Hi Mickaël,

On Thursday, 21 February 2019 14:01:17 UTC+2, Mickaël wrote:
>
> Hi Jeremy,
>
> It is great news about the scratch codes.
>
> I'm not sure I understand your question about the qrcode. To register a 
> device, it is possible and required when a service is registered on your 
> CAS with "Google Authentication" as MFA.
>

Do you mean that the service "Google Authentication" as MFA must be 
registered under the services configuration in JSON format?

> So, at the first login without a registered device, the user will be asked to 
> scan the qrcode on the screen and save (or print) the scratch codes. After 
> clicking on the next button, the user should enter his token in the field to finish 
> the registration and be redirected to the service.
>

This is exactly what happens, the way you explain it here. So when I scan 
the qrcode with my phone it does not take the codes generated by the Google 
Authenticator app. It does, however, take the on-screen codes.

I hope this clears up my question?

>
> Does it answer your question, Jeremy?
>
> My own question about this system: how to unregister a device in case of a 
> change of device or loss? I don't know the URL to do that...
>
> Sincerely,
>
> Mickaël
>
> On Thursday, 21 February 2019 11:32:54 UTC+1, Jeremy Van Rooyen wrote:
>>
>> Hi Mickaël,
>>
>> Thanks for your reply.
>>
>> So after playing around a bit more it seems like the on-screen scratch 
>> codes are being stored in MongoDB, and using those it allows me to 
>> authenticate perfectly.
>>
>> The next question is how would one register via the qrcode using the 
>> Google Authenticator app on phone? Or am I not understanding something?
>>
>> Kind Regards
>> Jeremy
>>
>> On Tuesday, 19 February 2019 10:30:29 UTC+2, Mickaël wrote:
>>>
>>> Hello,
>>>
>>> Are you sure there is anything registered in your Mongo database? Scratch 
>>> codes and tokens are stored in the DB for each user in 2 different tables.
>>>
>>> It is strange to see that; normally "WHO" is the user, not the token:
>>> *WHO: 253227*
>>> *WHAT: Supplied credentials: [[token=253227]]*
>>>
>>> For information, I am using gauth with MariaDB without any issue.
>>>
>>> Mickaël
>>>
>>> On Thursday, 15 February 2018 09:53:52 UTC+1, Janina Byky wrote:
>>>>
>>>> Hello,
>>>>
>>>> I'm trying to set up CAS 5.2.2 with Google Authenticator as the second auth 
>>>> factor for specified services. CAS is running over LDAP (AD) and GAuth 
>>>> based on mongo. So far everything was great: the build succeeded, the GAuth qrcode 
>>>> appears, the user registers and now it's time for the TOKEN form. I'm typing all 
>>>> scratch codes and those generated by Google Authenticator, but every single 
>>>> attempt is unsuccessful. Also there's no collection created to store tokens 
>>>> in mongo. Only GAuthRepository is created with proper values of registered 
>>>> users.
>>>>
>>>> *cas.properties*
>>>>
>>>> cas.authn.accept.users=
>>>>
>>>> cas.authn.ldap[0].order=0
>>>> cas.authn.ldap[0].type=AUTHENTICATED
>>>> cas.authn.ldap[0].ldapUrl={CUT}
>>>> cas.authn.ldap[0].connectionStrategy=DEFAULT
>>>> cas.authn.ldap[0].useSsl=true
>>>> cas.authn.ldap[0].connectTimeout=15000
>>>> cas.authn.ldap[0].subtreeSearch=true
>>>> cas.authn.ldap[0].baseDn={CUT}
>>>>
>>>> cas.authn.ldap[0].userFilter=(|(sAMAccountName={user})(userPrincipalName={user}))
>>>> cas.authn.ldap[0].bindDn={CUT}
>>>> cas.authn.ldap[0].bindCredential={CUT}
>>>> cas.authn.ldap[0].enhanceWithEntryResolver=true
>>>> cas.authn.ldap[0].principalAttributeId=sAMAccountName
>>>> cas.authn.ldap[0].principalAttributePassword=
>>>> cas.authn.ldap[0].usePasswordPolicy=true
>>>>
>>>> cas.authn.ldap[0].principalAttributeList=sn,cn:commonName,givenName,sAMAccountName,memberOf
>>>> cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true
>>>> cas.authn.ldap[0].poolPassivator=NONE
>>>> cas.authn.ldap[0].minPoolSize=2
>>>> cas.authn.ldap[0].maxPoolSize=15
>>>>
>>>>
>>>> cas.authn.mfa.globalProviderId=mfa-gauth
>>>> cas.authn.mfa.globalFailureMode=CLOSED
>>>>
>>>> cas.authn.mfa.gauth.issuer=TEST
>>>> cas.authn.mfa.gauth.codeDigits=6
>>>> cas.authn.mfa.gauth.timeStepSize=60
>>>> cas.authn.mfa.gauth.windowSize=3
>>>> cas.authn.mfa.gauth.label=TEST
>>>> cas.authn.mfa.gauth.rank=0
>>>>
>>>> cas.authn.mfa.gauth.cleaner.enabled=true
>>>> cas.authn.mfa.gauth.cleaner.schedule.startDelay=20000
>>>> cas.authn.mfa.gauth.cleaner.schedule.repeatInterval=60000
>>>>
>>>> cas.authn.mfa.gauth.bypass.type=DEFAULT
>>>>
>>>> cas.authn.mfa.gauth.mongo.clientUri=${mongo.uri}
>>>> cas.authn.mfa.gauth.mongo.dropCollection=false
>>>> cas.authn.mfa.gauth.mongo.collection=GAuthRepository
>>>>
>>>> cas.authn.mfa.gauth.mongo.tokenCollection=GoogleAuthenticatorMongoDbTokenRepository
>>>>
>>>>
>>>>
>>>> *pom.xml*
>>>>
>>>>         <dependency>
>>>>             <groupId>org.apereo.cas</groupId>
>>>>             <artifactId>cas-server-webapp${app.server}</artifactId>
>>>>             <version>${cas.version}</version>
>>>>             <type>war</type>
>>>>             <scope>runtime</scope>
>>>>         </dependency>
>>>>         <dependency>
>>>>             <groupId>org.apereo.cas</groupId>
>>>>             <artifactId>cas-server-support-ldap</artifactId>
>>>>             <version>${cas.version}</version>
>>>>         </dependency>
>>>>         <dependency>
>>>>             <groupId>org.apereo.cas</groupId>
>>>>             <artifactId>cas-server-support-saml</artifactId>
>>>>             <version>${cas.version}</version>
>>>>         </dependency>
>>>>         <dependency>
>>>>             <groupId>org.apereo.cas</groupId>
>>>>             <artifactId>cas-server-support-gauth</artifactId>
>>>>             <version>${cas.version}</version>
>>>>         </dependency>
>>>>         <dependency>
>>>>             <groupId>org.apereo.cas</groupId>
>>>>             <artifactId>cas-server-support-gauth-mongo</artifactId>
>>>>             <version>${cas.version}</version>
>>>>         </dependency>
>>>>
>>>>
>>>> *catalina.log*
>>>>
>>>> 2018-02-15 09:31:13,952 DEBUG [org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] - <Authentication handlers used for this transaction are [GoogleAuthenticatorAuthenticationHandler,LdapAuthenticationHandler,HttpBasedServiceCredentialsAuthenticationHandler]>
>>>> 2018-02-15 09:31:13,953 DEBUG [org.apereo.cas.adaptors.gauth.GoogleAuthenticatorAuthenticationHandler] - <Received OTP [*253227*]>
>>>> 2018-02-15 09:31:13,954 DEBUG [org.apereo.cas.adaptors.gauth.GoogleAuthenticatorAuthenticationHandler] - <Received principal id [*j.byky*]>
>>>> 2018-02-15 09:31:13,970 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[GoogleAuthenticatorAuthenticationHandler] exception details: [Failed to authenticate code *253227*].>
>>>> 2018-02-15 09:31:13,971 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Credential is not one of username/password and is not accepted by handler [LdapAuthenticationHandler]>
>>>> 2018-02-15 09:31:13,972 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <*Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [[token=253227]] of type [GoogleAuthenticatorTokenCredential]*.>
>>>> 2018-02-15 09:31:13,976 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
>>>> =============================================================
>>>> *WHO: 253227*
>>>> *WHAT: Supplied credentials: [[token=253227]]*
>>>> ACTION: AUTHENTICATION_SUCCESS
>>>> APPLICATION: CAS
>>>> WHEN: Thu Feb 15 09:31:13 CET 2018
>>>> CLIENT IP ADDRESS: 10.100.100.20
>>>> SERVER IP ADDRESS: 10.40.0.2
>>>> =============================================================
>>>>
>>>> >
>>>> 2018-02-15 09:31:13,978 ERROR [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <1 errors, 0 successes>
>>>> org.apereo.cas.authentication.AuthenticationException: 1 errors, 0 successes
>>>>
>>>> 2018-02-15 09:31:13,982 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
>>>> =============================================================
>>>> WHO: *253227*
>>>> WHAT: [event=error,timestamp=Thu Feb 15 09:31:13 CET 2018,source=OneTimeTokenAuthenticationWebflowEventResolver]
>>>> ACTION: AUTHENTICATION_EVENT_TRIGGERED
>>>> APPLICATION: CAS
>>>> WHEN: Thu Feb 15 09:31:13 CET 2018
>>>> CLIENT IP ADDRESS: 10.100.100.20
>>>> SERVER IP ADDRESS: 10.40.0.2
>>>> =============================================================
>>>>
>>>>
>>>>
>>>> Can anybody tell me what I'm missing?
>>>>
>>>
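
The time-based check behind the quoted `cas.authn.mfa.gauth.*` settings, as an added example in Python (not CAS code and not from anyone in this thread): it computes RFC 6238 codes with the posted codeDigits, timeStepSize and windowSize, and shows why codes from an app that generates on a 30-second period (as Google Authenticator does) would never fall inside a 60-second server window, while scratch codes, which are stored per user and do not depend on time, still pass. Assumptions: windowSize counts the total number of adjacent steps tried (centred on the current one), the secret is the RFC 6238 test key rather than a real user's, and the timestamp is the WHEN of the quoted audit record converted to UTC epoch seconds.

```python
import base64
import hashlib
import hmac
import struct

# Values copied from the quoted cas.properties
CODE_DIGITS = 6        # cas.authn.mfa.gauth.codeDigits
TIME_STEP_SIZE = 60    # cas.authn.mfa.gauth.timeStepSize, in seconds
WINDOW_SIZE = 3        # cas.authn.mfa.gauth.windowSize
APP_STEP = 30          # fixed period used by the Google Authenticator app

# RFC 6238 test key ("12345678901234567890" in base32); constructed, not a real user secret
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=CODE_DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32, unix_time, step, digits=CODE_DIGITS):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret_b32, unix_time // step, digits)


def server_counters(unix_time, step=TIME_STEP_SIZE, window=WINDOW_SIZE):
    """Counters the server tries. Assumption: windowSize is the total number of adjacent
    steps checked, centred on the current one (3 -> previous, current, next)."""
    current = unix_time // step
    half = (window - 1) // 2
    return range(current - half, current + half + 1)


def verify(secret_b32, code, unix_time, step=TIME_STEP_SIZE, window=WINDOW_SIZE):
    """Server-side check: accept the code if it matches any counter in the window."""
    return any(hmac.compare_digest(hotp(secret_b32, c), code)
               for c in server_counters(unix_time, step, window))


def app_counter_in_server_window(unix_time, app_step=APP_STEP, step=TIME_STEP_SIZE, window=WINDOW_SIZE):
    """Is the counter an app with app_step uses among those the server tries? With 30 s vs 60 s
    the app counter is about twice the server counter, so for any current timestamp it is not."""
    return unix_time // app_step in server_counters(unix_time, step, window)


if __name__ == "__main__":
    t = 1518683473  # Thu Feb 15 09:31:13 CET 2018 (the quoted WHEN) as UTC epoch seconds
    print(verify(SECRET_B32, totp(SECRET_B32, t, TIME_STEP_SIZE), t))  # True: same step on both sides
    print(app_counter_in_server_window(t))                            # False: 30 s app vs 60 s server
```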
