Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3148
Views
1
Helpful
2
Replies

Duo RDP: one Duo account for multiple Windows domains

Go to solution
Egor2
Level 1
Level 1

‎05-25-2017 07:04 AM

Good morning everyone!

I’m deploying Duo RDP to protect some of our servers. We have servers in multiple domains, but user accounts share same username (e.g. MYCOMPANY\johndoe, MYCOMPANYTEST\johndoe, MYCOMPANYEXT\johndoe) etc. I was hoping to set UPN suffixes for johndoe accounts across the domains to the the same value (e.g. johndoe@corp.mycompany.com) and use only one Duo account to manage all servers.

However, it appears that Duo RDP software doesn’t use UPN and automatically prepends NetBIOS domain name to username, so requests to API look like “POST ■■■■■■■■■■■■■■■■■■■■■■■■■:443/auth/v2/preauth?ipaddr=127.0.0.1&username=MYCOMPANYTEST\johndoe” Naturally if my Duo username is MYCOMPANY\johndoe, this will fail due to username mismatch as I’m trying to log into TEST domain.

My question is – is there a way to modify this and make it submit UPN name or just username? Alternatively - can we assign an alias or a secondary username to a Duo account? Would you suggest another approach to using one Duo account to manage servers in multiple domains?

Thank you very much for your input!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
DuoKristina
Cisco Employee
Cisco Employee

‎05-25-2017 07:16 AM

Egor,

Currently the Duo Authentication for Windows Logon application sends the username to Duo as the sAMAccountName only. We plan to make the username formation configurable in the near future, but in the mean time you can enable the Simple Username Normalization for your RDP application so that the Windows usernames “MYCOMPANY\johndoe”, “MYCOMPANYTEST\johndoe”, “MYCOMPANYEXT\johndoe” can all authenticate to a single “johndoe” Duo user.

Thanks for using Duo!

Duo, not DUO.

View solution in original post

2 Replies 2

Go to solution
DuoKristina
Cisco Employee
Cisco Employee

‎05-25-2017 07:16 AM

Egor,

Currently the Duo Authentication for Windows Logon application sends the username to Duo as the sAMAccountName only. We plan to make the username formation configurable in the near future, but in the mean time you can enable the Simple Username Normalization for your RDP application so that the Windows usernames “MYCOMPANY\johndoe”, “MYCOMPANYTEST\johndoe”, “MYCOMPANYEXT\johndoe” can all authenticate to a single “johndoe” Duo user.

Thanks for using Duo!

Duo, not DUO.

Go to solution
Egor2
Level 1
Level 1

‎05-25-2017 07:56 AM

That’s exactly what I was looking for! Thank you!!

0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents