
Protected Users and DUO Platform

Generic_Name
Level 1

We are DUO Platform subscribers and are currently using SAML via the access gateway to protect multiple applications. We recently began testing Microsoft’s protected user group in AD and are running into an issue with our existing SAML integrations. Whenever a user is added to the protected users group, SAML authentication fails. We see a failed login attempt on the DC, so it’s passing through the attempt; it’s just failing to auth. Has anyone used the protected users group in conjunction with Access Gateway/SAML? Does anyone know why this would fail?

To clarify, this is the protected users group in Server 2012 R2 Domain functional level:

https://technet.microsoft.com/en-us/library/dn466518(v=ws.11).aspx

3 Replies

DuoKristina
Cisco Employee

Hello Generic Name,

DAG LDAP auth uses NTLM. Members of the Protected Users group cannot authenticate using NTLM, as documented in the TechNet article linked in your question. You can see event ID 100 indicating this if you enable the Applications and Services Logs \ Microsoft \ Windows \ Microsoft \ Authentication \ ProtectedUserFailures-DomainController log in the Windows Event Viewer and try SAML authentication again.

Duo, not DUO.
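
The check described in the reply above, as an added example that is not part of the original post and not Duo's own code: it enables the Protected Users failure log on a domain controller and lists recent event ID 100 entries. The channel name `Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController`, the one-hour window, and the use of the ActiveDirectory module are assumptions; run it in an elevated session on the DC.

```powershell
# Added example: run in an elevated PowerShell session on a domain controller.
# Assumed channel name for the ProtectedUserFailures-DomainController log.
$channel = 'Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController'

# The log is not collecting until it is enabled; turn it on if needed.
$log = Get-WinEvent -ListLog $channel
if (-not $log.IsEnabled) {
    $log.IsEnabled = $true
    $log.SaveChanges()
    Write-Host "Enabled $channel. Retry the SAML login, then run this script again."
}

# Event ID 100 is the NTLM failure for a Protected Users member.
# The one-hour look-back is an arbitrary window chosen for this example.
$since  = (Get-Date).AddHours(-1)
$filter = @{ LogName = $channel; Id = 100; StartTime = $since }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Host "No event ID 100 entries since $since."
} else {
    $events |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, MachineName, Message |
        Format-List
}

# For comparison, list current Protected Users members
# (requires the ActiveDirectory module from RSAT).
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Get-ADGroupMember -Identity 'Protected Users' |
        Select-Object SamAccountName, objectClass |
        Sort-Object SamAccountName
}
```
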

Thanks for the info, Kristina. Does DUO have any plans to support a method that will work with the protected users group?

DuoKristina
Cisco Employee

You may contact Duo Support to submit your feature request.

Duo, not DUO.