Where an organisation uses Duo two-factor authentication with an Active Directory that synchronises user accounts to Azure AD (for Microsoft 365 or Azure), some users may see the Duo error "Cannot create NameID with source attribute mS-DS-ConsistencyGuid does not exist" during sign-in.
This occurs for Active Directory user accounts that have elevated protection, usually as a result of being, or having once been, a member of a privileged security group or organisational unit.
Follow the steps below to confirm and correct the issue for the user account that is affected.
Confirm the mS-DS-ConsistencyGuid attribute value exists for the user account in Active Directory
Note: This task needs to be performed by a Domain Administrator of the Active Directory
service within your organisation - or Real World Technology Solutions support team members
if your Active Directory service is co-managed.
- On a domain controller or a domain-joined member server with Active Directory management tools installed, open Active Directory Users and Computers.
- If not already enabled, click the View menu and make sure Advanced Features is ticked.
- Locate and right-click the user object that experiences the Duo error, then click Properties.
- In the object properties window, click the Attribute Editor tab, then locate the mS-DS-ConsistencyGuid object property.
If the value is blank or not set, the object Advanced Security Settings for the account will need to be restored.
- Click the Security tab, then click Advanced.
- In the Advanced Security Settings window, click Restore defaults.
- Click OK to all open option dialog boxes and close the object properties window.
Run an Azure AD Connect synchronisation
Note: This task needs to be performed by a Domain Administrator or user with rights to
run Azure AD Connect service within your organisation - or Real World Technology Solutions
support team members if your Azure AD Connect service is co-managed.
- On a domain controller or a domain-joined member server which has Azure AD Connect installed, open PowerShell.
- Enter the below command:
Start-ADSyncSyncCycle -PolicyType Delta
After a few minutes, the Active Directory user object you checked in the step "Confirm the mS-DS-ConsistencyGuid attribute value exists for the user account in Active Directory" should populate with a value in the mS-DS-ConsistencyGuid property.
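The Attribute Editor check above can also be done read-only from PowerShell, before the change and again after the delta sync. This is an added example, not part of the original article: it assumes the ActiveDirectory (RSAT) module is installed, `jsmith` is a placeholder account name, and treating `adminCount` and disabled ACL inheritance as the markers of the "elevated protection" described above is an assumption. The second function goes beyond the single-user case and lists other accounts that may hit the same error.

```powershell
# Added example: read-only checks, nothing is modified in the directory.
# Assumes the ActiveDirectory module (RSAT); 'jsmith' is a placeholder account.
Import-Module ActiveDirectory

function Get-ConsistencyGuidStatus {
    param(
        [Parameter(Mandatory)]
        [string]$Identity
    )

    $user = Get-ADUser -Identity $Identity `
        -Properties 'mS-DS-ConsistencyGuid', adminCount, nTSecurityDescriptor

    # The attribute is stored as 16 raw bytes; render it as a GUID when present.
    $raw  = $user.'mS-DS-ConsistencyGuid'
    $guid = if ($raw -and $raw.Count -eq 16) { [guid]::new([byte[]]$raw) } else { $null }

    [pscustomobject]@{
        SamAccountName      = $user.SamAccountName
        ConsistencyGuidSet  = ($null -ne $guid)
        ConsistencyGuid     = $guid
        # Assumption: adminCount = 1 marks an account that is or was protected.
        AdminCount          = $user.adminCount
        # True when the object's ACL does not inherit from its parent container.
        InheritanceDisabled = $user.nTSecurityDescriptor.AreAccessRulesProtected
    }
}

function Find-ProtectedUsersMissingConsistencyGuid {
    # Protected user accounts with no mS-DS-ConsistencyGuid value set.
    $filter = '(&(objectCategory=person)(objectClass=user)(adminCount=1)(!(mS-DS-ConsistencyGuid=*)))'
    Get-ADUser -LDAPFilter $filter -Properties adminCount |
        Select-Object SamAccountName, DistinguishedName, adminCount
}

# Check the affected user, then list any other candidates.
Get-ConsistencyGuidStatus -Identity 'jsmith' | Format-List
Find-ProtectedUsersMissingConsistencyGuid | Format-Table -AutoSize
```

Once the steps above have succeeded, `ConsistencyGuidSet` should report `True` for the affected user.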
Run a Duo synchronisation of Active Directory
If the user account has been enrolled in Duo for two factor authentication automatically, perform a Duo synchronisation of Active Directory to update the authentication device.
Note: This task needs to be performed by an account with administrative access to the
Duo service within your organisation - or Real World Technology Solutions support team
members if your Duo service is co-managed.
- In a web browser, navigate to https://admin.duosecurity.com/ and sign in with an account with administrative access to the Duo service.
- In the list of Duo service sections on the left, expand Users, then click Directory Sync.
- Click your Active Directory, the AD Sync connector that has been provisioned.
- Click Sync Now.
After several minutes, have the user test signing in to a service that had previously experienced the Duo error.