Postmortem
Summary
On May 19, 2025, around 19:00 ET, Duo received reports of users who were unable to reset their Active Directory (AD) passwords through Duo SSO. This impacted all users who were attempting to reset an expired AD password. Functionality was restored to all deployments at 20:46 ET.
Timeline of Events
12:53 ET: A planned update to SSO services is rolled out.
19:05 ET: Duo engineering is alerted to multiple customers who are unable to reset expired passwords for AD
19:26 ET: Duo begins deploying a fix for the expired password reset issue
19:57 ET: Duo receives confirmation that some customers are seeing restored service; the fix continues to be rolled out for additional deployments
20:46 ET: Fix is rolled out to all deployments and service is restored
Details
An update was released that changed our logic for determining whether to direct users to reset their expired AD password. The change contained a bug that caused authentications to be treated as invalid instead of as requiring a password change.
While this issue was ongoing, 526 customers were identified as having one or more users who were blocked from resetting their password.
In addition to fixing the bug that caused this issue:
Engineering is planning to increase our observability on this specific type of issue to improve our response time in the future.
Engineering is planning to improve our automated testing for this password reset flow.
Posted May 21, 2025 - 11:59 EDT
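The class of bug described under Details, where a "password change required" result is folded into the generic "invalid" result, shown as an added example with the kind of regression check the remediation items call for; this is not Duo's code. It assumes the directory is queried with an LDAP bind and relies on the sub-codes Active Directory places in the bind failure's diagnostic message; the function names, state names and sample strings are hypothetical.

```python
import re

# Active Directory sub-codes found in the "data NNN" field of the diagnostic
# message that accompanies LDAP bind failure resultCode 49 (invalidCredentials).
PASSWORD_CHANGE_REQUIRED = {"532", "773"}  # password expired / must change at next logon
ACCOUNT_BLOCKED = {"530", "531", "533", "701", "775"}  # hours, workstation, disabled, expired, locked

_SUBCODE = re.compile(r"\bdata\s+([0-9a-f]+)\b", re.IGNORECASE)


def classify_bind(result_code, diagnostic=""):
    """Map an LDAP bind result to the state a login flow should act on."""
    if result_code == 0:
        return "authenticated"
    if result_code != 49:
        return "directory_error"  # e.g. server busy: not a verdict on the user
    match = _SUBCODE.search(diagnostic or "")
    sub = match.group(1).lower() if match else None
    # Test the reset case first and explicitly, so it can never fall through
    # to the generic "invalid" branch below.
    if sub in PASSWORD_CHANGE_REQUIRED:
        return "password_change_required"
    if sub in ACCOUNT_BLOCKED:
        return "account_blocked"
    # 52e (wrong password), 525 (no such user), unknown or missing sub-codes
    # all fail closed as invalid credentials.
    return "invalid_credentials"


def next_step(state):
    """Hypothetical routing table for the login flow."""
    return {
        "authenticated": "continue_to_mfa",
        "password_change_required": "show_password_reset",
    }.get(state, "deny")


# Constructed diagnostic strings in the shape AD returns; DSID and version are made up.
_FMT = "80090308: LdapErr: DSID-0C090000, comment: AcceptSecurityContext error, data {}, v0000"
SAMPLES = {
    "expired": _FMT.format("532"),
    "must_change": _FMT.format("773"),
    "wrong_pw": _FMT.format("52e"),
    "locked": _FMT.format("775"),
}

if __name__ == "__main__":
    for name, diag in SAMPLES.items():
        state = classify_bind(49, diag)
        print(f"{name:12} -> {state:26} -> {next_step(state)}")
```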
Resolved
We can confirm that the issue with password reset for Duo SSO logins using Active Directory has been resolved.
Please check back here or subscribe for updates on the RCA as soon as it becomes available.
Posted May 19, 2025 - 21:04 EDT
Monitoring
We have implemented a fix and we are monitoring the results.
Posted May 19, 2025 - 20:12 EDT
Identified
We have identified the issue and a fix is being deployed.
Posted May 19, 2025 - 19:46 EDT
Investigating
We are currently investigating an issue causing password reset failures for Duo SSO logins using Active Directory as an authentication source.
Posted May 19, 2025 - 19:20 EDT
This incident affected: DUO1 (SSO), DUO2 (SSO), DUO3 (SSO), DUO4 (SSO), DUO6 (SSO), DUO7 (SSO), DUO8 (SSO), DUO9 (SSO), DUO10 (SSO), DUO11 (SSO), DUO12 (SSO), DUO13 (SSO), DUO14 (SSO), DUO15 (SSO), DUO16 (SSO), DUO17 (SSO), DUO18 (SSO), DUO19 (SSO), DUO20 (SSO), DUO21 (SSO), DUO22 (SSO), DUO23 (SSO), DUO25 (SSO), DUO27 (SSO), DUO28 (SSO), DUO29 (SSO), DUO30 (SSO), DUO31 (SSO), DUO32 (SSO), DUO33 (SSO), DUO34 (SSO), DUO36 (SSO), DUO37 (SSO), DUO38 (SSO), DUO39 (SSO), DUO40 (SSO), DUO41 (SSO), DUO42 (SSO), DUO44 (SSO), DUO47 (SSO), DUO48 (SSO), DUO49 (SSO), DUO50 (SSO), DUO52 (SSO), DUO53 (SSO), DUO54 (SSO), DUO55 (SSO), DUO56 (SSO), DUO57 (SSO), DUO58 (SSO), DUO60 (SSO), DUO62 (SSO), DUO63 (SSO), DUO64 (SSO), DUO65 (SSO), DUO66 (SSO), DUO67 (SSO), DUO68 (SSO), DUO69 (SSO), DUO70 (SSO), DUO71 (SSO), DUO72 (SSO), DUO73 (SSO), DUO74 (SSO), DUO75 (SSO), DUO76 (SSO), DUO77 (SSO), DUO78 (SSO), DUO79 (SSO), DUO80 (SSO), DUO81 (SSO), and DUO35 (SSO).