04-02-2017 08:11 AM
So I upgraded the client on a Windows Server 2012 R2 to the latest version and when I try to log back in, I am now faced with this error message. I’m effectively locked out of my server with no way in, either by logging into the server directly (physical access) or remotely. I found an article that mentioned making sure the server is properly synched with a time server, but I can’t get access to make that happen! And this wasn’t an issue with the previous version of the Duo client.
Any suggestions?
04-05-2017 10:26 AM
Hello NashBrydges!
I have three suggestions:
1. Log into your Duo Admin Panel and see if you can find your failed authentication attempt in the Authentication Logs. If you do see it, this indicates your Windows Server has connectivity to Duo’s cloud service. If this is the case, put your user in bypass status and try logging in again.
2. If the authentication attempt is not appearing in the Authentication Logs, that’s a good indicator your Windows Server does not have connectivity to Duo’s cloud service. You could push an update to that Windows Server via GPO to tell it to FailOpen under this condition.
   https://duo.com/docs/rdp-faq#how-can-i-configure-the-fail-mode?
3. If you have physical access to the Windows Server, you could try booting into safe mode and uninstalling Duo.
   https://duo.com/docs/rdp-faq#how-do-i-disable-or-uninstall-duo-authentication-for-windows-logon-in-safe-mode?
best,
-Greg
01-05-2018 12:52 AM
I don’t really see this as a solution. Answers to the suggestions provided:
So we are locked out of the server due to the time on the server being out. Enabling bypass on the user does not work. Now we need to power down the production server, attach the Windows OS disk to another virtual server, modify the registry to bypass/disable Duo at login, reattach it to the original server and boot it up. This causes us to have downtime on production servers due to the time being out by a few minutes.
There must be better solutions for this issue.
01-08-2018 01:48 PM
Do you not have console access to the host via whatever virtualization hypervisor you’re using (e.g. if VMware, connect to the console from vCenter)?
If so, you could try the previous suggestion #3 to remove the Duo software, or perhaps one of these solutions:
Similarly to #2, if you accepted the default “fail open” setting and have remote file system access to the server (like via the UNC path \\servername\c$), you could add an entry for your Duo API host with a fake IP to the server’s hosts file, and then RDP to the machine to update the system time or uninstall Duo.
01-08-2018 10:40 PM
No access to console, using 3rd party virtual environment and they do not provide console access.
Thanks for the idea on editing the hosts file to force fail communications with Duo. Easier might be to block Duo servers on the outgoing firewall.
I still think that the easiest solution will be that the Duo app will comply with the ‘bypass’ setting set on the Duo admin console. Thus, if this happens we can disable Duo for the account with no access / changes required on the server/firewall.
01-09-2018 06:19 AM
I do understand your idea about respecting the user’s bypass status to let a user log in, but if the Duo service isn’t able to verify the integrity of the incoming request (due to the bad timestamp or invalid integration information) then we’d be remiss to allow access.
01-09-2018 06:38 AM
Ah, thought it might be a blocker. Thanks
07-10-2018 12:27 PM
I received the same message.
I removed network connectivity and was able to login.
10-27-2018 03:03 PM
Actually, the server is not recognizing you. You use VPN for access to this server. You can set it to allow remote. If you have any issue in your Windows then you can check https://babasupport.org/windows/windows-error-0x8024200b/ for more help
08-21-2019 08:17 AM
I’ve just run into this too, on a remote hosting server, and at the moment I can’t work out how to fix it. Judging by another server nearby the clock must have been out by something like 30 seconds, and now I’m completely locked out with no easy way to get back in.
There really needs to be a better solution than just locking people out with an unfriendly error message. Thankfully this isn’t yet a production server, but I can’t risk being locked out when it goes live so I’m going to have to uninstall Duo permanently when I do get back in.
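Added example, not part of the thread and not Duo's own code: several posts above trace the lockout to the server clock being off by seconds or minutes, so a scheduled check of the skew against Duo's unauthenticated `/auth/v2/ping` endpoint can flag drift before the next logon. The API hostname is whatever your own integration uses, the 30-second threshold is an assumption rather than a documented Duo limit, and without `-ApiHost` the script runs on a constructed sample response.

```powershell
# Added example: measure clock skew between this server and Duo's cloud service.
param(
    [string]$ApiHost = '',        # your integration's API hostname; empty = use constructed sample
    [int]$MaxSkewSeconds = 30     # assumed alert threshold, not a Duo-documented limit
)

function Get-ClockSkewSeconds {
    # Returns (local clock - Duo clock) in whole seconds; positive means the server runs fast.
    param(
        [Parameter(Mandatory = $true)] [string]$PingJson,
        [Parameter(Mandatory = $true)] [datetime]$LocalUtc
    )
    $ping = $PingJson | ConvertFrom-Json
    if ($ping.stat -ne 'OK' -or -not $ping.response.time) {
        throw "Unexpected ping response: $PingJson"
    }
    $epoch = New-Object System.DateTime -ArgumentList 1970, 1, 1, 0, 0, 0, ([System.DateTimeKind]::Utc)
    $remoteUtc = $epoch.AddSeconds([double]$ping.response.time)
    return [int][math]::Round(($LocalUtc - $remoteUtc).TotalSeconds)
}

if ($ApiHost) {
    # Older Windows Server builds default to TLS 1.0; request TLS 1.2 explicitly.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    $json  = (Invoke-WebRequest -UseBasicParsing -Uri "https://$ApiHost/auth/v2/ping").Content
    $local = [datetime]::UtcNow
} else {
    # Constructed sample: a ping response and a local clock that runs 95 seconds fast.
    $json  = '{"stat": "OK", "response": {"time": 1514764800}}'
    $epoch = New-Object System.DateTime -ArgumentList 1970, 1, 1, 0, 0, 0, ([System.DateTimeKind]::Utc)
    $local = $epoch.AddSeconds(1514764895)
}

$skew = Get-ClockSkewSeconds -PingJson $json -LocalUtc $local
if ([math]::Abs($skew) -gt $MaxSkewSeconds) {
    Write-Warning "Clock is off by $skew s relative to Duo. Check the time source (w32tm /query /status) and resync (w32tm /resync)."
    exit 1
}
Write-Output "Clock skew vs Duo: $skew s (within $MaxSkewSeconds s)"
```

Run it from a scheduled task and alert on the non-zero exit code, so drift is caught while an administrator session is still available.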