Authentication failed with my Password/SPNEGO MFA configuration

Cantor, Scott cantor.2 at
Wed Nov 13 10:56:25 EST 2019

On 11/13/19, 10:42 AM, "users on behalf of Wessel, Keith" <users-bounces at on behalf of kwessel at> wrote:

> Is there a way to get it to show up as an extended flow listed in the password authn config without also listing it as an 
> active flow?

That extended flows thing is deprecated without being officially planned for removal yet. If not for the bug here, the answer would to be avoid it, and not use the existing Password/SPNEGO stuff, you should script all that from the MFA flow. Buttons can trigger events, and the MFA rules can respond to events, etc. That's all doable without any of the older features. The problem is the handling of the failure right now.
> Regardless, we still do need it as part of our MFA flow as we don't want folks getting in on SPNEGO alone without Duo.
> It sounds like I hope no hope of that until this bug is addressed. Is that correct?

Until I know what's really going on I can't really even envision what would work as a fix. Perhaps some kind of dummy subflow to run just to clear the state of the system, so that could be run as a consequence of the failure event from SPNEGO. I think it might be fixable just with a script, but I have to see it first.

-- Scott

More information about the users mailing list