I first want to say that if this post is wrongly categorized, please let me know so I can post it in the correct category.
We recently purchased Duo and have slowly started to enroll our users. We’re doing this in phases. Our last phase will be to put the nail in the coffin and disallow any logins if the user is not enrolled. We don’t want to enable that setting yet as it would create absolute chaos. So for right now, it’s not enabled.
We have a Remote Desktop Service (RDS) environment, with a Remote Desktop (RD) web access, RD gateway, RD connection broker, and several RD session hosts. All of these servers run Windows Server 2016 and have the January 2020 cumulative update.
We have Duo working and set up with our RDS environment, and it has been working quite well for us so far. Since we have Duo working in our environment, we are able to see all authentications against us. We have recently started to see some very strange authentication logs. These authentication logs use the user's SID to log in rather than the user name, and they're at very strange times. They are apparently coming from Microsoft RD Web and have an unknown location with an IP address of 0.0.0.0.
We are getting lots of these. What's more scary is that some of these SIDs are users who already have Duo enabled and working. So it's not even prompting the user to allow or deny the login attempt. Now, this could be ended by simply disallowing any user login that's unenrolled, but we're not there yet. However, to think that it's happening regardless is a tad concerning as well. I noticed that my SID was included in the list. I changed my password about a week ago, and it still appeared.
Anyway, I hopped on our RD Web server and dug through the events in the event viewer. I found logs at the same time as the timestamps in the Duo authentication log. The logs were:
(2/21/2020 12:38:39 AM) Event ID 4624 - An account was successfully logged on
(2/21/2020 12:38:39 AM) Event ID 4634 - An account was logged off.
These happened at the same time which I thought was odd too.
Has anyone seen SIDs in the Duo authentication log before? Is Duo doing something to our RD servers or vice versa? Are our RD servers interacting with idle sessions on our session host? Should we be concerned with anything?
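One way to get more detail on the 4624/4634 pairs described above is to correlate them by logon ID on the RD Web server and pull out the short-lived logons whose account name is itself a SID; this is an added PowerShell example, not part of the original post. It assumes it is run elevated on the RD Web host with the Security log readable locally, and the `-Hours` parameter is my own choice.

```powershell
# Added example (not from the original post): correlate 4624 logon / 4634 logoff pairs
# on an RD Web server and flag short-lived logons whose account name is a SID.
# Assumptions: run elevated on the RD Web host; Security log readable; -Hours is hypothetical.
param([int]$Hours = 24)

$start  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4634; StartTime = $start } `
                       -ErrorAction SilentlyContinue

# Pull the named EventData fields out of the event XML into a hashtable.
function Get-EventData($event) {
    $xml  = [xml]$event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

$logons  = @{}   # TargetLogonId -> 4624 record still waiting for its 4634
$results = @()
foreach ($e in ($events | Sort-Object TimeCreated)) {
    $d = Get-EventData $e
    if ($e.Id -eq 4624) {
        $logons[$d.TargetLogonId] = [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = $d.TargetUserName
            Sid         = $d.TargetUserSid
            LogonType   = $d.LogonType             # 3 = network, 10 = RemoteInteractive, etc.
            Process     = $d.LogonProcessName      # which component performed the logon
            AuthPackage = $d.AuthenticationPackageName
            SourceIp    = $d.IpAddress
            LogonId     = $d.TargetLogonId
        }
    } elseif ($e.Id -eq 4634 -and $logons.ContainsKey($d.TargetLogonId)) {
        $l = $logons[$d.TargetLogonId]
        $seconds  = ($e.TimeCreated - $l.Time).TotalSeconds
        $results += $l | Add-Member -NotePropertyName DurationSec -NotePropertyValue $seconds -PassThru
        $logons.Remove($d.TargetLogonId)
    }
}

# The pattern in the post: TargetUserName is a domain SID (S-1-5-21-...) and the
# session is logged off within a second of being created. List those, newest last.
$results |
    Where-Object { $_.User -match '^S-1-5-21-' -and $_.DurationSec -le 1 } |
    Sort-Object Time |
    Format-Table Time, User, LogonType, Process, AuthPackage, SourceIp, DurationSec -AutoSize
```

The LogonType, Process and AuthPackage columns are the fields that tell you which component on the RD Web server created the logon and how, which is the information needed to decide whether the entries are expected service activity or something to investigate.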