07-18-2023 11:04 AM - last edited on 07-21-2023 10:48 AM by shaiksh
Struggling to make duo-rdgateway-2.3.0 connect from my RDP gateway (Windows Server 2012R2) to Duo. Followed the TLS 1.2 enablement guidelines and am observing the test below reaching Duo successfully with TLS 1.2 in the network traces. However, all connection attempts by the DuoTsgPlugIn.dll are initiated with TLS v1.
IIS Crypto shows only 1.2 enabled. Any suggestions how to tell DuoTsgPlugIn to use 1.2?
StatusCode : 200
StatusDescription : OK
Content : {"response": {"time": 1689651728}, "stat": "OK"}
RawContent : HTTP/1.1 200 OK
07-19-2023 05:44 AM
IISCrypto shows the OS settings. Did you also verify that TLS 1.2 is on for the .NET used by Duo TSG via the registry?
Guide to TLS support for Duo applications and TLS 1.0 and 1.1 end of support
We have a PowerShell script that will check all the registry settings for crypto and output the current values. See here: How do I use the Support Script for Duo's Windows Applications?
07-19-2023 07:51 PM
Thank you. I went through the https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client#bkmk_net doc several times. Ran the PowerShell script and it shows 1's in the .NET settings. Several reboots and uninstall/install of duo-rdgateway-2.3.0.msi. Still failing, with TSG to Duo network traces showing TLSV1.
7/19/2023 9:39:10 PM - System Proxy: No System Proxy
7/19/2023 9:39:10 PM - Browser Proxy: No Browser Proxy
7/19/2023 9:39:10 PM - ==============================================================================
7/19/2023 9:39:10 PM - TLS Check
7/19/2023 9:39:10 PM - ==============================================================================
7/19/2023 9:39:10 PM - TLS 1.0 DisabledByDefault: 1
7/19/2023 9:39:10 PM - TLS 1.0 Enabled path does not exist in the registry
7/19/2023 9:39:10 PM - TLS 1.1 DisabledByDefault: 1
7/19/2023 9:39:10 PM - TLS 1.1 Enabled path does not exist in the registry
7/19/2023 9:39:10 PM - TLS 1.2 DisabledByDefault: 0
7/19/2023 9:39:10 PM - TLS 1.2 Enabled: 1
7/19/2023 9:39:10 PM - TLS 1.3 path does not exist in the registry
7/19/2023 9:39:10 PM - SSL 2.0 DisabledByDefault: 1
7/19/2023 9:39:10 PM - SSL 2.0 Enabled: 0
7/19/2023 9:39:10 PM - SSL 3.0 DisabledByDefault path does not exist in the registry
7/19/2023 9:39:10 PM - SSL 3.0 Enabled path does not exist in the registry
7/19/2023 9:39:10 PM - ==============================================================================
7/19/2023 9:39:10 PM - Strong Cryptography Check
7/19/2023 9:39:10 PM - ==============================================================================
7/19/2023 9:39:10 PM - HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727 SystemDefaultTlsVersions is: 1
7/19/2023 9:39:10 PM - HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727 SchUseStrongCrypto is: 1
7/19/2023 9:39:10 PM - HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 SystemDefaultTlsVersions is: 1
7/19/2023 9:39:10 PM - HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 SchUseStrongCrypto is: 1
7/19/2023 9:39:10 PM - ==============================================================================
7/19/2023 9:39:10 PM - DUO API check
7/19/2023 9:39:10 PM - ==============================================================================
7/19/2023 9:39:11 PM - Connectivity Response to Duo API : HTTP/1.1 200 OK
Connection: keep-alive
Pragma: no-cache
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: default-src 'self'; frame-src 'self' ; img-src 'self' ; connect-src 'self'
Content-Length: 48
Cache-Control: no-store
Content-Type: application/json
Date: Thu, 20 Jul 2023 02:39:10 GMT
ETag: "06c8931652e71fd2e63d2172634cf284b90530c5"
Server: Duo/1.0
{"response": {"time": 1689820750}, "stat": "OK"}
7/19/2023 9:39:11 PM - ==============================================================================
7/19/2023 9:39:11 PM - Custom API check
7/19/2023 9:39:11 PM - ==============================================================================
7/19/2023 9:39:11 PM - HKLM:\SOFTWARE\Duo Security\DuoADFS path does not exist in the registry
7/19/2023 9:39:11 PM - HKLM:\SOFTWARE\Duo Security\DuoRdweb path does not exist in the registry
7/19/2023 9:39:11 PM - HKLM:\SOFTWARE\Duo Security\DuoTsg does not have a Version or DuoVersion property
7/19/2023 9:39:11 PM - HKLM:\SOFTWARE\Duo Security\DuoOwa path does not exist in the registry
7/19/2023 9:39:11 PM - HKLM:\SOFTWARE\Duo Security\DuoIis path does not exist in the registry
7/19/2023 9:39:11 PM - Connectivity Response to Duo HKLM:\SOFTWARE\Duo Security\DuoTsg : HTTP/1.1 200 OK
Connection: keep-alive
Pragma: no-cache
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: default-src 'self'; frame-src 'self' ; img-src 'self' ; connect-src 'self'
Content-Length: 48
Cache-Control: no-store
Content-Type: application/json
Date: Thu, 20 Jul 2023 02:39:11 GMT
ETag: "e2b881b41e7d1ca1f9ef0ab97519725f82b8b47c"
Server: Duo/1.0
{"response": {"time": 1689820751}, "stat": "OK"}
7/19/2023 9:39:11 PM - ==============================================================================
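An added example (not part of the thread or of Duo's support script): a Python parser for the "TLS Check" lines of the script output above that separates protocols turned off outright (Enabled: 0) from those that are only DisabledByDefault: 1, which under Schannel's documented value semantics a client that explicitly requests the protocol can still negotiate. The function names and state labels are hypothetical; the sample lines are an excerpt of the output in the post.

```python
import re

# Excerpt of the "TLS Check" lines from the script output in the post above.
SAMPLE = """\
7/19/2023 9:39:10 PM - TLS 1.0 DisabledByDefault: 1
7/19/2023 9:39:10 PM - TLS 1.0 Enabled path does not exist in the registry
7/19/2023 9:39:10 PM - TLS 1.1 DisabledByDefault: 1
7/19/2023 9:39:10 PM - TLS 1.1 Enabled path does not exist in the registry
7/19/2023 9:39:10 PM - TLS 1.2 DisabledByDefault: 0
7/19/2023 9:39:10 PM - TLS 1.2 Enabled: 1
7/19/2023 9:39:10 PM - TLS 1.3 path does not exist in the registry
7/19/2023 9:39:10 PM - SSL 2.0 DisabledByDefault: 1
7/19/2023 9:39:10 PM - SSL 2.0 Enabled: 0
7/19/2023 9:39:10 PM - SSL 3.0 DisabledByDefault path does not exist in the registry
7/19/2023 9:39:10 PM - SSL 3.0 Enabled path does not exist in the registry
"""

LINE = re.compile(r"- ((?:TLS|SSL) \d\.\d)(?: (DisabledByDefault|Enabled))?"
                  r"(?:: (\d+)| path does not exist in the registry)\s*$")

def parse(text):
    """Map protocol -> {'DisabledByDefault': int|None, 'Enabled': int|None}."""
    protos = {}
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        proto, name, value = m.groups()
        entry = protos.setdefault(proto, {"DisabledByDefault": None, "Enabled": None})
        if name and value is not None:
            entry[name] = int(value)
    return protos

def classify(entry):
    """Label one protocol using Schannel's documented value semantics."""
    if entry["Enabled"] == 0:
        return "blocked"      # unavailable even to an app that asks for it
    if entry["DisabledByDefault"] == 1:
        return "opt-in"       # not offered by default, usable on explicit request
    if entry["Enabled"] == 1 and entry["DisabledByDefault"] == 0:
        return "default-on"
    return "unset"            # no explicit value: the OS default applies

def report(text):
    return {proto: classify(entry) for proto, entry in parse(text).items()}

if __name__ == "__main__":
    for proto, state in report(SAMPLE).items():
        print(f"{proto}: {state}")
```

A protocol reported as "opt-in" or "unset" is not ruled out by the registry alone, so a packet capture remains the authoritative check of what a given client actually offers.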
07-20-2023 09:19 AM
Hmm, weird. I recommend you open a case with Duo Support if you have not already. You can send your packet capture and the script output to the technical support engineer.
07-21-2023 05:37 PM
Thank you, Kristina. It does not look like the account tier I am using offers any form of support:
07-25-2023 07:20 AM
Try emailing support@duo.com.