WORKS2020

asked on

Installing DUO on Windows Server 2019 Standard - LDAP Question

Testing in our lab environment, installing LDAP on a Windows Server 2019 Standard. DUO is used to provide 2FA, and we would like to test out installation, security, and how well DUO syncs with our on-premises Active Directory LDAP server and their web portal.

Does anyone have any experience with DUO? If not, what are the best tools to configure an LDAP server to work with an application? We're having some minor issues and support is limited.

arnold

LDAP: do you mean OpenLDAP, or using the Windows AD and configuring it to allow LDAP queries?

Please clarify.
DUA as a secondary authorization (MFA/2FA)?
There is a guide; please clarify what you mean.
On Windows Server 2019, you would likely need NPS to handle things...
Did you install the auth proxy? That is required for the AD sync.

https://duo.com/docs/authproxy-reference
We use Duo, and after you install the Auth Proxy (the directions from Duo are pretty self-explanatory; you follow the install guides on the website for the agents), the Auth Agent takes care of the AD integration. You just need a service account in AD.

WORKS2020 (ASKER)

@arnold, we configured using the windows AD allowing LDAP queries.
DUA as a secondary authorization (MFA/2FA)?
yes, and to clarify I think you meant DUO.

there is a guide
yes, following the guide and can't set the correct permissions to the config file; tried using icacls to set permissions according to their documentation and it continues to fail.

you would likely need NPS to handle things...
please clarify, thank you.

ASKER CERTIFIED SOLUTION
arnold
@Seth, yes this is what I can't get working. It won't launch, I get an error message that relates to the config file not having the correct permissions. 
Is it the config in the file or the tie-in into duo.com?
@Jeff, thanks. I keep hearing how it's simple and I often don't have any issues with things like this. I read that I have to use a local administrator account and I'm trying to install it on the PDC, so this is not an option. Thought I read if I want to use certain features the proxy needs to be installed on the PDC; of course on the PDC I can't create a local administrator account.

I could install it on the main server under a local admin account. I believe this will resolve the permissions issues then I assume the app will launch. I'll give it a try this way and let you know. 
@arnold, the config file won't open; the app fails because it can't read it. This is because the config folder doesn't have the correct permissions. Since I'm attempting to install using a domain admin account I have to change the permission using icacls. I follow the instructions DUO offers and it doesn't work. I manually tried to update the permissions and this doesn't work either.

Did you install it using a local admin account or domain admin account? 
We were trying to sync Active Directory and now realize this really isn't needed. I created a user, downloaded the RDP client and am testing now. This is what we need most at the moment.

Question, I chose to only have DUO prompt for 2FA when outside the local network and now I want to turn this on so users use 2FA even while on the local network. Is this a setting in the admin panel under the user? I can't find it. I also ran the installer again on the desktop and it didn't give me options to make any changes. 
I think this is part of the installation of the DUO installer as to when it applies. The local system is the one enforcing the requirement for 2FA/MFA.
I just installed the RDP client under applications and assigned it to three users, it's working great. Happy with this for now however it would be nice to have Active Directory sync and be able to manage users this way. 
It won't launch, I get an error message that relates to the config file not having the correct permissions.

is the file owned by the service account with permissions 640?

Is this a setting in the admin panel under the user?

It would be in Policies -> Global Policy (or, if you created a custom one, that policy) -> Authorized Networks.
Just remove your public address range(s) from there to force it internally.

It's a Windows system install.
Possibly a step was missed in the instructions: running the password command and then the write-out-password command to config.
Is it running with a service account?
I've not worried about the Active Sync for this particular client because the user count is relatively small and I don't mind adding them manually.

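The config-file permissions problem discussed above, as an added example that is not code from this thread or from Duo: a PowerShell script that audits the NTFS ACL on the Auth Proxy config file (it holds secrets), warns when broad groups can read it or when the service account cannot, and can reset the ACL to a minimal set. The config path, the service account name and the function names are assumptions.

```powershell
# Added example, not from this thread or Duo's documentation. The path and
# account below are placeholders; substitute your own values.
$ConfigPath     = 'C:\PLACEHOLDER\conf\authproxy.cfg'   # assumed location
$ServiceAccount = 'EXAMPLE\svc-duoproxy'                 # assumed service account
# Identities that should never be able to read a secrets-bearing file.
$BroadIdentities = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

function Test-ConfigAcl {
    param([string]$Path, [string]$Account)
    $acl = Get-Acl -Path $Path
    "Owner: $($acl.Owner)"
    $accountCanRead = $false
    foreach ($rule in $acl.Access) {
        $id  = $rule.IdentityReference.Value
        $src = if ($rule.IsInherited) { 'inherited' } else { 'explicit' }
        '{0,-40} {1,-6} {2,-10} {3}' -f $id, $rule.AccessControlType, $src, $rule.FileSystemRights
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($BroadIdentities -contains $id) {
            Write-Warning "Over-broad ACE: $id is allowed $($rule.FileSystemRights) on $Path"
        }
        # ReadData is the bit the proxy needs to open the file at all
        # (generic-right ACEs inherited from the folder show as raw numbers).
        $readBit = [System.Security.AccessControl.FileSystemRights]::ReadData
        if ($id -eq $Account -and (($rule.FileSystemRights -band $readBit) -ne 0)) {
            $accountCanRead = $true
        }
    }
    if (-not $accountCanRead) {
        Write-Warning "$Account has no Read access to $Path; the proxy cannot open its config"
    }
}

function Set-ConfigAcl {
    # Tighten the ACL: stop inheriting from the folder, keep SYSTEM and
    # Administrators at FullControl, grant the service account Read only.
    param([string]$Path, [string]$Account)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # $false discards inherited ACEs
    foreach ($existing in @($acl.Access)) { [void]$acl.RemoveAccessRule($existing) }
    foreach ($grant in @(@('NT AUTHORITY\SYSTEM', 'FullControl'),
                         @('BUILTIN\Administrators', 'FullControl'),
                         @($Account, 'Read'))) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($grant[0], $grant[1], 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

Test-ConfigAcl -Path $ConfigPath -Account $ServiceAccount
# Set-ConfigAcl -Path $ConfigPath -Account $ServiceAccount   # run elevated once the audit confirms the gap
```

Run the audit first from an elevated prompt; only call Set-ConfigAcl after confirming which account the proxy service actually runs as, since a wrong account name locks the service out of its own config.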
@Arnold, you mentioned the RDP application that I wasn't aware could be used without first connecting DUO to active directory. Not sure where I got this idea. I installed the RDP protection on computers, sent automated DUO mobile setup links to end users and it's working great.

I'm going to open a new thread with questions regarding OWA and DUO.