Issues with windows logon

Has anyone experienced trouble logging in to Windows using Duo MFA? Our setup has Azure AD synced, and we also followed the guide for Windows Logon, but we still encountered an issue logging in to Windows (the issue is that it says we still need to enroll to proceed, but the account is already enrolled). We also set the username normalization of the Microsoft RDP application to "None", but the issue still persists. Using a local account, it works. It's just an issue with AD.

DuoKristina (Cisco Employee)

If you look at the %PROGRAMDATA%\Duo Security\duo.log output for the Duo for Windows Logon application, what username does it show it is sending to Duo's service, and is that username actually a username or username alias for a user that has a device capable of Duo Push, SMS, or phone call attached?

Duo, not DUO.

%PROGRAMDATA%\Duo Security\duo.log, is that a directory path?

That is the location of the Duo Authentication for Windows Logon application's log output on the Windows system where it is installed. %PROGRAMDATA% is usually set to C:\ProgramData.

Here's an example of what to look for in the log:

03/12/25 16:04:54 [6140](6952) [Info] PasswordCredential LogonUser username=kristina, domain=ACME
03/12/25 16:04:54 [6140](6952) [Info] Users specifiedUsernameOnly: "kristina" specifiedDomainnameOnly "ACME"
03/12/25 16:04:54 [6140](6952) [Info] Duo username format is NTLM
03/12/25 16:04:54 [6140](6952) [Info] Primary authentication succeeded {logon: RDP}.
03/12/25 16:04:54 [6140](6952) [Info] Primary authentication succeeded for user ACME\kristina
03/12/25 16:04:54 [6140](6952) [Info] Attempting secondary authentication for ACME\kristina

"Duo username format is NTLM" = The Duo client will send the username to Duo's Service as DOMAIN\samaccountname.

"Attempting secondary authentication for ACME\kristina" = the Duo client is going to send ACME\kristina because that's my username in NTLM format.

If my "Microsoft RDP" application has username normalization set to "None", I need a user with the username or username alias ACME\kristina to exist in Duo with an auth device other than a platform/roaming authenticator.

If my "Microsoft RDP" application has username normalization set to "Simple" (the default for this type of application), then the username or username alias that must exist would be kristina.

So, see what your client is sending as the username to Duo in your log. Hope this helps!

Duo, not DUO.

I can see the issue now, based on the logs. Our Duo username format is also NTLM. Meaning, should I add a username alias?

"message" : "Invalid request parameters", "message_detail" : "username", "stat" : "FAIL 

But in terms of username normalization, what is the best practice option? Simple or None?

The RDP application's default username normalization is Simple. You can choose whatever makes the most sense for your organization, and the best choice usually depends on how you have formatted your Duo usernames.

For example, if you choose to sync your users into Duo from Active Directory, and in your sync config you chose to use sAMAccountName as the username attribute, your resulting Duo users would not have NTLM-formatted usernames (no domain prefix), so it would make sense for the RDP app to use simple username normalization so that the domain prefix is dropped during Duo authentication.

Duo, not DUO.
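To make the two normalization settings and the sync case above concrete, here is an added Python example (not Duo's code and not from anyone in this thread): it pulls the username the Windows Logon client sends from a constructed duo.log excerpt, applies "None" or "Simple" normalization, and checks the result against a constructed Duo user list with aliases. It assumes Duo usernames and aliases match case-insensitively.

```python
import re

# Constructed duo.log excerpt (not captured from a real host).
SAMPLE_LOG = """\
03/12/25 16:04:54 [6140](6952) [Info] Duo username format is NTLM
03/12/25 16:04:54 [6140](6952) [Info] Primary authentication succeeded for user ACME\\kristina
03/12/25 16:04:54 [6140](6952) [Info] Attempting secondary authentication for ACME\\kristina
"""

# Constructed Duo user list: username -> aliases, as an AD sync keyed on
# sAMAccountName would produce it (no DOMAIN\ prefix on the username).
DUO_USERS = {
    "kristina": {"kristina@acme.example"},
    "bob": set(),
}

SECONDARY_RE = re.compile(r"Attempting secondary authentication for (\S+)")


def sent_username(log_text):
    """Return the username the client reports it will send to Duo, or None."""
    match = SECONDARY_RE.search(log_text)
    return match.group(1) if match else None


def normalize(username, mode):
    """Apply the application's username normalization setting.

    "None" sends the value unchanged; "Simple" drops a DOMAIN\\ prefix and
    an @domain suffix so DOMAIN\\user, user@domain and user all become user.
    """
    if mode == "None":
        return username
    if mode == "Simple":
        name = username.split("\\", 1)[-1]  # drop DOMAIN\ prefix
        return name.split("@", 1)[0]        # drop @domain suffix
    raise ValueError(f"unknown normalization mode: {mode}")


def resolve(username, mode, users):
    """Return the Duo username that the sent value resolves to, or None.

    Matching is assumed case-insensitive against usernames and aliases.
    """
    candidate = normalize(username, mode).lower()
    for name, aliases in users.items():
        if candidate == name.lower() or candidate in {a.lower() for a in aliases}:
            return name
    return None
```

With "None", ACME\kristina only resolves once that exact value is added as an alias; with "Simple", the prefix is dropped and the synced username matches directly.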

We set the username normalization back to Simple and added an alias, for example "user", for this account's username user@example.com, and it works.