Skip navigation

Thycotic Secret Server

Last Updated: August 6th, 2019


Thycotic has partnered with Duo Security to add two-factor authentication via Duo Push, phone call, or passcode to Secret Server.

Duo and Secret Server

Duo Security’s authentication platform secures access to the Thycotic Secret Server web console.

Connectivity Requirements

This application communicates with Duo's service on TCP port 443. Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review this Duo KB article.

First Steps

  1. Sign up for a Duo account.
  2. Log in to the Duo Admin Panel and navigate to Applications.
  3. Click Protect an Application and locate Thycotic Secret Server in the applications list. Click Protect this Application to get your integration key, secret key, and API hostname. (See Getting Started for help.)

Treat your secret key like a password

The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!

Configure Duo Security in Secret Server

Refer to the article Configuring Duo for Two Factor on the Thycotic site, or to the "Duo Security Authentication" section of the Secret Server Admin Guide. Follow the directions to configure Duo 2FA for Secret Server logins.

Users of IBM Security Secret Server should refer to the "Duo Security Authentication" instructions in the Secret Server User Guide.


Need some help? Try searching our Knowledge Base articles or Community discussions. For further assistance, contact Support.

Network Diagram

Secret Server Network Diagram

  1. Secret Server connection initiated
  2. Primary authentication
  3. Secret Server connection established to Duo Security over TCP port 443
  4. Secondary authentication via Duo Security’s service
  5. Secret Server receives authentication response
  6. Secret Server session logged in