10-07-2016 03:07 PM
We are DUO Platform subscribers and are currently using SAML via the Access Gateway to protect multiple applications. We recently began testing Microsoft's Protected Users group in AD and are running into an issue with our existing SAML integrations. Whenever a user is added to the Protected Users group, SAML authentication fails. We see a failed login attempt on the DC, so it's passing through the attempt; it's just failing to auth. Has anyone used the Protected Users group in conjunction with Access Gateway/SAML? Does anyone know why this would fail?
To clarify, this is the protected users group in Server 2012 R2 Domain functional level:
https://technet.microsoft.com/en-us/library/dn466518(v=ws.11).aspx
10-10-2016 06:56 AM
Hello Generic Name,
DAG LDAP auth uses NTLM. Members of the Protected Users group cannot authenticate using NTLM, as documented in the TechNet article linked in your question. You can see event ID 100 indicating this if you enable the Applications and Services Logs \ Microsoft \ Windows \ Authentication \ ProtectedUserFailures-DomainController log in the Windows Event Viewer and try SAML authentication again.
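To check the two things Kristina's answer points at from a DC console, here is an added PowerShell example (not from the original posts or from Duo). It assumes the RSAT ActiveDirectory module is present, that it runs on a domain controller as an account allowed to configure event logs, and that the user's sAMAccountName is known; the `$SamAccountName` and `$HoursBack` parameters are illustrative names chosen for this example.

```powershell
# Added example, not part of the original thread.
# Confirms whether a user's SAML/LDAP failure is the Protected Users NTLM block:
#   1. is the account a direct member of Protected Users?
#   2. is the ProtectedUserFailures-DomainController log enabled (enable it if not)?
#   3. did the DC log event ID 100 (NTLM refused for a Protected User) for that account?
# Assumes: run on a DC, RSAT ActiveDirectory module installed, rights to change log config.
param(
    [Parameter(Mandatory = $true)] [string]$SamAccountName,   # user being tested
    [int]$HoursBack = 1                                       # how far back to search
)

Import-Module ActiveDirectory

$logName = 'Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController'

# 1. Direct group membership. Get-ADPrincipalGroupMembership lists direct groups only,
#    so nested membership would need a separate recursive check.
$user = Get-ADUser -Identity $SamAccountName
$groups = Get-ADPrincipalGroupMembership -Identity $user | Select-Object -ExpandProperty SamAccountName
$isProtected = $groups -contains 'Protected Users'
Write-Host ("{0} is a direct member of Protected Users: {1}" -f $SamAccountName, $isProtected)

# 2. The failures log is disabled by default; turn it on so the next auth attempt is recorded.
$logConfig = Get-WinEvent -ListLog $logName
if (-not $logConfig.IsEnabled) {
    Write-Host "Enabling $logName (retry the SAML login after this and run again)"
    wevtutil.exe sl $logName /e:true
}

# 3. Look for event ID 100 mentioning this account within the window.
#    Get-WinEvent emits a non-terminating error when nothing matches, hence SilentlyContinue.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $logName
    Id        = 100
    StartTime = (Get-Date).AddHours(-$HoursBack)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($SamAccountName) }

if ($events) {
    Write-Host ("Found {0} event(s) with ID 100 for {1}: NTLM was refused because of Protected Users." -f $events.Count, $SamAccountName)
    $events | Select-Object TimeCreated, Id, Message | Format-List
}
elseif ($isProtected) {
    Write-Host "No event 100 yet. Retry the SAML login now that the log is enabled, then run this again."
}
else {
    Write-Host "User is not in Protected Users; the failure is probably something other than the NTLM block."
}
```

If step 3 finds event ID 100 for the account, the NTLM path described above is the cause, and removing the user from Protected Users (or switching the LDAP auth source to something that is not NTLM) is the only fix this thread offers.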
10-11-2016 08:04 AM
Thanks for the info, Kristina. Does DUO have any plans to support a method that will work with the Protected Users group?
10-11-2016 11:13 AM
You may contact Duo Support to submit your feature request.