Duo LDAP Proxy with MAVIS LDAP Client

Hi there

I am busy trialing duo for our environment but I am stuck in getting it to work and I am hoping someone can assist. I have followed the instructions to the letter however I am not able to get a successful auth from via the Duo LDAP proxy from my MAVIS LDAP client.

Everything is setup correctly, I have created the LDAP Proxy application in the Duo portal but when i try to auth I see the below error in the authproxy log file (using Duo on Windows Server 2012).

2021-09-21T09:48:30.332645+0200 [duoauthproxy.lib.log#info] [Request from x.x.x.x:55706] Failmode Secure - Denied Duo login on preauth failure
2021-09-21T09:48:30.332645+0200 [duoauthproxy.lib.http._■■■■■■■■■■■■■■■■■■■■#info] Stopping factory <_■■■■■■■■■■■■■■■■■■■■: b’https://■■■■■■■■■■■■■■■■■■■■■■■:443/rest/v1/preauth’>
2021-09-21T09:48:30.334678+0200 [duoauthproxy.lib.log#info] [Request from x.x.x.x:55706] Attempt to bindRequest multiple times in the same LDAP connection. Disconnecting.
2021-09-21T09:48:30.335646+0200 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x000000EDE50DB7C0>
2021-09-21T09:48:30.427646+0200 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x000000EDE50C5A30>
2021-09-21T09:48:30.430658+0200 [duoauthproxy.lib.log#info] [Request from x.x.x.x:55708] Primary bind exempted from 2FA
2021-09-21T09:48:30.443684+0200 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x000000EDE514DAC0>
2021-09-21T09:48:30.448645+0200 [duoauthproxy.lib.log#info] Got signature length 16
2021-09-21T09:48:30.450651+0200 [duoauthproxy.lib.log#info] Got signature length 16
2021-09-21T09:48:30.450651+0200 [duoauthproxy.lib.log#info] http POST to https://■■■■■■■■■■■■■■■■■■■■■■■:443/rest/v1/preauth
2021-09-21T09:48:30.453648+0200 [duoauthproxy.lib.http._■■■■■■■■■■■■■■■■■■■■#info] Starting factory <_■■■■■■■■■■■■■■■■■■■■: b’https://■■■■■■■■■■■■■■■■■■■■■■■:443/rest/v1/preauth’>
2021-09-21T09:48:30.454645+0200 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x000000EDE514DAC0>
2021-09-21T09:48:31.074348+0200 [duoauthproxy.lib.log#critical] Duo auth failed
Traceback (most recent call last):
File “twisted\internet\defer.pyc”, line 654, in _runCallbacks

  File "twisted\internet\defer.pyc", line 1475, in gotResult
    
  File "twisted\internet\defer.pyc", line 1416, in _inlineCallbacks
    
  File "twisted\python\failure.pyc", line 512, in throwExceptionIntoGenerator
    
--- <exception caught here> ---
  File "duoauthproxy\modules\ldap_server_auto.pyc", line 571, in duo_auth
    
  File "twisted\internet\defer.pyc", line 1416, in _inlineCallbacks
    
  File "twisted\python\failure.pyc", line 512, in throwExceptionIntoGenerator
    
  File "duoauthproxy\lib\duo_api\auth_client.pyc", line 76, in preauth
    
  File "twisted\internet\defer.pyc", line 1418, in _inlineCallbacks
    
  File "duoauthproxy\lib\duo_api\base_client.pyc", line 137, in call
    
  File "duoauthproxy\lib\duo_api\base_client.pyc", line 179, in _parse_response
    
duoauthproxy.lib.duo_api.duo_api_errors.■■■■■■■■■■■■■■■■■■■■r: API request failed: HTTP Error 406

2021-09-21T09:48:31.077334+0200 [duoauthproxy.lib.log#info] [Request from 192.168.119.113:55708] Failmode Secure - Denied Duo login on preauth failure
2021-09-21T09:48:31.077334+0200 [duoauthproxy.lib.http._■■■■■■■■■■■■■■■■■■■■#info] Stopping factory <_■■■■■■■■■■■■■■■■■■■■: b’https://■■■■■■■■■■■■■■■■■■■■■■■:443/rest/v1/preauth’>
2021-09-21T09:48:31.079308+0200 [duoauthproxy.lib.log#info] [Request from x.x.x.x:55708] Attempt to bindRequest multiple times in the same LDAP connection. Disconnecting.
2021-09-21T09:48:31.080333+0200 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x000000EDE50C5A30>

I have checked connectivity to Duo cloud and all is good. I can open https://■■■■■■■■■■■■■■■■■■■■■■■:443 in the browser from the server and it goes to the Duo site.

Anyone that can assist with this error?

There are some suggestions you can try in this Duo knowledge base article. Try them from the Windows server where you installed the Duo Authentication Proxy.

Do you have SSL inspection or an outbound HTTP proxy, or anything else between your Duo proxy server and egress from your network that might interfere with or alter the outbound request?

Hi Kristina,

I do not have any proxy that would interfere with the outbound connection from this server.

I tried the steps in the article you linked and everything works as it does on the URL’s it asked me to test. No issues with connectivity.

That’s an uncommon exception among Authentication Proxy issues. You’re positive there is nothing that could be interfering with the request or response? Does your ISP or firewall do any kind of request filtering?

I suggest you contact Duo Support, or if you are working with someone from Duo Sales during your trial loop them in and they can connect you with a solutions engineer. I think your issue would benefit from 1:1 troubleshooting where someone from Duo examines your configuration, perhaps looks at packet captures, and other steps not possible in this community forum.

1 Like