Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2371
Views
1
Helpful
2
Replies

2012R2 Remote Desktop Gateway w/Duo trying to use UPN

jmhahn
Level 1
Level 1

‎03-06-2017 06:45 AM

Greetings,

I’ve been in the process of a proof-of-concept of Duo for a potential large’ish-scale implementation across our Enterprise. We’re currently syncing with Azure Active Directory as this hits a few sweet spots for us but I’ve ran into a bit of a speed bump where this directory sync is concerned. Namely Azure AD sync with Duo will only bring over our UPNs.

We’re a bit unique in that our UPNs “simplified” does not equal our SAM/NTLM account usernames. By and large this isn’t a big deal-- most of our solutions use UPN without any difficulty.

However with Remote Desktop Gateway we’ve hit a snag. After enabling debug mode in the Duo Remote Desktop Gateway application I can see even though we provide our UPN to RDG for authentication, the Duo Remote Desktop Gateway application log can only see an authentication request using our NTLM usernames-- which naturally we get “user must register” error thrown because it doesn’t recognize the username being non-UPN.

I realize this is probably something that RDG is doing behind the scenes, but I can’t for the life of me think of where I could go to to fix this. At this point it seems our only recourse is to use Local AD Sync and retest everything on SAM/NTLM usernames.

Has anyone encountered this before? Is there something easy I’m missing somewhere?

Labels:
0 Helpful
2 Replies 2

DuoKristina
Cisco Employee
Cisco Employee

‎03-06-2017 07:03 AM

You’re correct. The Duo RD Gateway application must use the sAMAccountName as the Duo username. This is not a configurable option.

If your Azure UPNs matched your sAMAccountNames, then you could continue to use Azure sync with the “Normalize usernames” option enabled. Since yours don’t match, your “best” option moving forward is AD syncing using the default Username attribute (sAMAccountName) as you mentioned (I’m assuming that changing your user’s SAM names to match UPN is a non-starter).

Feel free to contact Duo Support or your SE/CSM to submit a feature request for alternate username support in the Duo RDG application.

Duo, not DUO.

jmhahn
Level 1
Level 1
In response to DuoKristina

‎03-06-2017 07:25 AM

Thanks for the fast reply, DuoKristina! The sanity check on this was welcome-- I’d been fighting it the last few days.

You’re correct, matching the SAM to match UPN is a non-starter as this point.

We’ll explore doing a local AD sync to Duo and re-testing everything using SAM.

0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents