Duo Authentication for Microsoft AD FS 2.1 on Windows 2012 (Deprecated)

Duo's AD FS application is part of the Duo Premier, Duo Advantage, and Duo Essentials plans.

The Duo AD FS 2.1 module worked with relying parties that use Microsoft's WS-Federation protocol, like Office 365, as well as SAML 2.0 federated logons for cloud apps like Google G Suite and salesforce.com. The login assertion must contain a SAML 2.0 NameId or a WS-Federation (AD FS 1.1 compatible) UserPrincipalName, WindowsAccountName, or EmailAddress. Relying parties that require encrypted assertions are not supported.

The Duo AD FS 2.1 IIS module supported AD FS 2.1 on Windows Server 2012 only. To protect AD FS on Windows Server 2016 or later use the AD FS MFA adapter.

First Steps

Before moving on to the deployment steps, it's a good idea to familiarize yourself with Duo administration concepts and features like options for applications, available methods for enrolling Duo users, and Duo policy settings and how to apply them. See all Duo Administrator documentation.

Also verify that federated logins to your relying parties are working prior to installing Duo.

1. Sign up for a Duo account.

2. Log in to the Duo Admin Panel and navigate to Applications.

3. Click Protect an Application and locate the 2FA-only entry for Microsoft ADFS in the applications list. Click Protect to the far-right to configure the application and get your Client ID, Client secret, and API hostname. You'll need this information to complete your setup. See Protecting Applications for more information about protecting applications in Duo and additional application options.
   
   

   Previously, the Client ID was called the "Integration key" and the Client secret was called the "Secret key".

   Treat your secret key like a password

   The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!

4. Download the Duo AD FS Installer Package for AD FS 2.1. View checksums for Duo downloads here.

5. Make sure you have installed ASP.NET 3.5 support for IIS. You can do this from the Server Manager console, or by running the following PowerShell commands:

   Import-Module ServerManager
   Add-WindowsFeature Web-Asp-Net
   

Duo Universal Prompt

The Duo Universal Prompt provides a simplified and accessible Duo login experience for web-based applications, offering a redesigned visual interface with security and usability enhancements.

Universal Prompt	Traditional Prompt

Duo's AD FS 2.x application will not offer support for the Universal Prompt experience. Duo has no plans to release an application update with Universal Prompt support for AD FS 2.x servers. Microsoft ended extended support for Windows Server 2012 on October 10, 2023. You're encouraged to migrate to AD FS on Windows 2016 or later with pluggable multifactor provider support.

Duo's MFA plugin for AD FS on Windows 2016 and later and later supports the Duo Universal Prompt as of version 2.0.0. The Universal Prompt status for a newly-created may be misleading to AD FS v2.x admins, because the same Duo AD FS application on the Duo Admin Panel can be used with both AD FS 2.x and AD FS on later Windows versions. Once your users authenticate using the Duo IIS-based AD FS application for AD FS v2.x, the Universal Prompt status shown in the Admin Panel will correctly reflect that the AD FS application is incompatible with Universal Prompt.

Read the Universal Prompt Update Guide for more information about the update process and the new login experience for users.

Deployment Overview

This integration adds a two-factor authentication prompt to web-based logins through an AD FS 2.1 Identity Provider and/or Proxy. After completing primary authentication to the AD FS server (by any standard means such as Windows Integrated, Forms-Based, and HTTP Basic), your users will be required to complete a Duo authentication challenge before getting redirected back to the relying party.

You should install the Duo integration on any AD FS 2.1 server on which you want to enforce two-factor authentication. For example, if you want to always require two-factor authentication for all of your users, you should install the Duo integration on all of your AD FS Identity Providers and Proxies:

However, if you only want to enforce two-factor authentication for external users, and you have configured your network such that external users communicate with an AD FS proxy, while internal users communicate with the Identity Provider, you might install the Duo integration only on your proxy:

In an AD FS farm deployment the Duo integration should be installed on all AD FS servers in the farm.

Deployment Tip

Set your application's New User Policy to "Allow Access" while testing. Enrolled users must complete two-factor authentication, while all other users are transparently let through.

Then (when you're ready) change the "New user policy" to "Require Enrollment." This will prompt all users to authenticate (or enroll) after they type in their usernames and passwords.

Run the Installer

1. Launch the Duo Security installer MSI from an elevated command prompt (right-click "Command Prompt" and select the "Run as Administrator" option). Accept the license agreement and continue.

2. Enter your integration key (may show as the Client ID in the Admin Panel), secret key (may show as the Client secret in the Admin Panel), and API hostname from the Duo Security ADFS application page when prompted.

   

   If the Bypass Duo authentication when offline option is unchecked, then users will not be able to log in to protected federated resources when Duo Security cloud services are unreachable.

3. If you only have one AD FS server running, select the option to automatically generate a new key. However, if you are running multiple AD FS servers in a farm (e.g. behind a load-balancer), then you should manually generate a random string at least 40 characters long, and use the same string as the session key during installation on each of the servers.

   

   For example, you could use the following PowerShell commands to generate a suitable session key:

   $bytes = new-object "System.Byte[]" 30
   (new-object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
   [Convert]::ToBase64String($bytes)
   

4. Complete the Duo installation. The Duo installer stops and then restarts IIS services on your AD FS servers automatically.

Test Your Setup

To test your setup, use a web browser to log into a relying party for your AD FS deployment. As an example, you might log into https://portal.microsoftonline.com to access Office 365. Duo's enrollment or login prompt appears after you complete primary authentication to your AD FS server:

Visit our guides to protecting popular cloud applications like Google G Suite and Office 365 with Duo's powerful two-factor authentication for AD FS.

Troubleshooting

Need some help? Take a look at the AD FS Frequently Asked Questions (FAQ) page or try searching our AD FS Knowledge Base articles or Community discussions. For further assistance, contact Support.

Network Diagram

1. AD FS connection initiated
2. Primary authentication to AD
3. AD FS connection established to Duo Security over TCP port 443
4. Secondary authentication via Duo Security’s service
5. AD FS receives authentication response
6. AD FS session logged in