Which of the following items are not supported as a method of authentication in windows 10?
Duo integrates with Microsoft Windows client and server operating systems to add two-factor authentication to Remote Desktop and local logons and credentialed UAC elevation prompts.

Be sure to read through these instructions before you download and install Duo for Windows Logon.

Overview

Duo Authentication for Windows Logon adds Duo two-factor authentication to these Windows and Windows Server logon scenarios:
Duo's Windows Logon client does not add a secondary authentication prompt to the following logon types:
Important Notes

Please review all of these compatibility and installation notes before proceeding.

Connectivity Requirements

This application communicates with Duo's service on TCP port 443. Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review this Duo KB article.

TLS Requirements for Australia Region

Due to government restrictions, Duo's services in Australia no longer support TLS versions prior to 1.2. The current version of the Duo for Windows Authentication installer performs connectivity checks with Duo that use TLS v1.0. Customers in Australia must perform a silent installation to install this product. Please refer to the Duo Knowledge Base article "Can I silently install or update Duo Authentication for Windows Logon from a command line or PowerShell?" for silent installation instructions. In addition, the Windows systems where you install Duo must also support and use TLS 1.2 or higher. See the Guide to updating to TLS version 1.2 for Windows-based Duo applications for more information. A future release of Duo for Windows Authentication will include TLS 1.2 support in the installer.

System Requirements

Duo Authentication for Windows Logon supports both client and server operating systems. Clients:
Servers (GUI and core installs):
Ensure your system's time is correct before installing Duo.

Duo Factor Support

Duo for Windows Logon supports these factor types for online two-factor authentication:

U2F security key support is limited to Offline Access only.

Enroll Users Before Installation

Duo Authentication for Windows Logon doesn't support inline self-service enrollment for new Duo users. Unenrolled users, that is, users that do not yet exist in Duo with an attached 2FA device, must be created manually by an administrator, imported by an administrator, or self-enrolled through another application which supports Duo's self-service enrollment (see Test Your Setup) before those users can log in with Duo for Windows Logon. The Duo username (or username alias) should match the Windows username. When you create your new RDP application in Duo, the username normalization setting defaults to "Simple", which means that if the application sends the usernames "jsmith," "DOMAIN\jsmith," and "" to Duo at login, these all resolve to a single "jsmith" Duo user. Duo for Windows Logon supports Duo Push, phone callback or SMS passcodes, and passcodes generated by Duo Mobile or a hardware token as authentication methods. Duo users must have one of these methods available to complete 2FA authentication. If a user logging in to Windows after Duo is installed does not exist in Duo, that user may not be able to log in to the system. Read the enrollment documentation to learn more about enrolling your users in Duo.

Video Overview

First Steps

Before moving on to the deployment steps, it's a good idea to familiarize yourself with Duo administration concepts and features like options for applications, available methods for enrolling Duo users, and Duo policy settings and how to apply them. See all Duo Administrator documentation.
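The connectivity, TLS 1.2 and clock requirements above can be checked from an elevated PowerShell session before running the installer. The script below is an added example and is not Duo's code; it assumes that `$DuoApiHost` is replaced with the API hostname shown on your Microsoft RDP application page in the Duo Admin Panel (the value here is a placeholder), and it reads the standard Windows SCHANNEL registry location for the TLS 1.2 client setting. It performs a real TLS 1.2 handshake with normal certificate validation rather than a plain port probe, so a proxy or TLS-inspection device that only allows older protocol versions shows up as a failure.

```powershell
# Added example, not Duo's code: pre-install checks for Duo Authentication for Windows Logon.
# Assumptions: $DuoApiHost is a placeholder for your application's API hostname;
# the SCHANNEL path is the standard Windows location for per-protocol TLS settings.
param(
    [string]$DuoApiHost = 'api-XXXXXXXX.duosecurity.com'   # placeholder, replace before use
)

function Test-DuoTls12Connectivity {
    param([string]$HostName, [int]$Port = 443)
    $result = [ordered]@{ Host = $HostName; TcpReachable = $false; Tls12 = $false; Error = $null }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)          # outbound TCP 443, as the requirements state
        $result.TcpReachable = $true
        # Default certificate validation (no callback override), TLS 1.2 only, revocation checked.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)
        $result.Tls12 = ($ssl.SslProtocol -eq [System.Security.Authentication.SslProtocols]::Tls12)
        $ssl.Dispose()
    } catch {
        $result.Error = $_.Exception.Message        # DNS, firewall, proxy or TLS failures land here
    } finally {
        $client.Dispose()
    }
    [pscustomobject]$result
}

function Get-SchannelTls12ClientState {
    # Explicit SCHANNEL settings override the OS default; absent key means the default applies.
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    if (-not (Test-Path $path)) {
        return [pscustomobject]@{ Path = $path; Configured = $false; Enabled = $null; DisabledByDefault = $null }
    }
    $props = Get-ItemProperty -Path $path
    [pscustomobject]@{
        Path              = $path
        Configured        = $true
        Enabled           = $props.Enabled            # 1 = protocol allowed, 0 = disabled
        DisabledByDefault = $props.DisabledByDefault  # 1 = not offered unless an app asks for it
    }
}

function Get-ClockStatus {
    # A skewed clock breaks certificate validation and Duo's time-based checks alike.
    [pscustomobject]@{
        LocalTimeUtc = (Get-Date).ToUniversalTime()
        TimeService  = (w32tm /query /status 2>&1) -join "`n"
    }
}

Test-DuoTls12Connectivity -HostName $DuoApiHost | Format-List
Get-SchannelTls12ClientState | Format-List
Get-ClockStatus | Format-List
```

Run it once on a representative client and once on a representative server image; `TcpReachable = True` with `Tls12 = False` points at the TLS configuration or an intercepting proxy rather than the firewall, while `Configured = True` with `Enabled = 0` means a local or GPO-delivered SCHANNEL setting is explicitly turning TLS 1.2 off.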
Treat your secret key like a password

The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!

Remembered Devices for Windows Logon

Duo plan required: Duo MFA, Duo Access, or Duo Beyond

Version 4.2.0 of Duo Authentication for Windows Logon adds support for local trusted sessions, reducing how often users must repeat Duo two-factor authentication. The Remembered Devices policy now includes a setting for Windows logon sessions, which when enabled offers users a "Remember me" checkbox during local console login for the duration specified in the policy. When users check this box and complete Duo authentication, they aren't prompted for Duo secondary authentication when they unlock the workstation after that initial authentication until the configured trusted session time expires. If the user changes networks, authenticates with offline access while the workstation is disconnected, logs out of Windows, reboots the workstation, or clicks the "Cancel" button during workstation unlock, Duo for Windows Logon invalidates the current trusted session and the next Windows logon or unlock attempt will require Duo authentication again. To enable remembered devices for Windows Logon:

With this policy setting applied, users who log on to the local Windows console see an additional option on the Duo for Windows Logon prompt for remembering the device. This option will not display for RDP/remote logins to Windows systems with Duo Authentication for Windows Logon installed, regardless of the effective remembered devices policy setting for Windows Logon. Administrators may revoke the Windows local trusted Duo session by unassigning a remembered devices policy for Windows Logon from a Microsoft RDP application, editing the policy attached to a Microsoft RDP application to disable the Windows Logon remembered devices setting, or by deleting the registry entry for the user session from the Windows client. Learn more about this in the Windows Logon FAQ.

Deployment Tip

To test Duo on your Windows system with a group of pilot users, we suggest setting your application's New User Policy to "Allow Access" while testing. The pilot users that you've enrolled in Duo with an associated 2FA device get prompted to complete Duo authentication, while all other users will be transparently let through. If you want to deploy Duo to your Windows systems but have no users complete 2FA until a specific date (after all user enrollment is complete), set the New User Policy to "Allow Access" and set the Authentication Policy to "Bypass 2FA". With these two policy settings in place, users who have and who have not enrolled in Duo log in to the Windows system as usual without experiencing Duo. When you're ready to require Duo authentication for all users of the target Windows system, change the "New User Policy" to "Deny access" and change the "Authentication Policy" to "Enforce 2FA". This will prompt all enrolled users to perform Duo 2FA after they type in their usernames and passwords, and prevent users who have not enrolled in Duo from logging in without 2FA.

If you chose to enable offline access on your application, then enrolled users who bypass 2FA due to the effective Authentication Policy would still be prompted to complete offline enrollment. To avoid confusion, we recommend leaving offline access off until you require users to complete Duo 2FA while online.

Run the Installer

If you need to change any of your chosen options after installation, you can do so by updating the registry. See the Duo for Windows Logon FAQ for instructions on how to update the settings.

Test Your Setup

To test your setup, attempt to log in to your newly-configured system as a user enrolled in Duo. The Duo authentication prompt appears after you successfully submit your Windows credentials. With automatic push enabled (the default installation option), the prompt indicates that Duo pushed an approval request to your phone. Duo sends the push request to the first phone activated for Duo Push and associated with that Duo user. With automatic push disabled, or if you click the Cancel button on the Duo authentication prompt after a 2FA request was sent, you can select a different device from the drop-down at the top (if you've enrolled more than one) or select any available factor to verify your identity to Duo:

Remembered Device

If you applied a policy to your Microsoft RDP application that enables remembered devices for Windows Logon, then during Duo authentication at the local system's console you'll see the "Remember me for..." option, reflecting the number of hours or days you set in the policy. If you check this box when authenticating, you won't need to perform Duo second-factor authentication again for the duration specified on the prompt the next time you unlock the workstation to continue the logged-in Windows session. Duo will prompt you to complete two-factor authentication at the next Windows logon or unlock after the remembered device session ends, and at that time you can choose to begin a new trusted logon session.

UAC Elevation

If you enabled User Elevation in Duo for Windows Logon v4.1.0 or later, you'll see the Duo authentication prompt after you enter your password for a credentialed elevation request. The application you were trying to launch runs after you approve the Duo two-factor request. If you chose to remember the device at the Windows desktop login, then you won't need to approve Duo authentication for UAC elevations made by the same logged-in account either, until the trusted Duo session ends.

Remember: if you find that Duo Authentication for Windows Logon has locked you out of your Windows system (e.g. due to a configuration error), you can reboot into Safe Mode to bypass it.

Offline Access

Duo Authentication for Windows Logon v4.0.0 introduces offline access, allowing secure local logons to Windows systems even when unable to contact Duo's cloud service.

Offline Access Video Overview

Offline Access Requirements
Users must have either:
We strongly suggest you test offline access with one of the security keys you plan to use before purchasing them for all your users. HyperFIDO tokens are not supported for offline access activation, nor are simple OTP passcode tokens or Duo D-100 hardware tokens. Note these functional limitations for offline access authentication devices:
Offline Access Configuration
Offline Access Logging

No information about logins using offline access is reported in Duo Admin Panel authentication reports while the Windows system is offline. At the next online authentication, login events that occurred while the system was offline are sent to Duo's service. These events show up in the Authentication Log with other user access results, and show the offline authentication method used.

Advanced Configuration

Change How Many Users May Use Offline Access

By default, five (5) users may enroll in offline access. To increase or reduce the number of users that may activate offline access on a given Windows client, use the Registry Editor (regedit.exe) with administrator privileges to create or update the following registry value: Location: HKLM\SOFTWARE\Duo Security\DuoCredProv:

Once the maximum number of users have activated offline access, the next user receives an error when attempting to enroll in offline access.

Force Offline Reactivation for a User

To force offline reactivation for a previously activated user on a given Windows system, use the Registry Editor (regedit.exe) with administrator privileges to delete the entire registry key that includes the username from HKLM\SOFTWARE\Duo Security\DuoCredProv\Offline.

Prevent Offline Access Use on a Client

You may have Windows systems where no users should log in using offline access, regardless of the application setting in the Duo Admin Panel. To prevent offline authentication for any user on a given Windows client, use the Registry Editor (regedit.exe) with administrator privileges to create or update the following registry value: Location: HKLM\SOFTWARE\Duo Security\DuoCredProv:
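The three registry operations above (adjusting the offline enrollment limit, forcing reactivation for one user, and disabling offline access on a client) can be audited and applied from PowerShell instead of regedit, which makes them scriptable across a fleet and leaves an obvious dry-run path. The script below is an added example and is not Duo's code. It uses the `HKLM\SOFTWARE\Duo Security\DuoCredProv` key and its `Offline` subkey exactly as the page names them, but the DWORD value names themselves are not on this page, so the usage lines pass an obviously labelled placeholder that you replace with the value name from the Duo FAQ; the sample username `jsmith` is likewise constructed.

```powershell
# Added example, not Duo's code: audit and adjust Duo for Windows Logon offline-access
# settings under the registry key the documentation names. Value names are placeholders
# (take them from the Duo FAQ); run as an administrator.
$DuoKey = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'

function Get-DuoCredProvSettings {
    # Lists every value currently set under the DuoCredProv key, which is where the
    # installer's options (and the offline-access overrides) live.
    if (-not (Test-Path $DuoKey)) {
        throw "Duo for Windows Logon does not appear to be installed: $DuoKey not found"
    }
    $props = Get-ItemProperty -Path $DuoKey
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |   # drop PowerShell's own provider properties
        Select-Object Name, Value
}

function Get-DuoOfflineActivations {
    # Each activated user has its own subkey under ...\DuoCredProv\Offline; counting them
    # shows how close the client is to the enrollment limit.
    $offlineKey = Join-Path $DuoKey 'Offline'
    if (-not (Test-Path $offlineKey)) { return @() }
    Get-ChildItem -Path $offlineKey | ForEach-Object {
        [pscustomobject]@{ User = $_.PSChildName; Key = $_.Name }
    }
}

function Reset-DuoOfflineActivation {
    # Forces offline reactivation by deleting the per-user subkey, as the doc describes.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$UserName)
    $offlineKey = Join-Path $DuoKey 'Offline'
    $match = Get-ChildItem -Path $offlineKey -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like "*$UserName*" }
    if (-not $match) { Write-Warning "No offline activation found for '$UserName'"; return }
    foreach ($key in $match) {
        if ($PSCmdlet.ShouldProcess($key.Name, 'Remove offline activation key')) {
            Remove-Item -Path $key.PSPath -Recurse
        }
    }
}

function Set-DuoCredProvDword {
    # Creates or overwrites a DWORD under DuoCredProv (enrollment limit, offline on/off, ...).
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$ValueName, [Parameter(Mandatory)][int]$Data)
    if ($PSCmdlet.ShouldProcess("$DuoKey\$ValueName", "Set DWORD to $Data")) {
        New-ItemProperty -Path $DuoKey -Name $ValueName -PropertyType DWord -Value $Data -Force | Out-Null
    }
}

# Audit first.
Get-DuoCredProvSettings | Format-Table -AutoSize
Get-DuoOfflineActivations | Format-Table -AutoSize

# Dry runs: -WhatIf prints what would change without touching the registry.
Set-DuoCredProvDword -ValueName '<VALUE-NAME-FROM-DUO-FAQ>' -Data 10 -WhatIf   # placeholder value name
Reset-DuoOfflineActivation -UserName 'jsmith' -WhatIf                            # constructed sample user
```

Drop `-WhatIf` once the audit output looks right. The per-user match is deliberately a substring match on the subkey name, because the page only says the key "includes the username"; review the `Get-DuoOfflineActivations` output before resetting so that a short username does not match more keys than intended.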
Offline Access Activation and Login

The next time you (or your end user) logs in to or unlocks the workstation while it's online and able to contact Duo, the offline activation prompt displays after successful two-factor authentication. Step through the guided activation process to configure Duo Mobile or a U2F security key for offline MFA. Once you've activated offline access for your account, when your computer isn't able to contact Duo's cloud service you'll automatically be offered the option to log in with an offline code or security key after successfully submitting your Windows username and password. You can also reactivate offline access from the online Duo prompt. Note that only one authentication device — a single phone with Duo Mobile or a single security key — may be activated for offline login. Activating a second device via the reactivation process deactivates the first. See the full offline activation and login experience in the Duo User Guide for Windows Logon.

Updating Duo Authentication for Windows Logon

You can upgrade your Duo installation over the existing version; there's no need to uninstall first. The installer maintains your existing application information and configuration options.

If you're upgrading to a version that includes new installer options, the configuration screen for those options won't be shown during an upgrade install. You'll need to configure those new options via Regedit or GPO update. See the Configuration section of the FAQ to learn how to enable and configure Duo for Windows Logon options in the registry, or the Group Policy documentation to learn how to configure options with GPO.

Uninstalling Duo

If you'd like to remove Duo Authentication for Windows Logon from your system, open the Windows Control Panel "Programs and Features" applet, click on the "Duo Authentication for Windows Logon" program in the list, and then click Uninstall. Do not delete the Microsoft RDP application from the Duo Admin Panel until you have uninstalled the Duo application from all Windows systems using that application. If you delete the Admin Panel application before uninstalling the Duo software, you may block users from logging in to Windows.

Advanced Deployment and Configuration using Group Policy

Please see our Duo Authentication for Windows Logon Group Policy documentation.

Troubleshooting

Need some help? Take a look at the Windows Logon Frequently Asked Questions (FAQ) page or try searching our Windows Logon Knowledge Base articles or Community discussions. For further assistance, contact Support. If the Duo application denies access to your users, ensure that you have enrolled them in Duo with a username or username alias that matches the username they use to log into Windows, and with a 2FA device attached that is activated for Duo Push, can receive phone calls from Duo, or can generate a one-time passcode. If you applied a new user policy that allows access without 2FA and expect it to allow the blocked users through, verify that the blocked users do not exist in Duo. Refer to these articles to learn more about user enrollment states and how they combine with policy settings to affect user logins.
Network Diagram
Which authentication protocol is used when authenticating to a server that belongs to a different Active Directory forest?
C - NTLM is used for systems running Windows NT 4.0 and earlier and for computers that are a member of a workgroup.

Do not allow storage of credentials or .NET Passports for network authentication?
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Do not allow storage of passwords and credentials for network authentication" to "Enabled".

Do not allow storage of passwords and credentials for network authentication registry?
You can disable password saving by following these steps: Go to "Computer Configuration". Go to "Windows Settings". Go to "Security Settings". Go to "Local Policies". Go to "Security Options". Go to "Network Access: Do not allow storage of passwords and credentials for network authentication".

Should I disable Credential Manager?
It's a recommended practice to disable the ability of the Windows operating system to cache credentials on any device where credentials aren't needed.