Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1718
Views
0
Helpful
1
Replies

Vcenter 6.7 2fa working except for service accounts

mb303
Level 1
Level 1

‎05-18-2020 11:56 AM

I understand duo 2fa for vcenter 6.7 is more of a work around and not fully supported. That being said I followed the implementation by one of the other users here, John1, and it is working like a charm - except for service accounts. Even using the exempt_ou_1 and making sure that the account in question is in that OU they still fail. This only happens when the account is used from the application itself (specifically netbackup and veeam) If the account is used to log in directly to vsphere it works fine.

Anyone run into this problem before or have any thoughts?

It was implemented using active directory over ldap, service name as DN, and normal ldap. (not ldaps) OpenLDAP did not seem to work even though I could get it to save as an identity source.

Our security team shows that duo is seeing it being exempted and replying back to vcenter correctly.

from the psc I see these errors when switching to the duo ldap:
[2020-05-18T17:52:47.318Z tomcat-http–12 vsphere.local 17f78299-18c2-4a60-b7fe-769af06bca28 ERROR com.vmware.identity.idm.server.IdentityManager] Failed to authenticate principal [someaccount]. Access denied
[2020-05-18T17:52:47.321Z tomcat-http–12 vsphere.local 17f78299-18c2-4a60-b7fe-769af06bca28 INFO com.vmware.identity.idm.server.IdentityManager] Authentication failed for user [someaccount] in tenant [vsphere.local] in [16] milliseconds because the provider is not registered
root@DC02PSCP006 [ /var/log/vmware/sso ]# timed out waiting for input: auto-logout

when just using AD identity source it works as expected:
[2020-05-18T14:03:08.469Z tomcat-http–23 vsphere.local f9f0ccae-e464-4155-845b-7269b59a6a43 INFO com.vmware.identity.idm.server.IdentityManager] Authentication succeeded for user [someaccount] in tenant [vsphere.local] in [59] milliseconds with provider [somedomain] of type [com.vmware .identity.idm.server.provider.activedirectory.ActiveDirectoryProvider]

Thanks!

0 Helpful
1 Reply 1

John110
Level 1
Level 1

‎05-29-2020 02:30 PM

We don’t use exceptions for our service accounts. We have assigned a persistent Duo pin to those user accounts and we pass it with the password by sending , the same as we would for a pin from the app or a token. I don’t actually know how those pins are generated - we just request them from our identity management team.

We use that method to do logins for Commvault backup users and all of our PowerShell scripting accounts.

-John

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents