How to Synchronize Users to Duo from Active Directory

Captions
Hi, I'm Matt from Duo Security. In this video I'm going to show you how to synchronize Duo users and groups from an existing Active Directory domain via the Duo Authentication Proxy installed on a Windows system. Before watching this video, please be sure to read the documentation for synchronizing users from Active Directory (also known as AD), located at duo.com/docs/adsync. Duo's directory sync feature is part of all paid Duo editions. Note that Duo can also synchronize users from Azure Active Directory or OpenLDAP directories; you can read about these other synchronization options at duo.com/docs/directorysync. While we will be using the Authentication Proxy on a Windows system in this video, the Linux version of the proxy is also compatible with certain Active Directory sync configurations. In addition, if you are already running an Authentication Proxy server in your environment, you can also use that host for directory synchronization.

Before you set up directory sync with Active Directory, which is also referred to as AD sync, make sure you have the necessary prerequisites in place. You need to know your Active Directory server hostname or IP address, the port you want to use, and the base DN. If you would like to secure the network traffic between the Authentication Proxy and your domain controller using LDAPS or STARTTLS, you will need an SSL certificate. When using Windows, you will need a Windows Server 2012 or later system for running the Duo Authentication Proxy software; we recommend a Windows Server 2012 R2 or later system, and will use a Windows Server 2016 system in this video. To use the configuration shown in this video, this system must be joined to your AD domain. Finally, you need a Duo administrator account with the Owner, Administrator, or User Manager role.

Log into the Duo Admin Panel as an Owner, Administrator, or User Manager. In the left sidebar click Users, then click Directory Sync in the sidebar submenu or at the top of the page. Click the Active Directory tab, then click the Add New Active Directory Sync button. You are taken to the details page for your new directory sync in the Duo Admin Panel. The new directory's name defaults to "AD Sync" and increments for each additional directory added. Click the Rename link to change the directory sync's name to something different, and click Save to apply the new name. The Status section of the page shows the current state of your directory sync; when your Active Directory sync setup is complete, you can verify the connection here. As you have just created the new directory, the status indicates that the next step is to deploy and configure the Duo Authentication Proxy.

For this example we already have the proxy installed on a system in our environment and will only need to configure it. This video also assumes that you have some familiarity with the proxy and its configuration file; you can learn more about the Authentication Proxy in the documentation. The system the proxy is installed on needs LDAP connectivity to your AD domain controller over ports 389 and 636, or whichever ports accept Active Directory binds. It also needs HTTPS 443 connectivity to Duo. The minimum recommended Authentication Proxy version for Active Directory synchronization is 2.6.0, but we always recommend installing or updating to the latest version.

On the system the proxy is installed on, log in to the Duo Admin Panel and navigate to the details page for the directory sync you just created. Navigate to the Authentication Proxy section. You can use the information provided here to manually configure your Authentication Proxy, or click the link in step 2 to download an automatically generated configuration file. In this example we will use the generated configuration. I'll download the file, run a word processor such as WordPad as an administrator, and open the pre-configured file. Copy the contents of the generated configuration file, then open your current proxy configuration file. Our current configuration file only contains sample text at this time, so we can delete it. Paste the content from the automatically generated file into the current configuration file, and save your edited configuration file. The documentation contains additional information about how to configure your proxy to handle NTLM or plain authentication.

After editing the configuration file, start the Authentication Proxy: launch an administrator command prompt and run the command net start DuoAuthProxy to start the proxy service. Once the service is started, return to the directory sync configuration page in the Admin Panel and click the Test Connection link in the Authentication Proxy section. The directory status will indicate the proxy is connected, and you can move on to directory configuration. If you encounter errors, double-check the information in your proxy configuration file and make sure the proxy service is running, then test the connection again.

Next, configure your directory sync in the Duo Admin Panel. Return to the directory details page in the Admin Panel and navigate to the Directory Configuration section. In the Domain Controller field, enter the hostname or IP address of your AD domain controller, followed by the port the Authentication Proxy server should use to contact the domain controller. You can click Add Domain Controller to input additional hosts; if the first server in the list does not respond when performing a sync, the next server is used as a fallback. If you decommission any of your domain controllers, be sure to return to Duo and remove it from the list. In the Base DN field, enter an organizational unit or container in your directory that contains both the users and groups to sync: enter a level in your directory structure above both the users and groups you plan to synchronize. In the Authentication Type section, select the type of authentication the proxy will use to connect to your AD domain controller; reference the documentation for more information about these options. In this example we will use Integrated. This option requires no additional configuration, but the proxy server must be a Windows system that is joined to the domain you will sync with Duo. In the Transport Type section, select an option to determine how the connection between the proxy software and the AD domain server is encrypted, if at all. Note that connectivity between the Duo Authentication Proxy software and the Duo Security cloud service is always HTTP secured with SSL and is not affected by this setting. In this example we will use Clear, which requires no additional configuration; reference the documentation for more information about the other settings.

Next, scroll down to the Synced Attributes section. Here you can customize which AD attribute values get imported to Duo. The Duo attributes that have default AD attributes defined indicate those defaults as helper text; you can change these default attributes to custom attributes of your choice. Note that the username attribute cannot be customized after the first directory synchronization occurs. You may also add up to 4 username alias attributes. For this example we will leave these attributes set to their default settings. Scroll down to below the Email section. Check the Import Notes box if you want directory sync to import information for your users; in this example we will not check this box. You can check the Import Phones box if you want directory sync to create phones for your users; imported devices default to the generic smartphone platform. Note that if you enable both the enrollment email and Import Phones options, enrollment links are only sent to users with email addresses who do not have phone information populated in AD. In this example we will not import phones. When you finish with the Synced Attributes section, click the Save Directory button.

Scroll down to the Selected Groups section. Click within the box and start typing an AD group name that you want to sync; the list of available groups to sync will match the filter. If you have a very large number of groups in your directory, Duo limits the search results to 100 groups, so you may need to type in most of your desired sync group's name or DN to locate it. Once you see your intended group or a list of groups, click to select the desired group or groups to sync, then click Save Directory once you have added all the groups you want to import. You can select up to 400 groups to sync from the source directory. Members of the groups you choose here will be synced into Duo. Nested groups are supported: directory sync imports users from groups nested within your sync group, but creates only the top-level group in Duo, with all nested group members as direct members of that Duo group.

Scroll down to the Enrollment Emails section. Check the Send Enrollment Emails to Synced Users box if you want imported users to automatically receive an enrollment link email when the sync process completes. Only users imported with active status, a valid email address, and who do not already have any enrolled authentication devices in Duo receive an email link; the email address is populated by AD sync. The contents of the enrollment email subject and body can be changed on the Global Settings page of the Duo Admin Panel. If your organization uses email filtering, be sure to whitelist the sender no-reply@duosecurity.com. More information about enrollment emails is available in the documentation. In this example we will check this box. Click Save Directory to finish your directory sync setup.

Once you have configured the directory settings, installed the Duo Authentication Proxy software, and chosen the groups to synchronize, you are ready to perform the actual synchronization with AD. On the directory details page in the Admin Panel, click Sync Directory Now to run your first sync and immediately import all members of your selected AD groups into Duo. When complete, you will see a count of users and groups synced into Duo. Whether you run your first sync immediately after setup or not, directory sync runs automatically once a day at a set time chosen at random; you can always return to the Duo Admin Panel to initiate a manual sync. Note that once you import users from Active Directory into Duo, you may not change the AD username source attribute, but you can enable or disable username normalization; reference the FAQ for more information.

When you just need to import information for a few users from Active Directory, you can use the Sync Individual Users feature instead of syncing the entire directory. This can be done via the Admin Panel or the Admin API; in this video we will examine the Admin Panel functionality. This task can be performed by a Duo administrator with the Owner, Administrator, User Manager, or Help Desk role. At the top of the directory details page there is a Sync Individual Users field. Here you can type in up to 50 usernames separated by commas. If you used a different source attribute than sAMAccountName for the Duo username, you must type each username exactly as it is shown, or will be shown, in Duo. For example, if you opted to use mail as the username attribute, you must enter the values of the mail attribute as the usernames to sync. These users must be members of an AD group specified in the Selected Groups section of your directory's configuration; if you try to sync users who are not members of the selected groups, no update will occur. Click Sync Users to synchronize the target usernames. A detailed output of the sync is provided below the field. When initiated, the sync verifies that each specified user is a member of a group currently synced with Duo, and then imports information for that user into Duo. The sync creates new users in Duo or updates existing users. If you enabled the option to send enrollment emails when adding the directory, the new users created by this sync will receive an email with an enrollment link. If you include a specified user that is no longer a member of any group synced into Duo, then the sync marks the user for deletion.

After adding new users to Duo through Active Directory synchronization, your next step is to have them activate their Duo access. If you chose not to send enrollment emails to synced users when creating your directory in Duo, on the Users page you will see a notification bar indicating that users have not yet activated the Duo Mobile smartphone app; this bar provides a link to click to send these users activation links. If you did choose to send enrollment emails to users synced automatically, the Pending Enrollments table shows which users created by AD sync or bulk enrollment have not yet completed enrolling their 2FA devices in Duo, along with the user's email address and the expiration date for the enrollment link previously sent. If you need to send the user another copy of the enrollment link email, click the Reset button. Reset in the email does not change the current enrollment link's expiration date. You have successfully set up Duo Active Directory sync.
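A pre-flight check for the proxy host, added here as an example and not Duo's own code: run it before clicking Test Connection to confirm the prerequisites the video lists (domain-joined host for Integrated authentication, LDAP/LDAPS reachability to the domain controller on 389 and 636, HTTPS 443 to the api_host in the [cloud] section of authproxy.cfg, and a running DuoAuthProxy service). The domain controller hostname and the config file path are assumptions; adjust them for your environment.

```powershell
# Pre-flight check for a Duo Authentication Proxy host used for AD sync.
# Added example (not Duo's code); assumptions are marked in the parameters.
param(
    [string[]]$DomainControllers = @("dc1.example.local"),   # assumption: your DC hostname(s)
    [int[]]$LdapPorts = @(389, 636),                          # LDAP / LDAPS ports named in the video
    [string]$ConfigPath = "C:\Program Files\Duo Security Authentication Proxy\conf\authproxy.cfg",  # assumption: default install path
    [string]$ServiceName = "DuoAuthProxy"                     # service started with "net start DuoAuthProxy"
)
$ok = $true

# 1. Integrated authentication requires the proxy host to be joined to the AD domain.
$cs = Get-CimInstance Win32_ComputerSystem
if ($cs.PartOfDomain) { Write-Host "Host is joined to domain $($cs.Domain)" }
else { Write-Warning "Host is not domain-joined; Integrated authentication will fail"; $ok = $false }

# 2. TCP reachability to every domain controller on the LDAP and LDAPS ports.
foreach ($dc in $DomainControllers) {
    foreach ($port in $LdapPorts) {
        $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        if ($r.TcpTestSucceeded) { Write-Host "TCP ${dc}:${port} reachable" }
        else { Write-Warning "TCP ${dc}:${port} NOT reachable"; $ok = $false }
    }
}

# 3. Read api_host from the [cloud] section of authproxy.cfg and test HTTPS (443) to Duo.
if (Test-Path $ConfigPath) {
    $inCloud = $false; $apiHost = $null
    foreach ($line in Get-Content $ConfigPath) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $inCloud = ($Matches[1] -eq 'cloud'); continue }
        if ($inCloud -and $line -match '^\s*api_host\s*=\s*(\S+)') { $apiHost = $Matches[1] }
    }
    if (-not $apiHost) { Write-Warning "No [cloud] section with api_host found in $ConfigPath"; $ok = $false }
    else {
        $r = Test-NetConnection -ComputerName $apiHost -Port 443 -WarningAction SilentlyContinue
        if ($r.TcpTestSucceeded) { Write-Host "HTTPS to $apiHost reachable" }
        else { Write-Warning "HTTPS to $apiHost NOT reachable"; $ok = $false }
    }
} else { Write-Warning "Config file not found: $ConfigPath"; $ok = $false }

# 4. The proxy service must be running before Test Connection in the Admin Panel can succeed.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -eq 'Running') { Write-Host "$ServiceName service is running" }
else { Write-Warning "$ServiceName is not running (start it with: net start $ServiceName)"; $ok = $false }

if ($ok) { Write-Host "All checks passed; click Test Connection in the Admin Panel" } else { exit 1 }
```

Run it from an elevated PowerShell prompt on the proxy host; a non-zero exit code means at least one prerequisite failed and the warnings above it say which.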
Info
Channel: Duo Security
Views: 7,379
Keywords: duo, duo security, duosec, duo 2fa, 2fa, ad sync, duo active directory, duo sync, duo directory sync, user sync, duo user, two factor, yt:cc=on
Id: JVBzszfGITY
Length: 14min 19sec (859 seconds)
Published: Thu May 21 2020