https://community.cisco.com/t5/deployment-strategy/using-multiple-domain/m-p/5118458#M211 <P>If this is about a Duo customer please instruct them to contact <A href="https://duo.com/support" target="_self">Duo Support</A>. I'm not in support; don't @ me.</P> <P>However, it is correct that they will receive the error you mentioned if there are duplicate usernames coming from the two domains. Is this SSO + AD authentication? It is noted in the documentation that email addresses must be unique across all domains and forests:</P> <UL> <LI><A href="https://duo.com/docs/sso#active-directory:~:text=When%20a%20user,all%20the%20directories" target="_self">If Duo Single Sign-On gets results for multiple users matching the email address, it will show an error to the user. All email addresses that users log-in with should be unique across all the directories.</A></LI> </UL> <P>They should check the users that can't log in to make sure their email is not duplicated between forests. Again, if you don't know how to proceed advise the customer to contact Duo Support.</P> Tue, 28 May 2024 12:07:41 GMT DuoKristina 2024-05-28T12:07:41Z https://community.cisco.com/t5/deployment-strategy/using-multiple-domain/m-p/5117884#M210 <P><SPAN class="">The issue you are facing with the Duo Authentication Proxy and the two domains (abc.com and xyz.com) seems to be related to the user directory configuration. Based</SPAN><SPAN class="">&nbsp;on the information provided:</SPAN></P> <OL class="list-decimal marker:font-mono marker:text-sm pl-11"> <LI><SPAN class="">Customer had only one domain (abc.com) configured on Duo and the Authentication Proxy was also configured for only that domain.</SPAN></LI> <LI><SPAN class="">Some users from the xyz.com domain were trying to log in, but they were getting an error saying their organization was not allowed to log in. This is because the Duo Authentication Proxy was only configured for the abc.com domain.</SPAN></LI> </OL> <P><SPAN class="">To resolve this issue:</SPAN></P> <OL class="list-decimal marker:font-mono marker:text-sm pl-11"> <LI><SPAN class="">We advised the customer to add a new Authentication Proxy server in Duo with the xyz.com domain. This was the right approach, as it would allow users from both domains to authenticate through Duo.</SPAN></LI> <LI><SPAN class="">However, Customer mentioned that even after this configuration, some users from the xyz.com domain are still not able to log in, and the Duo dashboard is indicating that there are multiple, duplicate user accounts with invalid credentials.&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/878627">@DuoKristina</a>&nbsp;Need your expertise.</SPAN></LI> </OL> Mon, 27 May 2024 19:28:50 GMT https://community.cisco.com/t5/deployment-strategy/using-multiple-domain/m-p/5117884#M210 mumbai.support 2024-05-27T19:28:50Z https://community.cisco.com/t5/deployment-strategy/using-multiple-domain/m-p/5118458#M211 <P>If this is about a Duo customer please instruct them to contact <A href="https://duo.com/support" target="_self">Duo Support</A>. I'm not in support; don't @ me.</P> <P>However, it is correct that they will receive the error you mentioned if there are duplicate usernames coming from the two domains. Is this SSO + AD authentication? It is noted in the documentation that email addresses must be unique across all domains and forests:</P> <UL> <LI><A href="https://duo.com/docs/sso#active-directory:~:text=When%20a%20user,all%20the%20directories" target="_self">If Duo Single Sign-On gets results for multiple users matching the email address, it will show an error to the user. All email addresses that users log-in with should be unique across all the directories.</A></LI> </UL> <P>They should check the users that can't log in to make sure their email is not duplicated between forests. Again, if you don't know how to proceed advise the customer to contact Duo Support.</P> Tue, 28 May 2024 12:07:41 GMT https://community.cisco.com/t5/deployment-strategy/using-multiple-domain/m-p/5118458#M211 DuoKristina 2024-05-28T12:07:41Z https://community.cisco.com/t5/deployment-strategy/using-multiple-domain/m-p/5118570#M212 <P>I'm told that TAC can create a case in CSOne and bond the case to the Duo Support queue.</P> Tue, 28 May 2024 13:47:50 GMT https://community.cisco.com/t5/deployment-strategy/using-multiple-domain/m-p/5118570#M212 DuoKristina 2024-05-28T13:47:50Z