I was highly disappointed to see that the feature for Windows interactive logins was only applicable to all logins on a target workstations. I assumed incorrectly that the credential provider relied on the use of the Auth Proxy, which performed the necessary lookups and bypassed secondary auth or required secondary auth.
I see that it’s possible to administer credential providers in a variety of ways, but do not see a way to redirect login requests from a workstation to an alternate LDAP server (for instance), which is okay and a little bit out of scope.
If I remove the key under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\, with the GUID for Duo, I am able to select “Sign-in Options,” which is unavailable with the Credential Provider Filter present. This is partially acceptable, as once this change is made, the Default Provider falls back to the PasswordProvider (the “regular” provider in Windows), however we would require the enforcement of the use of a Credential Provider for a specific user… something that I’m not sure is possible as Credential Providers are “stand-alone” on local systems and only integrate into systems as they are specifically designed (there isn’t an AD attribute that I have found that would specifically require a credential provider having been used for User N).
I have posted about a hopeful alternative in the MSFT forums: https://social.technet.microsoft.com/Forums/en-US/8e77105c-dcd3-4b10-9660-dff4c7418568/is-it-possible-to-enforce-credential-provider-per-active-directory-user?forum=win10itprosecurity and cross posted on serverfault http://serverfault.com/questions/832570/is-it-possible-to-enforce-a-specific-credential-provider-per-active-directory-us
Is it possible to use Duo for secondary authentication only for specific user accounts for interactive Windows logins across any host on a network? For instance, we wish to protect only certain accounts, let’s say contoso\admmatt, but not bother others, like my user contoso\matt. Is it possible to leverage SAML with ADFS in some way?