we are running on single onpremises Server 2019 domain. We currently only have AD DS role installed and not the AD FS role installed. Will we need to install the AD FS role to get Duo to work with our server? If so, is there any special configuring that needs to be done in this AD FS role? Will it affect the way everyone logins in? We are trying to only test Duo on a few users in our Domain.
Thanks in advance.
Hi @JoeD ,
Which integration type are you looking to configure for Duo? If you are looking to protect AD FS app/logins, then you will need the AD FS role as well as the Duo AD FS package installed. Please see Microsoft AD FS for Windows 2012 R2 and later | Duo Security.
If you are looking to protect the server itself (via local login or RDP) with Duo, you only will need the Duo for Winlogon installer. Please see Duo Authentication for Windows Logon & RDP | Duo Security
Testing a group of users will differ based on the integration type needed for your use case.
Hope this helps!
I am looking to protect a few users local Windows Logins on the domain computers and our Domain Admin account logging into the server.
Thanks for the information. You would need to install the Duo for Winlogon client on each workstation and server that you wish to protect. It can be deployed via GPO, too: Duo Authentication for Windows Logon & RDP | Duo Security
In addition to the main doc I sent over previously, please see the Deployment Tip for scoping this to a group of test users.
so because there is no direct connect to the domain controller, we would really need to install the Duo Winlogon client on every device in our network then to be protected by MFA?
Installing the Duo for Winlogon client on a domain controller does not inherently protect or prompt users when logging into domain joined workstations/servers. Each Windows endpoint will require the Duo for Winlogon client to be installed since this is how Duo works as a Windows Credential Provider. This would be true for non-domain joined Windows systems as well.
For more information, please see our FAQ: Duo Authentication Windows Logon RDP: FAQ | Duo Security