No permitted email domains have been verified (AD Authentication Sources)

Dasty
Level 1

Hello Dear Team,
I have the following problem:
No permitted email domains have been verified. Please verify at least one permitted email domain.
What should I do to resolve it? I am using a virtual machine with Windows 2016 and the AD role (domain.loc) + SMTP role.

Thanks and be well

6 Replies

jamieis
Cisco Employee

Hey there @Dasty,

Duo SSO requires that e-mail domains typed into Duo SSO are verified via DNS first. Please see Duo Single Sign-On | Duo Security.

Dear @jamie Jamie, I read it but… I do not understand what I must do.
I am preparing a demo environment in which I would like to use DUO as the 2FA tool; for this environment I am using a virtual machine with Windows + AD + my main system.
In your docs I saw a mention of:

  • Akamai EdgeDNS
  • AWS Route53
  • Azure
  • CloudFlare
  • Google Cloud
  • Google Domains
  • GoDaddy

… Please point me in the right direction. Should I register my domain.loc in one of these services?

Thanks and be well!

Hi,

I am bumping this question/post to check if anyone solved the issue?

DUO documentation very clearly states that you need to place this in a public (external) DNS record, and it seems extremely backwards and very restricted to have a "proxy" that simply doesn't proxy authentications to other sources than what is listed above... meaning *any sort of private environment* cannot be used as an authentication source. It should just forward *.local domains through the proxy for the verifications, since it seems to be a security feature to only allow "listed domains" to be processed.

There should really be an "I know what I'm doing, let me bypass the email domain verification", since 99% of all domains will have a "local" domain that needs to be authenticated without exposing public information. I'm also thinking in terms of integration with various other tools like CSA/SSE; the auth proxy should just proxy authentications... otherwise what is the point of the proxy if it supports local domains for service accounts, local RADIUS servers etc.

You should be able to use the DUO SSO-url for that since it is connected to the proxy.

-Daniel

It's operating as intended. There's some more info about why here: Can I only use a username instead of an email address when authenticating with Duo SSO?.

Feel free to submit a feature request for an advanced mode that bypasses SSO domain verification through your Cisco account team, Duo Care team, or Duo Support.

Duo, not DUO.

I am fully aware that it is operating as intended (it was also to highlight that fact, since this post is the first that comes up if you dig a little bit on the original question), but it *still* doesn't make any sense that a proxy cannot be configured as intended, since the proxy actually connects to local domains. It *really* doesn't make any security sense to verify proxy servers connected to local domains with public records at all.

And I have been requesting this feature since Cisco partnered with Duo. And *every* real-world case I work with asks the same question as well... since pretty much every AD domain in the world is following the best practice of not using public domains as their domains if they want things to work...

Thanks for the explanation. I do just want to make sure that you have raised this as a formal feature request or "upvote" via the avenues I mentioned so that it can get reviewed by the right teams. I do see that a prior feature request for domain verification via an alternate method than DNS TXT records was not prioritized but I do not see one for completely bypassing verification.

Duo, not DUO.
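The thread turns on the fact that Duo SSO verifies an e-mail domain by looking for a TXT record in public DNS, which a private AD domain such as domain.loc can never carry. The following added example (not Duo's code) models that check with a pluggable resolver and a constructed in-memory zone; the `_verify` record name, the token format and the zone contents are assumptions chosen for illustration, not Duo's actual record format.

```python
"""Model of DNS TXT-based e-mail domain verification (added example, not Duo's code).
Record name, token format and the fake zone are constructed assumptions."""
from typing import Callable, Dict, List, NamedTuple, Optional

# Suffixes not delegated in the public DNS root: a zone under them can never
# publish a publicly visible TXT record, which is the original poster's situation.
NON_PUBLIC_SUFFIXES = ("loc", "local", "internal", "home.arpa")


class VerificationResult(NamedTuple):
    verified: bool
    reason: str


# A lookup callable returns the TXT strings found at a name, or None for NXDOMAIN.
TxtLookup = Callable[[str], Optional[List[str]]]


def verify_email_domain(domain: str, expected_token: str, lookup: TxtLookup,
                        record_prefix: str = "_verify") -> VerificationResult:
    """Return whether `domain` publishes `expected_token` at <record_prefix>.<domain>."""
    domain = domain.strip().strip(".").lower()
    if any(domain == s or domain.endswith("." + s) for s in NON_PUBLIC_SUFFIXES):
        return VerificationResult(False, "suffix is not resolvable in public DNS")
    name = f"{record_prefix}.{domain}"
    records = lookup(name)
    if records is None:
        return VerificationResult(False, f"NXDOMAIN for {name}")
    if expected_token in records:  # exact match: tokens are opaque strings
        return VerificationResult(True, f"token found at {name}")
    return VerificationResult(False, f"{len(records)} TXT record(s) at {name}, token absent")


# Constructed stand-in for a public resolver: a tiny in-memory zone.
FAKE_PUBLIC_DNS: Dict[str, List[str]] = {
    "_verify.example.com": ["unrelated=1", "verify-token=abc123"],  # correct token
    "_verify.example.net": ["verify-token=wrong"],                  # token mismatch
}


def fake_lookup(name: str) -> Optional[List[str]]:
    return FAKE_PUBLIC_DNS.get(name.lower())


if __name__ == "__main__":
    for d in ("example.com", "example.net", "example.org", "domain.loc"):
        print(d, verify_email_domain(d, "verify-token=abc123", fake_lookup))
```

Against a real resolver, a `lookup` built on dnspython's `dns.resolver.resolve(name, "TXT")` (returning None on NXDOMAIN) slots in unchanged; the private-suffix short-circuit still rejects domain.loc before any query is made.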