
Duo Security and Idemeum

Nik Pot

JIT admin access

When the Duo Security agent is installed on a Windows workstation, it disables all credential providers except the native Windows password credential provider. However, you can enable the idemeum credential provider through the registry.

  • Navigate to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv
  • Create a new Multi-String Value, name it ProvidersWhitelist, and assign it the value {417C7858-EE65-42AD-9F11-5BA27FB1FF64}
  • Once this registry value is set, the idemeum credential provider will be enabled, and you will be able to use JIT admin access along with Duo user 2FA.
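
The same steps as a PowerShell script, given here as an added example rather than idemeum's or Duo's own tooling. It appends the GUID without overwriting entries already in ProvidersWhitelist, then lists what is allowed. The Credential Providers registration path is the standard Windows location and is not taken from this page.

```powershell
# Added example (not idemeum's or Duo's own script). Run from an elevated prompt.
$duoKey  = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'   # key named on this page
$valName = 'ProvidersWhitelist'                        # value named on this page
$idemeum = '{417C7858-EE65-42AD-9F11-5BA27FB1FF64}'    # GUID given on this page
# Assumption: standard Windows location where credential providers register themselves
$cpRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

if (-not (Test-Path -LiteralPath $duoKey)) {
    throw "Registry key $duoKey not found; the Duo agent does not appear to be installed."
}

# An allowed GUID with no registered provider behind it has no effect at sign-in.
if (-not (Test-Path -LiteralPath "$cpRoot\$idemeum")) {
    Write-Warning "Provider $idemeum is not registered under $cpRoot; is idemeum installed?"
}

# Read the current entries so other allowed providers are preserved.
$current = @((Get-ItemProperty -LiteralPath $duoKey -Name $valName -ErrorAction SilentlyContinue).$valName |
    Where-Object { $_ })

# Append only when missing, so repeated runs do not create duplicates.
if ($current -notcontains $idemeum) {
    $updated = [string[]]($current + $idemeum)
    New-ItemProperty -LiteralPath $duoKey -Name $valName -PropertyType MultiString `
        -Value $updated -Force | Out-Null
}

# Audit: list every provider Duo will leave enabled, with its registered name.
(Get-ItemProperty -LiteralPath $duoKey -Name $valName).$valName | ForEach-Object {
    $reg = Get-ItemProperty -LiteralPath "$cpRoot\$_" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Guid = $_
        Name = if ($reg) { $reg.'(default)' } else { '<not registered>' }
    }
}
```

Review the final listing after each change: every GUID in ProvidersWhitelist is a sign-in path that Duo leaves enabled, so the list should contain only providers you expect.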

LAPS accounts

Idemeum creates LAPS local admin and domain admin accounts on Windows workstations. To use LAPS accounts, you need to make sure they are not using Duo 2FA. To make sure 2FA is bypassed for LAPS accounts:

  • Navigate to the Duo dashboard
  • Create a user with the same account that is configured in idemeum for LAPS
  • Enable bypass for this account

If you have any questions, drop us a note in Discord chat.