11-01-2024 12:57 PM - edited 11-01-2024 01:00 PM
I am attempting to use the DUO Network Gateway to enable 2FA for our internal web applications.
From my understanding, this is something that it can do. Please let me know if this is incorrect.
I followed the DUO Network Gateway Documentation here: https://duo.com/docs/dng
- I have an Active Directory Server and DUO Authentication Proxy setup. I was able to perform an AD Sync for the User database.
- I have deployed and configured the DUO Network Gateway Virtual Machine.
- I have added the necessary certificates to the DUO Gateway Admin Web Portal and connected it to the DUO Gateway Application.
- I completed the DNS A and CNAME records to point the web application towards the DUO Gateway.
- The FQDN of the DUO Gateway and Web Application in question do resolve over the public internet.
- In the DUO Admin Portal under 'Protect Application' I have created 'Duo Network Gateway - SSO' and 'Duo Network Gateway - Web Application'.
- Going to the web application's URL correctly redirects you to a DUO SSO Login screen.
The Problem: When I try to log in at the DUO SSO Portal, it says 'Invalid Credentials'. This is the same login I am trying that I've used previously with DUO 2FA for Windows/Linux, which does work.
I feel like it is expecting a login from something other than users I added via AD Sync.
Where does this DUO Network Gateway SSO Web Portal reference for logins? It does ask for an email address instead of a username. I have added an appropriate email address to the login I am trying with the matching domain name.
11-01-2024 01:32 PM - edited 11-01-2024 01:36 PM
I believe I'm having a similar issue as described here: https://help.duo.com/s/article/3988?language=en_US
- I'm not using LDAP, but I am getting errors about that, shown in the authproxy log:
2024-11-01T17:17:56.049858-0500 [duoauthproxy.lib.log#critical] LDAP bind failed
2024-11-01T17:17:56.052863-0500 [duoauthproxy.modules.drpc_plugins.ldap_sso.LdapSsoClientFactory#info] Stopping factory <duoauthproxy.modules.drpc_plugins.ldap_sso.LdapSsoClientFactory object at 0x000001B4C7E62F10>
Note: 'LDAP' is not anywhere in the DUO Network Gateway Documentation.
11-04-2024 06:36 AM
When you set up Duo Network Gateway you have to configure an SSO directory to provide DNG authentication. https://duo.com/docs/dng#configure-the-duo-network-gateway-authentication-source
It sounds like you opted to use Duo Single Sign-On with Active Directory as your SSO auth source. https://duo.com/docs/sso#active-directory This uses LDAP for AD username/password verification, so you ARE using LDAP. If you look at the diagram here, your issue is at the SAML IdP, which in your case is Duo SSO with an LDAP connection to your AD.
So, if you are having LDAP issues during DNG login you need to troubleshoot your Duo SSO Active Directory authentication source configuration. There are multiple reasons why the LDAP bind could fail, channel binding + config mismatch, as you found in article 3988, or simply that the AD username or password is not correct for your SSO config. If you enable debug logging on the Duo Authentication Proxy and reproduce the issue you may be able to find a match to the output in https://help.duo.com/s/article/2953 that will put you on the right track. You are also welcome to contact Duo Support for assistance.
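To make the triage step described in this answer concrete for the authproxy lines quoted in the question, here is a small added Python helper (not part of the thread or of Duo's tooling) that parses authproxy log lines of the shape `<timestamp> [<module>#<level>] <message>`, counts levels, and flags a critical "LDAP bind failed" that occurs while the SSO LDAP plugin is active. The log sample is constructed from the two lines in the question plus an assumed "Starting factory" line; the hint text only points back to the causes this answer names.

```python
import re
from collections import Counter

# Shape of the Duo Authentication Proxy log lines quoted in the thread:
#   <ISO timestamp> [<module>#<level>] <message>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[(?P<module>[^#\]]+)#(?P<level>\w+)\]\s+(?P<msg>.*)$"
)

# Constructed sample: the two lines from the question plus an assumed
# "Starting factory" info line so the SSO plugin activity is visible.
SAMPLE_LOG = """\
2024-11-01T17:17:55.900000-0500 [duoauthproxy.modules.drpc_plugins.ldap_sso.LdapSsoClientFactory#info] Starting factory <duoauthproxy.modules.drpc_plugins.ldap_sso.LdapSsoClientFactory object at 0x000001B4C7E62F10>
2024-11-01T17:17:56.049858-0500 [duoauthproxy.lib.log#critical] LDAP bind failed
2024-11-01T17:17:56.052863-0500 [duoauthproxy.modules.drpc_plugins.ldap_sso.LdapSsoClientFactory#info] Stopping factory <duoauthproxy.modules.drpc_plugins.ldap_sso.LdapSsoClientFactory object at 0x000001B4C7E62F10>
"""


def parse_line(line):
    """Split one authproxy log line into ts/module/level/msg, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Summarise a log excerpt and point at the SSO auth source when a bind failure is seen."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    levels = Counter(e["level"] for e in events)
    # The ldap_sso plugin is what Duo SSO's Active Directory source uses to bind to AD.
    sso_involved = any(".ldap_sso." in e["module"] for e in events)
    bind_failures = [
        e["ts"] for e in events
        if e["level"] == "critical" and "LDAP bind failed" in e["msg"]
    ]
    hint = None
    if bind_failures and sso_involved:
        hint = ("Duo SSO's Active Directory auth source failed to bind to AD: verify the "
                "AD username/password in the SSO auth source config and check for an LDAP "
                "channel binding / config mismatch (KB 3988); enable proxy debug logging "
                "and compare with KB 2953.")
    elif bind_failures:
        hint = "LDAP bind failed outside the SSO plugin: check the proxy's own AD/LDAP client section."
    return {
        "events": len(events),
        "levels": dict(levels),
        "bind_failures": bind_failures,
        "sso_involved": sso_involved,
        "hint": hint,
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```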