Office365 - VDI non-persistent (Instant Clones)

Karsten2
Level 1

Hello, everyone,

I have a question - we use Office365 and VMware View (Horizon) with instant clones. This means that a new W10 machine is created every time you log in and destroyed every time you log out.

However, we have the problem that we have to authenticate ourselves to Cisco Duo (Outlook etc.) with a username and password every time we log in. We federated the domain to Duo. Can anyone tell me from experience if this is “normal”? It is very annoying that the users have to log in to Horizon and then again to Office and that there is no clean SSO.

BR
Karsten

3 Replies

raphka
Cisco Employee

Hi Karsten, Welcome to the Duo Community.

Duo remembered devices rely on cookies to store your “session” and reduce the number of 2FA authentications required.

Given the clones are wiped each time, it therefore follows that the cookies are also wiped and the remembered devices will not work beyond a shutdown, and there is no workaround for this other than using persistent clones.

It would be great to be able to leverage a 2FA-authenticated Windows session with subsequent 2FA authentications from other web-based applications within the same session. I recommend reaching out to Duo Support to create a feature request for this functionality.

Kingsy
Level 1

Hello

On the same topic, does Duo have a setting where we can stipulate trusted locations/IPs which would thus prevent MFA prompts in non-persistent sessions?

vmanthe
Level 1

How are you set up with Duo to M365: via Duo SSO or via Duo for Entra ID/Azure AD?
If using Duo for Entra ID and your computers are domain joined, synced to O365 and have communications with a DC, you can enable Seamless SSO with Microsoft and then in Duo use a policy that bypasses MFA for your public IPs on the Entra ID Duo app.

Issues here are the Azure AD Connect sync time and the time needed to sync the device registration back into AD (default of 20 min). If you have new machine pools created ahead of time, you may be able to do this. But if created on the fly, Seamless SSO for Azure may not work.
