We have a UAG using RADIUS to Duo. When a user's password is reset and we check the box "User must change password at next login", they can no longer access VDI protected with Duo. Assuming this is because of using RADIUS, does anyone know of a workaround that will either let the user log into the desktop and force them to change the password or have the connection server facilitate the password change? Right now we just get "Access Denied" and they cannot proceed.
Thank you all in advance.
We are using a load balancer as access gateway for Horizon and also using Duo with RADIUS.
So, I don't think it's a RADIUS problem. Password change is working.
Do you have Duo proxies in your infrastructure?
What setup have you done in the setup file of the Duo proxy?
I assume you are doing an AD checkup (LDAPS) and syncing the users from AD to Duo?
Are you connecting using the web access or the Horizon client?
My advice is to review the logs on the Duo proxy and see what happens if the password change is done. Maybe it's also a timeout issue.
We are having the same problem with expired passwords.
Here is our DUO config.
Looks like we have to switch client to [duo_only_client] as mentioned in the blog post below
[radius_server_challenge]
ikey=**********
skey=*********
api_host=api-*****.duosecurity.com
client=ad_client