Thank you so much for making this! Just implemented it and it works flawlessly. If you want to only allow a specific security group in AD access to this server, which causes all other AD logins to fail, make sure you specify the "security_group_dn" field under the ad_client config. One thing that tripped me up was that when I used a specific OU for the search_dn that points to where my admin accounts are, it caused vSphere to fail the AD authentication because my service account was in a different OU. If you want to keep it locked down but still allow it to work with multiple OUs, make your search_dn more broad (I just used the base domain DN) and then specify your security_group_dn.
I absolutely agree with @Joshua Desjardine. This!!! There's so little documentation on it and this has been a major help! We've hit the apex of instructional guides right here, a masterpiece that made this otherwise garbled mess of a process understandable. Thank you very much, you rock!
A quick tip for others that tripped me up:
- While editing the vSphere config, it consistently kept timing out after inputting the primary server URL I knew it was supposed to point to (the DUO Proxy) and figured something was wrong. Turned out to be a simple oversight, as you may receive an additional DUO push when attempting to save the correct configuration.
InSilentNova, so glad the tutorial helped! Part of the motivation to get this video out is the lack of decent walkthroughs on how to set this up with Duo. ADFS is just absolute overkill just to have two-factor auth which you can accomplish this way. Thanks for the notes on the vSphere config as well. Thanks for the comment and take care.
Thank you for sharing this info. I am a DUO admin, and the VMware Team will really appreciate this once we roll it out at our hospital. Appreciate!
sglant, thank you for the comment and I'm glad this was helpful!
Nice! Thanks for finding a simpler way to implement MFA for vCenter.
Thanks John!
Perfect timing! This was uploaded 5 days ago and I found it today - Very useful Thank you very much.
Thank you Dude Lee! Glad you liked the video! Hope you come back for what I have in store in future vids :)
haha... Your video is going to get me a pay raise. Thanks.
now that was on point. Thank you for video and sharing!
Thank you!
I couldn't get this to work. I looked at the logs and found I had my LDAP user not being found. In the LDAP setup, you need to enter the DN of the LDAP user for the exempt OU after you set "exempt_primary_bind" to false. So, if you have no working MFA, but can authenticate with the new LDAP from vCenter, make sure to set "exempt_primary_bind" to false. Then, you must make certain your LDAPS user is exempted from needing to use Duo MFA with "exempt_ou_1=" and set your LDAP user's DN.
Thanks for the video. Didn't work for me, not sure why. The LDAP lookup works, my account is authenticated, but no DUO Push. As an FYI, you can use the authentication proxy server to set up 2FA for pretty much any application that will support LDAP or RADIUS authentication - I have set up 2FA on quite a few apps - but could not get it working with vCenter :(
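Putting the two tips from this thread (the broad search_dn plus security_group_dn point, and the exempt_primary_bind / exempt_ou_1 point) into one authproxy.cfg, as an added illustration that is not from the video or any commenter; every hostname, DN, path and key value below is a constructed placeholder, and the key names are the standard Duo Authentication Proxy ones.

```ini
; Constructed example authproxy.cfg (not the video's config); all DNs, hosts and paths are placeholders.
[ad_client]
host=dc01.corp.example.com
service_account_username=svc_duoproxy
service_account_password=<service-account-password>
; Too narrow: only the admin OU is searched, so a service account that lives
; in another OU is never found and vCenter's AD authentication fails.
; search_dn=OU=Admins,DC=corp,DC=example,DC=com
; Broad search base (the base domain DN) so every OU is reachable ...
search_dn=DC=corp,DC=example,DC=com
; ... then restrict who may actually log in to a single AD group; other AD
; accounts are rejected by the proxy.
security_group_dn=CN=vCenter-Admins,OU=Groups,DC=corp,DC=example,DC=com

[ldap_server_auto]
ikey=<integration-key>
skey=<secret-key>
api_host=<api-hostname>.duosecurity.com
client=ad_client
; vCenter binds to one of these: 389 for LDAP, 636 for LDAPS (LDAPS needs a
; cert/key pair on the proxy; paths are placeholders).
port=389
ssl_port=636
ssl_key_path=/opt/duoauthproxy/conf/proxy.key
ssl_cert_path=/opt/duoauthproxy/conf/proxy.crt
; With exempt_primary_bind=false the bind vCenter performs to look users up is
; no longer passed through automatically, so that lookup account must be
; exempted from the second factor by its DN or the lookup itself fails.
exempt_primary_bind=false
exempt_ou_1=CN=svc_vcenterldap,OU=ServiceAccounts,DC=corp,DC=example,DC=com
; Fail closed if the Duo service cannot be reached.
failmode=secure
```

The proxy log at /opt/duoauthproxy/log (mentioned later in the thread) is where a "user not found" or an unexpected bind shows up after a change like this.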
Very late to this game. I got everything setup and it works, only after I hit "approve" on my app, my browser just spins and then the Duo app pops up again (I approve) and again (I approve) and again (etc.). Any suggestions? My logs are not helping at all.
I tried implementing this, but the credentials passed to the duo proxy seem to be only the credentials used to set up the identity source and not the credentials of the user logging in. Did I set something up wrong?
Great video! Thanks for making it. Is there any way to configure the connectivity between vCenter and the Duo authentication proxy as LDAPS when you are adding it as an IDP?
Prishail, thank you for your comment! Yes, Duo allows LDAPS...you will just use the port 636 instead of 389.
@VirtualizationHowto thanks! When adding the identity source on vCenter and you point it to the Duo auth proxy via LDAPS, which SSL certificate would you need to upload? Would it be the SSL certificate for the Duo proxy or would it be the CA root certificate?
THX for the video! Sorry, but you should have mentioned that: Guide to Duo Access Gateway end of life 2023. I work in the critical infrastructure sector and for us a pure cloud solution is an absolute no-go. Are there any alternatives?
Excellent video. I have configured my proxy using Windows. No errors reported when validating. However, when I log into vSphere, it logs me straight in with no push from Duo. I changed the port to 636 and as expected my credentials came back as invalid, so the Duo Proxy is working. I just cannot get the Duo Push to my phone, hence logging me straight in. Any help on this please. Thanks!
Check your Duo proxy log and see what it is telling you at a low level.
I have this working now. Had to adjust the Duo policy in the portal. Thanks!
@asifiqbal-jg3hb Hi Asif, I have exactly the same situation as you had!
What did you adjust in the policy to get the app to prompt you?
@Neios9 Make sure in your Duo Portal for the application you have ticked the box that asks for MFA to be enabled. I had missed this and this was logging me straight in with no Duo prompt to my phone.
@asifiqbal-jg3hb please help me, I cannot find the section on the portal. I have the same problem.
I want to try this, but I have a current AD identity in vCenter for SSO. It uses Integrated Windows Authentication. It does not allow a second AD identity. Is it OK to delete the current identity source to try this? I assume I can still get into vCenter by using the vsphere.local system domain?
Yes, you can delete the identity source - as you indicated, log in with a vsphere.local account.
Trying to use the Windows version of the Duo proxy, but when adding the identity source in vCenter I keep getting a message saying "Check the network settings and make sure you have network access to the identity source". How does this work if we already have AD as our identity source, or can it?
babbo84,
Yes, it should be able to work flowing through the Duo Proxy. Make sure you don't have anything filtering traffic to the LDAP ports of the Duo Proxy. Also, you can check the Duo Proxy logs to make sure there is not another underlying error happening on the Duo. However, this error sounds like a connectivity issue, possibly.
@VirtualizationHowto Hi, I got the same issue, do you have more references on how to check what could be happening?
Do you know any method to disable the "Use Windows session authentication" option?
The problem here is, when you have installed the Enhanced Authentication Plugin and use Windows Session Authentication to log in, it totally ignores the second factor and you have access to the vCenter. So, a possible answer would be "Don't install the plugin" - but in this case we need to know that an attacker would just use exactly this plugin to get access.
Did you join your vCenter to your domain? If you did, it will cause this type of behavior.
Excellent video
My domain users stopped authenticating after I added that proxy the same way you did on VCSA. When I try to log in now with a domain user it says "Invalid credentials" - so how will this method pass the requests to AD to check the username/password? I am not sure if I missed anything? But I was able to add the identity source the same way you did in the video, and matched your DUO cfg file.
I also have LDAP over SSL - but I kinda converted to LDAP only to test that, but nothing is working.
Mina, make sure you have the corresponding users configured in Duo that you are passing from Active Directory. Also, check the Duo Proxy log and it should pinpoint the issue you are experiencing with authentication. It is located here: /opt/duoauthproxy/log. I hope this helps to point you in the right direction. I realized I neglected to highlight the need to have matching users configured in Duo to match the Active Directory.
Great video thanks for sharing
Thank you!
much respect