KB ID 0001648
Problem
Before you can use Duo 2FA/MFA you need to have your users enrolled. There are a number of ways to enrol them: you can bulk email them, or manually add them. Below I’m going to sync Duo with my Active Directory, so that if users are members of a specific AD group they will ‘appear’ in the Duo Admin Portal. Then I’m going to enter a user’s mobile phone number and send them an SMS to enrol.
Tip: When setting up your Duo account, I’d recommend creating a new user just for Duo admin. You can use your own account, but it means enrolling twice.
Duo: Setup ADSync
Log into the Duo Admin Portal > Users > Directory Sync > Active Directory > Add New Active Directory Sync > Take note of the Integration Key, Secret Key, and the API hostname (copy them to a text file). Add your domain controllers (internal IP address(es)) and set the port to 636 (LDAPS). Scroll down.
Set the ‘Base DN’ of your domain. Here I’m simply using the root of the domain; you can set it to a specific OU if you prefer. Scroll down.
Select LDAPS > Paste in the PEM-encoded certificate of your CA server. Save Directory.
Note: If you don’t know what a PEM file is, read this post.
On a member server in your domain, install the Duo Security Authentication Proxy software. (Note: This server needs TCP port 443 (HTTPS) outbound permitted on your corporate firewall.)
Navigate to the C:\Program Files (x86)\Duo Security Authentication Proxy\conf folder, locate the authproxy.cfg file and open it with WordPad.
Delete the contents and paste in the following. Change the host, service account, search DN and key values to match your domain, and put in the keys you copied to Notepad earlier:
[ad_client]
host=192.168.100.3
service_account_username=svc_duo
service_account_password=Password1
search_dn=dc=pnl,dc=com

[cloud]
ikey=XXXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=XXXXXXXXXXXXXXXXXXXXXXXXXXXX
Note: Here 192.168.100.3 is your domain controller, svc_duo is the service account you created for the proxy service, and Password1 is the password for that account.
Then start the service with the following command;
net start DuoAuthProxy
Note: If your service won’t start, you may need to grant your ‘service user’ some additional rights; see this post for further information.
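A quick sanity check to run on authproxy.cfg before you start the service, written as an added example for this guide (not Duo’s own code). It flags values left at the XXXX placeholders, missing keys, and the plaintext service account password and secret key, which Duo can instead store in encrypted <key>_protected form (the _protected key names are assumed from the Duo Authentication Proxy reference, not from this page).

```python
"""Lint a Duo Authentication Proxy authproxy.cfg before `net start DuoAuthProxy`."""
import configparser

# Keys the AD sync needs (taken from the sample config in this guide). Secrets are
# listed under their plaintext name; Duo also accepts them as <key>_protected
# (assumed key names, from the Duo authproxy reference, not from this page).
REQUIRED = {"ad_client": ["host", "service_account_username", "search_dn"],
            "cloud": ["ikey", "api_host"]}
SECRETS = {"ad_client": "service_account_password", "cloud": "skey"}


def check_authproxy_cfg(text: str) -> list[str]:
    """Return a list of findings; an empty list means the config is ready to deploy."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    for section in REQUIRED:
        if not cfg.has_section(section):
            findings.append(f"missing [{section}] section")
            continue
        for key in REQUIRED[section] + [SECRETS[section]]:
            plain = cfg.get(section, key, fallback="").strip()
            protected = cfg.get(section, key + "_protected", fallback="").strip()
            # The guide's template uses runs of X where the real value goes.
            if set(plain) == {"X"} or set(protected) == {"X"}:
                findings.append(f"[{section}] {key} still holds the placeholder value")
            elif key == SECRETS[section] and plain:
                findings.append(f"[{section}] {key} is stored in plaintext; use {key}_protected")
            elif not plain and not protected:
                findings.append(f"[{section}] {key} is missing")
    return findings


# Constructed copy of this guide's template, exactly as it would be pasted before editing.
GUIDE_CONFIG = """
[ad_client]
host=192.168.100.3
service_account_username=svc_duo
service_account_password=Password1
search_dn=dc=pnl,dc=com
[cloud]
ikey=XXXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=XXXXXXXXXXXXXXXXXXXXXXXXXXXX
"""

if __name__ == "__main__":
    for finding in check_authproxy_cfg(GUIDE_CONFIG):
        print(finding)
```

Run it against the edited file (for example `check_authproxy_cfg(open(path).read())`) and fix every finding before `net start DuoAuthProxy`.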
Back in the Duo Admin Portal your ADSync should now say ‘Connected’.
Now you can see your groups, select the group that contains the users you want to sync.
Note: DON’T USE ‘Domain Users’, it won’t work, and neither will creating a group and putting the Domain Users group within it. Add your users; if there are a lot, you can bulk add users to the group.
Duo: Enrol Users via SMS
Obviously you will need to know the user’s mobile phone number, and they will need to have the Duo app installed. This can be done on Android/iPhone/iPad from either the App Store or Google Play. (The app is free.)
Select your user in the portal > Add Phone > Enter the mobile number > Add Phone.
Activate Duo Mobile.
Generate Duo Mobile Activation Code.
Send instructions by SMS.
On the user’s phone they will see something like this; they need to click the link.
This is what it should look like when successful. (Note: The reason I have TWO entries is because I’m also the Duo Admin for this site.)
Related Articles, References, Credits, or External Links
NA
18/09/2020
According to the documentation at duo you don’t need a service account if the machine is domain-joined. https://duo.com/docs/authproxy-reference#ad_client
Also it’s pretty nice to encrypt your passwords in the config. https://duo.com/docs/authproxy-reference#encrypting-passwords
But this might have changed after you did this guide