OWA Integration shows denials before acceptance for all attempts

kcolagio · ‎10-31-2019

In reviewing our logs, ever attempt by someone to check their email using OWA and/or possibly Exchange results in multiple denials followed by a Granted entry.

We have multiple Accounts.

In one Account, we see four Denied and then a Granted.
In another Account we see three Denied and then Granted.

Other things we noticed:

The reasons for the Denied are listed as “Location Unknown” with an IP of 0.0.0.0 but the matching Granted has a proper location and IP.
This does not happen for every user, but it does happen for most.
All four or five log entries are within the same minute as well.

Can anyone explain why this may be happening and/or what we can do to to clean it up?

Thanks!

–Kevin Colagio.

DuoKristina · ‎11-04-2019

There is a known issue with the Duo OWA application when a customer has both a Duo authorized networks policy and also the policy for new users is set to deny access. It does not affect authentication, but it does create additional misleading authentication events.

If this describes your situation you can contact Duo Support to be added to the existing issue (and to be notified when it’s addressed).

Edited response to add KB article link: Why do the Authentication Logs show both “Denied access” and “Access granted” for unenrolled users in a single authentication to an IIS-based application?

Duo, not DUO.