses the machine domain account (if the Duo service is running as Local System) or as a specified domain account (if you change the service to run as that account). If the service is running as the gMSA account, then no additional configuration should be needed for the sync to run, other that populating the [cloud] section in your authproxy.cfg file with the information from the AD Sync directory details in the Duo Admin Panel.

The Duo Authentication proxy doesn’t support gMSA accounts for [ad_client] LDAP simple binds today. If you are deploying LDAP 2FA (so you have [ad_client] and [ldap_server_auto] sections in your authproxy.cfg) then I’m afraid you’ll have to settle for an account with a known password, which you can encrypt in the proxy config (it sounds like you are already aware of this).

The service account used by the Duo proxy to perform the LDAP search for the user logging in does not need to be licensed in Duo. By default the Authentication Proxy doesn’t require 2FA for the first bind in a connection. This is to support systems that bind as a service account, search for the user account, and then bind as the user.

If you find that the initial bind as the service account is requiring Duo 2FA, then your system may connect and bind as the service account and perform the LDAP search for the user, then disconnect, then connect again to bind as the end user.

Please take a look at the exempt_primary_bind and exempt_ou_1 options on this page and try setting exempt_primary_bind=false and exempt_ou_1=the DN of the AD lookup service account. With this configuration the bind from the AD service account won’t require 2FA, and therefore won’t need to exist as a Duo licensed user with bypass status. All other account binds will require 2FA.

You can contact Duo Support to submit a feature request for managed account support for LDAP Auto in the Authentication Proxy.

Duo, not DUO.
0 Helpful

rsegrin
Level 1
Level 1
In response to DuoKristina

‎07-13-2021 07:07 AM

Sorry for reviving an old thread, but 2 years later, is it still not possible to use MSA or gMSA for DUO Auth Proxy servers?
We are trying to get away from AD Service Accounts as a whole, as it’s just another account to manage changing a password every 90 days for and also a security vulnerability having a password in clear text (understanding you can encrypt the text file).

0 Helpful

DuoKristina
Cisco Employee
Cisco Employee
In response to rsegrin

‎07-13-2021 07:58 AM

It’s true that the Authentication Proxy still doesn’t support MSA/gMSA for the ad_client service account, but if your proxy server is domain-joined you can specify auth_type=sspi to have it use integrated Windows authentication e.g. the context of whatever account runs the Duo Authentication Proxy service (the machine account if LocalSystem runs the service, or a designated user account that could be an MSA).

Learn more about the different supported auth types here and this article details some requirements for AD user accounts that run the proxy service.

Duo, not DUO.
0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents