VMware View Erroring Out

Hi, I’m trying to get Duo working with a pre-production VMware Horizon View 7.10. I had the configuration working in the past, but now it doesn’t and for the life of me I don’t see a meaningful error message.

Can you all take a look at the following and let me know what may be causing this specific set of logs:

2019-09-26T13:24:31-0700 [DuoForwardServer (UDP)] Sending request from XXX.XXX.XXX.XXX to radius_server_auto
2019-09-26T13:24:31-0700 [DuoForwardServer (UDP)] Received new request id 242 from (‘XXX.XXX.XXX.XXX’, 63634)
2019-09-26T13:24:31-0700 [DuoForwardServer (UDP)] ((‘XXX.XXX.XXX.XXX’, 63634), 242): login attempt for username u’corp\someuser’
2019-09-26T13:24:31-0700 [DuoForwardServer (UDP)] Sending AD authentication request for ‘corp\someuser’ to ‘XXX.XXX.XXX.XXX’
2019-09-26T13:24:31-0700 [duoauthproxy.modules.ad_client._ADAuthClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADAuthClientFactory object at 0x03AEED30>
2019-09-26T13:24:31-0700 [_ADAuthClientProtocol,client] http POST to https://api-.duosecurity.com:443/rest/v1/preauth
2019-09-26T13:24:31-0700 [duoauthproxy.lib.http._■■■■■■■■■■■■■■■■■■■■#info] Starting factory <_■■■■■■■■■■■■■■■■■■■■: https://api-.duosecurity.com:443/rest/v1/preauth>
2019-09-26T13:24:31-0700 [duoauthproxy.modules.ad_client._ADAuthClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADAuthClientFactory object at 0x03AEED30>
2019-09-26T13:24:31-0700 [HTTPPageGetter (TLSMemoryBIOProtocol),client] ((‘XXX.XXX.XXX.XXX’, 63634), 242): Got preauth result for: u’deny’
2019-09-26T13:24:31-0700 [HTTPPageGetter (TLSMemoryBIOProtocol),client] ((‘XXX.XXX.XXX.XXX’, 63634), 242): Returning response code 3: AccessReject
2019-09-26T13:24:31-0700 [HTTPPageGetter (TLSMemoryBIOProtocol),client] ((‘XXX.XXX.XXX.XXX’, 63634), 242): Sending response
2019-09-26T13:24:31-0700 [duoauthproxy.lib.http._■■■■■■■■■■■■■■■■■■■■#info] Stopping factory <_■■■■■■■■■■■■■■■■■■■■: https://api-.duosecurity.com:443/rest/v1/preauth>

Here is the meaningful information:

Duo’s service returned a deny for that user. It could be for many reasons…

  • The user exists in Duo but is disabled.
  • The user exists in Duo but the application has the group access policy set to deny access.
  • The user exists in Duo but the application has access restricted to a specified permitted group and the user is not a member of that group.
  • The user does not exist in Duo and the new user policy for the application is set to deny access to unenrolled users.
  • An authorized networks policy is set to deny auth from that network.
  • Some other policy or configuration setting…

Now that you know Duo’s service denied the user, take a look at the authentication logs in the Duo Admin Panel to see the exact reason the user’s authentication request was denied.

You may find these links helpful: