Vcenter 6.7 2fa working except for service accounts

I understand duo 2fa for vcenter 6.7 is more of a work around and not fully supported. That being said I followed the implementation by one of the other users here, John1, and it is working like a charm - except for service accounts. Even using the exempt_ou_1 and making sure that the account in question is in that OU they still fail. This only happens when the account is used from the application itself (specifically netbackup and veeam) If the account is used to log in directly to vsphere it works fine.

Anyone run into this problem before or have any thoughts?

It was implemented using active directory over ldap, service name as DN, and normal ldap. (not ldaps) OpenLDAP did not seem to work even though I could get it to save as an identity source.

Our security team shows that duo is seeing it being exempted and replying back to vcenter correctly.

from the psc I see these errors when switching to the duo ldap:
[2020-05-18T17:52:47.318Z tomcat-http–12 vsphere.local 17f78299-18c2-4a60-b7fe-769af06bca28 ERROR com.vmware.identity.idm.server.IdentityManager] Failed to authenticate principal [someaccount]. Access denied
[2020-05-18T17:52:47.321Z tomcat-http–12 vsphere.local 17f78299-18c2-4a60-b7fe-769af06bca28 INFO com.vmware.identity.idm.server.IdentityManager] Authentication failed for user [someaccount] in tenant [vsphere.local] in [16] milliseconds because the provider is not registered
root@DC02PSCP006 [ /var/log/vmware/sso ]# timed out waiting for input: auto-logout

when just using AD identity source it works as expected:
[2020-05-18T14:03:08.469Z tomcat-http–23 vsphere.local f9f0ccae-e464-4155-845b-7269b59a6a43 INFO com.vmware.identity.idm.server.IdentityManager] Authentication succeeded for user [someaccount] in tenant [vsphere.local] in [59] milliseconds with provider [somedomain] of type [com.vmware .identity.idm.server.provider.activedirectory.ActiveDirectoryProvider]


We don’t use exceptions for our service accounts. We have assigned a persistent Duo pin to those user accounts and we pass it with the password by sending , the same as we would for a pin from the app or a token. I don’t actually know how those pins are generated - we just request them from our identity management team.

We use that method to do logins for Commvault backup users and all of our PowerShell scripting accounts.