
Duo Authentication for Microsoft AD FS 2.0 on Windows 2008 R2 and 3.1 on Windows 2012

Last Updated: April 30th, 2019

Duo integrates with Microsoft AD FS 2.0 and 2.1 to add two-factor authentication to services using browser-based federated logins, complete with inline self-service enrollment and Duo Prompt.

Duo's AD FS application is part of the Duo Beyond, Duo Access, and Duo MFA plans.

The Duo AD FS 2.x module supports relying parties that use Microsoft's WS-Federation protocol, like Office 365, as well as SAML 2.0 federated logons for cloud apps like Google Apps and salesforce.com. The login assertion must contain a SAML 2.0 NameId or a WS-Federation (AD FS 1.1 compatible) UserPrincipalName, WindowsAccountName, or EmailAddress. Relying parties that require encrypted assertions are not supported.

The Duo AD FS 2.x IIS module supports AD FS 2.0 on Windows Server 2008 R2 and AD FS 2.1 on Windows Server 2012. AD FS 1.0 is not supported. To protect AD FS on Windows Server 2012 R2 or later use the AD FS 3+ MFA adapter.

First Steps

Before installing the Duo AD FS integration, verify that federated logins to your relying parties are working.

  1. Sign up for a Duo account.
  2. Log in to the Duo Admin Panel and navigate to Applications.
  3. Click Protect an Application and locate Microsoft ADFS in the applications list. Click Protect this Application to get your integration key, secret key, and API hostname. (See Getting Started for help.)

    Treat your secret key like a password

    The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!

  4. Download the Duo AD FS Installer Package for AD FS 2.x. View checksums for Duo downloads here.

  5. Make sure you have installed ASP.NET 3.5 support for IIS. You can do this from the Server Manager console, or by running the following PowerShell commands:

    # Load the Server Manager cmdlets, then add the ASP.NET role service for IIS
    # (Web-Asp-Net) that the Duo IIS module depends on
    Import-Module ServerManager
    Add-WindowsFeature Web-Asp-Net

Connectivity Requirements

This application communicates with Duo's service on TCP port 443. Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review this Duo KB article.
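A quick way to confirm the requirement above before running the installer is to open an outbound TCP 443 connection from the AD FS server to your API hostname and complete a TLS handshake. The PowerShell function below is an added example, not part of Duo's documentation or installer; it uses only .NET classes available on Windows Server 2008 R2 and 2012, and `api-XXXXXXXX.duosecurity.com` is a placeholder that you replace with the API hostname from your Duo ADFS application page.

```powershell
# Added example, not part of Duo's documentation or installer: check that this AD FS server
# can open an outbound TCP 443 connection to the Duo API hostname and complete a TLS handshake.
# Replace the placeholder below with the API hostname from your Duo ADFS application page.
$DuoApiHost = "api-XXXXXXXX.duosecurity.com"   # placeholder, not a real hostname

function Test-DuoApiConnectivity {
    param(
        [Parameter(Mandatory = $true)][string]$ApiHost,
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )
    # New-Object PSObject (rather than [pscustomobject]) keeps this working on PowerShell 2.0
    $result = New-Object PSObject -Property @{
        Host       = $ApiHost
        TcpConnect = $false
        TlsOk      = $false
        Detail     = ""
    }
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        # Asynchronous connect so a firewall that silently drops outbound 443 shows up
        # as a timeout instead of a long hang.
        $async = $client.BeginConnect($ApiHost, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $result.Detail = "TCP connect to ${ApiHost}:$Port timed out after $TimeoutMs ms"
            return $result
        }
        $client.EndConnect($async)
        $result.TcpConnect = $true

        # Let SslStream validate the certificate chain and hostname normally. No callback
        # that accepts any certificate: that would hide TLS interception or a wrong host.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($ApiHost)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.TlsOk  = $true
        $result.Detail = "TLS handshake OK; certificate subject '$($cert.Subject)', expires $($cert.NotAfter)"
        return $result
    }
    catch {
        # Typical causes: DNS failure, outbound 443 blocked, or certificate validation failure
        $result.Detail = "Failed: $($_.Exception.Message)"
        return $result
    }
    finally {
        if ($ssl) { $ssl.Close() }
        $client.Close()
    }
}

Test-DuoApiConnectivity -ApiHost $DuoApiHost | Format-List Host, TcpConnect, TlsOk, Detail
```

Run it on every AD FS server and proxy where you plan to install the module. `TcpConnect = $false` points at a firewall or routing rule on the path to Duo; `TcpConnect = $true` with `TlsOk = $false` usually means the server cannot validate the certificate presented (for example, a TLS-inspecting proxy in the path), which the Duo module would also fail on.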

Deployment Overview

This integration adds a two-factor authentication prompt to web-based logins through an AD FS 2.x Identity Provider and/or Proxy. After completing primary authentication to the AD FS server (by any standard means such as Windows Integrated, Forms-Based, and HTTP Basic), your users will be required to complete a Duo authentication challenge before getting redirected back to the relying party.

You should install the Duo integration on any AD FS 2.x server on which you want to enforce two-factor authentication. For example, if you want to always require two-factor authentication for all of your users, you should install the Duo integration on all of your AD FS Identity Providers and Proxies:

AD FS Install

However, if you only want to enforce two-factor authentication for external users, and you have configured your network such that external users communicate with an AD FS proxy, while internal users communicate with the Identity Provider, you might install the Duo integration only on your proxy:

AD FS Install External

In an AD FS farm deployment the Duo integration should be installed on all AD FS servers in the farm.

Deployment Tip

Try setting your application's "New user policy" to "Allow Access" while testing. Users that Duo knows about will be prompted to authenticate with Duo, while all other users will be transparently let through.

Users that have a phone (or hardware token) associated with them will see the authentication prompt. All other users will be able to add their phone through Duo's self-service enrollment (see Test Your Setup).

Then (when you're ready) change the "New user policy" to "Require Enrollment." This will prompt all users to authenticate (or enroll) after they type in their usernames and passwords.

Run the Installer

  1. Launch the Duo Security installer MSI from an elevated command prompt (right-click "Command Prompt" and select the "Run as Administrator" option). Accept the license agreement and continue.

  2. Enter your integration key, secret key, and API hostname from the Duo Security ADFS application page when prompted.

    Enter Duo Information

    If the Bypass Duo authentication when offline option is unchecked, then users will not be able to log in to protected federated resources when Duo Security cloud services are unreachable.

  3. If you only have one AD FS server running, select the option to automatically generate a new key. However, if you are running multiple AD FS servers in a farm (e.g. behind a load-balancer), then you should manually generate a random string at least 40 characters long, and use the same string as the session key during installation on each of the servers.

    Create Session Key

    For example, you could use the following PowerShell commands to generate a suitable session key:

    # 30 random bytes from the cryptographic RNG encode to a 40-character Base64 string,
    # which meets the minimum length above; run this once and reuse the output on every server
    $bytes = new-object "System.Byte[]" 30
    (new-object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
    [Convert]::ToBase64String($bytes)

  4. Complete the Duo installation. The Duo installer stops and then restarts IIS services on your AD FS servers automatically.

Test Your Setup

To test your setup, use a web browser to log into a relying party for your AD FS deployment. As an example, you might log into https://portal.microsoftonline.com to access Office 365. Duo's enrollment or login prompt appears after you complete primary authentication to your AD FS server:

AD FS Prompt

Visit our guides to protecting popular cloud applications like Google Apps and Office 365 with Duo's powerful two-factor authentication for AD FS.

Troubleshooting

Need some help? Take a look at the AD FS Frequently Asked Questions (FAQ) page or try searching our AD FS Knowledge Base articles or Community discussions. For further assistance, contact Support.

Network Diagram

  1. AD FS connection initiated
  2. Primary authentication to AD
  3. AD FS connection established to Duo Security over TCP port 443
  4. Secondary authentication via Duo Security’s service
  5. AD FS receives authentication response
  6. AD FS session logged in