In this guide we will configure Duo Push along with username and password validation through Active Directory to implement a two factor authentication for our sample application. In this example, the authentication used with the application server is Kerberos Constrained Delegation (KCD).

Once configured the user flow for accessing the application will look like this:

The flow is outlined below:

  1. The user provides their username and password.
  2. The LoadMaster queries the Duo RADIUS proxy for the user.
  3. A connection to Duo Security is established.
  4. An authentication request is sent to the user's Duo app.
  5. The user validates the request on the app.
  6. The LoadMaster performs pre-authentication using the supplied username and password with the Local Domain Controller.
  7. Authentication is successful.
  8. The resource is accessed through Kerberos Constrained Delegation.