Use FQDN of AD as host in Proxy Authenticator Configuration

arwinters
Level 1

Can you use the FQDN of the Active Directory domain instead of specifying the FQDN of every individual domain controller you have in your domain?

For example use the config below:

[ad]
host=domain.com

instead of

[ad]
host=dc1.domain.com
host_2=dc2.domain.com
host_3=dc3.domain.com

It would make sense to create a SAN certificate (only for LDAPS) where you specify the DCs in the SAN extension attribute of the certificate. And it should work, I guess. The advantage here is that you don’t need to specify the static domain controllers' FQDNs. Can Duo Proxy make use of this? Or is it really a requirement to specify the DCs separately?

Accepted Solution

DuoKristina
Cisco Employee

No, you need to specify the hosts individually by FQDN or IP.

However, if this is about enabling SSL in an [ad_client] section, feel free to issue one cert with SANs for all your domain controllers. You enable SSL on the Duo proxy to DC connection by providing the CA information to the proxy (ssl_ca_certs_file option mentioned here). If the Duo proxy has the CA chain for your SAN cert, and ssl_verify_hostname is true (the default), and each of the DCs listed as hosts has a SAN in the cert that matches the host FQDN specified, you should be fine.

Duo, not DUO.
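A pre-flight check for the condition described in the accepted answer, added here as an example and not Duo's own code: it reads the host/host_N entries of a constructed [ad_client] fragment and reports which of them would be covered by the SAN dNSName entries of the shared DC certificate (also a constructed list, as if already extracted from the cert), so a mismatch is found before ssl_verify_hostname rejects the connection.

```python
"""Check that every [ad_client] host has a matching SAN in the DC certificate.

Added example, not part of the Duo Authentication Proxy. The SAN names are a
constructed list standing in for the dNSName entries read from the certificate.
"""
import configparser
import re

# Constructed authproxy.cfg fragment in the form the question shows.
SAMPLE_CFG = """
[ad_client]
host=dc1.domain.com
host_2=dc2.domain.com
host_3=dc3.domain.com
ssl_ca_certs_file=ca-bundle.pem
ssl_verify_hostname=true
"""

# Constructed SAN dNSName entries of the one cert issued to all DCs.
SAMPLE_SANS = ["dc1.domain.com", "dc2.domain.com", "*.corp.domain.com"]


def configured_hosts(cfg_text):
    """Return the host, host_2, host_3, ... values of [ad_client] in numeric order."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    found = []
    for key, value in parser["ad_client"].items():
        m = re.fullmatch(r"host(?:_(\d+))?", key)
        if m:
            found.append((int(m.group(1) or 1), value.strip()))
    return [value for _, value in sorted(found)]


def san_matches(hostname, san):
    """RFC 6125-style DNS-ID match: case-insensitive exact match, or a single
    leftmost '*' label covering exactly one label (no partial-label wildcards).
    IP literals are not DNS names and never match a dNSName entry here."""
    host = hostname.lower().rstrip(".").split(".")
    pattern = san.lower().rstrip(".").split(".")
    if len(host) != len(pattern):
        return False
    if pattern[0] == "*":
        return len(host) >= 3 and host[1:] == pattern[1:]  # '*.com' covers nothing
    return host == pattern


def check_hosts(cfg_text, san_names):
    """Map each configured host to True if some SAN covers it, else False."""
    return {h: any(san_matches(h, s) for s in san_names) for h in configured_hosts(cfg_text)}


if __name__ == "__main__":
    for host, ok in check_hosts(SAMPLE_CFG, SAMPLE_SANS).items():
        print(f"{host}: {'covered' if ok else 'NO MATCHING SAN'}")
```

Any host reported without a matching SAN needs either a SAN added to the certificate or the host entry changed to a name the certificate actually carries.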
