Duo MFA with Windows UAC

I’m attempting to set up our domain-joined Windows clients to require Duo MFA whenever the user needs admin rights, i.e., at a UAC prompt. I have modified policy to require the user to enter credentials at the UAC prompt even if they are admins, which does trigger MFA.

My issue is that I always get the error “Access is not allowed because you are not enrolled in duo”. Apparently the logs show that Windows/Duo is sending the user to duo as “domain\user” instead of “user@domain”. How do I get the “Duo Authentication for Windows Logon” application to send the username in the correct format?

Hi @rswitt ,

If you wish to send the username to Duo as the UPN (user@domain.com), then you can configure this in the registry settings of the Duo for Winlogon client under HKLM\SOFTWARE\Duo Security\DuoCredProv (taken from this KB):

Setting: UsernameFormatForService
Description: The username format sent to Duo. One of: 0 for sAMAccountName (narroway), 1 for the NTLM domain and username (ACME\narroway), or 2 for the userPrincipalName (narroway@acme.corp).
Default: 1

Also, ensure that Username Normalization is set to “None” in the application via Duo Admin Panel: Duo Administration - Protecting Applications | Duo Security

Hope this helps!
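As an added example (not part of the reply above, and not Duo's own tooling), the following PowerShell audits the UsernameFormatForService value under the registry key named in the reply and switches it to 2 (UPN) when it is not already set that way. It assumes only the key path, value name and value meanings given in the reply, and must run as Administrator on the client.

```powershell
# Added example: audit/correct the Duo for Windows Logon username format.
# Key path and value name are taken from the reply above; run elevated.
$KeyPath   = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'
$ValueName = 'UsernameFormatForService'
$Desired   = 2   # 2 = userPrincipalName (user@domain), per the reply

# Human-readable labels for the three documented values
$Formats = @{ 0 = 'sAMAccountName'; 1 = 'NTLM domain\username'; 2 = 'userPrincipalName' }

if (-not (Test-Path $KeyPath)) {
    # Key absent usually means Duo Authentication for Windows Logon is not installed
    Write-Error "Duo credential provider registry key not found: $KeyPath"
    return
}

$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($null -eq $current) {
    # Value not present: the client uses its documented default of 1 (domain\username)
    Write-Output "$ValueName not set; client default is 1 ($($Formats[1]))"
    $current = 1
} else {
    Write-Output "Current $ValueName = $current ($($Formats[[int]$current]))"
}

if ([int]$current -ne $Desired) {
    # The value is a DWORD; Set-ItemProperty creates it if it does not exist yet
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Desired -Type DWord
    $after = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
    Write-Output "Set $ValueName to $after ($($Formats[[int]$after]))"
} else {
    Write-Output 'Client already sends the UPN to Duo; no change made'
}

# Reminder (admin-panel side, cannot be set from the client): Username Normalization
# for the application in the Duo Admin Panel should be "None", as the reply notes.
```

For a fleet, the same DWORD can be pushed with Group Policy Preferences instead of running the script per machine; the Duo Admin Panel setting still has to be checked separately.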