Solved: Windows Log/DUO Push timeout causing multiple logins

dwoodson · ‎12-02-2021

I’ve been dealing with an issue of when I log in to my workstation, that is the standard domain based AD server log in, it takes so long for DUO to send me a push notification to authenticate using my phone that Windows has timed out and even if I approve the login using the mobile app, I have to log in again. The second time is most often then not successful, although I have at times had the login timeout twice in a row.

I know there are a few things Windows wise we could do, such as setting the login timeout timer to a larger value in the registry keys. We have also tried ensuring that the system is up to date on drivers, BIOS, Windows updates, etc. just to be safe. Lastly we disabled all High demand start up services that are not required to see if the problem might lie in Windows itself taking too long to start, and therefore the DUO notification coming in too late.

However, the Windows login timeout timer is managed by security groups on our AD server, and I seem to be the only one amongst my immediate peers that has this issue. I was hoping to ask the community if there is anyone who has experienced such an issue and if it is for some odd reason related to DUO and not my startup time that makes the push notification come late.

I can’t test my start up time now that DUO is implemented company wide but I don’t recall it taking long to login at all prior to the implementation. I will be continuing to investigate why it might be Windows of course, as to tackle the issue both ways. But any feedback or experiences would be appreciated!

Thank you!

Amy2 · ‎12-03-2021

Hi @dwoodson, and welcome to the Duo Community! Thank you for sharing your question with us in the forum. From what you’ve described here and looking at similar support cases, it seems that the issue may be on the Windows side. In order to know for sure, you can review the debug logs to look for a delay in primary authentication as in the example shared at the end of this post. Please see our help article on how to enable or view Duo Authentication for Windows Logon debug logging.

Adding a credential provider to Windows such as Duo changes the way that the Windows OS handles authentication. When on the domain, the OS will wait for primary authentication to complete on the domain rather than log in quickly with cached Windows credentials if the domain is taking long to respond. The Duo 2FA credential provider will only be called once Microsoft has successfully completed primary authentication. Because primary authentication is handled by the Windows OS and is internal to Microsoft, unfortunately Duo has no control over this process.

Slow logon issues are common in Windows, and Microsoft has documented how this can be resolved. The following Microsoft blogs are helpful resources to troubleshooting a slow or delayed logon experience:

In the majority of cases customers have resolved these issues by following the MS guidelines here https://social.technet.microsoft.com/wiki/contents/articles/10123.windows-troubleshooting-slow-operating-system-boot-times-and-slow-user-logons-sbsl.aspx

Again, you can identify this in the logs. Here is an example of what it will look like:

02/12/21 15:13:18 [26836](5824) [Info] PasswordCredential LogonUser username=jdoe, domain=BRAVO

02/12/21 15:13:42 [26836](5824) [Debug] Querying username from logon token

02/12/21 15:13:42 [26836](5824) [Debug] Username obtained from logon token: BRAVO/jdoe

02/12/21 15:13:42 [26836](5824) [Info] Users specifiedUsernameOnly: “jdoe" specifiedDomainnameOnly "BRAVO"

02/12/21 15:13:42 [26836](5824) [Debug] RegReadLocalMachineDword found 0 value for key TranslateDomainName

02/12/21 15:13:42 [26836](5824) [Info] Duo username format is NTLM

02/12/21 15:13:42 [26836](5824) [Info] Primary authentication succeeded {logon: Local}.

02/12/21 15:13:42 [26836](5824) [Info] Primary authentication succeeded for user BRAVO\jdoe

Here the OS is responding that primary authentication has succeeded with a 24 second delay. After this, the Duo process is rather speedy.

For more advanced troubleshooting of this, you’ll need to contact and work with Duo Support. But hopefully this was helpful and gave you some good options to explore further!

View solution in original post

Amy2 · ‎12-03-2021

Hi @dwoodson, and welcome to the Duo Community! Thank you for sharing your question with us in the forum. From what you’ve described here and looking at similar support cases, it seems that the issue may be on the Windows side. In order to know for sure, you can review the debug logs to look for a delay in primary authentication as in the example shared at the end of this post. Please see our help article on how to enable or view Duo Authentication for Windows Logon debug logging.

Adding a credential provider to Windows such as Duo changes the way that the Windows OS handles authentication. When on the domain, the OS will wait for primary authentication to complete on the domain rather than log in quickly with cached Windows credentials if the domain is taking long to respond. The Duo 2FA credential provider will only be called once Microsoft has successfully completed primary authentication. Because primary authentication is handled by the Windows OS and is internal to Microsoft, unfortunately Duo has no control over this process.

Slow logon issues are common in Windows, and Microsoft has documented how this can be resolved. The following Microsoft blogs are helpful resources to troubleshooting a slow or delayed logon experience:

In the majority of cases customers have resolved these issues by following the MS guidelines here https://social.technet.microsoft.com/wiki/contents/articles/10123.windows-troubleshooting-slow-operating-system-boot-times-and-slow-user-logons-sbsl.aspx

Again, you can identify this in the logs. Here is an example of what it will look like:

02/12/21 15:13:18 [26836](5824) [Info] PasswordCredential LogonUser username=jdoe, domain=BRAVO

02/12/21 15:13:42 [26836](5824) [Debug] Querying username from logon token

02/12/21 15:13:42 [26836](5824) [Debug] Username obtained from logon token: BRAVO/jdoe

02/12/21 15:13:42 [26836](5824) [Info] Users specifiedUsernameOnly: “jdoe" specifiedDomainnameOnly "BRAVO"

02/12/21 15:13:42 [26836](5824) [Debug] RegReadLocalMachineDword found 0 value for key TranslateDomainName

02/12/21 15:13:42 [26836](5824) [Info] Duo username format is NTLM

02/12/21 15:13:42 [26836](5824) [Info] Primary authentication succeeded {logon: Local}.

02/12/21 15:13:42 [26836](5824) [Info] Primary authentication succeeded for user BRAVO\jdoe

Here the OS is responding that primary authentication has succeeded with a 24 second delay. After this, the Duo process is rather speedy.

For more advanced troubleshooting of this, you’ll need to contact and work with Duo Support. But hopefully this was helpful and gave you some good options to explore further!

dwoodson · ‎12-03-2021

Wow Amy,

This is a great response, and incredible thorough! I appreciate your feedback.

I had a hunch that this was the ‘order of events’ when it came to DUO, that the call for the TFA push came only after Windows had completed its necessary steps to log in. So I’ll continue looking into why on our end my login is taking so long.

Thank you also for the reference to the logs for me to investigate, and taking the time to reply to my post!

Cheers!

Amy2 · ‎12-03-2021

Happy to help! You are quite welcome