Where to look up ProvidersWhitelist values?

Hi,

I’m getting ready to upgrade Duo 4.0.7 to 4.2.0. I’ll be using Group Policy and the MSI installer.

Checking the registry on a few machines, I’m finding that several have a ProvidersWhitelist value defined. I don’t remember setting these. It’s in the standard registry key (HKLM\SOFTWARE\Duo Security\DuoCredProv), not under the Policies key (HKLM\SOFTWARE\Policies\Duo Security\DuoCredProv), so it’s not coming from Group Policy.

How do these ProvidersWhitelist keys get set? Where can I look up the GUIDs to find out what providers have been allowed?

Most machines have only one GUID. However, on one machine, I found this particularly odd value:

{A5044BD4-0823-493B-ADED-3F0A36BB63F0}
<
$
<
7
&
{7351EE85-B834-4C4A-947C-C40D4F91A253}

Thanks for your help.

How do these ProvidersWhitelist keys get set?

They got set when someone set them. The Duo installer doesn’t populate GUID info about third-party credential providers in that registry key.

Where can I look up the GUIDs to find out what providers have been allowed?

We don’t maintain a list of credential provider GUIDs for other vendors.

The GUID for Duo Authentication for Windows Logon is 44E2ED41-48C7-4712-A3C3-250C5E6D5D84.

I usually just do a web search for the unknown GUID, but these two you have posted don’t turn up any Google results, which is interesting.

Try stepping through each of the keys in the registry on that machine under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers. The values in each GUID’s key should say the application.

Beyond that, I’d suggest taking a look at the applications installed on that machine and contacting the vendors of those applications - particularly the ones that support password recovery, endpoint encryption, and fingerprint or other biometric login devices.


Thanks. That registry key is especially helpful. Here are a few examples from various machines:

{A5044BD4-0823-493B-ADED-3F0A36BB63F0} - MSPACredentialProvider_7.00.30.202112131608_LOGICnow

{7A2EC5DE-5C91-454F-8D12-22B907F2D217} - MSPACredentialProvider_7.00.32.202202161226_LOGICnow

{7351EE85-B834-4C4A-947C-C40D4F91A253} - MSPACredentialProvider_7.00.32.202202161226_LOGICnow

{590DCBFF-D928-4B65-A009-CF7C8492986C} - MSPACredentialProvider_7.00.32.202202161226_LOGICnow

“LOGICnow” was acquired by SolarWinds and later renamed N-able. I have confirmed that their Take Control (remote control) host updates the Duo registry key on the fly during a remote authentication. So, legitimate if a little concerning that they add Duo exceptions without notice.

Any thoughts on the special characters between the GUIDs in yesterday’s example?
<
$
<
7
&
Is this somehow required for adding multiple GUIDs to the REG_MULTI_SZ value?

I don’t recognize that sequence. According to this, the line termination characters for REG_MULTI_SZ are \0, which is how it looks when you query a multi-string value with reg.

test REG_MULTI_SZ {A5044BD4-0823-493B-ADED-3F0A36BB63F0}\0{A5044BD4-0823-493B-ADED-3F0A36BB63F0}

Thanks. Since the only known app that is using ProvidersWhitelist re-creates the values as needed on the fly, I just decided to delete the ProvidersWhitelist value on all machines as I upgraded to Duo 4.2. Weird separators are now gone!
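
The lookup described in this thread can be scripted. The following PowerShell is an added example, not part of any post above and not Duo's own tooling: it reads ProvidersWhitelist from both Duo registry keys mentioned in the thread, flags entries that are not GUID-shaped (such as the stray one-character strings), and resolves each GUID against the Credential Providers key. The function name is hypothetical, and reading the provider name from each key's default value is an assumption based on the examples posted above.

```powershell
# Added example: audit Duo ProvidersWhitelist entries on the local machine.
# Registry paths are the ones quoted in this thread; the function name is hypothetical.
$DuoKeys = @(
    'HKLM:\SOFTWARE\Duo Security\DuoCredProv',           # set locally or by software
    'HKLM:\SOFTWARE\Policies\Duo Security\DuoCredProv'   # set by Group Policy
)
$CredProvRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$GuidPattern  = '^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$'

function Get-DuoProviderWhitelistReport {
    foreach ($key in $DuoKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        if ($item.GetValueNames() -notcontains 'ProvidersWhitelist') { continue }
        $kind = $item.GetValueKind('ProvidersWhitelist')
        # REG_MULTI_SZ is returned as string[]; @() also copes with a single REG_SZ string.
        foreach ($entry in @($item.GetValue('ProvidersWhitelist'))) {
            $status   = 'NotAGuid'   # e.g. stray entries like '<' or '$'
            $provider = $null
            if ($entry -match $GuidPattern) {
                $provKey = Join-Path $CredProvRoot ('{' + $entry.Trim('{}') + '}')
                if (Test-Path -LiteralPath $provKey) {
                    # Assumption: the provider name is the key's default value.
                    $provider = (Get-Item -LiteralPath $provKey).GetValue('')
                    $status   = 'Registered'
                } else {
                    $status = 'NotRegistered'   # whitelisted but no such provider on this machine
                }
            }
            [pscustomobject]@{
                Computer  = $env:COMPUTERNAME
                Source    = $key
                ValueKind = $kind
                Entry     = $entry
                Status    = $status
                Provider  = $provider
            }
        }
    }
}

Get-DuoProviderWhitelistReport | Format-Table -AutoSize
```

Entries reported as NotAGuid or NotRegistered are the ones worth reviewing before deciding whether to clear the value.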