TN 983: DUO Gateway Integration

In version 7.5.1.1 and higher, integration with DUO authentication is supported for Active Directory and LDAP authentication.

2019.07.09

Concept

DUO is a second-factor authentication system. Integrating it with KeyServer means that all directory-based logins using Active Directory or LDAP authentication will require a DUO response, most commonly a mobile app push. This integration does not affect local accounts in KeyServer. It applies to logins to both KeyConfigure and the Web UI. The general setup of DUO as a service, and installation of the Gateway, are outside the scope of our product and are left to the customer. This document details the configuration of the Gateway and KeyServer that we have verified and reliably tested in production.

It is suggested you be familiar with Admin Authentication and Authentication Modules before proceeding, and that you have tested a standard AD or LDAP authentication configuration before introducing DUO. The details below are presented for AD, as that is the most common, but they can easily be applied to LDAP as well, since the general principles are the same.

Setup

KeyConfigure

In KeyConfigure go to Config -> Admin Authentication:

You should have a service account in the domain that has read-only access for performing queries. It is highly recommended that you not use a standard user or admin account, especially as the password will be stored in plain text in the DUO Gateway (see below).

DUO Gateway

In the DUO Proxy Config file:

	[ad_client]
	host=(Domain controller IP)
	service_account_username=(Service account name)
	service_account_password=(Service account pass)
	search_dn=DC=domain,DC=com  (change per your domain)

	[ldap_server_auto]
	ikey=(provided by DUO account)
	skey=(provided by DUO account)
	api_host=(provided by DUO account)
	client=ad_client
	exempt_primary_bind=false
	exempt_ou_1=CN=service account,CN=Users,DC=domain,DC=com  (change to the DN of the service account in KC -> Admin Auth)

Note that in most cases the CN is the user's display name, NOT the account (logon) name. Check the account properties in Active Directory to verify. If there are any issues, check the DUO logs to see the DN that DUO is actually using.
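As an added example (not code from this note, from Sassafras, or from DUO), the following Python checker validates the relationships the proxy configuration above depends on: every key in [ad_client] and [ldap_server_auto] is present, client= names an existing section, and when exempt_primary_bind=false the DN of the service account configured in KeyConfigure appears in an exempt_ou_N entry, since otherwise KeyServer's own bind would be challenged. The sample config text, DNs and credential values are constructed placeholders.

```python
"""Sanity-check a DUO Authentication Proxy config for the KeyServer integration."""
import configparser

# Constructed sample config mirroring the layout in this note (placeholder values only).
SAMPLE_CONFIG = """
[ad_client]
host=10.0.0.5
service_account_username=svc-keyserver
service_account_password=ExamplePassword
search_dn=DC=example,DC=com

[ldap_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=placeholder-skey
api_host=api-xxxxxxxx.duosecurity.com
client=ad_client
exempt_primary_bind=false
exempt_ou_1=CN=KeyServer Service,CN=Users,DC=example,DC=com
"""

# Keys this note says each section must carry.
REQUIRED = {
    "ad_client": ("host", "service_account_username", "service_account_password", "search_dn"),
    "ldap_server_auto": ("ikey", "skey", "api_host", "client", "exempt_primary_bind"),
}


def check_authproxy_config(text: str, service_account_dn: str) -> list:
    """Return a list of problems found; an empty list means the config matches the note."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    problems = []
    for section, keys in REQUIRED.items():
        if not cfg.has_section(section):
            problems.append(f"missing section [{section}]")
            continue
        for key in keys:
            if not cfg.get(section, key, fallback="").strip():
                problems.append(f"[{section}] {key} is empty or missing")
    if cfg.has_section("ldap_server_auto"):
        server = cfg["ldap_server_auto"]
        # client= must name the section holding the AD settings (here [ad_client]).
        if not cfg.has_section(server.get("client", "")):
            problems.append("client= does not name an existing section")
        # With exempt_primary_bind=false every bind is challenged, so the service
        # account KeyServer binds with must be exempted by its DN (exempt_ou_N).
        if server.get("exempt_primary_bind", "").lower() == "false":
            exempt = [v.lower() for k, v in server.items() if k.startswith("exempt_ou_")]
            if service_account_dn.lower() not in exempt:
                problems.append("service account DN not listed in any exempt_ou_N")
    return problems
```

Run it against the proxy config file with the DN shown under KeyConfigure -> Admin Authentication; any non-empty result points at a mismatch that would otherwise surface as a failed or unexpectedly challenged login.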

KeyConfigure

On any machine using KeyConfigure, set the registry key below. Note that this is a per-user setting, as KeyConfigure generally assumes a single admin user on the system where it is installed. Be aware of this in multi-user situations such as RemoteApp.

	HKCU\Software\Sassafras\KeyConfigure\7.5\Logon   
	String value = Protocol, data = tcp

Per normal DUO operation, the DUO account and AD account names must match.

Per normal KeyServer operation with external accounts, either assign the role by group membership in Window -> Admin Access (so that new accounts are auto-created as needed), or manually create the external accounts and drag in the desired role so they are pre-populated. You can set the role after auto-create, but if no role is auto-assigned in the configuration, logins for that account will fail until a role is added.

Troubleshooting

Not setting the registry key for KeyConfigure