Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
454
Views
1
Helpful
4
Replies

Duo AD Sync unacceptable 12 hour initial sync

Go to solution
joe19366
Level 1
Level 1

‎08-24-2024 02:15 PM

we are setting up duo ad sync to an on premise domain

duo proxy client installed

duo ad sync configured

duo ad sync says connected

we are now sitting here unable to continue becuase duo is waiting for the initial sync

(per the documentation)

"Duo's directory sync for users runs automatically twice a day, at 12 hour intervals chosen at random when you create your sync."

The Sync now button does not appear because we can't fully configure the duo sync and select "Groups" until duo gets our group list from the initial sync

also, due to this the SYNC NOW button does not appear

this is undesirable behavior because we would like to complete the duo sync setup in a few minutes and not wait a random time up to 12 hours.

Perhaps in future versions of the release an instant initial sync can be allowed?

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
ccieexpert
Spotlight
Spotlight

‎08-24-2024 04:27 PM

the sync now should always work... something is wrong in your setup

ccieexpert_0-1724541995073.png

make sure that director sync show as connected ?

ccieexpert_1-1724542038208.png

 

are you using on prem AD or Azure ?

Please show screenshots..

View solution in original post

0 Helpful

Go to solution
Jonatan Jonasson
Level 4
Level 4

‎08-24-2024 04:32 PM

Once everything is configured correctly initially, it does an immediate sync, and the sync now button becomes available.
You don't need to wait for 12 hours or any specific time for initial sync to be become available.

So you are probably missing a configuration step.

Once you initially add the ad sync part, you need to add the relevant [cloud] config to the auth proxy config file, and then you may need to restart the auth proxy service. (And verify it starts up.)

If everything's set up correctly at that point, the group selection in the duo portal becomes instantly available.

I've done this a number of times, last time was in July, and you can absolutely finish configuring everything in one session, no need to wait.

In my experience, if there's an issue it's usually one of these 3:

  • Forget to restart the authentication proxy service after cloud section is added
  • Someone used an editor on authproxy.cfg that messed up the config and the authproxy service doesn't start
  • Something blocking (or SSL decrypting) outbound connections from authproxy to the DUO cloud.

 

 

 

View solution in original post

4 Replies 4

Go to solution
ccieexpert
Spotlight
Spotlight

‎08-24-2024 04:27 PM

the sync now should always work... something is wrong in your setup

ccieexpert_0-1724541995073.png

make sure that director sync show as connected ?

ccieexpert_1-1724542038208.png

 

are you using on prem AD or Azure ?

Please show screenshots..

0 Helpful

Go to solution
joe19366
Level 1
Level 1
In response to ccieexpert

‎08-24-2024 04:44 PM

thanks i spent time setting up a new domain in azure and signed up for a duo trial

it all works instantly there with the same settings i have used before

thanks - this one on prem domain must be corrupt even though we were installing the duo proxy on the local dc as i normally do

0 Helpful

Go to solution
Jonatan Jonasson
Level 4
Level 4

‎08-24-2024 04:32 PM

Once everything is configured correctly initially, it does an immediate sync, and the sync now button becomes available.
You don't need to wait for 12 hours or any specific time for initial sync to be become available.

So you are probably missing a configuration step.

Once you initially add the ad sync part, you need to add the relevant [cloud] config to the auth proxy config file, and then you may need to restart the auth proxy service. (And verify it starts up.)

If everything's set up correctly at that point, the group selection in the duo portal becomes instantly available.

I've done this a number of times, last time was in July, and you can absolutely finish configuring everything in one session, no need to wait.

In my experience, if there's an issue it's usually one of these 3:

  • Forget to restart the authentication proxy service after cloud section is added
  • Someone used an editor on authproxy.cfg that messed up the config and the authproxy service doesn't start
  • Something blocking (or SSL decrypting) outbound connections from authproxy to the DUO cloud.

 

 

 

Go to solution
joe19366
Level 1
Level 1
In response to Jonatan Jonasson

‎08-24-2024 04:42 PM - edited ‎08-24-2024 04:43 PM

"So you are probably missing a configuration step."

definitely not - i just built a new domain on azure and setup a duo trial account and it worked instantly like you described.

i didn't know there are things on AD can that can break it... 

must be a corrupt domain etc

i'll just tell the customer to use something else thanks!

0 Helpful
Customers Also Viewed These Support Documents