Use FQDN of AD as host in Proxy Authenticator Configuration

Can you use the FQDN of the Active Directory domain instead of specifying the FQDN of all the individual domain controllers you have in your domain?

For example use the config below:

[ad]
host=domain.com

instead of

[ad]
host=dc1.domain.com
host_2=dc2.domain.com
host_3=dc3.domain.com

It would make sense to create a SAN certificate (only for LDAPS) where you specify the DCs in the SAN extension attribute of the certificate, and it should work, I guess. The advantage here is that you don't need to specify the static domain controller FQDNs. Can Duo Proxy make use of this? Or is it really a requirement to specify the DCs separately?

No, you need to specify the hosts individually by FQDN or IP.

However, if this is about enabling SSL in an [ad_client] section, feel free to issue one cert with SANs for all your domain controllers. You enable SSL on the Duo proxy to DC connection by providing the CA information to the proxy (the ssl_ca_certs_file option mentioned here). If the Duo proxy has the CA chain for your SAN cert, ssl_verify_hostname is true (the default), and each of the DCs listed as hosts has a SAN in the cert that matches the host FQDN specified, you should be fine.
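The reply above boils down to one pre-deployment check: every host, host_2, host_3, ... value in [ad_client] must be covered by a SAN in the shared certificate, or hostname verification on the proxy will reject that DC. The script below is an added example, not code from the original thread or from Duo; it parses a constructed authproxy.cfg excerpt (placeholder hostnames, path and credentials; the sample uses the proxy's transport=ldaps and port settings for the LDAPS case), compares each host against a constructed SAN list in the shape Python's getpeercert() returns, and reports the hosts that would fail. It also honours the ssl_verify_hostname default of true, and includes a live helper for pulling the real SAN list from a DC's LDAPS listener using the same CA bundle you point ssl_ca_certs_file at.

```python
import configparser
import ipaddress
import socket
import ssl

# Constructed sample authproxy.cfg excerpt. Host names, path and credentials
# are placeholders, not values from the original post.
SAMPLE_CFG = """
[ad_client]
host=dc1.domain.com
host_2=dc2.domain.com
host_3=dc3.domain.com
service_account_username=duoproxy
service_account_password=changeme
search_dn=DC=domain,DC=com
transport=ldaps
port=636
ssl_ca_certs_file=C:\\Program Files\\Duo Security Authentication Proxy\\conf\\ca-bundle.pem
"""

# Constructed SAN list in the shape ssl.SSLSocket.getpeercert() returns under
# "subjectAltName": one cert shared by the DCs, but dc3 was left out of it.
SAMPLE_SANS = [
    ("DNS", "dc1.domain.com"),
    ("DNS", "dc2.domain.com"),
    ("IP Address", "10.0.0.11"),
]


def parse_ad_client(cfg_text):
    """Return (hosts, verify_hostname) from the [ad_client] section.

    hosts follows the proxy's host, host_2, host_3, ... numbering;
    ssl_verify_hostname defaults to true when absent, as the proxy does.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    sec = cp["ad_client"]
    numbered = []
    for key, value in sec.items():
        if key == "host":
            numbered.append((1, value.strip()))
        elif key.startswith("host_") and key[5:].isdigit():
            numbered.append((int(key[5:]), value.strip()))
    hosts = [v for _, v in sorted(numbered)]
    return hosts, sec.getboolean("ssl_verify_hostname", fallback=True)


def _dns_name_matches(hostname, pattern):
    """RFC 6125-style match: exact, or a single '*' as the leftmost label."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        h_labels = hostname.split(".")
        p_labels = pattern.split(".")
        return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]
    return False


def host_matches_sans(host, sans):
    """True if `host` (FQDN or IP literal) is covered by the SAN list.

    An IP literal in the config only matches an IP Address SAN, never a
    DNS SAN that happens to spell the same digits.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None and kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue
        elif ip is None and kind == "DNS" and _dns_name_matches(host, value):
            return True
    return False


def unverifiable_hosts(cfg_text, sans):
    """Hosts from [ad_client] that hostname verification would reject.

    Returns [] when ssl_verify_hostname is false, because the proxy then
    does not compare the cert against the configured host at all.
    """
    hosts, verify = parse_ad_client(cfg_text)
    if not verify:
        return []
    return [h for h in hosts if not host_matches_sans(h, sans)]


def fetch_sans(host, port=636, cafile=None, timeout=5):
    """Live helper (not exercised offline): pull the SAN list from a DC.

    Pass the same bundle you give ssl_ca_certs_file as `cafile`, so a chain
    failure here predicts the same failure on the proxy.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # chain is still verified; SANs compared above
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return list(tls.getpeercert().get("subjectAltName", ()))


if __name__ == "__main__":
    bad = unverifiable_hosts(SAMPLE_CFG, SAMPLE_SANS)
    print("hosts without a matching SAN:", bad or "none")
```

Run it against your real authproxy.cfg and the SAN list from fetch_sans() on one DC before rolling the certificate out; the sample data reports dc3.domain.com as missing, which is exactly the case the reply warns about. Note that a wildcard SAN such as *.domain.com covers dc1.domain.com but not a DC in a child domain, and that listing a DC by IP in the config requires an IP Address SAN, so mixing FQDNs and IPs in host_N means the cert needs both kinds of entry.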