Duo Access Gateway for Windows remains a practical on‑premises SAML 2.0 identity provider for organizations that must host their own SSO front end, but its roadmap, support status, and an imminent certificate authority (CA) bundle change require immediate planning and careful operational work for Windows administrators who still run it in production.
Source: Duo Security, “Duo Access Gateway for Windows” (Duo Security documentation)
Background / Overview
Duo Access Gateway (DAG) is an on‑premises SAML IdP that adds Duo two‑factor authentication (2FA), inline self‑service enrollment, and the Duo prompt to cloud services such as Google Workspace, Salesforce, and many other SAML‑aware applications. It integrates with on‑premises directories (Active Directory, OpenLDAP) and cloud identity sources (Google, Microsoft Entra), and can import custom SAML metadata for almost any SAML 2.0 service provider. The DAG Windows installer deploys into IIS on a server in a perimeter (DMZ) network and depends on specific platform components such as a non‑thread‑safe PHP 8.1 runtime and the Visual C++ redistributable. Two items set out in Duo’s documentation will materially affect DAG deployments:
- Duo Access Gateway reached a practical Last Day of Support for Duo commercial plan customers (Essentials, Advantage, Premier) on October 26, 2023; Duo encourages migration to Duo Single Sign‑On (cloud SSO) and will not add Universal Prompt support to DAG for those customers.
- Duo announced a certificate authority (CA) pinning bundle replacement; the existing pinned CA bundle will expire and Duo products that rely on certificate pinning (including some DAG builds) require a software update to continue working after February 2, 2026. Administrators must identify and update affected Duo applications before that date.
What Windows administrators need to know now
Support and product lifecycle status
- Duo Access Gateway is functionally stable and still downloadable for Windows, but for commercial customers DAG has an effective Last Day of Support that passed on October 26, 2023. Duo’s published guidance focuses on migration to Duo Single Sign‑On as the recommended path forward.
- Duo will not be back‑porting the Universal Prompt (Duo’s modern authentication UI) to DAG for commercial plan customers; that modernization is provided via Duo Single Sign‑On. Organizations that require Universal Prompt features, accessibility improvements, or continued feature updates should plan to migrate.
Certificate authority bundle replacement — the urgent calendar item
- Duo has announced an action window: the existing CA pinning bundle will expire and Duo products that use certificate pinning will require updates to continue operating after February 2, 2026. This is not a local certificate expiration like an SSL cert on IIS — this is Duo changing which root/intermediate CAs it will trust in the pinned bundle used by Duo code. You must ensure your DAG instance is running a release that includes the updated CA bundle before Feb 2, 2026.
- The CA bundle work is part of the broader ecosystem changes in public PKI (root program adjustments and CA rehierarchies). Microsoft’s Trusted Root Program notices and major CA vendors are also rotating and restructuring CA hierarchies in 2024–2026, which increases the odds that any pinned CA list maintained in software will need updating. Treat this as a hard deadline for any Duo product that pins CA certificates.
Security protocol baseline
- Duo disallows TLS 1.0 and TLS 1.1 since June 30, 2023; Duo services require TLS 1.2+ and modern cipher suites. DAG and the supporting Windows server must be configured to negotiate TLS 1.2 or higher for certificate validation and connectivity to Duo’s cloud APIs. Confirm IIS and OS configuration, and verify any LDAP/LDAPS transport types to your domain controllers meet modern cryptographic standards.
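The TLS baseline above is enforced on Windows through Schannel registry settings, and the ASP.NET components on the DAG host follow the .NET Framework's own TLS selection unless told to use the OS policy. The script below is an added example (not Duo's code) that audits both and, only with `-Apply`, writes the hardened values for TLS 1.0/1.1. It assumes an elevated session on the DAG host; Schannel changes take effect after a reboot.

```powershell
# Added example (not Duo's code): audit Schannel and .NET TLS settings on a DAG host
# against the TLS 1.2+ baseline; with -Apply, disable TLS 1.0/1.1 in Schannel.
# Assumptions: elevated session on the DAG host; reboot required after -Apply.
param(
    [switch]$Apply    # without -Apply the script only reports
)

$schannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$legacy = @('TLS 1.0', 'TLS 1.1')
$modern = @('TLS 1.2', 'TLS 1.3')

function Get-SchannelProtocolState {
    # One row per protocol and role. A missing key means the OS default applies, which on
    # the Windows Server versions DAG supports may still allow the legacy protocols, so a
    # missing key for TLS 1.0/1.1 is reported for review rather than treated as disabled.
    foreach ($proto in ($legacy + $modern)) {
        foreach ($role in 'Server', 'Client') {
            $key = Join-Path $schannelRoot "$proto\$role"
            $enabled = $null; $disabledByDefault = $null
            if (Test-Path $key) {
                $p = Get-ItemProperty -Path $key
                $enabled = $p.Enabled
                $disabledByDefault = $p.DisabledByDefault
            }
            $isLegacy = $proto -in $legacy
            # Legacy protocols must be explicitly off; modern ones must not be explicitly off.
            $ok = if ($isLegacy) { ($enabled -eq 0) -and ($disabledByDefault -eq 1) } else { $enabled -ne 0 }
            [pscustomobject]@{
                Protocol          = $proto
                Role              = $role
                KeyPresent        = (Test-Path $key)
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
                Status            = if ($ok) { 'OK' } else { 'REVIEW' }
            }
        }
    }
}

function Get-DotNetTlsState {
    # SchUseStrongCrypto=1 and SystemDefaultTlsVersions=1 make .NET Framework 4.x callers
    # (including ASP.NET on the IIS host) follow the Schannel policy above.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key                      = $key
            SchUseStrongCrypto       = $p.SchUseStrongCrypto
            SystemDefaultTlsVersions = $p.SystemDefaultTlsVersions
            Status = if ($p.SchUseStrongCrypto -eq 1 -and $p.SystemDefaultTlsVersions -eq 1) { 'OK' } else { 'REVIEW' }
        }
    }
}

function Set-LegacyTlsDisabled {
    # Writes Enabled=0 and DisabledByDefault=1 for TLS 1.0/1.1, server and client roles.
    foreach ($proto in $legacy) {
        foreach ($role in 'Server', 'Client') {
            $key = Join-Path $schannelRoot "$proto\$role"
            New-Item -Path $key -Force | Out-Null
            New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Value 0 -Force | Out-Null
            New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
Get-DotNetTlsState | Format-Table -AutoSize
if ($Apply) {
    Set-LegacyTlsDisabled
    Write-Host 'TLS 1.0/1.1 disabled in Schannel; reboot the host for the change to take effect.'
}
```

Disabling the client-side TLS 1.0/1.1 entries also governs the DAG host's own LDAPS/STARTTLS connections, so confirm the domain controllers negotiate TLS 1.2 before running with `-Apply`.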
Deployment essentials for Duo Access Gateway on Windows
Recommended host posture and network placement
- Place the DAG host in a DMZ/perimeter network, not domain‑joined, and limit RDP/console access to a small set of administrators. Duo’s installer expects IIS on C: and deploys to C:\Inetpub\wwwroot\dag. Minimum sizing from Duo: 2× 2 GHz processors, 4 GB RAM, and 60 GB disk. Confirm patch management, AV guidance, and host hardening against current Microsoft best practices.
- Required ports: HTTPS outbound/inbound on TCP 443 for Duo communications; LDAP/LDAPS ports (389/636) to your directory controllers if using on‑prem directory authentication. Avoid firewall rules that restrict Duo traffic to a fixed IP list: Duo's backend IPs may change, so Duo advises DNS‑based allowances, or consult the Duo KB for current IP allowlisting guidance.
IIS and prerequisite software
- Install IIS with Web‑CGI and ASP.NET 4.5 features, plus the .NET prerequisites. The Duo installer expects the PHP package (non‑thread‑safe) to be present — Duo recommends PHP 8.1.31 (minimum supported 8.1.11; DAG 1.5.13+ requires PHP 8.1). Ensure the Windows 10 Universal C Runtime is installed because the Visual C++ redistributable depends on it.
- Obtain a public SSL certificate (not from an internal enterprise CA unless you manage distribution of that CA to all clients). Import the full certificate chain into the machine store and bind it to the default website on port 443. Duo explicitly warns external clients will see trust errors for internal CA certificates unless the full chain is trusted.
Authentication sources supported
- DAG supports these primary authentication sources on Windows deployments:
  - Active Directory (LDAP/LDAPS/STARTTLS)
  - OpenLDAP
  - SAML IdPs (as primary)
  - Google OpenID Connect
  - Microsoft Entra (Azure) OpenID Connect
Configure the source carefully and test the LDAP bind and user attribute mappings — DAG maps common attributes such as mail, sAMAccountName, givenName, and sn by default, and many SAML SPs expect specific attributes in the assertion.
Logging, backups and HA
- DAG logs to C:\inetpub\wwwroot\dag\log\dag.log and keeps configuration JSONs and certificates under the dag\config and dag\cert directories. Back up config.json, custom-apps.json (if present), the authentication source JSONs, certificate PEM/CRT files, metadata JSON files, and launcher images. DAG supports a standby server workflow: deploy a second server with an identical hostname/CNAME and copy the configuration files to the standby. A load balancer in front of two identical DAG servers is supported for active/active or active/passive setups.
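The backup list and standby workflow above are easy to get subtly wrong (a stale file on the standby, a restore that silently misses a cert). The following is an added example (not Duo's code) that snapshots the dag\config and dag\cert directories into a hashed, access-restricted archive and compares a primary tree with a standby copy. It assumes the default install path C:\Inetpub\wwwroot\dag; `$BackupRoot` and the standby share path are placeholders, and any folder holding launcher images or metadata outside those two directories is passed via `-ExtraPaths`.

```powershell
# Added example (not Duo's code): back up DAG config/cert directories with a SHA-256
# manifest, and compare primary vs. standby trees. Paths other than the documented
# C:\Inetpub\wwwroot\dag default are placeholders.
param(
    [string]$DagRoot      = 'C:\Inetpub\wwwroot\dag',
    [string]$BackupRoot   = 'D:\DagBackups',      # placeholder: use a protected location
    [string[]]$ExtraPaths = @()                   # extra dag subfolders to include, if any
)

function Get-DagTreeManifest {
    # Relative path -> SHA-256 for every file under the listed subdirectories of $Root.
    param([string]$Root, [string[]]$SubDirs)
    $manifest = @{}
    foreach ($sub in $SubDirs) {
        $dir = Join-Path $Root $sub
        if (-not (Test-Path $dir)) { Write-Warning "Missing: $dir"; continue }
        Get-ChildItem -Path $dir -Recurse -File | ForEach-Object {
            $rel = $_.FullName.Substring($Root.TrimEnd('\').Length + 1)
            $manifest[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
    return $manifest
}

function Backup-DagConfig {
    param([string]$Root, [string]$Destination, [string[]]$SubDirs)
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    $staging = Join-Path $Destination "dag-$stamp"
    New-Item -ItemType Directory -Path $staging -Force | Out-Null
    foreach ($sub in $SubDirs) {
        $src = Join-Path $Root $sub
        if (Test-Path $src) {
            Copy-Item -Path $src -Destination (Join-Path $staging $sub) -Recurse -Force
        }
    }
    # Manifest taken from the live tree so a restore can be verified byte-for-byte.
    $manifest = Get-DagTreeManifest -Root $Root -SubDirs $SubDirs
    $manifest.GetEnumerator() | Sort-Object Name |
        Select-Object @{n='Path';e={$_.Name}}, @{n='Sha256';e={$_.Value}} |
        Export-Csv -Path (Join-Path $staging 'manifest.csv') -NoTypeInformation
    $archive = "$staging.zip"
    Compress-Archive -Path (Join-Path $staging '*') -DestinationPath $archive -Force
    Remove-Item -Path $staging -Recurse -Force
    # dag\cert holds private keys: drop inherited ACLs, allow Administrators and SYSTEM only.
    icacls $archive /inheritance:r /grant:r 'BUILTIN\Administrators:(F)' 'NT AUTHORITY\SYSTEM:(F)' | Out-Null
    return $archive
}

function Compare-DagTree {
    # Reports files that differ, or exist on only one side, between primary and standby.
    param([string]$Primary, [string]$Standby, [string[]]$SubDirs)
    $a = Get-DagTreeManifest -Root $Primary -SubDirs $SubDirs
    $b = Get-DagTreeManifest -Root $Standby -SubDirs $SubDirs
    foreach ($path in (@($a.Keys) + @($b.Keys) | Sort-Object -Unique)) {
        $state = if (-not $a.ContainsKey($path)) { 'STANDBY ONLY' }
                 elseif (-not $b.ContainsKey($path)) { 'PRIMARY ONLY' }
                 elseif ($a[$path] -ne $b[$path]) { 'DIFFERENT' }
                 else { 'SAME' }
        if ($state -ne 'SAME') { [pscustomobject]@{ Path = $path; State = $state } }
    }
}

$dirs = @('config', 'cert') + $ExtraPaths
$zip  = Backup-DagConfig -Root $DagRoot -Destination $BackupRoot -SubDirs $dirs
Write-Host "Backup written to $zip"
# Standby check, run from the primary with the standby's tree reachable over an admin share:
# Compare-DagTree -Primary $DagRoot -Standby '\\dag-standby\c$\Inetpub\wwwroot\dag' -SubDirs $dirs
```

Run the backup before every DAG upgrade and keep the manifest with the archive; `Compare-DagTree` returning no rows is the condition to require before failing over to the standby.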
The CA bundle replacement: what to do and why it matters
Why Duo is replacing the pinned CA bundle
Duo uses a pinned CA bundle in some of its on‑prem and client products to validate TLS and to provide an additional layer of trust control. When root/intermediate CA hierarchies change — either because a CA reissues roots, reorganizes hierarchies, or is removed from root programs — any software that performs certificate pinning must be updated to include the new trusted CAs. Duo’s announcement sets a fixed cut‑over window: after February 2, 2026, older pinned bundles will no longer be valid and affected Duo software must be updated.
The operational risk if you do nothing
- Unpatched DAG instances that rely on the older pinned bundle may fail to validate Duo cloud endpoints or fail to fetch updated content from Duo services, resulting in failed 2FA prompts, launcher failures, or authentication flow interruptions.
- Because DAG can act as the IdP for many cloud applications, the outage surface is large: users may be unable to perform SAML logins to many services.
- If your DAG installation uses certificate pinning internally (for LDAP over TLS), ensure those certificates are rotated and validated against the new CA bundle where relevant.
Action plan and timeline (recommended)
- Inventory: Immediately identify all Duo products in your estate — DAG instances, AD FS adapters, Duo Desktop/clients, Duo Network Gateway, Duo Authentication Proxy, etc. Use Duo release notes to map which versions include the new CA bundle.
- Check Duo product versions: Determine the minimum versions that add support for the new Duo CA authorities. Duo release notes for Network Gateway, AD FS, Desktop, and other products frequently list “Adds support for new Duo certificate authorities” in changelogs. Upgrade those products to the minimum or later releases well before Feb 2, 2026.
- Test upgrades in a staging environment: Validate that upgraded DAG builds can complete SAML flows and that the DAG server can contact Duo cloud APIs over TLS using the new pinned CA bundle. Also simulate Duo unreachability scenarios to validate fail‑mode behavior.
- Schedule production upgrades: Plan maintenance windows to update DAG servers and any dependent clients. Maintain a rollback plan and backups of all DAG JSON and cert files.
- If upgrading DAG is not feasible: Consider migrating specific applications to Duo Single Sign‑On (cloud SSO), which Duo recommends as a future‑proof alternative; Duo SSO is where Duo is investing in Universal Prompt support and active feature development. Migration tooling exists to copy DAG application settings into Duo SSO applications.
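The inventory and version-check steps above are the ones most often done by hand from a spreadsheet. The script below is an added example (not Duo's code) that reads the Duo products registered in Programs and Features on one or more Windows hosts and flags anything below a minimum version. Everything in `$MinimumVersions` is a placeholder: the product names are assumed display-name prefixes and the version numbers are not from the page, so fill them from Duo's release notes. It also assumes WinRM is enabled for remote hosts and that each Duo product registers an uninstall entry whose DisplayName starts with "Duo"; verify that against one known host first.

```powershell
# Added example (not Duo's code): inventory Duo software from the Uninstall registry keys
# and compare against admin-supplied minimum versions. All names/versions in
# $MinimumVersions are placeholders to be replaced from Duo's release notes.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

# Placeholder table: set each value to the first release whose notes say
# "Adds support for new Duo certificate authorities" for that product.
$MinimumVersions = @{
    'Duo Access Gateway'       = '0.0.0'
    'Duo Authentication Proxy' = '0.0.0'
    'Duo Desktop'              = '0.0.0'
}

$uninstallHives = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Runs locally or inside Invoke-Command; returns one row per Duo uninstall entry.
$collector = {
    param([string[]]$Hives)
    foreach ($hive in $Hives) {
        Get-ChildItem -Path $hive -ErrorAction SilentlyContinue |
            ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
            Where-Object { $_.DisplayName -like 'Duo*' } |
            Select-Object DisplayName, DisplayVersion, InstallDate
    }
}

function Get-DuoInventory {
    param([string[]]$Computers)
    foreach ($c in $Computers) {
        $rows = if ($c -ieq $env:COMPUTERNAME) { & $collector $uninstallHives }
                else { Invoke-Command -ComputerName $c -ScriptBlock $collector -ArgumentList (,$uninstallHives) }
        foreach ($r in $rows) {
            [pscustomobject]@{
                Computer  = $c
                Product   = $r.DisplayName
                Version   = $r.DisplayVersion
                Installed = $r.InstallDate
            }
        }
    }
}

function Add-VersionVerdict {
    # Matches each product against the baseline table by name prefix and classifies it.
    param([Parameter(ValueFromPipeline)]$Row)
    process {
        $required = $null
        foreach ($name in $MinimumVersions.Keys) {
            if ($Row.Product -like "$name*") { $required = $MinimumVersions[$name]; break }
        }
        $verdict = if (-not $required) { 'NO BASELINE' }
                   else {
                       try { if ([version]$Row.Version -ge [version]$required) { 'OK' } else { 'UPGRADE' } }
                       catch { 'UNPARSEABLE VERSION' }
                   }
        [pscustomobject]@{
            Computer = $Row.Computer; Product = $Row.Product; Version = $Row.Version
            Installed = $Row.Installed; Required = $required; Verdict = $verdict
        }
    }
}

Get-DuoInventory -Computers $ComputerName | Add-VersionVerdict |
    Sort-Object Verdict, Computer | Format-Table -AutoSize
```

Rows marked NO BASELINE are Duo products you have not yet mapped against the release notes; treat them as unknowns in the plan rather than as passes.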
Migration versus continued on‑prem operation: pros and cons
Option A — Upgrade and continue running DAG on Windows
Benefits:
- Keeps IdP and SSO operations under local control: favored when regulatory or network topology demands an on‑prem IdP.
- Enables existing SAML application configurations to remain unchanged on the service provider side (for many apps).
- Can support legacy application scenarios where SAML metadata must be under local control.
Drawbacks:
- DAG is no longer the Duo feature focus for commercial customers; expect only security/critical fixes, not new features like Universal Prompt.
- Ongoing operational overhead: patching IIS, PHP runtime, Windows Server, and responding to Duo CA bundle updates or other PKI changes.
- If you miss the Feb 2, 2026 update window (or fail to apply required updates), you risk authentication outages.
Best suited for:
- Organizations that must keep SAML IdP on‑prem for compliance or isolation, and that have the operational discipline to maintain DAG with patched versions and to perform CA bundle updates.
Option B — Migrate to Duo Single Sign‑On (cloud-hosted)
Benefits:
- Duo Single Sign‑On (Duo SSO) is Duo’s actively developed cloud SAML/OIDC IdP and supports the Universal Prompt, inline enrollment, Duo Central (app portal), immediate policy updates, and reduces on‑prem maintenance. Migration tooling is available to convert DAG app settings to Duo SSO entries.
- Eliminates need for a Windows DMZ host running IIS/PHP, reducing host management overhead and surface area for OS-level vulnerabilities.
Drawbacks:
- Cloud IdP may introduce network dependency or policy constraints depending on organizational policy or regulatory restrictions.
- Some DAG configurations or custom metadata edits may not migrate perfectly and will need manual verification.
- For applications with special integration needs or non‑migratable apps, you may still need a hybrid approach.
Best suited for:
- Organizations seeking to reduce on‑prem operational burden, adopt Universal Prompt, and receive ongoing feature and security updates directly from Duo.
Operational checklist for administrators (concise)
- Inventory all DAG servers and current DAG version numbers.
- Verify which Duo products in your environment use certificate pinning and consult Duo release notes for the minimum versions that include the new CA bundle.
- For each DAG host:
  - Confirm Windows Server OS is supported (Windows Server 2016, 2019, or 2022 per Duo docs) and patched.
  - Ensure IIS features and PHP 8.1 (non‑thread‑safe) are installed (DAG recommends 8.1.31).
  - Confirm TLS policies on the host disable TLS 1.0/1.1 and prefer TLS 1.2+/1.3.
  - Verify the SSL certificate chain is installed and resolves externally without warnings.
  - Back up DAG configuration files and certs to a secure location.
- Test a staged upgrade to the DAG build that includes the new CA bundle (or, if migration is chosen, run the DAG→Duo SSO migration tool for a test application).
- If you use LDAPS/STARTTLS, ensure domain controller cert chains are SHA‑256+ and 2048+ RSA (or equivalent ECDSA) to meet modern cipher/key strength expectations. Duo’s proxies and integrations require modern certs for secure LDAP.
- Schedule production upgrades with rollback and communications to affected application owners and support teams before Feb 2, 2026.
Troubleshooting and gotchas
- DAG admin console access is locked to the DAG host IPs by default. If you need remote admin access from a different management host, provide the additional IPs during install or update the allowed IP list in configuration — plan for secure management and RDP hardening.
- LDAP binding issues: If DAG reports “Bind Failed,” re‑verify the Search username/password, the Search base DN(s), the Search attributes mapping, and the transport mode (CLEAR vs LDAPS vs STARTTLS). If using secure LDAP, ensure the CA chain is pasted into the DAG AD Certificate field in PEM format and that the server name used matches the certificate CN/SAN.
- Universal Prompt mismatch: DAG will continue to show the legacy Duo prompt in many cases and will not be updated to Universal Prompt for Duo commercial plan customers. Where modern prompt behavior or passkey support is required, migrate apps to Duo SSO.
- Fail mode behavior: DAG supports “safe” or “secure” fail modes. Understand the difference — “safe” may allow authenticated users through if the DAG cannot reach Duo’s cloud for 2FA, whereas “secure” blocks access if Duo cannot be contacted. Choose the mode that matches your availability vs risk tolerance. Test offline scenarios during maintenance windows.
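The LDAPS requirements in the checklist (SHA‑256+ signatures, 2048+ RSA or ECDSA keys) and the "Bind Failed" troubleshooting note (CA chain in PEM, name matching the certificate CN/SAN) can be verified with one probe. The script below is an added example (not Duo's code) that completes a TLS handshake with a domain controller on 636, evaluates the presented certificate against those checks, builds the chain from the local trust store, and prints the issuing CA chain as PEM ready for the DAG AD certificate field. Pointed at the DAG host on port 443 from an outside client, the same probe shows the chain external users receive. `$DomainController` is a placeholder FQDN; the probe covers LDAPS only (STARTTLS on 389 needs an LDAP-level exchange it does not perform) and trusts whatever the machine running it trusts.

```powershell
# Added example (not Duo's code): probe an LDAPS endpoint, check key/signature/name/chain,
# and emit the CA chain as PEM. $DomainController is a placeholder.
param(
    [string]$DomainController = 'dc01.corp.example.com',   # placeholder
    [int]$Port = 636
)

function Get-TlsServerCertificate {
    # Completes a TLS 1.2 handshake as a client and returns the leaf certificate plus the
    # policy errors .NET computed (name mismatch, chain problems) without aborting.
    param([string]$HostName, [int]$Port)
    $state = @{ Leaf = $null; Errors = $null }
    $callback = {
        param($sender, $cert, $chain, $errors)
        $state.Leaf   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cert)
        $state.Errors = $errors
        return $true        # probe only: record the verdict, never enforce it here
    }.GetNewClosure()
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $true)
        [pscustomobject]@{ Leaf = $state.Leaf; PolicyErrors = $state.Errors; Protocol = $ssl.SslProtocol }
    }
    finally { $tcp.Close() }
}

function ConvertTo-Pem {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $b64 = [Convert]::ToBase64String($Certificate.RawData) -replace '(.{64})', "`$1`n"
    "-----BEGIN CERTIFICATE-----`n$($b64.TrimEnd())`n-----END CERTIFICATE-----"
}

function Test-LdapsCertificate {
    param([string]$HostName, [int]$Port = 636)
    $probe = Get-TlsServerCertificate -HostName $HostName -Port $Port
    $cert  = $probe.Leaf

    # Key strength: RSA must be 2048 bits or more; any ECDSA key passes.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $ec  = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPublicKey($cert)
    $keyDesc = if ($rsa) { "RSA $($rsa.KeySize)" } elseif ($ec) { "ECDSA $($ec.KeySize)" } else { 'unknown' }
    $keyOk   = ($null -ne $rsa -and $rsa.KeySize -ge 2048) -or ($null -ne $ec)

    # Signature hash: SHA-1 or MD5 signatures fail the SHA-256+ expectation.
    $sigName = $cert.SignatureAlgorithm.FriendlyName
    $sigOk   = $sigName -notmatch 'sha1|md5'

    # SAN DNS names: the server name configured in DAG must be one of these. SslStream has
    # already done the match (wildcards included) and reports RemoteCertificateNameMismatch.
    $sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanNames = if ($sanExt) {
        [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    } else { @() }
    $nameOk = ($probe.PolicyErrors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) -eq 0

    # Chain build against this machine's store; revocation reachability is a separate check.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)
    # Everything above the leaf, as PEM, for the DAG AD certificate field.
    $caPem = @($chain.ChainElements | Select-Object -Skip 1 | ForEach-Object { ConvertTo-Pem $_.Certificate }) -join "`n"

    [pscustomobject]@{
        Server       = "$HostName`:$Port"
        Protocol     = $probe.Protocol
        Subject      = $cert.Subject
        NotAfter     = $cert.NotAfter
        Key          = $keyDesc;  KeyOk = $keyOk
        Signature    = $sigName;  SignatureOk = $sigOk
        SanDnsNames  = ($sanNames -join ', ');  NameOk = $nameOk
        ChainTrusted = $chainOk
        ChainStatus  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        CaChainPem   = $caPem
    }
}

Test-LdapsCertificate -HostName $DomainController -Port $Port | Format-List
```

A `ChainTrusted` of False with a `ChainStatus` of PartialChain or UntrustedRoot on a DC certificate issued by an internal CA is expected when the probe runs from a non-domain-joined DMZ host such as the DAG server itself; that is exactly the case where the printed `CaChainPem` must be pasted into DAG so the LDAPS bind can validate the chain.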
Final assessment — strengths and risks
Duo Access Gateway’s strengths on Windows are clear: it provides a straightforward SAML IdP that works with existing AD and other directory sources, offers inline user enrollment, and integrates Duo 2FA into SAML flows without rearchitecting service providers. DAG is a solid fit where on‑premises control is required and where teams are comfortable maintaining IIS, PHP, and Windows Server stacks.
But the strategic risks are non‑trivial:
- Duo’s product focus has shifted to Duo Single Sign‑On (cloud SSO) and the Universal Prompt; DAG will not receive feature parity updates like the Universal Prompt for commercial customers. For long‑term innovation and feature support, Duo SSO is the path Duo expects customers to take.
- The announced CA pinning bundle change with a fixed deadline (February 2, 2026) creates an inflexible upgrade requirement. Administrators who defer planning risk authentication outages across all SAML apps federated through DAG.
- DAG requires continued OS/PHP/IIS maintenance; organizations must weigh the cost of that operational burden against the benefits of keeping the IdP on‑prem.
Conclusion and recommended next steps (concise)
- Immediately inventory all DAG installations and Duo products in your environment and map versions against Duo release notes to see which releases add the new CA authorities.
- If you must continue running DAG, schedule staged upgrades and end‑to‑end testing well ahead of February 2, 2026. Ensure backups and an HA/standby server or load balancer plan are in place.
- Evaluate a migration plan to Duo Single Sign‑On for longer‑term support, Universal Prompt access, and reduced on‑premise maintenance; use Duo’s DAG→Duo SSO migration tools to test and validate apps.
- Harden IIS and Windows, enforce TLS 1.2+/modern ciphers, validate LDAP certificate chains, and document rollback plans for any planned upgrades.