Integrate Duo with VMware VCSA 6.5 (VMware vCenter Server Appliance)?


#1

Hello guys,

I am in a position where I am unable to find a solution to roll out Duo with VMware VCSA 6.5 (VMware vCenter Server Appliance). I called Duo Support and they provided me with two solutions, using LDAP proxy or RADIUS authentication. I reviewed the VMware documentation and found out that these two methods are not supported by VMware. https://pubs.vmware.com/vsphere-60/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-ACFFCBEC-6C1C-4BF9-9971-04AEE9362AFE.html

I am writing this post in the hope that anyone out there can shed some light on this problem. I am sure someone has already tried to implement Duo with their VMware environment. What is your solution, and how did you do it, please?

Thanks,
T.


#2

While you’re right that VMware removed support for other RADIUS two-factor providers in vSphere (gotta love corporate synergy), LDAP authentication is still supported.

With that said, we don’t recommend or support Duo MFA with vCenter SSO because we found that in some vCenter configurations it’s trivially easy to bypass two-factor.

Thanks for trying Duo!


#3

The vCenter SSO “Use Windows session authentication” does not apply to us because we use a different superadmin account with Domain Admins access to log in to vCenter instead of our regular login account.

I got the LDAP authentication working with Duo. However, I cannot get the Duo login screen to come up so that I can choose to “Send a Push, Call me, or Enter a passcode” or choose hardware tokens as the MFA method to log in. With that said, as soon as I enter my username and password and click login, I immediately get the Duo Push notification on my phone. It didn’t let me choose whether I can use my hardware token to log in. This will be an issue when we don’t have access to our phone or if the phone runs out of battery. Is there a way that I can get the Duo login screen to come up when using LDAP authentication, please?

Thanks,
T.


#4

Sorry, there is no way to show the interactive, browser-based Duo Prompt in your configuration. The [ldap_server_auto] configuration implies exactly that: it defaults to automatic Duo auth request during ldap auth.

You can find a full explanation of which Duo factor types may be used with the Authentication Proxy’s LDAP server config in our LDAP application documentation.


#5

Thanks Kristina. In that case, do we have a workaround for the situation when my phone battery is dead and I have the hardware token with me…?


#6

Excerpt from linked documentation (emphasis mine):

When you enter your username and password, you will receive an automatic push or phone callback. Alternatively you can add a comma (",") to the end of your password, followed by a Duo passcode.

So, use the token passcode as your Duo passcode.

It’s also a good idea to have more than one device enrolled in Duo as a backup, like a landline or Google Voice number. Then you’d specify the other phone with password,phone2.
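To make the convention quoted above concrete, here is an added example (my own code, not Duo's proxy source) that models how a password typed as password,passcode or password,phone2 would be separated into the primary password and the requested Duo factor. The rule that only the text after the last comma is inspected, and only when it looks like a factor keyword or a 6-8 digit passcode, is my assumption.

```python
import re

# Factor keywords Duo documents for the trailing-comma syntax (push, phone,
# sms, optionally followed by a device number such as phone2).
FACTOR_RE = re.compile(r"^(push|phone|sms)(\d*)$", re.IGNORECASE)
# Assumption: a hardware-token or app passcode is 6 to 8 digits.
PASSCODE_RE = re.compile(r"^\d{6,8}$")


def split_password_and_factor(typed):
    """Return (primary_password, factor) from what the user typed.

    Assumption (not taken from Duo's source): only the text after the LAST
    comma is examined, and only when it looks like a factor keyword or a
    passcode. Anything else is left in the password untouched and the
    factor falls back to "auto" (automatic push or phone callback), which
    is what [ldap_server_auto] does when nothing is appended.
    """
    head, sep, tail = typed.rpartition(",")
    if not sep:
        return typed, "auto"
    if PASSCODE_RE.match(tail):
        # Token passcode: the primary password is everything before the comma.
        return head, "passcode:" + tail
    if FACTOR_RE.match(tail):
        # Explicit factor such as push, phone or phone2 (a backup device).
        return head, tail.lower()
    # Trailing text is neither a factor nor a passcode: the comma belongs
    # to the password itself.
    return typed, "auto"
```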


#7

This alternative work-around works. Thanks!


#8

Can you comment more on the nature of the bypass ability/support for vCenter SSO, or is that a support-case type conversation? I don’t see a public KB/statement on the issues.


#9

  1. You configure LDAP auth with vCenter pointing to the Duo Authentication Proxy.
  2. Users on Windows workstations may use integrated/SSPI authentication to sign into vCenter (the “Use Windows session authentication” option TheZealous mentioned earlier in this thread).
  3. Integrated/SSPI logins aren’t using the vCenter’s Duo LDAP authenticator, so they don’t get 2FA.

This doesn’t apply if you’re in an environment where nobody can sign into vCenter with Windows pass-through creds.


#10

I’m trying to use Duo for vCenter as well. I understand the Use Windows Authentication issue; my plan is to disable that feature with the sso-config.sh option.

The issue I’m having is I can’t get LDAP to function correctly. I can get it to prompt me, but it keeps doing the binding login and the regular login as well, even if I specify the below for my domain.
exempt_primary_bind=false
exempt_ou_1=CN=ldaplookup,dc=acme,dc=org

If you were able to get this working for vCenter, what does your ldap_server section look like?


#11

It would look like that, but the service account username in vCenter must also be in DN format, not just the sAMAccountName or UPN.


#12

I do have the vCenter LDAP settings using a DN; however, it still keeps prompting me for Duo on the service account and then my account, and then back to the service account and then mine. It’s an endless loop; it never gets me in.

This is what I have for the ldap setting in the proxy; does this look correct? I’m using a weird port as I have a few LDAP servers set up with the proxy.

[ldap_server_auto2]
client=ad_client
ikey=###
skey=###
■■■■
exempt_primary_bind=false
exempt_ou_1=CN=USER,CN=Users,DC=DOMAIN,DC=local
port=18225
failmode=secure


#13

Nix that remark; it seems VMware was picky and not saving my DN change to the setup. It looks to be working now with the above setting and the user set up to be exempt in DN format.

Thank you!


#14

I’m trying the same thing. Does the user specified in the exemption have to be registered in Duo? If not, does the Duo integration being used require that unenrolled users be allowed to authenticate?

The service user bind is failing, and when I test with ldp.exe using the service account I get something to the effect of “The username you have entered is not enrolled with Duo Security”.


#15

Do I need to add the service account to Duo as a bypass user?


#16

@leejohnc

The user you specify in exempt_ou_1 does not need to be enrolled in Duo (that’s the purpose of that option, to skip Duo auth).

If the user DN you specified in exempt_ou_1 isn’t getting exempted from MFA, ensure that you’ve configured VMware to send the username in DN format, and not just the username.


#17

When testing via ldp.exe I get this:

res = ldap_simple_bind_s(ld, 'CN=xxxx,OU=Service Accounts,DC=example,DC=com', ); // v.3
Error <49>: ldap_simple_bind_s() failed: Invalid Credentials
Server error: Access Denied. The username you have entered cannot authenticate with Duo Security. Please contact your system administrator.

exempt_ou_1=OU=Service Accounts,DC=example,DC=com


#18

Duo doesn’t like the space between “Service Accounts”. Eliminating that, and changing to the DN format seems to have solved that issue.


#19

The Duo proxy accepts spaces in a DN, so I think it’s your other change (to send the DN from the downstream authenticating service) that might have fixed it. I just double-checked with LDP and an account that has multiple spaces in its DN.

Did you set the exempt value to an OU as in your example exempt_ou_1=OU=Service Accounts,DC=example,DC=com? This bypasses Duo for every account in that Service Accounts OU. I’d suggest you set that to the DN of just the one account you’re using for Duo lookup i.e. exempt_ou_1=CN=xxx,OU=Service Accounts,DC=example,DC=com.