We are DUO Platform subscribers and are currently using SAML via the Access Gateway to protect multiple applications. We recently began testing Microsoft's Protected Users group in AD and are running into an issue with our existing SAML integrations. Whenever a user is added to the Protected Users group, SAML authentication fails. We see a failed login attempt on the DC, so the attempt is passing through; it's just failing to auth. Has anyone used the Protected Users group in conjunction with Access Gateway/SAML? Does anyone know why this would fail?

To clarify, this is the protected users group in Server 2012 R2 Domain functional level:


Hello Generic Name,

DAG LDAP auth uses NTLM. Members of the Protected Users group cannot authenticate using NTLM, as documented in the TechNet article linked in your question. You can see event ID 100 indicating this if you enable the Applications and Services Logs \ Microsoft \ Windows \ Microsoft \ Authentication \ ProtectedUserFailures-DomainController log in the Windows Event Viewer and try SAML authentication again.
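The check described in the answer above, as an added PowerShell example that is not part of the thread and not Duo's own tooling: it enables the ProtectedUserFailures-DomainController log, confirms whether the failing account is a (direct or nested) member of Protected Users, and pulls the event ID 100 entries that record an NTLM sign-in being refused. It assumes it is run on a domain controller with the RSAT ActiveDirectory module available; the account name `jdoe` is a placeholder.

```powershell
# Added example (not from the thread): verify the Protected Users / NTLM
# diagnosis for a SAML login that fails through the Access Gateway.
# Assumes: run on a DC, ActiveDirectory module present, $user is a placeholder.

$logName = 'Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController'
$user    = 'jdoe'   # placeholder: the account whose SAML login fails

# 1. The log is disabled by default; turn it on, then reproduce the failed login.
$cfg = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration $logName
if (-not $cfg.IsEnabled) {
    $cfg.IsEnabled = $true
    $cfg.SaveChanges()
    Write-Host "Enabled $logName; reproduce the failed SAML login, then re-run this script."
}

# 2. Is the account in Protected Users? The group has the well-known RID 525,
#    so resolve it by SID rather than by (possibly localized) display name.
$domainSid      = (Get-ADDomain).DomainSID.Value
$protectedUsers = Get-ADGroup -Identity "$domainSid-525"
$isProtected    = Get-ADGroupMember -Identity $protectedUsers -Recursive |
    Where-Object { $_.SamAccountName -eq $user }
'{0} is a member of Protected Users: {1}' -f $user, [bool]$isProtected

# 3. Event ID 100 in this log = NTLM sign-in refused for a Protected Users member.
#    Show the entries from the last hour so the refused account and source are visible.
$filter = @{ LogName = $logName; Id = 100; StartTime = (Get-Date).AddHours(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

If step 2 reports membership and step 3 shows event ID 100 entries timed with the failed SAML attempt, the failure is the NTLM block the answer describes rather than a problem with the SAML integration itself; the remediation options are then to keep the account out of Protected Users or to move the Access Gateway's directory authentication off NTLM, not to change the SAML configuration.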


Thanks for the info, Kristina. Does DUO have any plans to support a method that will work with the Protected Users group?


You may contact Duo Support to submit your feature request.