Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1946
Views
0
Helpful
1
Replies

OWA Integration shows denials before acceptance for all attempts

kcolagio
Level 1
Level 1

‎10-31-2019 12:16 PM

In reviewing our logs, ever attempt by someone to check their email using OWA and/or possibly Exchange results in multiple denials followed by a Granted entry.

We have multiple Accounts.

  • In one Account, we see four Denied and then a Granted.
  • In another Account we see three Denied and then Granted.

Other things we noticed:

  • The reasons for the Denied are listed as “Location Unknown” with an IP of 0.0.0.0 but the matching Granted has a proper location and IP.
  • This does not happen for every user, but it does happen for most.
  • All four or five log entries are within the same minute as well.

Can anyone explain why this may be happening and/or what we can do to to clean it up?

Thanks!

–Kevin Colagio.

Labels:
0 Helpful
1 Reply 1

DuoKristina
Cisco Employee
Cisco Employee

‎11-04-2019 01:08 PM

There is a known issue with the Duo OWA application when a customer has both a Duo authorized networks policy and also the policy for new users is set to deny access. It does not affect authentication, but it does create additional misleading authentication events.

If this describes your situation you can contact Duo Support to be added to the existing issue (and to be notified when it’s addressed).

Edited response to add KB article link: Why do the Authentication Logs show both “Denied access” and “Access granted” for unenrolled users in a single authentication to an IIS-based application?

Duo, not DUO.
0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents