Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1098
Views
0
Helpful
1
Replies

Duo MFA with Windows UAC

rswitt
Level 1
Level 1

‎08-19-2022 08:23 AM

I’m attempting to setup our domain joined Windows clients to require DUO MFA whenever the user needs admin right, i.e., at a UAC prompt. I have modified policy to require the user enter credentials at the UAC prompt even if they are admins, which does trigger MFA.

My issue is that I always get the error “Access is not allowed because you are not enrolled in duo”. Apparently the logs show that Windows/Duo is sending the user to duo as “domain\user” instead of “user@domain”. How do I get the “Duo Authentication for Windows Logon” application to send the username in the correct format?

Labels:
0 Helpful
1 Reply 1

DuoPablo
Cisco Employee
Cisco Employee

‎09-02-2022 01:08 PM

Hi @rswitt ,

If you wish to send the username to Duo as the UPN (user@domain.com), then you can configure this in the registry settings of the Duo for Winlogon client under HKLM\SOFTWARE\Duo Security\DuoCredProv (taken from this KB):

Setting Description Default
UsernameFormatForService The username format sent to Duo. One of: 0 for sAMAccountName (narroway), 1 for the NTLM domain and username (ACME\narroway), or 2 for the userPrincipalName (narroway@acme.corp). 1

Also, ensure that Username Normalization is set to “None” in the application via Duo Admin Panel: Duo Administration - Protecting Applications | Duo Security

Hope this helps!

0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents