Setup problems with Duo Access Gateway for Windows


#1

Hello,

I got some problems with the initial setup of DAG.
The logging is not giving me anything to go on, at least I cant see it.

I have installed a fresh windows server 2016 standard. Followed the DUO guide to install DAG.
No errors or anything, so far so good.

But now when I launch my browser to continue I only get prompted with the error “Bad request received”.

DAG_ERROR1

Entry in my dag.log is the following:

May 02 08:27:29 simplesamlphp ERROR [b05873c03c] SimpleSAML_Error_BadRequest: BADREQUEST_HIDE_REASON(’%REASON%’ => ‘The Duo Access Gateway Launcher is not configured. Please create a Duo Access Gateway application in the Duo Admin Panel and configure it in the Launcher settings page of the Access Gateway Admin Console.’)|Backtrace:|0 C:\inetpub\wwwroot\dag\www\launcher.php:18 (N/A)
May 02 08:27:29 simplesamlphp ERROR [b05873c03c] Error report with id 6fdf72b5 generated.

Cant get past this, any help is welcomed! :slight_smile:

Edit: Yes I have search the forums but did not find anything related to this.

Thank you!

//Best Regards


#2

Hi Patrik,

Please ensure you’re going to https://yourserver.example.com/dag, not just https://yourserver.example.com to reach the DAG Admin Console.

There is also the following shortcut available in Windows: Start Menu > Duo Access Gateway > Configure


#3

Hi Dooley,

Ah yes now you reminded me about one thing that seems a bit confusing, lets see if I can explain this :slight_smile:

When I browse for https://yourserver.example.com/ I get the above error page
When I browse for https://yourserver.example.com/dag/ I get a 404

The https://yourserver.example.com/ url redirects me to https://yourserver.example.com/dag/launcher.php

So actually the …/launcher.php gives me the error, and that might not be so strange. But then the questions is, how come I get a 404 on the main page.

//Best Regards


#4

Ah, It is solved now.

Had my mind set on the first error.

The issue was in our network and that the DAG-server was reporting that is tried to access the webpage from an other ip (or gateway acctually).

Resolved it and now I can access the “set password” page.

Thanks! :slight_smile:


#5

Hi Patrik,

I chatted with some members of our Support Team about this, and they suggested the two following possible solutions:

  1. This could be related to your browser’s security settings. Please try accessing from a freshly updated version of Chrome or Firefox to see if it resolves your issue.
  2. If you’re running the DAG on an externally-hosted VM, please reference this knowledge base article: https://help.duo.com/s/article/3069 to resolve your 404 issue.

#6

I’ve got the exact same error in dag.log as reported in Patrick’s original post, and subsequent follow-up reporting that https://fqdn/dag gives a 404 despite this being an actual shortcut put in the start menu by the installer.

I have verified that the client IP address as revealed in the IIS logs (which incidentally matches the server’s only IP) is listed in the dag/www/web.config file:

<additionalLocalIps>
   <add IP="x.x.x.x" />
</additionalLocalIps>

Any ideas where I go from here? I’ve searched the web and this forum to no avail.

This is a fresh install on WS2019 Std inside a DMZ as per the requirements. I’ve also backed out the DAG install and re-installed - no joy either.

@Patrick it sounds like in the end you didn’t have the client IP in the additionalLocalIps config block in web.config. Was that or the network change that made the client present as one of the additionalLocalIPs the resolution in the end?

Thanks in advance all!


#7

After a call with the very helpful @MacD it was determined that proceeding down the Azure AD Conditional Access [1] to be a much simpler way to achieve Office 365 without requiring a DAG. I didn’t know that was even an option from looking at the documentation.

So now there’s no additional server needed, no CA cert, no server licensing and no server or network fault-tolerance considerations either.

The only downside is that needs an Azure AD Premium P1 licensed for a single admin - but at £4.50 / mo that’s easily a better option than running a DAG.

[1] Microsoft Azure Active Directory | Duo Security