By: Sean Izor – MIS, CDE, CPE, OCP, VSP, VSA; Senior IAM/PAM Consultant – SecureITsource
A client recently tasked me with configuring CyberArk to manage Duo Admin Console credentials and configuring Privileged Session Management (PSM) connectivity to the console. Suffice it to say, the process was not as straightforward as I would have hoped, to the degree that I’m sharing my experience in the hope of alleviating some frustration should you be given the same task. The CyberArk support forums have many references for configuring Duo as the multi-factor authentication (MFA) for granting access to CyberArk, but relatively little information regarding vaulting and managing Duo Admin Console credentials.
Your first stop should be the CyberArk Marketplace (https://marketplace.cyberark.com), where a search for ‘Duo’ will return several plugins. Fortunately, these plugins are certified by CyberArk, which means you have the option to request support should you still have problems after following my suggestions. Download the Cyberark Duo-PSM and CyberArk Duo Admin Console CPM plugins. You will need to manually import the platform and copy the CyberArk.Extensions.Plugin.Duo.dll file to the \PasswordManager\Bin folder on your CPM server(s). You will also need to vault a Duo Admin Console account and associate it with the newly imported Duo platform.
CyberArk rotates Duo Admin Console credentials via the Duo Admin API (REST). This means CyberArk will need to be configured as an ‘application’ within the Duo Admin Console. Each application defined in Duo has an integration key (IKEY), secret key (SKEY), and API hostname. You will need these three pieces of information to configure your platform in CyberArk. If you are not a Duo Administrator, you will need to coordinate with a Duo Administrator to get this information.
This is where things start to get tricky. The CyberArk Marketplace does not provide much documentation on how to install and configure the plugins. A glance at the Duo platform reveals the IKEY is used as a Logon Account and the SKEY is used as a Reconcile Account, but it’s unclear how these are configured. I got clarification after some back and forth with CyberArk support. Create the IKEY and SKEY accounts in CyberArk using the following tips:
It’s up to you which safe you want to store these IKEY and SKEY accounts in, just make sure you assign the same CPM to this safe and the safe storing your Duo Admin Console accounts. For simplicity, I also recommend editing the default ‘name’ of the account object to something easier to reference, such as Duo-IKEY. This will save you some headache on the next step.
Once the IKEY and SKEY accounts are vaulted, you must associate them either at the account level or the platform level (recommended). As a reminder, the IKEY is associated as the Logon Account and the SKEY is associated as the Reconcile Account.
So you’ve done the legwork and you flag the account for password rotation, only to receive the dreaded “Cannot find Duo admin with email like account username”. This issue took some additional digging on my part, including a 1:1 WebEx with the CyberArk resource who actually wrote the plugin. Remember the CyberArk application we created in Duo to allow communication via REST API? Well, we need to ensure that application has the following permissions within Duo:
In my particular case, the application was lacking ‘Grant read resource’, so it wasn’t allowed to read the list of admins. We granted the permissions, but still received the “Cannot find Duo admin with email like account username” error.
This one was even more difficult to track down. Fortunately our CyberArk resource provided an updated dll specifically for troubleshooting. This dll provided additional information in the logs, specifically, the list of admin email addresses it pulled. We noticed the verbiage said “Returning 100 administrators”, which sounded like a cap. Sure enough, we confirmed that the Duo plugin ‘out of the box’ only returns the first 100 administrators found in Duo. As it turned out, the account we were testing with was actually the 102nd administrator, thus, it wasn’t being returned by the REST call. Our CyberArk plugin guru did some research and found Duo supports returning a maximum of 500 admin email accounts, so we received yet another updated dll that supported the max returns, and we were finally able to rotate the password successfully. I made the recommendation to provide this updated dll on the marketplace, but at the time of this writing the marketplace is still using v1.0 of the dll.
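To make the 100-admin cap concrete, here is an added example (my own illustration, not the code of CyberArk.Extensions.Plugin.Duo.dll or of Duo) that reproduces the failure and the fix offline. It signs requests the way the Duo Admin API v1 documents (RFC 2822 date, method, lowercased host, path and sorted params joined by newlines, HMAC-SHA1 with the SKEY, sent as HTTP Basic with the IKEY as the user name), then looks up an admin by email two ways: a single unpaginated call, which misses anyone past the first page, and a loop that follows `metadata.next_offset` until the admin is found, which does not depend on any particular page-size cap. The API hostname, keys, the 102-admin tenant and the 100-row page size are constructed assumptions for the demo; the fake `FakeDuoApi` class stands in for the real endpoint so nothing leaves your machine.

```python
import base64
import email.utils
import hashlib
import hmac
import urllib.parse

# Constructed fixture: a fake Duo tenant with 102 admins, so the one we need
# sits just past a 100-row first page (the situation described in the post).
FAKE_ADMINS = [{"email": f"admin{i:03d}@example.com", "name": f"Admin {i}"}
               for i in range(1, 103)]
PAGE_SIZE = 100  # assumption: the 100-row page the plugin was observed to return


def canonicalize(method, host, path, params, date):
    """Duo Admin API v1 canonical string: date, METHOD, host, path, sorted query."""
    items = sorted(params.items())
    qs = "&".join(f"{urllib.parse.quote(k, safe='~')}={urllib.parse.quote(v, safe='~')}"
                  for k, v in items)
    return "\n".join([date, method.upper(), host.lower(), path, qs])


def sign(ikey, skey, method, host, path, params, date):
    """Authorization header: HTTP Basic, user = IKEY, password = HMAC-SHA1 hex of the canonical string."""
    canon = canonicalize(method, host, path, params, date)
    digest = hmac.new(skey.encode("utf-8"), canon.encode("utf-8"), hashlib.sha1).hexdigest()
    return "Basic " + base64.b64encode(f"{ikey}:{digest}".encode("utf-8")).decode("ascii")


class FakeDuoApi:
    """Constructed stand-in for GET /admin/v1/admins; serves FAKE_ADMINS in PAGE_SIZE rows."""

    def __init__(self, host, ikey, skey):
        self.host, self.ikey, self.skey = host, ikey, skey
        self.requests = []  # (path, params, Authorization) for every call, for inspection

    def get(self, path, params):
        date = email.utils.formatdate()  # RFC 2822, as the real Date header must be
        auth = sign(self.ikey, self.skey, "GET", self.host, path, params, date)
        self.requests.append((path, dict(params), auth))
        if path != "/admin/v1/admins":
            return {"stat": "FAIL", "code": 40401, "message": "Resource not found"}
        limit = min(int(params.get("limit", PAGE_SIZE)), PAGE_SIZE)
        offset = int(params.get("offset", 0))
        page = FAKE_ADMINS[offset:offset + limit]
        meta = {"total_objects": len(FAKE_ADMINS)}
        if offset + limit < len(FAKE_ADMINS):
            meta["next_offset"] = offset + limit  # absent on the last page, like the real API
        return {"stat": "OK", "response": page, "metadata": meta}


def find_admin_first_page(api, username):
    """Failure mode: one call, first page only; admin #102 is simply not in the list."""
    resp = api.get("/admin/v1/admins", {})
    wanted = username.lower()
    return next((a for a in resp["response"] if a["email"].lower() == wanted), None)


def find_admin_paginated(api, username):
    """Fix: walk pages via metadata.next_offset until the admin is found or the list ends."""
    wanted = username.lower()
    offset = 0
    while offset is not None:
        resp = api.get("/admin/v1/admins", {"limit": str(PAGE_SIZE), "offset": str(offset)})
        if resp.get("stat") != "OK":
            raise RuntimeError(f"Duo API error: {resp}")
        for admin in resp["response"]:
            if admin["email"].lower() == wanted:
                return admin
        offset = resp["metadata"].get("next_offset")
    return None


if __name__ == "__main__":
    api = FakeDuoApi("api-xxxxxxxx.duosecurity.com", "DIXXXXXXXXXXXXXXXXXX", "skey-placeholder")
    target = "admin102@example.com"  # the "102nd administrator" from the post
    print("first page only:", find_admin_first_page(api, target))
    print("paginated      :", find_admin_paginated(api, target))
```

Run against the real tenant, the same `sign()` output goes in the `Authorization` header of an HTTPS request to the API hostname, with the `Date` header set to the value used in the canonical string; if the application is missing the read permission on admins, the response will be a `FAIL` with an HTTP 403 rather than an empty page, which is worth distinguishing in your logs from the pagination miss shown here.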
I hope this information proves useful to my fellow CyberArk engineers who may be struggling with this implementation.
SecureITsource is an authorized reseller and professional services partner with the industry’s leading Identity & Access Management solution providers. Our team of consultants help our clients to reach their IAM goals by providing strategy, design, and engineering expertise. www.secureitsource.com