08-20-2019 09:50 AM
I have followed the steps in the linked article What is the least-privileged Duo Authentication Proxy Windows service account configuration to set up a Group Managed Service Account (gMSA). I have used Group Policy to configure 1) the security on the Registry Key, 2) the Log on as a service user right, and 3) the security on the log directory.
This setup works fine – as long as I specify a service account username and password in the authproxy.cfg file (of course, I have to use a different account here, as the gMSA password is generally considered unknown to humans).
Anyway, the linked article states “[i]f you’ll be running Active Directory synchronization through this Authentication proxy server using ‘Integrated’ authentication, then the account used to start the service must be a domain account with the right to perform LDAP queries against an AD domain controller.” This to me seems to imply that the LDAP connection would be initiated by the account that is running the service. However, I don’t see where I can specify an authentication type of integrated. Essentially, I don’t want to know the password, I don’t want the password stored in clear text, I don’t want the password stored in encrypted text. I want the service – running under a specified service account – to perform an LDAP bind/query using the credentials of the account that is running the service.
I could settle for using a regular user account (albeit annoying, both because I have to allocate a user license and manage another password), as long as I didn’t have to specify the username and password (in any form) in the config file.
What am I missing?
–
Related: this prior question, though it refers to them as “(global) Managed Service Accounts,” does not quite contain the same detail, and has zero replies.
08-30-2019 07:42 AM
Hi @Semicolon,
It’s unclear if you are configuring Duo AD Sync, or if you are configuring 2FA for application logins through LDAP. The 3456 article is referring to the least privileges to run the proxy service, not to authenticate through it (and then goes on to reference the AD sync use case, but still isn’t talking about user authentication).
If you are setting up AD sync, when you use the Integrated authentication option the Authentication Proxy uses the machine domain account (if the Duo service is running as Local System) or a specified domain account (if you change the service to run as that account). If the service is running as the gMSA account, then no additional configuration should be needed for the sync to run, other than populating the [cloud] section in your authproxy.cfg file with the information from the AD Sync directory details in the Duo Admin Panel.
The Duo Authentication Proxy doesn’t support gMSA accounts for [ad_client] LDAP simple binds today. If you are deploying LDAP 2FA (so you have [ad_client] and [ldap_server_auto] sections in your authproxy.cfg) then I’m afraid you’ll have to settle for an account with a known password, which you can encrypt in the proxy config (it sounds like you are already aware of this).
The service account used by the Duo proxy to perform the LDAP search for the user logging in does not need to be licensed in Duo. By default the Authentication Proxy doesn’t require 2FA for the first bind in a connection. This is to support systems that bind as a service account, search for the user account, and then bind as the user.
If you find that the initial bind as the service account is requiring Duo 2FA, then your system may connect and bind as the service account and perform the LDAP search for the user, then disconnect, then connect again to bind as the end user.
Please take a look at the exempt_primary_bind and exempt_ou_1 options on this page and try setting exempt_primary_bind=false and exempt_ou_1=the DN of the AD lookup service account. With this configuration the bind from the AD service account won’t require 2FA, and therefore won’t need to exist as a Duo licensed user with bypass status. All other account binds will require 2FA.
You can contact Duo Support to submit a feature request for managed account support for LDAP Auto in the Authentication Proxy.
07-13-2021 07:07 AM
Sorry for reviving an old thread, but 2 years later, is it still not possible to use MSA or gMSA for DUO Auth Proxy servers?
We are trying to get away from AD Service Accounts as a whole, as it’s just another account to manage changing a password every 90 days for and also a security vulnerability having a password in clear text (understanding you can encrypt the text file).
07-13-2021 07:58 AM
It’s true that the Authentication Proxy still doesn’t support MSA/gMSA for the ad_client service account, but if your proxy server is domain-joined you can specify auth_type=sspi to have it use integrated Windows authentication, i.e. the context of whatever account runs the Duo Authentication Proxy service (the machine account if LocalSystem runs the service, or a designated user account that could be an MSA).
Learn more about the different supported auth types here and this article details some requirements for AD user accounts that run the proxy service.
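The two [ad_client] variants the answers in this thread contrast (a service account with a stored password versus auth_type=sspi), together with the exempt_primary_bind / exempt_ou_1 settings from the first answer, as an added authproxy.cfg example that is not part of any post here and not Duo’s own sample config. All host names, DNs, and ikey/skey/api_host values are constructed placeholders.

```ini
; Constructed example. Placeholders: dc1.example.com, DC=example,DC=com,
; ldap-svc, and the ikey/skey/api_host values. Not Duo's shipped config.

; --- Variant 1: what the thread is trying to get away from ---
; A regular user account whose password lives in the file (cleartext, or
; encrypted with the proxy's password tool). Either way it is a credential
; at rest on the proxy host that someone has to know and rotate.
;[ad_client]
;host=dc1.example.com
;service_account_username=ldap-svc
;service_account_password=REPLACE_WITH_PASSWORD
;search_dn=DC=example,DC=com

; --- Variant 2: integrated Windows authentication ---
; No service_account_username / service_account_password lines at all.
; The LDAP bind to the domain controller runs as the identity of the
; Duo Authentication Proxy Windows service itself: the machine account
; when the service runs as LocalSystem, or the designated domain account
; (which could be an MSA) the service is configured to log on as.
; The proxy host must be domain-joined for this to work.
[ad_client]
host=dc1.example.com
auth_type=sspi
search_dn=DC=example,DC=com

; --- LDAP 2FA listener that fronts the AD client above ---
[ldap_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REPLACE_WITH_SKEY
api_host=api-XXXXXXXX.duosecurity.com
client=ad_client
; With exempt_primary_bind=false the first bind on a connection is no
; longer exempt from 2FA just for being first ...
exempt_primary_bind=false
; ... instead, only a bind as this exact DN (the account the downstream
; system uses to look up users before binding as the end user) skips 2FA.
; That account therefore needs no Duo license or bypass status; every
; other bind still gets Duo 2FA.
exempt_ou_1=CN=ldap-svc,OU=Service Accounts,DC=example,DC=com
```

Check the proxy's connectivity tool and the authproxy log after restarting the service: a failed SSPI bind usually means the service is not running as a domain identity, not that the config syntax is wrong.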