Background
For MSP Partners that have Duo Authentication installed as a 2 Factor Authentication method on their Customer's Systems, integrating with Quickpass Just in Time Accounts (JIT) takes some additional configuration to ensure that the JIT Account created is authorized to work with Duo Authentication.
Prerequisites
- Quickpass Tenant includes QGuard (Administrator and Service Account management)
- Login role Primary or Super has enabled JIT for their team via this KB
https://support.getquickpass.com/hc/en-us/articles/14473398505367-How-to-create-and-use-Just-In-Time-Privileged-accounts
- Duo Authentication for Windows installed on the system in question
- Duo Users (technicians) are configured for Push/2 Factor Authentication
- Due to an 8 Alias limitation for Duo, Quickpass recommends using the SAME JIT account name for all Customers that a JIT account will be used with.
Setup of Duo Authentication
Preparation - Quickpass Desktop App
- In the Quickpass Desktop Application, open the JIT account creation section.
- Click the "Create JIT Account" button.
- A window will open to select the initial configuration options for that customer.
- Check the Default JIT Username box - this is the value that will be used within Duo.
- The technician can change the Username value; however, whatever name is chosen should be consistent with all other Customer JIT accounts.
- Complete the creation of the JIT account following the process in the KB
https://support.getquickpass.com/hc/en-us/articles/14473398505367-How-to-create-and-use-Just-In-Time-Privileged-accounts
Preparation - Duo Users
- Log in to the Duo Admin Dashboard
- Select the Users section to find the Technician(s) that will be using JIT
- Select the User from the list.
- Look for the Username Aliases section and click the "+ Add a username Alias" link
- Add the JIT account name that was selected from the Preparation - Quickpass Desktop App phase (4.1) above.
- NOTE: This section only allows up to 8 Aliases. This is why it is important to use the same JIT account name across all of your customers.
- Do not include the Active Directory Domain or UPN extension.
- Click Save Changes.
Testing
- On a system that is set up with Duo Authentication for Windows (Domain Controller or Server/Workstation joined to traditional Active Directory), log in with the JIT Credentials (either via the Autofill option on the Desktop App for ScreenConnect/ConnectWise Control, or by Copy/Paste with another remote control utility).
- After the initial login credentials are populated, the Duo Authentication prompt (or the Push, if it is sent automatically) should appear.
- On the Mobile Device (or via the predetermined Duo Authentication options) accept the Push or enter the MFA code supplied.
- The account should then complete the login process.
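A pre-flight check for the Preparation - Duo Users steps above, as an added example that is not Quickpass or Duo code: it strips any Active Directory domain or UPN extension from each customer's JIT username and counts how many aliases one technician would need against the 8 Alias limit. The function names, customer names and the "qp-jit" account name are constructed for illustration, and comparing names case-insensitively is an assumption.

```python
DUO_ALIAS_LIMIT = 8  # per-user alias limit stated in this article


def bare_username(name):
    """Strip a DOMAIN\\ prefix or an @upn.suffix, leaving the bare account name."""
    name = name.strip()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name


def check_alias_plan(existing_aliases, jit_names_by_customer):
    """Return (aliases_to_add, problems) for one Duo user (technician).

    existing_aliases: aliases already present on the Duo user
    jit_names_by_customer: {customer: JIT username as set in Quickpass}
    """
    problems = []
    have = {a.lower() for a in existing_aliases}  # assumption: case-insensitive
    to_add = []
    for customer, raw in sorted(jit_names_by_customer.items()):
        bare = bare_username(raw)
        if bare != raw.strip():
            problems.append(f"{customer}: enter '{bare}' in Duo, not '{raw}'")
        if bare.lower() not in have:
            have.add(bare.lower())
            to_add.append(bare)
    if len(have) > DUO_ALIAS_LIMIT:
        problems.append(f"{len(have)} aliases needed, limit is {DUO_ALIAS_LIMIT}")
    return to_add, problems


# Constructed sample data: one shared JIT name, written three different ways.
SHARED = {
    "Customer A": "qp-jit",
    "Customer B": "CONTOSO\\qp-jit",
    "Customer C": "qp-jit@fabrikam.example",
}
# Constructed sample data: a different JIT name for each of nine customers.
DISTINCT = {f"Customer {i}": f"jit-cust{i}" for i in range(1, 10)}

if __name__ == "__main__":
    for label, plan in (("shared", SHARED), ("distinct", DISTINCT)):
        add, issues = check_alias_plan([], plan)
        print(label, "-> add:", add, "| problems:", issues)
```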