Duo Authentication Proxy version 5.0.0 released with support for LDAP Signing for specific authentication types


We are happy to announce that version 5.0.0 of the Duo Authentication Proxy has been released, with support for LDAP Signing plus LDAP Encryption (also known as “Sign and Seal”) for the ntlm2 and sspi authentication types using CLEAR transport.

First, please note that the Authentication Proxy binaries for Windows have been migrated from 32-bit to 64-bit. Duo supports installing the Authentication Proxy on Windows Server 2012 and later, which are 64-bit operating systems.

The installation file path has been changed accordingly:

Old path: C:\Program Files (x86)\Duo Security Authentication Proxy
New path: C:\Program Files\Duo Security Authentication Proxy

If your authproxy.cfg file contains any references to the 32-bit installation path, for example, if you specified the absolute path to your SSL certificate file, the v5.0.0 installer updates those references to the new installation destination.

This change has no effect on Authentication Proxy releases for Linux.

Here are the details on version 5.0.0:

  • Primary LDAP authentication with [ad_client] now supports integrated Windows authentication via SSPI using both NTLMv2 and Kerberos with the auth_type=sspi option.
  • Primary LDAP authentication with [ad_client] now supports LDAP Signing plus LDAP Encryption (also known as “Sign and Seal”) for the ntlm2 and sspi authentication types when using CLEAR transport.
  • Extends LDAP channel binding support to NTLMv2 authentication.
  • LDAP anonymous bind identification now conforms with LDAP RFC 4513.
  • Now supports LDAP binds using samAccountName and Common Name CN style usernames, including for exempt_ou username to Distinguished Name DN match.
  • The connectivity tool issues a warning when the [ad_client] authentication type is sspi (Windows integrated) and LDAP account username/password are also provided.
  • Now consistently respects the order of the factors specified via the factors optional setting for [radius_server_auto] and [ldap_server_auto].
  • RADIUS authentication now handles MPPE responses properly per RFC 2548.
  • RADIUS authenticator and Message-Authenticator verification succeeds when a packet includes multiple non-adjacent attributes of the same type.
  • Fixed an issue where incorrectly encoding attributes in RADIUS packets may have resulted in the Authentication Proxy failing to process further RADIUS packets, causing a Denial of Service (DoS) condition.
  • Logging enhancements.

You can download the latest version from the Checksums and Downloads page. Please refer to our documentation for upgrade instructions.