09-11-2018 03:52 PM
I have a Duo for OWA installation on Exchange 2016, about to be rolled out. But after each CU installation (quarterly release for Microsoft) for Exchange, we have to remove/reinstall the Duo agent. This can be quite cumbersome and error prone with a cluster of multiple CAS servers.
Is there a method to run the Duo for OWA installation agent via script? So I can write something in powershell with the iKey, sKey, API host already baked in, so that the script can be run on all CAS nodes after each CU installation?
Even better yet, any chance if the issue can be fixed entirely by Duo, so that it’s no longer necessary to remove/reinstall Duo agent after Exchange CU installation?
Thanks,
Thomas
09-12-2018 09:44 AM
Microsoft’s default CU install behavior used to overwrite the existing web.config
file, removing the Duo information added when you installed Duo for OWA.
This was first corrected in Exchange 2016 CU 1 - https://support.microsoft.com/en-us/help/3135688/update-preserves-the-web-config-file-for-outlook-web-app-when-you-appl.
Are you still seeing that the CU installers wipe the Duo config from your web.config
file?
https://duo.com/docs/owa-faq#why-did-duo-stop-working-after-i-installed-an-exchange-cumulative-update-(cu)? for reference
09-12-2018 12:47 PM
Hi Kristina,
We were installing CU 9, and it did make Duo stop working. The Duo agent (1.3.2) also didn’t fail gracefully but failed hard, blocking authentication. The only solution was to uninstall then reinstall. Even just reinstalling first did not work.
It is possible that the issue would happen only during the first CU installation, and will not happen again in subsequent CU installation. We’ll try installing CU 10 and see what happens.
Could you also try replicating the issue in the lab?
Best,
Thomas
09-12-2018 02:07 PM
Note that if the Microsoft CU installer chooses to overwrite the existing web.config
file (removing the additions made by the Duo installer) it is not an issue with the Duo software.
I notice that https://docs.microsoft.com/en-us/Exchange/plan-and-deploy/install-cumulative-updates still warns admins that “Any customized per-server Exchange or Internet Information Server settings you make in Exchange XML application configuration files (for example, web.config files or the EdgeTransport.exe.config file) will be overwritten when you install an Exchange Cumulative Update (CU)”.
So it seems like a best practice is to continue the practice of uninstalling Duo before the CU update and reinstalling after.
If you’d like to continue troubleshooting your issue, please contact Duo Support to open a case. You may also contact Duo Support if you’d like to submit a feature request for updating the Duo OWA installer to support silent/scripted installations or have a “fix” flag to restore the web.config
information without requiring a full un/re-install.
If you have Microsoft Support it may be worthwhile to open a case with them, so they can investigate whether some unintended regression made it into the CU releases since CU1, reverting the previous fix for this problem.
09-12-2018 02:33 PM
Thanks Kristina, I’ll contact my CSM then. I was just hoping that the wisdom of the community have seen the same issue first and was able to resolve it.
09-17-2018 01:27 PM
Hi Kristina,
I just confirmed that the web.config overwrite is definitely happening again. After installing CU 10, Duo stops working again, and require an uninstall / reinstall of the Duo agent.
The ability to script the Duo agent install (some way to feed the ikey / skey / hostname) params into the installation process from powershell instead of copy and paste through the UI, would smooth out the impact of this issue almost entirely, since we can make the Duo step automatic after all CU install on Exchange.
Cheers,
Thomas
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide