User identities with AD Sync and multiple domains

Hello everyone,

I am planning a new Duo deployment and trying to figure out a way to resolve sort of a complex scenario. We will be using RADIUS for VPN authentication.
The issues is the customer has 2 AD Domains (different forests) with 2 different VPN Gateways. We will be creating 2 Applications on DUO and have 2 Authentication Proxies/RADIUS services installed (one in each domain) but the problem is some of the users have accounts on both domains and must use VPN to connect to both domains.
If we enable AD Sync on both domains, how are the user identities going to be synchronized? The SAM account name is the same on both (except the DOMAIN\ part). I would like to avoid duplicating the users, what are our options?

Thank you,
Alex

The best option is not to import usernames into Duo that you know are duplicated in both domains.

Is it possible for the VPNs to use UPN usernames for logins? Your UPNs are (hopefully) unique throughout both forests and would not cause collisions.

Are the users who exist in both domains you want to sync the exact same people? The problem with syncing in sAMAccountNames from two domains is that Duo can’t have two different users coexist with the same username or username alias.

If the user jdoe exists in both domainA and domainB, the domainA sync will create/update the jdoe Duo user with information from domainA, and then the domainB sync will do the exact same thing, updating jdoe with the information from domainB.

If domainA\jdoe is John Doe but domainB\jdoe is Jennifer Doe (i.e. different people), that is an unworkable scenario. However, if both jdoes are John Doe, that seems possible (assuming all AD attributes synced into duo from each domain have identical values phones, email, display name, etc.), right?

No! Attempting multiple domain syncs with overlapping users is still not recommended - even when the actual humans behind those users are same people - because of the sync group memberships!

When you select a group to import into Duo, Duo creates the group in Duo and adds all direct and indirect AD groups members as direct members of the group in Duo. The Duo group is identified as being managed by the sync that created it. The user group memberships get verified/updated at every sync (because when a user is removed from all sync groups that’s Duo’s trigger to set that user to “pending deletion”.

Say you configured the domainA sync to import members of a group called Duo Users, and also configured the DomainB sync to import a group called Duo Users (the fact that I’m using identically named AD groups in each domain isn’t super relevant; unique AD group names would have the same result).

The domainA sync runs, and imports all members of the domainA\Duo Users group. Then the domainB sync runs and imports all members of the domainB\Duo Users group. Users who exist in both domains have their membership change unexpectedly.

domainA\Duo Users AD members: jdoe, qsmith
domainB\Duo Users AD members: jdoe, bjones

domainA sync runs:

  1. creates the group “Duo Users (from AD sync domain A)” in Duo
  2. creates the jdoe and qsmith users in Duo using attribute values from domainA
  3. Makes jdoe and qsmith members of “Duo Users ( from AD sync domain A)”

domainB sync runs:

  1. creates the group “Duo Users ( from AD sync domain B)” in Duo
  2. creates the bjones user in Duo using attribute values from domainB
  3. makes bjones a member of “Duo Users ( from AD sync domain B)”
  4. updates the jdoe user using attribute values from domainB
  5. moves jdoe from being a member of “Duo Users (from AD sync domain B)” to “Duo Users (from AD sync domain B)”

The unexpected change in group memberships for jdoe could affect how that user is affected by any custom application group policies, permitted groups restrictions, or administrative unit assignments.

In summary, configure directory sync for multiple directories only when usernames and username aliases are guaranteed unique between both domains, which may require choosing an alternate username attribute than sAMAccountName and configuring the application/service/device to use that chosen username format OR making changes in the source directory to ensure unique values if the source attribute cannot be changed.

Other methods of getting users into Duo, like CSV import, don’t have the same issue of constantly changing group memberships, but would still have a problem if the users with the same usernames are not in fact always the same people.

1 Like

Thank you Kristina. We decided to sync only 1 AD domain and create the exceptions manually. Good info.