ZalanVM
Contributor

MFA (DUO) integration with ADFS - vSphere

Hi!

I've been following the fantastic video from Bill (https://blogs.vmware.com/customer-experience-and-success/2022/06/tam-lab-enabling-mfa-in-vsphere-7.h...) to create a new lab with the same setup (ADFS with DUO).

Setup:

vSphere 7.0.3.00700

Windows Server 2019 with ADFS

I setup everything and the integration between ADFS and vSphere works correctly. I can authenticate with ADFS in vSphere.

As soon as I change the Access Policy to require MFA (DUO), I receive the popup in my device, but when I accept the login I get the following error in the ADFS page:

  • Error details: MSIS7065: There are no registered protocol handlers on path /adfs/oauth2/authorize/ to process the incoming request.

One thing I've noticed is that the videos from Bill are from June 2022, but as of now, DUO no longer embeds the iframe in the ADFS page, it always redirects the browser to api-xxxxxxxxx.duosecurity.com. I'm not sure if this might be the issue, just pointing out.

Is there anyone that has DUO currently working with vSphere through ADFS?

7 Replies
vmwareusermatth
Contributor

I joined VMware Communities to respond to this. I encountered the same problem: I followed the official VMware setup guide for AD FS, then enabled it like Bill did, and it doesn't work for me.

Latest Duo AD FS plugin on AD FS 2016. I also tried "login with MFA" on another site I use now without Duo, and confirmed Duo works fine for that, but when used with vCenter (VMware VCF) it breaks. If I remove the MFA option, AD FS works fine for vCenter.

hermanc01
Enthusiast

We're running into this same issue as well. Ever since we upgraded the Duo for ADFS application to version 2.0.0 this started happening. It was working just fine on version 1.1.0.13 before we upgraded.

I have an open case with Duo and will let you know if I find out anything.

achernin
Contributor

I also have this issue and spent hours trying to resolve until I found this post and realized I'm not alone!

For now I'm using Duo Authentication Proxy as LDAP server for vCenter. It protects browser access to vCenter with 2FA but doesn't work for PowerCLI. Will be checking this post to see if Duo support responded to the ticket from hermanc01!

vmwareusermatth
Contributor

Sent a full debug to VMware support and ran their Python token validation script, and offered a Fiddler log. VMware said everything seemed OK from their side and sent me to Duo.

vmwareusermatth
Contributor

I have a saying: "no is an answer too"... I appreciate the candor and not just being led on. Note there is no mention of the AD FS Duo app, which is specifically what I asked them about on the phone, but "no recommended or supported VMware vCenter/vSphere application protection with Duo" is pretty clear. Full text:


Hi Matthew,

Thanks for contacting Duo Technical Support.
I understand you wish to protect VMware vSphere and vCenter with Duo.

There is currently no recommended or supported VMware vCenter/vSphere application protection with Duo.

We had previously published documentation for protecting VMware vCenter and vSphere logins using ldap_server_auto in the Duo Authentication Proxy. We removed this documentation from the site on 10.6.2015 for security reasons.

This was removed because it was determined to be very easy to bypass Duo authentication. There is a plugin you can install that uses SSPI authentication to log in to vCenter/vSphere using your Windows session credentials. Checking the box to use this plugin bypasses Duo's LDAP authentication.

While this feature is not something that's currently available, I've associated your account with the existing feature request for this.

Feature requests are prioritized in accordance with a number of factors, such as security enhancement, bug fixes, customer demand, and alignment with our product roadmap. While an exact ETA will not be available due to these priorities changing periodically, rest assured that your feedback is important to us, and we are continually working to improve and enrich the product.

The best way to be updated on the delivery of any feature is to subscribe to our Release Notes in the Community! Here’s how to do that:
https://community.duo.com/t/how-to-subscribe-to-release-notes/5531

Thanks for your input and for helping make Duo better!

Should you have any concerns or questions, please feel free to reply to this email.

Best Regards,
Hiroaki
Want to know what we're up to? Subscribe to our Release Notes in the Duo Community!
Duo Security Support Team - Support Page https://duo.com/support

--

I asked VMware to escalate my request, if possible, to have VMware work on a Duo integration (e.g. a Duo app).

trock11
Contributor

I was experiencing the same issue as everyone else and have a resolution to the issue. There is a known documented issue between vSphere v7 (possibly other versions) and the DUO MFA Adapter 2.X version. Duo Authentication for Microsoft AD FS v2.0.0 does not support OIDC. I followed the VMware guides, and the instructional set from https://blogs.vmware.com/customer-experience-and-success/2022/06/tam-lab-enabling-mfa-in-vsphere-7.h... and ended up with a general error splash page and event ID 346 on my ADFS server. You have to downgrade/uninstall the DUO MFA Adapter 2.0 on your ADFS, and install the previous version 1.2.0.17.

It's not easy to find the download, so here it is for easy reference: https://dl.duosecurity.com/duo-adfs3-1.2.0.17.msi

After installing this version, everything started working as expected.

Hopefully this helps someone.


-T

hermanc01
Enthusiast
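To check an AD FS server for the failure condition described in this thread (Duo adapter 2.x selected as the MFA provider while OIDC clients such as vCenter depend on /adfs/oauth2/authorize), here is an added PowerShell diagnostic. It is not code from the thread, from Duo or from VMware. It assumes the built-in ADFS module is available, that the Duo adapter's MSI uninstall entry has a DisplayName containing "Duo" and "AD FS" (adjust the pattern if yours differs), that the AD FS admin log is named "AD FS/Admin", and it takes the "broken" (2.0.0) and "working" (1.2.0.17) adapter versions from the posts above.

```powershell
# Added diagnostic for the Duo-for-AD-FS / OIDC incompatibility discussed in this thread.
# Not from the thread, Duo or VMware. Run on an AD FS server in an elevated session.
#Requires -Modules ADFS
#Requires -RunAsAdministrator

$BrokenAdapter  = [version]'2.0.0'     # reported in the thread as not supporting OIDC
$WorkingAdapter = [version]'1.2.0.17'  # version trock11 downgraded to

# 1. Installed Duo AD FS adapter, read from the MSI uninstall entries.
#    Assumption: the DisplayName contains "Duo" and "AD FS" / "ADFS".
$uninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$duoPkg = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Duo' -and $_.DisplayName -match 'AD ?FS' } |
    Select-Object -First 1 -Property DisplayName, DisplayVersion
$duoVersion = if ($duoPkg -and $duoPkg.DisplayVersion) { [version]$duoPkg.DisplayVersion } else { $null }

# 2. Is a Duo provider registered, and is it selected in the global MFA policy?
$duoProvider = Get-AdfsAdditionalAuthenticationProvider | Where-Object { $_.Name -match 'Duo' }
$policy      = Get-AdfsGlobalAuthenticationPolicy
$duoSelected = [bool]($policy.AdditionalAuthenticationProvider | Where-Object { $_ -match 'Duo' })

# 3. OAuth2/OIDC clients. vCenter's AD FS identity source is registered as a
#    server application inside an application group; native clients are counted too.
$oidcClients = @(Get-AdfsServerApplication) + @(Get-AdfsNativeClientApplication)

# 4. Event 346 in the last 24 hours (the event trock11 saw beside the MSIS7065 page).
#    Assumption: the admin log is named 'AD FS/Admin'.
$recent346 = @(Get-WinEvent -FilterHashtable @{
        LogName = 'AD FS/Admin'; Id = 346; StartTime = (Get-Date).AddDays(-1)
    } -MaxEvents 10 -ErrorAction SilentlyContinue)

# Verdict: Duo >= 2.0.0 selected as the additional provider while OIDC clients exist.
$atRisk = $duoSelected -and $duoVersion -and
          ($duoVersion -ge $BrokenAdapter) -and ($oidcClients.Count -gt 0)

[pscustomobject]@{
    DuoAdapterPackage    = $duoPkg.DisplayName
    DuoAdapterVersion    = $duoVersion
    DuoProviderNames     = ($duoProvider.Name -join ', ')
    DuoSelectedInPolicy  = $duoSelected
    OidcClientCount      = $oidcClients.Count
    OidcClientNames      = (($oidcClients | ForEach-Object Name) -join ', ')
    Event346Last24h      = $recent346.Count
    KnownIncompatibility = $atRisk
    Suggested            = if ($atRisk) {
        "Duo adapter $duoVersion with OIDC clients present: downgrade to $WorkingAdapter " +
        "or remove Duo from the additional authentication policy until an OIDC-capable release ships."
    } else {
        "No match for the failure condition described in the thread."
    }
} | Format-List
```

The script only reads state (registry, AD FS configuration, event log) and reports; the downgrade or policy change itself stays a deliberate admin action, which matters because removing Duo from the additional authentication policy also removes MFA for every relying party that depended on it.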

I've received the following response from Duo that acknowledges this as well.

Due to different customer feedback, it was concluded this is a known issue that Duo Authentication for Microsoft AD FS v2.0.0 does not support OIDC.

If you are using OIDC integrations in ADFS, you will not be able to use Duo for AD FS v2.0.0 and will need to remove it, or downgrade Duo for AD FS back to version 1.2.0.17, or wait for a future update as OIDC-based integrations are not supported in this version.

As for OIDC support in the current version: while this feature is not currently available, I've found a feature request on your behalf with our Product team to consider it during our next prioritization phase.

Feature requests are prioritized under several factors, such as security enhancement, bug fixes, customer demand, and alignment with our product roadmap. An exact ETA will not be available due to these priorities changing periodically.

