This document provides instructions for managing two-factor authentication using Duo for non-uniqname accounts in Active Directory (UMROOT).

The UMROOT domain of Active Directory (AD) contains many non-person accounts, defined as administrator accounts (such as domain or organizational unit administrators), accounts used by vendors, service accounts, and so on. These accounts cannot be accessed through UMICH Account Management, because they do not have a Kerberos principal, nor do they exist in the People organizational unit of the MCommunity Directory.

To create a non-uniqname account in Active Directory (AD), contact your unit’s AD support team. If you are not sure who that is, contact the ITS Service Center.

Note: When creating the account, the AD support team needs to uncheck the "User must change password at next logon" option to avoid an "Authentication Failed" error when enrolling the account in Duo.
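
For AD support teams, one way to check for and clear this option from PowerShell before the account is enrolled. This is an added example, not part of the original instructions; it assumes the RSAT ActiveDirectory module and rights to modify the account, and the function name `Repair-MustChangePasswordFlag` and the account name `svc-example` are hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original instructions).
# Assumes the RSAT ActiveDirectory module and permission to modify the account.

function Repair-MustChangePasswordFlag {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$SamAccountName   # plain account name, without the domain prefix
    )
    process {
        foreach ($name in $SamAccountName) {
            $user = Get-ADUser -Identity $name -Properties pwdLastSet

            # AD records "User must change password at next logon" as pwdLastSet = 0.
            $flagWasSet = ($user.pwdLastSet -eq 0)
            $flagIsSet  = $flagWasSet

            # With -WhatIf, ShouldProcess returns $false and nothing is changed.
            if ($flagWasSet -and
                $PSCmdlet.ShouldProcess($name, 'Clear "User must change password at next logon"')) {
                Set-ADUser -Identity $user -ChangePasswordAtLogon $false
                # Re-read the attribute to confirm the change took effect.
                $flagIsSet = (Get-ADUser -Identity $name -Properties pwdLastSet).pwdLastSet -eq 0
            }

            [pscustomobject]@{
                SamAccountName = $user.SamAccountName
                Enabled        = $user.Enabled
                FlagWasSet     = $flagWasSet
                FlagIsSet      = $flagIsSet
            }
        }
    }
}

# Report only (no changes), using a constructed account name:
#   Repair-MustChangePasswordFlag -SamAccountName 'svc-example' -WhatIf
# Clear the flag where it is set:
#   Repair-MustChangePasswordFlag -SamAccountName 'svc-example'
```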

To enroll a non-uniqname account in Duo, follow these instructions.

  1. Go to the UMICH Duo Active Directory Enrollment page.
  2. Log in to the application as the non-person account using AD credentials.

Note: Once you are logged in, the application normalizes the username presented at login. For example: “UMROOT\bjensen” becomes “bjensen.”

  3. Use the embedded Duo interface to enroll or change device settings.
