Duo Authentication Proxy gMSA

I have followed the steps in the linked article What is the least-privileged Duo Authentication Proxy Windows service account configuration to setup a Group Managed Service Account (gMSA). I have used Group Policy to configure 1) the security on the Registry Key, 2) the Log on as a service user right, and 3) the security on the log directory.

This setup works fine – as long as I specify a service account username and password in the authproxy.cfg file (of course, I have to use a different account here, as the gMSA password is generally considered unknown to humans).

Anyway, the linked article states “[i]f you’ll be running Active Directory synchronization through this Authentication proxy server using ‘Integrated’ authentication, then the account used to start the service must be a domain account with the right to perform LDAP queries against an AD domain controller.” This to me seems to imply that the LDAP connection would be initiated by the account that is running the service. However, I don’t see where I can specify an authentication type of integrated. Essentially, I don’t want to know the password, I don’t want the password stored in clear text, I don’t want the password stored in encrypted text. I want the service – running under a specified service account – to perform an LDAP bind/query using the credentials of the account that is running the service.

I could settle for using a regular user account (albeit annoying, both because I have to allocate a user license and manage another password), as long as I didn’t have to specify the username and password (in any form) in the config file.

What am I missing?


Related: this prior question, though it refers to them as “(global) Managed Service Accounts,” does not quite contain the same detail, and has zero replies.

Hi @Semicolon,

It’s unclear if you are configuring Duo AD Sync, or if you are configuring 2FA for application logins through LDAP. The 3456 article is referring to the least privileges to run the proxy service, not to authenticate through it (and then goes on to reference the AD sync use case, but still isn’t talking about user authentication).

If you are setting up AD sync, when you use the Integrated authentication option the Authentication Proxy uses the machine domain account (if the Duo service is running as Local System) or as a specified domain account (if you change the service to run as that account). If the service is running as the gMSA account, then no additional configuration should be needed for the sync to run, other than populating the [cloud] section in your authproxy.cfg file with the information from the AD Sync directory details in the Duo Admin Panel.

The Duo Authentication proxy doesn’t support gMSA accounts for [ad_client] LDAP simple binds today. If you are deploying LDAP 2FA (so you have [ad_client] and [ldap_server_auto] sections in your authproxy.cfg) then I’m afraid you’ll have to settle for an account with a known password, which you can encrypt in the proxy config (it sounds like you are already aware of this).

The service account used by the Duo proxy to perform the LDAP search for the user logging in does not need to be licensed in Duo. By default the Authentication Proxy doesn’t require 2FA for the first bind in a connection. This is to support systems that bind as a service account, search for the user account, and then bind as the user.

If you find that the initial bind as the service account is requiring Duo 2FA, then your system may connect and bind as the service account and perform the LDAP search for the user, then disconnect, then connect again to bind as the end user.

Please take a look at the exempt_primary_bind and exempt_ou_1 options on this page and try setting exempt_primary_bind=false and exempt_ou_1=the DN of the AD lookup service account. With this configuration the bind from the AD service account won’t require 2FA, and therefore won’t need to exist as a Duo licensed user with bypass status. All other account binds will require 2FA.

You can contact Duo Support to submit a feature request for managed account support for LDAP Auto in the Authentication Proxy.
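To make the two configurations described in the reply above concrete, here is an added authproxy.cfg sketch (not taken from the original thread or from Duo's documentation) covering both cases: the AD Sync [cloud] section that works with a gMSA because the bind is made as the service logon account, and an LDAP 2FA [ad_client]/[ldap_server_auto] pair where the lookup account must have a known password. The hostnames, DNs, integration keys and API host are placeholders; the key name service_account_password_protected for the encrypted password form is my assumption about the proxy's naming, as the reply only says the password can be encrypted.

```ini
; ---- Case 1: AD Sync only, service running as the gMSA ----
; No username/password here: with Integrated authentication the proxy binds
; to AD as the account the Windows service runs under (the gMSA).
; ikey/skey/api_host come from the AD Sync directory details in the Admin Panel.
[cloud]
ikey=DIXXXXXXXXXXXXXXXXXX          ; placeholder
skey=<AD-sync-secret-key>          ; placeholder
api_host=api-XXXXXXXX.duosecurity.com

; ---- Case 2: LDAP 2FA for applications ----
; The lookup account needs a real password (gMSA not supported for this bind).
; Keep the account low-privilege: read access to the search base only.
[ad_client]
host=dc1.corp.example              ; placeholder DC
host_2=dc2.corp.example            ; placeholder DC
service_account_username=svc-duo-ldap
; Weak form, kept only to show what to replace:
; service_account_password=PlainTextSecret
; Encrypted form produced with the proxy's password tool (assumed key name):
service_account_password_protected=<output-of-encryption-tool>
search_dn=DC=corp,DC=example

[ldap_server_auto]
ikey=DIYYYYYYYYYYYYYYYYYY          ; placeholder
skey=<application-secret-key>      ; placeholder
api_host=api-XXXXXXXX.duosecurity.com
client=ad_client
failmode=secure                    ; deny primary-only logins if Duo is unreachable
; Default behaviour exempts whichever bind is first on a connection.
; Exempt only the named lookup account instead, so every other bind
; (including a first bind by an ordinary user) is challenged for 2FA.
exempt_primary_bind=false
exempt_ou_1=CN=svc-duo-ldap,OU=Service Accounts,DC=corp,DC=example
```

With exempt_primary_bind=false the exemption is tied to the DN in exempt_ou_1 rather than to bind order, so the lookup account never needs to exist in Duo as a bypass user, and an application that reconnects and binds as the end user on a fresh connection still gets the 2FA prompt.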