Duo AuthProxy.cnf - what permissions are needed for ad_client ServiceAccountUsername?

We have Duo Authentication Proxy set up on our DC to provide 2FA to users for our VPN logins. We had been using the Domain Admin as the ‘service_account_username’ in the [ad_client] section. Of course, we want to get away from that.

Since gMSA accounts aren’t supported in the ad_client section, I created a regular domain user (DuoAuthUser) for that login. But when I put DuoAuthUser there with its password (and encrypt the file, of course), our employees’ VPN logins are rejected. If I make DuoAuthUser a member of Domain Admins, employees can log in to the VPN.

The AuthProxy reference says that service_account_username should be “The username of an account that has permission to read from your Active Directory database. We recommend creating a service account that has read-only access.”

Shouldn’t a regular domain user have enough read permissions over AD to work here? Or are additional permissions needed?

Yes, generally speaking a regular domain user should have read permissions over other users sufficient for the Authentication Proxy’s user lookups. I’ve tested the proxy extensively with ad_client and AD directory sync using an AD account that is not a Domain Admin.

You may have delegation restrictions in your domain preventing this. Some good tests would be to do something like run PowerShell as your unprivileged service account and try to use Get-ADUser from the ActiveDirectory PS module to get information about another user, or to run ldp.exe and bind as your unprivileged service account and see if it can retrieve info for other AD users via search.

Thank you so much for the guidance. I verified that the regular domain user I created is able to read other Domain Users from the domain. But the list I’m verifying from is in a Security Group. I gave the user Read permissions on that security group. But the user still isn’t able to enumerate a list of users in that security group.

(In LDP, if I change the scope to SubTree, the users belonging to the Security Group do show up in a section under the Security Group called ‘member’. But that doesn’t seem to be enough to allow it to authenticate for Duo.)

Do I need to move the users from a Security Group to just a regular Users group? (This group is used only to permit VPN access; it isn’t used for anything else in the domain.)

I looked more closely at our AD OUs. I guess they are all Security Groups, whether they are in the Security Group OU or in the Users OU.

I’ll look more into the delegation restrictions in the domain.

the list I’m verifying from is in a Security Group

Do you mean that you specified some AD security group in the ad_client section of your authproxy.cfg file with the security_group_dn or ldap_filter options?

If so, does it function with the unprivileged account but without that group filter in place?

This article has some tips for the service account delegations. Did you note if in LDP the service account was able to return values for memberOf for a user in that group, or to return the objectSID for the group?
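The two checks suggested in this thread (a user lookup as the unprivileged account, and reading memberOf on the user plus objectSid and member on the group) can be scripted so they are repeatable. The following PowerShell is an added example and is not Duo's code or anything posted in the thread. It binds to the domain controller with the service account's own credentials, which is the same kind of simple bind ldp.exe performs, so it exercises the service account's permissions rather than those of whoever runs the script. The DC hostname, base DN, account name, test user and group DN are placeholders to be replaced; the final filter is only one plausible shape of a group-restricted lookup, not the exact query the Authentication Proxy issues.

```powershell
# Added example (not from the original thread or from Duo): verify, as the
# unprivileged Duo service account, that the attributes a group-filtered user
# lookup depends on are actually readable. All names below are assumptions.
$Server   = "dc01.corp.example"                   # assumed DC hostname
$BaseDN   = "DC=corp,DC=example"                  # assumed domain root
$SvcCred  = Get-Credential -UserName "CORP\DuoAuthUser" -Message "Service account password"
$TestUser = "jsmith"                              # assumed sAMAccountName of a VPN user
$GroupDN  = "CN=VPN Users,OU=Groups,$BaseDN"      # assumed security_group_dn value

# Bind with the service account's credentials (a simple bind, as in ldp.exe),
# so every search below runs with that account's effective permissions.
$plain = $SvcCred.GetNetworkCredential().Password
$root  = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$Server/$BaseDN", $SvcCred.UserName, $plain,
    [System.DirectoryServices.AuthenticationTypes]::Secure)

function Search-AsServiceAccount {
    # Subtree search from the domain root, returning only the first match.
    param([string]$Filter, [string[]]$Attrs)
    $s = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    $s.SearchScope = "Subtree"
    $Attrs | ForEach-Object { [void]$s.PropertiesToLoad.Add($_) }
    $s.FindOne()
}

# 1. Can the account read the user object, and does memberOf come back populated?
#    An empty memberOf here, while the user is in the group, points at a missing
#    read permission on that attribute rather than at the proxy config.
$u = Search-AsServiceAccount "(&(objectClass=user)(sAMAccountName=$TestUser))" @("distinguishedName", "memberOf")
if (-not $u) { Write-Warning "User $TestUser is not readable by the service account"; return }
"memberOf for ${TestUser}:"
$u.Properties["memberof"]

# 2. Can the account read the group's objectSid and its member attribute?
$g = Search-AsServiceAccount "(distinguishedName=$GroupDN)" @("objectSid", "member")
if (-not $g) {
    Write-Warning "Group $GroupDN is not readable by the service account"
} else {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($g.Properties["objectsid"][0], 0)
    "Group SID: $sid"
    "Readable member count: $($g.Properties['member'].Count)"
}

# 3. Does a user lookup restricted to the group succeed? (Assumed filter shape;
#    a DN containing '(' ')' '*' or '\' would need LDAP filter escaping first.)
$f = "(&(objectClass=user)(sAMAccountName=$TestUser)(memberOf=$GroupDN))"
if (Search-AsServiceAccount $f @("distinguishedName")) {
    "OK: $TestUser is visible to the service account as a member of $GroupDN"
} else {
    Write-Warning "Group-restricted lookup returned nothing: check that the service account can read memberOf on the user and member on the group"
}
```

If step 1 returns the user but step 3 returns nothing, the account can see user objects but not the membership link, which matches the symptom described earlier in the thread; if step 1 itself fails, the problem is broader than the group and a plain user lookup without any group filter would also fail.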

Thank you!! The article you pointed me to fixed the issue. It was a read-privilege error.

Now it works perfectly. Thank you so much!
