Windows Client 3.0 connection issue


#1

While rolling out the Windows client I had a user whose client would not prompt for MFA even though it was installed with the correct IKEY, SKEY, and proxy configurations.
While troubleshooting we saw this error in the client log:
06/08/17 15:07:21 (8980) Making request: POST api-.duosecurity.com:443/auth/v2/preauth?ipaddr=[ItDoesntMatter]
06/08/17 15:07:22 (3376) Caught WINHTTP_CALLBACK_STATUS_SECURE_FAILURE notification: WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA
06/08/17 15:07:22 (3376) Caught WinHttp exception
06/08/17 15:07:22 (3376) Caught WinHttp exception; retrying up to limit
06/08/17 15:07:22 (3376) Making request: POST api-.duosecurity.com:443/auth/v2/preauth?ipaddr=[ItDoesntMatter]
06/08/17 15:07:22 (3376) Caught WINHTTP_CALLBACK_STATUS_SECURE_FAILURE notification: WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA
06/08/17 15:07:22 (3376) Caught WinHttp exception
06/08/17 15:07:22 (3376) Timeout or network error on all attempts to connect to Duo; failing open
06/08/17 15:07:22 (3376) Cancelling request…
06/08/17 15:07:22 (8980) WARNING: Interactive authentication failed open: Timeout or other network error
06/08/17 15:07:22 (8980) Failsafe Duo login for ‘Domain\username’: Timeout or other network error
06/08/17 15:07:22 (8980) Secondary authentication succeeded
06/08/17 15:07:22 (8980) CDuoCredential::GetSerialization: Cleanup and return with access permitted, serializationResponse : 2

Upon further investigation it turned out he was missing the following certs in his trusted root store:
DigiCert High Assurance EV Root CA
DigiCert SHA2 High Assurance Server CA

After we installed them in the trust store the client was able to connect.

We plan on creating a GPO to install these certificates in the trusted root stores.
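An added check, not from the thread, that an admin could run on an affected machine before building the GPO: it looks for the two DigiCert CAs by subject in the machine certificate stores, then performs a TLS handshake against the Duo API host with default chain validation so a trust failure shows up the same way the client log's WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA did. The api- hostname is a placeholder, since the thread redacts the real one.

```powershell
# Added example, not code from the Duo thread or the Duo client.
# $DuoApiHost is a placeholder; substitute your own api-XXXXXXXX.duosecurity.com.
param(
    [string]$DuoApiHost = 'api-XXXXXXXX.duosecurity.com'
)

# The two CAs the original poster found missing.
$RequiredCAs = @(
    'DigiCert High Assurance EV Root CA',
    'DigiCert SHA2 High Assurance Server CA'
)

# 1. Look for each CA by subject CN. The EV Root normally lives in Root;
#    the SHA2 High Assurance Server CA is an intermediate and is usually
#    found in the CA (intermediate) store, so both stores are searched.
foreach ($cn in $RequiredCAs) {
    $found = Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
        Where-Object { $_.Subject -like "CN=$cn*" }
    if ($found) {
        Write-Output "OK      $cn (thumbprint $($found[0].Thumbprint))"
    } else {
        Write-Output "MISSING $cn"
    }
}

# 2. TLS handshake with the default .NET chain validation. A chain that the
#    machine cannot build to a trusted root throws AuthenticationException,
#    which is the same condition WinHTTP reported as INVALID_CA in the log.
$client = $null
$ssl = $null
try {
    $client = New-Object System.Net.Sockets.TcpClient($DuoApiHost, 443)
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
    $ssl.AuthenticateAsClient($DuoApiHost)
    Write-Output "TLS chain to $DuoApiHost validated (issuer: $($ssl.RemoteCertificate.Issuer))"
} catch [System.Security.Authentication.AuthenticationException] {
    Write-Output "TLS chain to $DuoApiHost FAILED validation: $($_.Exception.Message)"
} catch {
    # DNS, proxy or firewall problems surface here rather than as a trust error.
    Write-Output "Could not reach ${DuoApiHost}:443 - $($_.Exception.Message)"
} finally {
    if ($ssl) { $ssl.Dispose() }
    if ($client) { $client.Dispose() }
}
```

Run it from an elevated prompt on a machine that cannot use a proxy-only path, because the handshake here goes direct rather than through the client's configured proxy.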


#2

You don’t mention the Windows version of the client that experienced the issue. Is it an older version, or one that hasn’t had Windows Updates applied for a while? Have you disabled automatic updates to certificate trust lists (CTLs)? DigiCert participates in the Microsoft Trusted Root Certificate Program, so a modern and updated Windows OS should trust that CA automatically.

See https://technet.microsoft.com/en-us/library/dn265983.aspx for more information.


#3

Sorry about that, it is version 3.0. The machines that this happened on (one workstation and a couple of servers) were initially built to never go out to the internet, so my guess is the CTL never got updated and someone went through and removed all except our own enterprise CAs and the default MS certificates required for day-to-day operation. I can imagine it will be a rare occurrence, but I couldn’t find a reference to the “Caught WINHTTP_CALLBACK_STATUS_SECURE_FAILURE notification: WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA” error in the KBs, so I thought I would post it here to save someone the trouble of researching. Not a Duo issue at all, just a potential problem for some organizations.


#4

Windows 10 and Server 2008.


#5

Thanks for that follow-up! We do mention making sure a client system trusts the DigiCert CAs as the last suggestion in this KB article, but it would probably help future users if we created an additional KB item with the Windows Logon installer error and the CA suggestion.

Thanks again for using Duo!