We're running into a frustrating problem with our Duo MFA setup and Active Directory (AD) when remote users try to change their passwords while connected to the VPN. Here's what happens: when a user updates their password on their laptop while on the VPN, Windows asks them to log out and back in. However, after they do this, they can't log in again with the new password because it seems the VPN and AD aren't recognizing it. This leads to total lockout because the new password doesn't sync properly. In the past, we temporarily reverted the password to the old one as a workaround, which is less than ideal. I'm hoping someone has suggestions, whether it's configuration adjustments or alternatives to Duo, since I've seen this issue mentioned before but couldn't find a solid solution. Any help would be really appreciated!
3 Answers
One workaround that works for us is to have users lock their PC while connected to the VPN and then sign back in with the new password. It's been reliable for us with a similar Duo setup. You might want to try that!
Also, consider if you might be experiencing replication delays. Sometimes the Duo proxy connects to one domain controller, but the user’s workstation is connecting to another, and that can cause password changes not to sync properly.
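To test the replication-delay theory above, this added PowerShell check (not posted by anyone in the thread) asks every domain controller for its own copy of the user's pwdLastSet and flags the DCs that have not yet received the change. It assumes the RSAT ActiveDirectory module and a read-only domain account; the `$ProxyDC` name is a placeholder for whichever DC your Duo Authentication Proxy is configured to use.

```powershell
# Added example, not from the thread. Compare one user's password attributes as
# each DC currently holds them; a DC still showing the old pwdLastSet has not
# received the change yet. Run from a domain-joined admin workstation with RSAT.
param(
    [Parameter(Mandatory)][string]$SamAccountName,   # e.g. the locked-out remote user
    [string]$ProxyDC = 'dc01.example.local'           # placeholder: the DC your Duo proxy talks to
)
Import-Module ActiveDirectory

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Querying each DC directly (-Server) bypasses replication and shows that DC's own copy.
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                        -Properties pwdLastSet, badPwdCount, lockoutTime
        [pscustomobject]@{
            DomainController = $dc.HostName
            Site             = $dc.Site
            # pwdLastSet is a Windows FILETIME; 0 means "must change at next logon".
            PwdLastSet       = if ($u.pwdLastSet) { [DateTime]::FromFileTimeUtc($u.pwdLastSet) } else { $null }
            # badPwdCount is not replicated between DCs, so it shows which DC saw the failed logons.
            BadPwdCount      = $u.badPwdCount
            LockedOut        = ($u.lockoutTime -gt 0)
            IsProxyDC        = ($dc.HostName -ieq $ProxyDC)
            Error            = $null
        }
    } catch {
        # An unreachable DC is itself useful information for the VPN/proxy path.
        [pscustomobject]@{ DomainController = $dc.HostName; Site = $dc.Site; PwdLastSet = $null
                           BadPwdCount = $null; LockedOut = $null; IsProxyDC = ($dc.HostName -ieq $ProxyDC)
                           Error = $_.Exception.Message }
    }
}

$results | Sort-Object PwdLastSet | Format-Table -AutoSize

# If the DCs disagree on pwdLastSet, the change has not converged; list the stale copies.
$times = $results | Where-Object { $_.PwdLastSet } | Select-Object -ExpandProperty PwdLastSet -Unique
if ($times.Count -gt 1) {
    $newest = ($times | Measure-Object -Maximum).Maximum
    Write-Warning "pwdLastSet differs across DCs; newest value is $newest (UTC)."
    $results | Where-Object { $_.PwdLastSet -and $_.PwdLastSet -lt $newest } | ForEach-Object {
        Write-Warning "  Stale copy on $($_.DomainController) [$($_.Site)]; Duo proxy DC: $($_.IsProxyDC)"
    }
}
```

If the DC marked as the proxy DC is among the stale copies while the user's workstation authenticated elsewhere, that matches the symptom described in the question; a DC that lists badPwdCount climbing is the one receiving the retries with the old password.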
Could you clarify where the users are resetting their passwords? If they're using 'Ctrl + Alt + Del' to change it, check your Auth Proxy and RADIUS logs. It sounds like there may be a communication issue with the domain. Also, if you're using Duo SSO via LDAPS proxies, that might not lead to similar issues. Looking into the AD logs for failed logon attempts could provide more insight too.
Yes, they reset it while on the VPN using 'Ctrl + Alt + Del'. I’m planning to check the logs soon. Thanks for your advice!
I appreciate the tip! We normally just follow the prompts to sign out and back in, but I'll definitely give locking the PC a shot next time.