Duo Legacy AD Protection - FAQ
General
What protocols does Duo Legacy AD Protection support?
Duo Legacy AD Protection supports Kerberos and NTLM authentications only. The filter may not intercept LDAP simple binds unless the system routes them through NTLM or GSSAPI.
Is DuoSubAuthFilter installation required on endpoints or application servers?
No, only domain controllers require installation of the DuoSubAuthFilter DLL.
What load does DuoSubAuthFilter introduce on the domain controller?
Based on performance testing, the Duo Legacy AD Protection solution introduced a noticeable workload only under extremely high simulated authentication loads (for example, 1,000 user authentications within three minutes), which are unlikely in most real-world environments. For small and medium-sized deployments, we do not expect a significant impact on domain controller performance. We recommend validating the solution in your environment and observing the load under your specific usage patterns.
Can I customize which protocols or services trigger MFA?
You can choose to filter Kerberos, NTLM, or both. You cannot filter by individual service, application, or at the protocol policy level.
Does Duo Legacy AD Protection support nested AD groups?
Yes, you may use nested Active Directory groups for enforcement and bypass logic.
What is the user experience for non-Windows clients?
Duo Legacy AD Protection is client OS-agnostic. Any client using Kerberos or NTLM to authenticate to a protected domain controller will trigger Duo MFA. Users will not see an on-screen Duo prompt from the application. They will only receive the Duo MFA request as a push notification on their mobile device or phone call.
Installation and Configuration
Can I silently install the DuoSubAuthFilter from a command line or PowerShell?
Enter the following command into PowerShell or a Command Prompt to silently install the DuoSubAuthFilter with default options (note that the MSI filename changes to reflect the version):
msiexec.exe /i duo-subauthfilter-n.n.n.msi DUO_IKEY="DIDIXXXXXXXXXXXXXXXXXXXX" DUO_SKEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" DUO_HOST="api-xxxxxxxx.duosecurity.com" /qn
The parameter names passed to the installer (DUO_IKEY, DUO_SKEY, DUO_HOST, etc.) are case-sensitive!
You can also choose to change the default settings. For example, to set fail mode to fail closed add FAILOPEN="#0" to the command, or to install with MFA enforcement enabled add DUO_ENABLEDUO=#1.
Can I silently uninstall the DuoSubAuthFilter from a command line or PowerShell?
To silently remove the DuoSubAuthFilter from your environment, run the following command from PowerShell or an elevated command prompt, specifying the MSI file for the version of the DuoSubAuthFilter currently installed (note that the MSI filename changes to reflect the version):
msiexec.exe /x duo-subauthfilter-n.n.n.msi /qb
How do I deploy the DuoSubAuthFilter across multiple domain controllers?
Install the filter on each domain controller for full coverage. Partial deployment may result in inconsistent enforcement. Use the PowerShell support script located at C:\Program Files\Duo Security\DuoSubAuthFilter\Tools\Get-Auth0OnDCs.ps1 to verify that deployment across all controllers is consistent.
You can use Group Policy Objects (GPO), System Center, or your preferred deployment tool to automate rollout. See Deploy Duo Legacy AD Protection to DCs Using Active Directory for detailed instructions.
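The following PowerShell script is an added example for this FAQ, not Duo's own deployment script. It copies the MSI to every domain controller returned by Get-ADDomainController, runs the silent install from the previous answer on each one, and reports the Windows Installer exit code per DC so that a partial deployment is visible immediately. It assumes PowerShell remoting and the C$ admin share are reachable on each DC; the MSI path, integration key and API hostname are placeholders you replace with your own values.

```powershell
# Added example (not Duo's own script): silent DuoSubAuthFilter install on all DCs.
# Assumptions: PowerShell remoting and the C$ admin share are available on each DC;
# the MSI name, DUO_IKEY and DUO_HOST values below are placeholders.
Import-Module ActiveDirectory

$MsiPath = 'C:\Deploy\duo-subauthfilter-n.n.n.msi'   # placeholder: use the real version's filename
$DuoIkey = 'DIDIXXXXXXXXXXXXXXXXXXXX'                 # placeholder integration key
$DuoHost = 'api-xxxxxxxx.duosecurity.com'             # placeholder API hostname

# Prompt for the secret key instead of storing it in the script.
$secure  = Read-Host -AsSecureString -Prompt 'DUO_SKEY'
$DuoSkey = (New-Object System.Net.NetworkCredential('', $secure)).Password

$msiName   = Split-Path -Leaf $MsiPath
$remoteDir = 'C:\Windows\Temp'

# Every DC needs the filter; a DC without it does not enforce MFA.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$report = foreach ($dc in $dcs) {
    try {
        Copy-Item -Path $MsiPath -Destination "\\$dc\C$\Windows\Temp\$msiName" -Force -ErrorAction Stop

        $exit = Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
            param($msi, $ikey, $skey, $apiHost)
            # Installer property names are case-sensitive; /qn runs with no UI.
            $arguments = @('/i', "`"$msi`"", "DUO_IKEY=$ikey", "DUO_SKEY=$skey",
                           "DUO_HOST=$apiHost", '/qn')
            (Start-Process -FilePath msiexec.exe -ArgumentList $arguments -Wait -PassThru).ExitCode
        } -ArgumentList "$remoteDir\$msiName", $DuoIkey, $DuoSkey, $DuoHost
    }
    catch {
        $exit = -1
        Write-Warning "$dc : $($_.Exception.Message)"
    }

    # Standard Windows Installer codes: 0 = success, 3010 = success but restart pending.
    $status = switch ($exit) {
        0       { 'Installed' }
        3010    { 'Installed, restart required' }
        default { 'Failed' }
    }
    [pscustomobject]@{ DomainController = $dc; ExitCode = $exit; Status = $status }
}

$report | Format-Table -AutoSize
```

Any DC whose row is not "Installed" needs attention before you rely on enforcement, and after an upgrade each DC must be restarted (exit code 3010 is the installer telling you so) for the new DLL to become active.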
How do I configure the DuoEnforce and DuoBypass groups?
The enforcement and bypass groups are standard Active Directory security groups. Set the names of these groups in the registry on your domain controller at:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Duo Security\DuoSubAuthFilter
Use the values DuoEnforceGroupName and DuoBypassGroupName (both REG_SZ). You manage the actual groups in AD; you do not use the Duo Admin Panel for this setting. The group names in the registry must match the AD group names exactly.
Can I specify more than one DuoEnforce or DuoBypass group?
No, the DuoEnforceGroupName and DuoBypassGroupName values must be a single AD group name. You may nest multiple groups within the AD group you specify for MFA enforcement or bypass.
How do I change group names after initial configuration?
Update the DuoEnforceGroupName and DuoBypassGroupName values in the registry. You must restart your domain controller(s) for the filter to pick up changes.
What happens if I leave the DuoEnforce group empty?
An empty DuoEnforce group (or one that you have not configured) means that the filter enforces MFA for everybody by default. Use the DuoBypass group to make exceptions for specific users or computers when the DuoEnforce group is empty.
How often does DuoEnforce and DuoBypass group membership information update?
The DuoSubAuthFilter polls the named DuoEnforce and DuoBypass groups for direct changes every 60 seconds by default. If it detects changes to those named groups it reloads the group cache information from AD for both the named groups and any nested groups. Otherwise, it reloads its enforce and bypass cache from AD every 60 minutes.
To adjust the polling and cache refresh intervals, use the Registry Editor (regedit.exe) with administrator privileges to create the following registry values:
Location: HKLM\SOFTWARE\Policies\Duo Security\DuoSubAuthFilter
| Registry Value | Type | Description |
|---|---|---|
| ADCachePollingInterval | DWORD | Adjust how often the DuoSubAuthFilter checks the AD enforce and bypass groups for changes, with a minimum value of 60 seconds. Defaults to 60 seconds if not explicitly set. |
| ADCacheAutoRefreshInterval | DWORD | Adjust how often the DuoSubAuthFilter reloads the enforce and bypass caches from AD, with a minimum value of 600 seconds (10 minutes). Defaults to 3600 seconds (60 minutes) if not explicitly set. |
If you manage Duo settings with Windows Group Policy, those settings override any changes made via regedit. Update the "Client: AD Cache Polling Interval" and "Client: AD Cache Auto-Refresh Interval" settings in the GPO instead.
How do I update the DuoSubAuthFilter DLL?
The DLL does not update automatically. When Duo releases a new version, you must install it manually on each domain controller or deploy the upgrade using automated tools such as Group Policy Objects (GPO) or System Center. You must restart the system after an update installation for the new DuoSubAuthFilter DLL to become active.
Where can I find the list of supported registry keys?
You can find the complete list of supported registry keys, their types, and descriptions in the LegacyADAuths_Group_Policy_Settings.xlsx spreadsheet included with the installer package. See also Registry Configuration in the main documentation.
How do I configure log file rotation?
Duo Legacy AD Protection enables log file rotation by default.
To configure the log file rotation file maximum size and count, use the Registry Editor (regedit.exe) with administrator privileges to create the following registry values:
Location: HKLM\SOFTWARE\Policies\Duo Security\DuoSubAuthFilter
| Registry Value | Type | Description |
|---|---|---|
| LogFileMaxSizeMB | DWORD | Set the maximum log file size in megabytes (MB). Minimum: 1. Maximum: 4096. |
| LogFileMaxCount | DWORD | Set the number of log files to maintain on disk. Minimum: 1. Maximum: 100. |
Both registry keys must exist with a value greater than 0 to enable log rotation. For example, if LogFileMaxSizeMB=5 but LogFileMaxCount does not exist, then DuoTsg.log will overwrite upon reaching 5 MB.
Log files may be slightly larger than the defined size to ensure the system does not split an in-process authentication across log files. Backup logs will increment using the progression DuoSubAuthRequest.log → DuoSubAuthRequest.2.log → DuoSubAuthRequest.3.log → and so on.
If you manage Duo settings with Windows Group Policy, those settings override any changes made via regedit. Update the "Client: Log File Max Size MB" and "Client: Log File Max Count" settings in the GPO instead.
Connectivity and Availability
How can I configure the fail mode?
By default, Duo Legacy AD Protection fails open (allows login without MFA). You can set the fail mode to fail closed during installation by deselecting the "Bypass Duo authentication when offline" box. This denies all login attempts if the system cannot contact the Duo service. We do not recommend fail closed configurations due to the risk of lockout. Users will not see any indication that the Duo filter has failed closed when logging into the legacy applications.
To change the fail mode after installation, use the Registry Editor (regedit.exe) with administrator privileges to create or update the following registry value:
Location: HKLM\SOFTWARE\Policies\Duo Security\DuoSubAuthFilter
| Registry Value | Type | Description |
|---|---|---|
| FailOpen | DWORD | Set to 1 to allow "fail open" for all users or 0 to restrict to "fail closed". Default: Fail open. |
If you manage Duo settings with Windows Group Policy, those settings override any changes made via regedit. Update the "Duo Service: Fail Open if Unable to Contact Duo" setting in the GPO instead.
Is it possible to use a web proxy for Duo Legacy AD Protection traffic?
Yes. Communication with Duo cloud uses the system-wide WinHTTP proxy by default.
If you do not want to use a system-wide proxy you may proxy only Duo authentication traffic. Set this during installation by checking the "Configure manual proxy for Duo traffic" box and entering your proxy host and port information.
To change the HTTP proxy settings for the Duo application after installation, use the Registry Editor (regedit.exe) with administrator privileges to create or update the following registry value:
Location: HKLM\SOFTWARE\Policies\Duo Security\DuoSubAuthFilter
| Registry Value | Type | Description |
|---|---|---|
| HttpProxyHost | String | Hostname or IP address of an HTTP proxy. If set, the filter uses this proxy to communicate with Duo Security's service. Must support the CONNECT protocol. Default: do not use a proxy. |
| HttpProxyPort | DWORD | Port to connect to on HttpProxyHost. Enter port number as decimal. Default: '80'. |
If you manage Duo settings with Windows Group Policy, those settings override any changes made via regedit. Update the "Duo Service: HTTP Proxy Hostname" and "Duo Service: HTTP Proxy Port" settings in the GPO instead.
If you do not already have an HTTP proxy deployed on your network you can use the Duo Authentication Proxy application to act as an HTTP proxy for Duo Legacy AD Protection connections. Install the Authentication Proxy on a server in your network that has direct internet access, add the HTTP proxy settings to the Authentication Proxy configuration, and then update the DuoSubAuthFilter HttpProxy settings to point to that Authentication Proxy. See the HTTP Proxy instructions in the Authentication Proxy Reference for more information.
How do I disable certificate pinning?
Duo Legacy AD Protection enables certificate pinning by default as an additional security measure protecting communications between the client application and Duo's cloud service.
To disable certificate pinning, use the Registry Editor (regedit.exe) with administrator privileges to create or update the following registry value:
Location: HKLM\SOFTWARE\Policies\Duo Security\DuoSubAuthFilter
| Registry Value | Type | Description |
|---|---|---|
| EnableCertPinning | DWORD | Set to 0 to disable certificate pinning. Enabled if the registry value does not exist or is 1. |
If you manage Duo settings with Windows Group Policy, those settings override any changes made via regedit. Update the "Client: Enable Certificate Pinning" setting in the GPO instead.
Authentication Behavior
How do I suppress multiple MFA prompts for the same user session?
The filter includes logic to suppress rapid, repeated prompts using a 30-second suppression timer. Additionally, Windows and Kerberos may reuse session tickets, reducing repeat prompts for the same user session.
To adjust the suppression period or disable duplicate Duo Push suppression, use the Registry Editor (regedit.exe) with administrator privileges and create or update the following registry value:
Location: HKLM\SOFTWARE\Policies\Duo Security\DuoSubAuthFilter
| Registry Value | Type | Description |
|---|---|---|
| SuppressDuplicatePushDuration | DWORD | Specify the duplicate push suppression duration, up to a maximum value of 60 seconds. Defaults to 30 seconds if not explicitly set. Set to 0 to disable duplicate push suppression. |
If you manage Duo settings with Windows Group Policy, those settings override any changes made via regedit. Update the "Client: Suppress Duplicate Push Duration" setting in the GPO instead.
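The registry values described in the cache interval, log rotation, fail mode, proxy, certificate pinning and duplicate push answers above share one key and a small set of documented limits. The following PowerShell function is an added example, not Duo tooling: it reads that key (locally, or on another DC over PowerShell remoting when you pass -ComputerName) and reports each value against the minimums, maximums, defaults and dependencies stated in this FAQ. The function name and the status labels are assumptions of the example.

```powershell
# Added example (not Duo's own tooling): audit DuoSubAuthFilter registry values
# against the limits and defaults documented in this FAQ.
# Assumption: the function name and status labels are mine; remote use needs
# PowerShell remoting to the target domain controller.
function Test-DuoSubAuthFilterConfig {
    [CmdletBinding()]
    param([string]$ComputerName)

    # Read every value under the filter's policy key into a hashtable.
    $reader = {
        $path = 'HKLM:\SOFTWARE\Policies\Duo Security\DuoSubAuthFilter'
        $values = @{}
        if (Test-Path $path) {
            foreach ($p in (Get-ItemProperty -Path $path).PSObject.Properties) {
                if ($p.Name -notlike 'PS*') { $values[$p.Name] = $p.Value }
            }
        }
        $values
    }
    $cfg = if ($ComputerName) { Invoke-Command -ComputerName $ComputerName -ScriptBlock $reader }
           else { & $reader }

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($name, $status, $detail) {
        $findings.Add([pscustomobject]@{ Value = $name; Status = $status; Detail = $detail })
    }

    # DWORD values with the minimum, maximum and default given in the FAQ.
    $rules = @(
        @{ Name = 'ADCachePollingInterval';        Min = 60;  Max = $null;  Default = 60    }
        @{ Name = 'ADCacheAutoRefreshInterval';    Min = 600; Max = $null;  Default = 3600  }
        @{ Name = 'LogFileMaxSizeMB';              Min = 1;   Max = 4096;   Default = $null }
        @{ Name = 'LogFileMaxCount';               Min = 1;   Max = 100;    Default = $null }
        @{ Name = 'SuppressDuplicatePushDuration'; Min = 0;   Max = 60;     Default = 30    }
        @{ Name = 'HttpProxyPort';                 Min = 1;   Max = 65535;  Default = 80    }
    )
    foreach ($r in $rules) {
        if (-not $cfg.ContainsKey($r.Name)) {
            $detail = if ($null -ne $r.Default) { "not set, default $($r.Default)" } else { 'not set' }
            Add-Finding $r.Name 'Default' $detail
            continue
        }
        $v       = [int64]$cfg[$r.Name]
        $range   = if ($null -ne $r.Max) { "$($r.Min)..$($r.Max)" } else { "$($r.Min) or more" }
        $tooHigh = ($null -ne $r.Max) -and ($v -gt $r.Max)
        if ($v -lt $r.Min -or $tooHigh) { Add-Finding $r.Name 'OutOfRange' "$v (allowed $range)" }
        else                            { Add-Finding $r.Name 'OK' $v }
    }

    # Log rotation needs BOTH values present and greater than 0.
    $size  = [int64]$cfg['LogFileMaxSizeMB']   # missing value casts to 0
    $count = [int64]$cfg['LogFileMaxCount']
    if (($size -gt 0) -xor ($count -gt 0)) {
        Add-Finding 'LogRotation' 'Disabled' 'only one of LogFileMaxSizeMB / LogFileMaxCount is set; the log is overwritten at the size limit'
    }

    # FailOpen=0 is fail closed: logins are denied whenever Duo is unreachable.
    if ($cfg.ContainsKey('FailOpen') -and [int64]$cfg['FailOpen'] -eq 0) {
        Add-Finding 'FailOpen' 'FailClosed' 'lockout risk if the Duo service cannot be contacted'
    } else { Add-Finding 'FailOpen' 'OK' 'fail open (default)' }

    # Pinning is on unless the value exists and is 0.
    if ($cfg.ContainsKey('EnableCertPinning') -and [int64]$cfg['EnableCertPinning'] -eq 0) {
        Add-Finding 'EnableCertPinning' 'Disabled' 'certificate pinning to the Duo service is off'
    } else { Add-Finding 'EnableCertPinning' 'OK' 'enabled' }

    # No named enforce group means the filter enforces MFA for everybody.
    if (-not $cfg.ContainsKey('DuoEnforceGroupName')) {
        Add-Finding 'DuoEnforceGroupName' 'Unset' 'no enforce group configured: MFA applies to all users'
    }

    $findings
}

Test-DuoSubAuthFilterConfig | Format-Table -AutoSize
```

Because Group Policy overrides values set with regedit, run the audit after a gpupdate on the DC so the values you read are the ones the filter actually uses.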
How does session reuse and token-based suppression work?
The subauthentication filter generally triggers MFA on every authentication attempt. However, Windows and Kerberos may reuse session tickets, reducing repeat prompts for the same user session. If an application reuses the Kerberos ticket or session, no new prompt occurs. Closing and reopening sessions may cause a new prompt.
Troubleshooting
Why does the filter's polling not pick up changes to nested group members?
The DuoSubAuthFilter caches AD group member information, updated every 60 minutes by default. While it polls the named DuoEnforce and DuoBypass groups every 60 seconds by default, this does not cause it to pick up membership changes made only to AD groups nested within the specified DuoEnforce or DuoBypass groups.
You can force a refresh of nested group information at the next polling update by also making a change to the named DuoEnforce or DuoBypass group, such as modifying the group's "Notes" attribute value.
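The script below is an added example for the DuoEnforce/DuoBypass configuration answers earlier on this page and for the nested-group refresh described just above; it is not part of Duo's documentation or tooling. It checks that each configured name resolves to exactly one AD security group (the registry value must match the group name exactly), writes DuoEnforceGroupName and DuoBypassGroupName to the filter's registry key, lists the effective membership including nested groups, and modifies the named group's Notes attribute (the AD attribute is called info) so the filter reloads nested-group membership at its next poll. The group names are placeholders; the ActiveDirectory module must be installed, and the script is meant to run on a domain controller as an administrator.

```powershell
# Added example (not Duo's own tooling): validate, configure, inspect and
# refresh the DuoEnforce / DuoBypass groups used by the DuoSubAuthFilter.
# Assumptions: the group names below are placeholders; the function names are mine.
Import-Module ActiveDirectory

$regPath = 'HKLM:\SOFTWARE\Policies\Duo Security\DuoSubAuthFilter'
$enforce = 'DuoEnforce'   # placeholder AD security group name
$bypass  = 'DuoBypass'    # placeholder AD security group name

function Resolve-DuoGroup {
    param([Parameter(Mandatory)][string]$Name)
    # The registry value must match the group name exactly, so look the group
    # up by exact sAMAccountName rather than an ambiguous search.
    $g = Get-ADGroup -Filter "SamAccountName -eq '$Name'" -Properties info
    if (-not $g) { throw "AD group '$Name' not found; the registry value must match an existing group name exactly." }
    if ($g.GroupCategory -ne 'Security') { throw "'$Name' is a $($g.GroupCategory) group; a security group is required." }
    $g
}

function Set-DuoGroupNames {
    param([string]$EnforceGroup, [string]$BypassGroup)
    $null = Resolve-DuoGroup $EnforceGroup
    $null = Resolve-DuoGroup $BypassGroup
    if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    New-ItemProperty -Path $regPath -Name DuoEnforceGroupName -PropertyType String -Value $EnforceGroup -Force | Out-Null
    New-ItemProperty -Path $regPath -Name DuoBypassGroupName  -PropertyType String -Value $BypassGroup  -Force | Out-Null
    Write-Warning 'Group name changes take effect only after the domain controller restarts.'
}

function Get-DuoEffectiveMembers {
    param([string]$GroupName)
    # -Recursive expands nested groups, which the filter honours for both enforce and bypass.
    $members = Get-ADGroupMember -Identity $GroupName -Recursive |
        Select-Object Name, objectClass, SamAccountName
    if (-not $members) {
        Write-Warning "'$GroupName' has no members. If this is the DuoEnforce group, the filter enforces MFA for everybody."
    }
    $members
}

function Invoke-DuoGroupRefresh {
    param([string]$GroupName)
    # Changing the named group's Notes attribute (stored as 'info') is a direct change,
    # so the filter reloads the group and its nested groups at its next 60-second poll
    # instead of waiting for the 60-minute cache refresh.
    $stamp = 'Duo cache refresh requested ' + (Get-Date -Format s)
    Set-ADGroup -Identity $GroupName -Replace @{ info = $stamp }
}

Set-DuoGroupNames -EnforceGroup $enforce -BypassGroup $bypass
Get-DuoEffectiveMembers $enforce | Format-Table -AutoSize
Get-DuoEffectiveMembers $bypass  | Format-Table -AutoSize
Invoke-DuoGroupRefresh $enforce
Invoke-DuoGroupRefresh $bypass
```

Run Invoke-DuoGroupRefresh after editing a nested group's membership; only editing the nested group itself leaves the filter waiting for the next full cache reload.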
Why might the installer fail to run or fail to register the filter?
- Ensure you have administrator privileges on the target machine.
- Check for antivirus or endpoint protection software blocking DLL registration. Add the DLL to an allowed list as needed.
Why might MFA not trigger as expected?
- Confirm users and endpoints are in the correct AD groups.
- In log-only mode, the filter does not enforce MFA. Check logs for expected behavior.
- Review registry configuration and ensure you enabled enforcement (EnableDuo=1).
- Check the request log to see the verdict and understand why MFA did not trigger.
- Remember that an empty DuoEnforce group does NOT mean "nobody gets MFA." An empty or unconfigured DuoEnforce group means the filter enforces MFA for everybody by default.
How do I resolve proxy or connectivity issues?
- Duo Legacy AD Protection respects the system (WinHTTP) proxy settings by default, or the Duo proxy if configured.
- Ensure domain controllers can reach Duo cloud endpoints via the configured proxy.
- If your environment is air-gapped, you may need to allow specific outbound connections for Duo.