WORKS2011

Installing DUO on Windows Server 2019 Standard - LDAP Question

Testing in our lab environment installing LDAP on a Windows 2019 Server Standard. DUO is used to provide 2FA and we would like to test out installation, security, and how well DUO syncs with our on-premise active directory LDAP server and their web portal.

Does anyone have any experience with DUO? If not, what are the best tools to configure an LDAP server to work with an application? We're having some minor issues and support is limited.

arnold

By LDAP, do you mean OpenLDAP, or using the Windows AD and configuring it to allow LDAP queries?

Please clarify.
DUA as a secondary authorization (MFA/2FA)?
There is a guide, please clarify what you mean.
On Windows Server 2019, you would likely need NPS to handle things...

Seth Simmons

Did you install the auth proxy? That is required for the AD sync.

https://duo.com/docs/authproxy-reference

Jeff Glover

We use Duo, and after you install the Auth proxy (the directions from Duo are pretty self-explanatory), you follow the install guides on the website for the agents.
The Auth Agent takes care of the AD integration. You just need a service account in AD.

WORKS2011

ASKER

@arnold, we configured using the Windows AD allowing LDAP queries.

"DUA as a secondary authorization (MFA/2FA)?"
Yes, and to clarify I think you meant DUO.

"there is a guide"
Yes, following the guide and can't set the correct permissions on the config file; tried using icacls to set permissions according to their documentation and it continues to fail.

"you would likely need NPS to handle things..."
Please clarify, thank you.

ASKER CERTIFIED SOLUTION
arnold

WORKS2011

ASKER

@Seth, yes this is what I can't get working. It won't launch, I get an error message that relates to the config file not having the correct permissions. 

arnold

Is it the config in the file or the tie-in into duo.com?

WORKS2011

ASKER

@Jeff, thanks. I keep hearing how it's simple and I often don't have any issues with things like this. I read that I have to use a local administrator account and I'm trying to install it on the PDC, so this is not an option. Thought I read if I want to use certain features the proxy needs to be installed on the PDC; of course, on the PDC I can't create a local administrator account.

I could install it on the main server under a local admin account. I believe this will resolve the permissions issues then I assume the app will launch. I'll give it a try this way and let you know. 

WORKS2011

ASKER

@arnold, the config file won't open, the app fails because it can't read it. This is because the config folder doesn't have the correct permissions. Since I'm attempting to install using a domain admin account I have to change the permission using icacls. I follow the instructions DUO offers and it doesn't work. I manually tried to update the permissions and this doesn't work either.

Did you install it using a local admin account or domain admin account? 

WORKS2011

ASKER

We were trying to sync Active Directory and are now realizing this really isn't needed. I created a user, downloaded the RDP client and am testing now. This is what we need most at the moment.

Question, I chose to only have DUO prompt for 2FA when outside the local network and now I want to turn this on so users use 2FA even while on the local network. Is this a setting in the admin panel under the user? I can't find it. I also ran the installer again on the desktop and it didn't give me options to make any changes. 

arnold

I think this is part of the installation of the DUO installer as to when it applies. The local system is the one enforcing the requirement for 2FA/MFA

WORKS2011

ASKER

I just installed the RDP client under applications and assigned it to three users, it's working great. Happy with this for now; however, it would be nice to have Active Directory sync and be able to manage users this way.

Seth Simmons

"It won't launch, I get an error message that relates to the config file not having the correct permissions."

Is the file owned by the service account with permissions 640?

"Is this a setting in the admin panel under the user?"

It would be in policies -> global policy (or if you created a custom one) -> authorized networks.
Just remove your public address range(s) from there to force internally.

arnold

It's a Windows system install.
Possibly a step was missed in the instructions running the password command and then the write-out password command to config.
Is it running with a service account?
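
The permissions question raised in this thread (whether the service identity can read the proxy's config file or folder) can be checked read-only with a short PowerShell script. This is an added example, not part of the thread or of Duo's documentation; the path and the account name are placeholders to replace with your own values.

```powershell
# Added example (not from the thread): report who can read a secrets-bearing
# config file or folder and whether the service identity is among them.
# ASSUMPTIONS: both default values below are placeholders to replace.
param(
    [string]$ConfigPath     = 'C:\path\to\proxy-config-file.cfg',  # placeholder
    [string]$ServiceAccount = 'NT AUTHORITY\SYSTEM'                # placeholder
)

$read = [System.Security.AccessControl.FileSystemRights]::Read
# Well-known SIDs of broad groups that should not hold rights on a secrets file.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

$acl = Get-Acl -LiteralPath $ConfigPath -ErrorAction Stop
"Owner: $($acl.Owner)"

$serviceCanRead = $false
foreach ($ace in $acl.Access) {
    # Resolve the trustee to a SID so the check also works on non-English systems.
    try {
        $sid = $ace.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $sid = $ace.IdentityReference.Value   # orphaned or unresolvable trustee
    }
    $grantsRead = ($ace.AccessControlType -eq 'Allow') -and
                  (($ace.FileSystemRights -band $read) -eq $read)

    if ($grantsRead -and $broadSids.ContainsKey($sid)) {
        Write-Warning "Broad group '$($broadSids[$sid])' can read $ConfigPath"
    }
    if ($grantsRead -and ($ace.IdentityReference.Value -ieq $ServiceAccount)) {
        $serviceCanRead = $true
    }
    # One line per ACE: trustee, Allow/Deny, rights, inherited or explicit.
    '{0,-40} {1,-6} {2} (inherited: {3})' -f $ace.IdentityReference.Value,
        $ace.AccessControlType, $ace.FileSystemRights, $ace.IsInherited
}

if (-not $serviceCanRead) {
    Write-Warning "No direct Allow-Read entry for '$ServiceAccount' (access via group membership is not evaluated)"
}
```

The script only reads the ACL and changes nothing; run it from an elevated session on the server where the proxy is installed.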

WORKS2011

ASKER

I've not worried about the Active Sync for this particular client because the user count is relatively small and I don't mind adding them manually.

@Arnold, you mentioned the RDP application that I wasn't aware could be used without first connecting DUO to active directory. Not sure where I got this idea. I installed the RDP protection on computers, sent automated DUO mobile setup links to end users and it's working great.

I'm going to open a new thread with questions regarding OWA and DUO 