Server 2019 Duo Prompt Delay

Summary
My company has been having significant issues with Microsoft Server 2019 and Duo MFA prompts. After removing external internet access from multiple VLANs/individual servers, Duo has started to take 2.5 minutes to bring up the MFA prompt and then another 2.5 minutes to finish logging in after the prompt is answered. This affects all users.

Logs

We found the following in the logs:
05/04/21 16:46:08 2888 CDuoCredFilter::Filter: Provider {44E2ED41-48C7-4712-A3C3-250C5E6D5D84} is DISABLED.
05/04/21 16:46:08 2888 CDuoCredFilter::Filter: Provider {B7A5BA48-DF88-4F47-B648-64F27990480B} is DISABLED.

Duo’s KB says the following about the respective errors but doesn’t say how to fix it:

  • “!!! This is the GUID for Windows Logon’s Credential Provider. If it is reporting as disabled, the system will not prompt for a second factor”
  • “!!! This is the GUID for Windows Logon’s Credential Filter. If it is reporting as disabled, the system will not prompt for a second factor”

Additionally, when we turned on debugging, there was a full 2-minute gap between Duo initializing and actually doing something:

05/11/21 16:45:41 404 CDuoCredFilter::ShowWhiteListedCredentialProviders: Enabling Duo and the other whitelisted credential providers
05/11/21 16:45:41 404 C■■■■■■■■■■■■■■■■■■■■rCredentialEvents::Initialize: Wrapped credential supports ICredentialProviderCredentialEvents2
05/11/21 16:47:47 404 [DuoUser] specifiedUsernameOnly: “USERNAME” specifiedDomainnameOnly “DOMAIN”

Common Threads
The issue only appears on Server 2019, and only appears to affect those that had internet access that was then revoked. Deploying a new server to one of the VLANs that had internet access blocked does not result in the same issue, however, two other servers deployed to a different VLAN that then had their individual internet access revoked started to exhibit the same behavior.

Setup
We define our policies via GPO and use a Duo Authentication Proxy, and we have found no examples of Server 2012R2 or Server 2016 having these issues. Additionally, we have other servers where internet access has been restricted with no issues. We can see it hitting the proxy in the logs.

Troubleshooting
We have tried the following with no change:

  • Rebooted with no change

  • Disabled and uninstalled all security monitoring software

  • Upgrading from 4.0.5 (Our current standard) to the most recent version, 4.1.7

  • Completely uninstalling Duo and deleting the reg keys. I found no remaining folders to delete

Changing VLANs
With one of the servers, we attempted to change the VLAN to one that still has internet access. This allowed us to normally authenticate (No delay) while it was on the new VLAN and for a while after we changed it back to the original VLAN. However, coming back the next day it was back to being delayed.

I have not yet seen what happens to a new server that is working when I move it back and forth and if it causes the issue.

Consoling
We do not require Duo when accessing the console and going in through the console has no delay. Login takes <10 seconds. For this reason and a number of others, we do not believe this to be a domain config issue as Duo Support has suggested on our ticket and in many forum posts.

Firewall Logs
We are seeing no drops in the firewall logs and can see the traffic between the proxy and the problem servers.

If anyone has any insight into this issue we would greatly appreciate it, as this has been an issue for us since December 2020, and we have not made much progress working with support over the last month.

Also if there are any logs that would be helpful I will be happy to provide them once I can scrub them of anything sensitive.
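
An added example (not part of the original post, and not Duo's own tooling): a Python script that scans a debug log in the line format quoted above and reports pauses between consecutive entries that share the same ID, so the last message written before each stall stands out. It assumes the timestamps are MM/DD/YY and that the third field is a process or thread ID; the sample lines are adapted from the post, with two constructed entries added.

```python
import re
from datetime import datetime, timedelta

# Line shape as quoted in the post: "MM/DD/YY HH:MM:SS <id> <message>".
# Assumption: the numeric third field identifies a process or thread.
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(.*)$")

# Sample input: two lines adapted from the post, two constructed.
SAMPLE = """\
05/11/21 16:45:41 404 CDuoCredFilter::ShowWhiteListedCredentialProviders: Enabling Duo and the other whitelisted credential providers
05/11/21 16:45:41 404 (constructed) second entry logged in the same second
05/11/21 16:47:47 404 [DuoUser] specifiedUsernameOnly: "USERNAME" specifiedDomainnameOnly "DOMAIN"
05/11/21 16:47:48 2888 (constructed) entry from a different ID
""".splitlines()


def parse_line(line):
    """Return (timestamp, id, message), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S")
    return ts, m.group(2), m.group(3)


def find_gaps(lines, threshold=timedelta(seconds=30)):
    """List pauses >= threshold between consecutive entries of the same ID.

    Each result is (gap, id, message_before, message_after), longest first.
    """
    last_seen = {}  # id -> (timestamp, message) of its most recent entry
    gaps = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # blank or wrapped continuation line
        ts, ident, msg = parsed
        if ident in last_seen:
            prev_ts, prev_msg = last_seen[ident]
            if ts - prev_ts >= threshold:
                gaps.append((ts - prev_ts, ident, prev_msg, msg))
        last_seen[ident] = (ts, msg)
    return sorted(gaps, key=lambda g: g[0], reverse=True)


if __name__ == "__main__":
    for gap, ident, before, after in find_gaps(SAMPLE):
        print(f"{gap} stall on id {ident}\n  before: {before}\n  after:  {after}")
```

To run it against a real log, pass the file's lines to `find_gaps` in place of `SAMPLE`.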

Hi @Jom,
Welcome to the Community! Thank you for taking the time to document your question in such a neat, orderly way that’s easy to understand. You’ve included a lot of details we’d need to be able to answer you, particularly with regard to what troubleshooting steps you’ve already tried. I’m sorry to hear that you haven’t had luck resolving this with our support team yet.
Unfortunately, I’m not able to provide any more insight into this, as the Duo Support team is better equipped to answer this and my initial searches so far haven’t turned up anything. I am hopeful another admin can weigh in here with some pointers for you.