Duo RDP: one Duo account for multiple Windows domains


#1

Good morning everyone!

I’m deploying Duo RDP to protect some of our servers. We have servers in multiple domains, but user accounts share the same username (e.g. MYCOMPANY\johndoe, MYCOMPANYTEST\johndoe, MYCOMPANYEXT\johndoe) etc. I was hoping to set UPN suffixes for johndoe accounts across the domains to the same value (e.g. johndoe@corp.mycompany.com) and use only one Duo account to manage all servers.

However, it appears that Duo RDP software doesn’t use UPN and automatically prepends the NetBIOS domain name to the username, so requests to the API look like “POST ■■■■■■■■■■■■■■■■■■■■■■■■■:443/auth/v2/preauth?ipaddr=127.0.0.1&username=MYCOMPANYTEST\johndoe”. Naturally, if my Duo username is MYCOMPANY\johndoe, this will fail due to username mismatch as I’m trying to log into the TEST domain.

My question is – is there a way to modify this and make it submit UPN name or just username? Alternatively - can we assign an alias or a secondary username to a Duo account? Would you suggest another approach to using one Duo account to manage servers in multiple domains?

Thank you very much for your input!


#2

Egor,

Currently the Duo Authentication for Windows Logon application sends the username to Duo as the sAMAccountName only. We plan to make the username formation configurable in the near future, but in the meantime you can enable Simple Username Normalization for your RDP application so that the Windows usernames “MYCOMPANY\johndoe”, “MYCOMPANYTEST\johndoe”, “MYCOMPANYEXT\johndoe” can all authenticate to a single “johndoe” Duo user.

Thanks for using Duo!
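The mapping the reply describes, as an added illustration that is not Duo's own code: a small Python model of how the Windows usernames from post #1 resolve to a Duo user with and without Simple Username Normalization. The stripping rule (drop a leading `DOMAIN\` prefix and a trailing `@suffix`), the `lookup_duo_user` helper and the sample Duo user list are assumptions made for this example.

```python
"""Model of username formation for Duo Windows Logon with and without
"Simple Username Normalization". Illustration only, not Duo's code."""

from typing import Optional


def normalize_simple(username: str) -> str:
    """Assumed normalization rule: strip a NetBIOS prefix (DOMAIN\\user)
    and/or a UPN-style suffix (user@domain), leaving the bare username."""
    name = username
    if "\\" in name:
        # "MYCOMPANYTEST\\johndoe" -> "johndoe" (split on the first backslash)
        name = name.split("\\", 1)[1]
    if "@" in name:
        # "johndoe@corp.mycompany.com" -> "johndoe"
        name = name.split("@", 1)[0]
    return name


def duo_username(windows_username: str, simple_normalization: bool) -> str:
    """Username as it would be sent in the preauth request: verbatim when
    normalization is off, stripped of prefix/suffix when it is on."""
    if simple_normalization:
        return normalize_simple(windows_username)
    return windows_username


# Constructed sample: the single Duo account the poster wants to keep.
DUO_USERS = {"johndoe"}


def lookup_duo_user(windows_username: str, simple_normalization: bool) -> Optional[str]:
    """Return the matching Duo username, or None when the submitted name
    does not match any enrolled user (the mismatch seen in post #1)."""
    candidate = duo_username(windows_username, simple_normalization)
    return candidate if candidate in DUO_USERS else None


def resolve_all(windows_usernames, simple_normalization: bool) -> dict:
    """Map each Windows login name to the Duo user it resolves to (or None)."""
    return {u: lookup_duo_user(u, simple_normalization) for u in windows_usernames}


if __name__ == "__main__":
    logins = ["MYCOMPANY\\johndoe", "MYCOMPANYTEST\\johndoe", "MYCOMPANYEXT\\johndoe"]
    print("normalization off:", resolve_all(logins, simple_normalization=False))
    print("normalization on: ", resolve_all(logins, simple_normalization=True))
```

With normalization off, every domain-qualified name misses the single `johndoe` Duo user; with it on, all three domains' logins resolve to that one account, which is the behaviour the reply points to.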


#3

That’s exactly what I was looking for! Thank you!!