Upgrade Your Security: Migrating Duo Authentication from AD FS 2.1 on Windows Server 2012

Duo Authentication for Microsoft AD FS 2.1 on Windows 2012 is now a relic of the past—a chapter that administrators need to close in favor of modern, secure solutions. As Microsoft ended support for Windows Server 2012 and 2012 R2 on October 10, 2023, Duo’s support for its AD FS 2.1 integration on these legacy systems ceased on the very same date. If your organization is still clinging to Windows Server 2012 for AD FS, it’s time to ask: Isn't it time for an upgrade?

A Brief Overview of Duo’s AD FS Integration

For those who appreciate a quick refresher, Duo’s integration with Microsoft AD FS 2.1 was designed to add an extra layer of security—two-factor authentication—to browser-based federated logins. Featuring inline self-service enrollment and the recognizable Duo Prompt, it supported relying parties using protocols like Microsoft’s WS-Federation and SAML 2.0. In practical terms, if you were using Office 365, Google G Suite, or another federated service, Duo helped secure logins by ensuring that after passing the primary authentication, users would face an additional authentication challenge.

The Implications of End-of-Support

The end of support for Windows Server 2012 and 2012 R2 by Microsoft on October 10, 2023 automatically means that Duo’s support for AD FS 2.1 on these platforms has also ended. This isn’t just a minor update—it’s a stark reminder that staying with unsupported infrastructure means missing out on critical security updates, new features, and compliance assurances.
Key points to note:
  • The security of your infrastructure is directly linked to the support lifecycle of both your operating system and your authentication mechanisms.
  • Continuing to deploy legacy Duo integrations on outdated Windows servers exposes your organization to significant security vulnerabilities.
  • Duo’s traditional iframe-based prompt reached its end of life on March 30, 2024, and no further updates will extend its functionality.

Migration: Charting a Path to a Secure Future

For administrators still using AD FS 2.1 on Windows Server 2012, migration is not merely advisable—it’s essential. Here’s what you need to know and do:

Upgrade to Supported Windows Server Versions

  • Move to Windows Server 2016 or Later: Microsoft has ensured that newer versions of Windows Server come with support for advanced AD FS capabilities. By migrating your AD FS environment to Windows Server 2016 or later, you unlock the ability to use Duo for AD FS v2.x.
  • Switch to the AD FS MFA Adapter: For Windows Server 2016 onwards, use the AD FS MFA adapter rather than the legacy AD FS 2.1 integration. This adapter supports enhanced security features and is designed to work seamlessly with modern authentication prompts.

Transitioning from Traditional to Universal Prompt

  • Duo Universal Prompt: The new Universal Prompt isn’t just about aesthetics; it offers a streamlined, accessible, and secure login experience. Note, however, that the AD FS 2.1 integration uses the traditional Duo Prompt and cannot be upgraded to the Universal Prompt.
  • Upgrade Requirements: To benefit from the Universal Prompt, you must deploy Duo’s MFA plugin for AD FS on Windows Server 2016 or later (version 2.0.0 or newer). You can reuse the same Duo AD FS application from your Duo Admin Panel across AD FS versions, but the Universal Prompt status shown in the panel reflects compatibility only for the modern (2.0.0 or newer) deployments.

Deployment Essentials: Setting Up Duo on Your AD FS Server

If you’re ready to move forward and install Duo on a supported environment, consider these critical deployment steps:

Pre-Deployment Checklist

  • Familiarize Yourself with Duo Administration: Before embarking on installation, review the Duo administration concepts and features. Gain insights into enrollment methods, policy settings, and application options.
  • Verify Federated Logins: Ensure that federated logins to your relying parties (e.g., Office 365, Google G Suite) are operational.
  • Sign Up for a Duo Account: Log into the Duo Admin Panel and navigate to Applications → Protect an Application. Select the 2FA-only entry for Microsoft ADFS to obtain your Client ID, Client secret, and API hostname.
  • Prepare Your Windows Environment: Ensure ASP.NET 3.5 support is installed on IIS. You can install this feature via the Server Manager console or, from an elevated PowerShell session, with these two commands (the Windows feature name for ASP.NET 3.5 on IIS is Web-Asp-Net):
    • Import-Module ServerManager
    • Add-WindowsFeature Web-Asp-Net

Installation Process

  • Run the Installer: Launch the Duo Security installer MSI with administrative privileges (“Run as Administrator”). Accept the license agreement, then input your integration credentials.
  • Session Key Considerations:
    • For single-server deployments, you have the option to auto-generate a new key.
    • For AD FS farms operating behind a load-balancer, manually generate a random session key (at least 40 characters long) and ensure it’s used consistently across all servers. Sample PowerShell commands are available to create such a key.
  • Automatic IIS Restart: The Duo installer will automatically stop and restart IIS services once installation is complete.
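As an added example (not Duo’s own sample commands), the following PowerShell generates a farm-wide session key that meets the 40-character minimum from a cryptographic random source, so the same value can be entered on every AD FS node behind the load balancer; the function name New-DuoSessionKey and the 48-character default are my assumptions.

```powershell
# Added example: generate a random session key (>= 40 characters) for an AD FS farm.
# Assumed function name; the 48-character default exceeds Duo's 40-character minimum.
function New-DuoSessionKey {
    param([int]$Length = 48)

    if ($Length -lt 40) {
        throw "Duo requires a session key of at least 40 characters."
    }

    # Letters and digits only, so the key pastes cleanly into the installer on each node.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $sb = New-Object System.Text.StringBuilder
    $buf = New-Object byte[] 1

    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        # 248 = 4 * 62: reject bytes at or above it so each of the 62 characters is
        # equally likely (a plain modulo would bias the first few characters).
        if ($buf[0] -lt 248) {
            [void]$sb.Append($alphabet[$buf[0] % 62])
        }
    }

    $rng.Dispose()
    return $sb.ToString()
}

# Generate once, record it in your password vault, and supply the identical value
# to the Duo installer on every server in the farm.
$sessionKey = New-DuoSessionKey
$sessionKey
```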

Testing and Validation

After installation, validate your setup by signing in through a web service that relies on AD FS for authentication. For example, signing in to Office 365 (the Microsoft “Sign in to your account” page) should trigger the Duo authentication prompt after the primary login phase. Before rolling out to all users:
  • Set Your New User Policy: While testing, allow access to all users; once validated, transition to requiring enrollment.
  • Configure Allowed Hostnames: Especially if you plan to enable WebAuthn authentication methods like security keys, pre-configure allowed hostnames for the Duo application.

Security and Compliance Reminder

Security remains at the forefront of all these updates. The Duo application’s integrity is tied closely to the confidentiality of its secret (or secret key). Treat it with the same caution as any sensitive credential. Furthermore, make sure your firewall configurations allow outbound SSL traffic (TCP port 443) to Duo’s services, avoiding rigid IP-based rules that might hamper future updates or high availability.
Also, a word of caution: As of June 30, 2023, Duo no longer supports TLS 1.0 or 1.1 connections. If your deployment still uses older TLS versions or insecure cipher suites, your environment might face connectivity issues with Duo’s cloud services.
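The following PowerShell, added here and not part of Duo’s documentation, checks from an AD FS server that outbound TCP 443 to your Duo API hostname is reachable and that a TLS 1.2 handshake (the minimum Duo accepts) succeeds; the function name Test-DuoTlsConnectivity and the placeholder hostname are assumptions, and the real API hostname comes from your Duo Admin Panel.

```powershell
# Added example: verify outbound 443 reachability and a TLS 1.2 handshake to the Duo API host.
function Test-DuoTlsConnectivity {
    param(
        [Parameter(Mandatory = $true)][string]$ApiHostname,  # from the Duo Admin Panel
        [int]$TimeoutMs = 5000
    )

    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        # Connect with a timeout so a firewall that silently drops 443 is reported, not hung on.
        $async = $client.BeginConnect($ApiHostname, 443, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return [pscustomobject]@{ Host = $ApiHostname; TcpConnected = $false
                                      Protocol = $null; Error = 'TCP connect timed out (check outbound 443)' }
        }
        $client.EndConnect($async)

        # Offer only TLS 1.2. If SCHANNEL on this server has TLS 1.2 disabled, this throws,
        # which is the same failure the Duo integration would hit against Duo's cloud.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($ApiHostname, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $true)

        return [pscustomobject]@{ Host = $ApiHostname; TcpConnected = $true
                                  Protocol = $ssl.SslProtocol; Error = $null }
    }
    catch {
        return [pscustomobject]@{ Host = $ApiHostname; TcpConnected = $client.Connected
                                  Protocol = $null; Error = $_.Exception.Message }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Placeholder hostname: replace with the API hostname shown for your Duo AD FS application.
Test-DuoTlsConnectivity -ApiHostname 'api-XXXXXXXX.duosecurity.com' | Format-List
```

A result with TcpConnected false points at the firewall; TcpConnected true with a handshake error points at the server’s TLS configuration rather than the network.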

Troubleshooting and Support

For administrators who run into snags or need additional guidance:
  • Review the AD FS FAQ and Duo Knowledge Base Articles: These resources cover a wide range of common deployment issues and offer step-by-step troubleshooting tips.
  • Engage with the Community: Many enterprises have already navigated this migration. Peer discussions in forums can provide additional insights or workarounds.

Final Thoughts

The deprecation of Duo’s integration for AD FS 2.1 on Windows Server 2012 underscores a broader trend in IT security: the need to continuously evolve your infrastructure to meet modern security standards. Clinging to outdated systems not only jeopardizes security but also limits your ability to leverage the latest innovations in authentication and multi-factor protection.
Administrators, now is the time to consider your upgrade paths. Moving to a supported AD FS platform and embracing Duo’s universal, modern authentication approach will ensure that your organization remains secure, compliant, and future-ready. After all, in the fast-paced world of Windows server management, isn’t it better to be ahead of the curve than scrambling to catch up?
Stay secure, stay updated, and keep those authentication processes as modern as your favorite Windows tools!

Source: Duo Security Duo Authentication for Microsoft AD FS 2.1 on Windows 2012 (Deprecated)