1063 Views, 0 Helpful, 12 Replies

DUO OWA 2.2 App & 404 Errors through Reverse Proxy

colombo01
Level 1

Hi All,

I am running Exchange 2019 on Server 2019 with the latest CU 13. My configuration is that my Exchange server is behind an IIS reverse proxy using URL Rewrite to rewrite the subdomain back to the Exchange server. I do not have any restrictions on the specific directories as noted in the reverse proxy document:
https://help.duo.com/s/article/3392?language=en_US

I have been using version 1.1 of the DUO OWA app for several years now without any issues. I recently upgraded to version 2.2 to take advantage of the universal prompt. After testing things the prompt shows up and everything seems to be working properly from my internal network. However, when I test things from outside my network I get a 404 error with a big long nasty URL string https://subdomain.domain.com/oauth/v1/authorize client_id=…

I’ve tried changing back to the traditional prompt in the DUO admin panel and no changes. I uninstalled version 2.2 and reinstalled 1.1 and everything is working properly again.

I assume this is a result of the reverse proxy since things work properly internally, however I’m not sure what the cause is and how to resolve it. I don’t know if the specific URL/error code contains anything of help but I can share if needed.

Thanks
Josh

12 Replies

DuoKristina
Cisco Employee

Please contact Duo Support about this if you have not already. It may be a bug with the implementation of the redirect_uri value in our OIDC API in the OWA v2 plugin with reverse-proxy/URL rewrite configurations.

Duo, not DUO.

Kristina,

Thank you for the reply. I just sent support an email and I’ll see what they come back with.

Thanks!
Josh

User666
Level 1

I have the same issues.

Everything was working perfectly with 1.1 and still works perfectly internally.

I had done everything Josh had done, but I had also tried putting a hostname block for *.duosecurity to try and stop it going through the URL rewrite engine without success. (thin chance, but was worth a shot!)

Thanks
Ian

Sascha K.
Level 1

Hi everyone,

Could someone solve the problem? I have the same problem.

Thanks!

colombo01
Level 1

If you have a paid account I’d recommend contacting Support to elevate the issue. I do not have a paid account and received feedback that paid users’ issues would be a priority.

Bryan_MFA
Level 1

The OWA 2.0.x adapter uses the Duo Universal Prompt to complete multi-factor authentication. With that approach, the Duo OWA adapter performs an HTTP redirect to the Duo server, so the Duo server URL must not be rewritten by the reverse proxy.

It should be possible to resolve the reported issue by updating the outbound URL rewrite rule(s) on the reverse proxy server.

Open the IIS Manager

  • Select the ‘Site’ where the URL Rewrite rules are configured. The rewrite rules can be overridden within the site hierarchy, so be sure to select the correct site node, e.g. ‘Default Web Site’ or ‘Default Web Site’\owa or ‘Default Web Site’\ecp

  • From the right-pane, double-click the URL Rewrite icon

  • You will likely see one or more ‘Outbound’ rules

  • In the “Pattern” text box, enter regex that deliberately excludes duosecurity URL from being rewritten.

For example, the regex below can be added to the existing pattern to exclude the duosecurity.com URL from outbound rewrite (the asterisks were lost when the post was rendered; the pattern is a negative lookahead for a duosecurity.com URL followed by a match of everything else):
(?!^.*\.duosecurity\.com/.*$)(^.*$)

Before clicking ‘Apply’ to save the updated pattern, you can test/refine the pattern by clicking the ‘Test pattern…’ action button next to the text box.

In ‘Input data to test:’, enter a Duo server URL, e.g. https://myserver.duosecurity.com/oauth/v1/authorize?test_param=GoDuo

The Test Results should display a message like:
The input data to does not match the pattern

Before saving, make sure that URLs that should be rewritten still match the pattern.
For URLs that should be rewritten, the Test Results should display a message like:
The input URL path matches the pattern

After applying the updated rewrite pattern, test the OWA logon to see if the reported issue is resolved.

I hope this helps.

Bryan,

Thank you for the reply! I will try and test this out this week and report back.

Thanks!
Josh

Hello,

I am unable to get this to work. I'm not sure if it's the regex expression or the specific attributes to select in the outbound rule. Any additional feedback/input is appreciated. Below is how I have it configured.

Thanks

[Screenshot: Legacy777_0-1708126583405.png]

@Legacy777 You didn't enter the same regex string that Bryan suggested. What happens when you try your current rule (how does it not work)? What logging is available to you to verify processing of your rule?

Duo, not DUO.

Hi Kristina,

The regex string Bryan suggested does not work either and doesn't provide the results mentioned when testing the expression, which is why I modified it. Either expression actually causes OWA and ActiveSync to not work outside of the internal network. I will need to review the logs in more detail to see what information is available to verify processing of the rule.

You're probably better off contacting Duo Support if you have not already. They can dedicate time to reviewing your logs, config, etc.

Duo, not DUO.

I contacted support but didn't get a response back.

However, I did some more testing and research and the fix is actually very simple. No outbound URL rewrite rules need to be defined, "Reverse rewrite host in response headers" just needs to be unchecked in the Application Request Routing proxy settings. Please see the screenshots below showing what needs to be changed:

Open IIS Manager, select your server, and select Application Request Routing
[Screenshot: AAR1.PNG]

Select "Server Proxy Settings"
[Screenshot: AAR2.PNG]

Uncheck "Reverse rewrite host in response headers" and then select "Apply"
[Screenshot: AAR3.PNG]

Anyone that is having this issue I would suggest verifying your configuration and ensuring unchecking this won't cause any other undesirable results.

Below are some links/references regarding this setting if you want to dig into it more.

IIS Url Rewrite overwriting external urls
URL Rewrite keeps original host Location when reverse proxy 301 redirects
Prevent ARR with UrlRewrite from re-writing Location header for a 302 redirect
Application Request Routing – (Reverse Proxy and Troubleshooting ARR, URLRewrite Issues)

This works for RDWeb as well as OWA, and I would assume it works for any other applications behind IIS's reverse proxy.

Josh
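The two fixes in this thread, Bryan's outbound-rule exclusion pattern and Josh's "Reverse rewrite host in response headers" checkbox, compared in a small Python model (an added example, not code from the thread, from Duo or from Microsoft). The proxy behaviour is modelled only as far as the thread describes it, and the hostnames and client_id are constructed placeholders.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

PUBLIC_HOST = "mail.example.com"       # constructed public name of the proxy
BACKEND_HOST = "exchange.corp.local"   # constructed internal Exchange host

# Exclusion pattern from Bryan's post (asterisks restored, dots escaped):
# any Location that matches is eligible for the outbound rewrite, while a
# Duo URL is deliberately left unmatched and therefore untouched.
EXCLUDE_DUO = re.compile(r"(?!^.*\.duosecurity\.com/.*$)(^.*$)")

# Constructed redirect targets: Duo's authorize endpoint (placeholder API
# hostname) and an OWA redirect that carries the internal server name.
DUO_REDIRECT = "https://api-PLACEHOLDER.duosecurity.com/oauth/v1/authorize?client_id=CONSTRUCTED"
OWA_REDIRECT = f"https://{BACKEND_HOST}/owa/auth/logon.aspx"


def pattern_matches(url: str) -> bool:
    """Same yes/no answer the URL Rewrite 'Test pattern...' dialog gives."""
    return EXCLUDE_DUO.search(url) is not None


def proxy_location(location: str, reverse_rewrite_host: bool,
                   outbound_pattern: Optional[re.Pattern] = None) -> str:
    """Location header an external client receives, under the thread's model:
    with 'Reverse rewrite host in response headers' on, the host in a backend
    Location is replaced by the public host; an outbound rule only rewrites a
    Location its pattern matches. (Assumption: a model, not ARR's own logic.)"""
    if not reverse_rewrite_host:
        return location                   # Josh's fix: no host rewriting at all
    if outbound_pattern is not None and not outbound_pattern.search(location):
        return location                   # Bryan's fix: Duo URL excluded by pattern
    parts = urlsplit(location)
    return urlunsplit(parts._replace(netloc=PUBLIC_HOST))


def compare_fixes() -> dict:
    """Outcome of each configuration for the Duo and the OWA redirect."""
    return {
        "duo_default": proxy_location(DUO_REDIRECT, True),           # the 404 URL
        "duo_bryan": proxy_location(DUO_REDIRECT, True, EXCLUDE_DUO),
        "duo_josh": proxy_location(DUO_REDIRECT, False),
        "owa_bryan": proxy_location(OWA_REDIRECT, True, EXCLUDE_DUO),
        "owa_josh": proxy_location(OWA_REDIRECT, False),             # internal name leaks
    }


if __name__ == "__main__":
    for name, url in compare_fixes().items():
        print(f"{name:12} {url}")
```

The "owa_josh" row is the side effect Josh warns about: with the checkbox off, a backend redirect that names the internal server is passed through unchanged, so check what your Exchange redirects actually contain before unticking it.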
