Multiple Deployments: Policy issue affecting login behavior for multiple specific applications
Incident Report for Duo
Postmortem

Summary

On April 11, 2022, at 15:59 EST, Duo's Engineering Team was alerted by Duo Customer Care that users were receiving an “Access denied” or similar message when attempting to log in to Duo-protected applications. After investigation, the root cause was identified as a recent code change that in some cases incorrectly denied access to unenrolled users.

The issue was resolved with a code fix on the same day.

Deployments Impacted

  • DUO33, DUO58, DUO64, DUO55, DUO38, DUO66, DUO68, DUO67

Timeline of Events (EST)

2022-04-11 15:59 Duo Site Reliability Engineering (SRE) is informed by Duo Customer Support (CS) that users are not able to authenticate against Duo-protected applications.

2022-04-11 16:15 Duo Engineering assesses the issue, identifying the root cause.

2022-04-11 16:32 Status page updated to Identified.

2022-04-11 17:35 Duo Engineering begins deploying a code fix to all deployments.

2022-04-11 20:27 Deploying the fix is complete.

2022-04-11 20:27 Status page updated to Monitoring.

2022-04-11 21:34 Status page updated to Resolved.

Details

Duo Engineering recently made a code change affecting enrollment behavior for the following Duo-protected applications: Windows Logon, RD Gateway, macOS Logon, and Epic Applications.

The change did not have the intended effect and denied access for users when all the following conditions were true:

  • The New User Policy or Authorized Networks Policy was set to Allow Access
  • The user had not yet completed the enrollment process
  • The user was authenticating against Windows Logon, RD Gateway, macOS Logon, or Epic Applications

Fourteen customers across eight deployments were impacted.

Duo Engineering is creating a deeper suite of unit tests based on configured policy and expected outcomes to prevent similar issues in the future.

Note: You can find your Duo deployment’s ID and sign up for updates via the StatusPage by following the instructions in this knowledge base article.

Posted Apr 20, 2022 - 17:17 EDT
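
The remediation named in the postmortem, tests driven by configured policy and expected outcome, can be sketched as an exhaustive policy matrix. This is an added example, not Duo's code: the decision functions are a simplified model, and the `deny_access` policy value, the `challenge` outcome, the "Control App" entry and the shape of the regression are assumptions made for illustration.

```python
from itertools import product

# Applications named in the postmortem, plus one constructed control entry.
AFFECTED_APPS = ("Windows Logon", "RD Gateway", "macOS Logon", "Epic Applications")
APPS = AFFECTED_APPS + ("Control App",)       # constructed, not from the page
POLICIES = ("allow_access", "deny_access")    # assumed New User Policy values

# Expected outcomes, written down independently of any implementation and
# keyed by (policy, user_is_enrolled). The application is deliberately absent:
# in this model the outcome must not vary by application.
EXPECTED = {
    ("allow_access", False): "allow",
    ("deny_access", False): "deny",
    ("allow_access", True): "challenge",      # assumed: enrolled users go on to 2FA
    ("deny_access", True): "challenge",
}

def decide_fixed(policy, enrolled, app):
    """Simplified model of the intended behaviour."""
    if enrolled:
        return "challenge"
    return "allow" if policy == "allow_access" else "deny"

def decide_regressed(policy, enrolled, app):
    """Hypothetical regression: an app-specific branch runs before the policy check."""
    if not enrolled and app in AFFECTED_APPS:
        return "deny"
    return decide_fixed(policy, enrolled, app)

def policy_matrix_failures(decide):
    """Run every policy x enrollment x application combination against EXPECTED."""
    failures = []
    for policy, enrolled, app in product(POLICIES, (False, True), APPS):
        want = EXPECTED[(policy, enrolled)]
        got = decide(policy, enrolled, app)
        if got != want:
            failures.append((policy, enrolled, app, want, got))
    return failures

if __name__ == "__main__":
    for row in policy_matrix_failures(decide_regressed):
        print("MISMATCH policy=%s enrolled=%s app=%s expected=%s got=%s" % row)
    print("fixed failures:", policy_matrix_failures(decide_fixed))
```

Because the matrix enumerates every application against every policy setting, an application-specific branch that overrides the configured policy shows up as a mismatch for exactly the affected combinations.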

Resolved
The policy issue is now confirmed to be fully resolved.
A root-cause analysis (RCA) will be provided as soon as it is available.
Posted Apr 11, 2022 - 21:36 EDT
Monitoring
Duo's Engineering Team has successfully deployed a fix to the impacted deployments for the Policy issue. We are monitoring to ensure no future instances occur.
Posted Apr 11, 2022 - 20:29 EDT
Identified
We have identified an issue that is causing authentications to fail: some users who are not enrolled are being denied access when attempting to log in to Windows Logon, RD Gateway, macOS Logon, and Epic Applications when the New User Policy or the Authorized Networks Policy is set to "Allow Access".

We are working to correct this issue as soon as possible.
Posted Apr 11, 2022 - 16:31 EDT
This incident affected: DUO33 (Core Authentication Service), DUO38 (Core Authentication Service), DUO55 (Core Authentication Service), DUO58 (Core Authentication Service), DUO64 (Core Authentication Service), DUO66 (Core Authentication Service), DUO67 (Core Authentication Service), and DUO68 (Core Authentication Service).