02-02-2021 12:04 PM
Hello everyone,
I am planning a new Duo deployment and trying to figure out a way to resolve sort of a complex scenario. We will be using RADIUS for VPN authentication.
The issues is the customer has 2 AD Domains (different forests) with 2 different VPN Gateways. We will be creating 2 Applications on DUO and have 2 Authentication Proxies/RADIUS services installed (one in each domain) but the problem is some of the users have accounts on both domains and must use VPN to connect to both domains.
If we enable AD Sync on both domains, how are the user identities going to be synchronized? The SAM account name is the same on both (except the DOMAIN\ part). I would like to avoid duplicating the users, what are our options?
Thank you,
Alex
Solved! Go to Solution.
02-05-2021 02:01 PM
The best option is not to import usernames into Duo that you know are duplicated in both domains.
Is it possible for the VPNs to use UPN usernames for logins? Your UPNs are (hopefully) unique throughout both forests and would not cause collisions.
Are the users who exist in both domains you want to sync the exact same people? The problem with syncing in sAMAccountNames from two domains is that Duo can’t have two different users coexist with the same username or username alias.
If the user jdoe
exists in both domainA
and domainB
, the domainA
sync will create/update the jdoe
Duo user with information from domainA
, and then the domainB
sync will do the exact same thing, updating jdoe
with the information from domainB
.
If domainA\jdoe
is John Doe
but domainB\jdoe
is Jennifer Doe
(i.e. different people), that is an unworkable scenario. However, if both jdoe
s are John Doe
, that seems possible (assuming all AD attributes synced into duo from each domain have identical values phones, email, display name, etc.), right?
No! Attempting multiple domain syncs with overlapping users is still not recommended - even when the actual humans behind those users are same people - because of the sync group memberships!
When you select a group to import into Duo, Duo creates the group in Duo and adds all direct and indirect AD groups members as direct members of the group in Duo. The Duo group is identified as being managed by the sync that created it. The user group memberships get verified/updated at every sync (because when a user is removed from all sync groups that’s Duo’s trigger to set that user to “pending deletion”.
Say you configured the domainA
sync to import members of a group called Duo Users
, and also configured the DomainB
sync to import a group called Duo Users
(the fact that I’m using identically named AD groups in each domain isn’t super relevant; unique AD group names would have the same result).
The domainA
sync runs, and imports all members of the domainA\Duo Users
group. Then the domainB
sync runs and imports all members of the domainB\Duo Users
group. Users who exist in both domains have their membership change unexpectedly.
domainA\Duo Users
AD members: jdoe
, qsmith
domainB\Duo Users
AD members: jdoe
, bjones
domainA
sync runs:
jdoe
and qsmith
users in Duo using attribute values from domainA
jdoe
and qsmith
members of “Duo Users ( from AD sync domain A)”domainB
sync runs:
bjones
user in Duo using attribute values from domainB
bjones
a member of “Duo Users ( from AD sync domain B)”jdoe
user using attribute values from domainB
jdoe
from being a member of “Duo Users (from AD sync domain B)” to “Duo Users (from AD sync domain B)”The unexpected change in group memberships for jdoe
could affect how that user is affected by any custom application group policies, permitted groups restrictions, or administrative unit assignments.
In summary, configure directory sync for multiple directories only when usernames and username aliases are guaranteed unique between both domains, which may require choosing an alternate username attribute than sAMAccountName
and configuring the application/service/device to use that chosen username format OR making changes in the source directory to ensure unique values if the source attribute cannot be changed.
Other methods of getting users into Duo, like CSV import, don’t have the same issue of constantly changing group memberships, but would still have a problem if the users with the same usernames are not in fact always the same people.
02-05-2021 02:01 PM
The best option is not to import usernames into Duo that you know are duplicated in both domains.
Is it possible for the VPNs to use UPN usernames for logins? Your UPNs are (hopefully) unique throughout both forests and would not cause collisions.
Are the users who exist in both domains you want to sync the exact same people? The problem with syncing in sAMAccountNames from two domains is that Duo can’t have two different users coexist with the same username or username alias.
If the user jdoe
exists in both domainA
and domainB
, the domainA
sync will create/update the jdoe
Duo user with information from domainA
, and then the domainB
sync will do the exact same thing, updating jdoe
with the information from domainB
.
If domainA\jdoe
is John Doe
but domainB\jdoe
is Jennifer Doe
(i.e. different people), that is an unworkable scenario. However, if both jdoe
s are John Doe
, that seems possible (assuming all AD attributes synced into duo from each domain have identical values phones, email, display name, etc.), right?
No! Attempting multiple domain syncs with overlapping users is still not recommended - even when the actual humans behind those users are same people - because of the sync group memberships!
When you select a group to import into Duo, Duo creates the group in Duo and adds all direct and indirect AD groups members as direct members of the group in Duo. The Duo group is identified as being managed by the sync that created it. The user group memberships get verified/updated at every sync (because when a user is removed from all sync groups that’s Duo’s trigger to set that user to “pending deletion”.
Say you configured the domainA
sync to import members of a group called Duo Users
, and also configured the DomainB
sync to import a group called Duo Users
(the fact that I’m using identically named AD groups in each domain isn’t super relevant; unique AD group names would have the same result).
The domainA
sync runs, and imports all members of the domainA\Duo Users
group. Then the domainB
sync runs and imports all members of the domainB\Duo Users
group. Users who exist in both domains have their membership change unexpectedly.
domainA\Duo Users
AD members: jdoe
, qsmith
domainB\Duo Users
AD members: jdoe
, bjones
domainA
sync runs:
jdoe
and qsmith
users in Duo using attribute values from domainA
jdoe
and qsmith
members of “Duo Users ( from AD sync domain A)”domainB
sync runs:
bjones
user in Duo using attribute values from domainB
bjones
a member of “Duo Users ( from AD sync domain B)”jdoe
user using attribute values from domainB
jdoe
from being a member of “Duo Users (from AD sync domain B)” to “Duo Users (from AD sync domain B)”The unexpected change in group memberships for jdoe
could affect how that user is affected by any custom application group policies, permitted groups restrictions, or administrative unit assignments.
In summary, configure directory sync for multiple directories only when usernames and username aliases are guaranteed unique between both domains, which may require choosing an alternate username attribute than sAMAccountName
and configuring the application/service/device to use that chosen username format OR making changes in the source directory to ensure unique values if the source attribute cannot be changed.
Other methods of getting users into Duo, like CSV import, don’t have the same issue of constantly changing group memberships, but would still have a problem if the users with the same usernames are not in fact always the same people.
02-23-2021 08:53 AM
Thank you Kristina. We decided to sync only 1 AD domain and create the exceptions manually. Good info.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: