Apologies Mickaël, the webapp server's and my smartphone's time are the same, yes.

Kind Regards
Jeremy

On Friday, 22 February 2019 10:44:11 UTC+2, Mickaël wrote:
>
> Jeremy, you don't tell me if the webapp server has the correct time and
> your smartphone too.
> Tokens are time based, so if one of the devices does not have the correct time, you
> will have problems.
>
> Sincerely,
>
> Mickaël
>
> On Fri, 22 Feb 2019 at 08:45, Jeremy Van Rooyen <[email protected]> wrote:
>
>> Thanks for your feedback Mickaël,
>>
>> For the second part I'm presented with the qrcode and 5 scratch codes. When
>> I scan the qrcode my Google Authenticator app on the phone accepts it.
>>
>> Then I click on register and enter the token displayed by the Google
>> Authenticator app and it says --> "Credentials are rejected/invalid and
>> authentication attempt has failed."
>>
>> This is what I see in the CAS log file:
>>
>> DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Attempting to authenticate credential [OneTimeTokenCredential(token=420195)]>
>> DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Attempting authentication of [420195] using [GoogleAuthenticatorAuthenticationHandler]>
>> DEBUG [org.apereo.cas.adaptors.gauth.GoogleAuthenticatorAuthenticationHandler] - <Received OTP [420195]>
>> DEBUG [org.apereo.cas.adaptors.gauth.GoogleAuthenticatorAuthenticationHandler] - <Received principal id [jeremy]. Attempting to locate account in credential repository...>
>> DEBUG [org.apereo.cas.adaptors.gauth.GoogleAuthenticatorAuthenticationHandler] - <Attempting to locate OTP token [420195] in token repository for [jeremy]...>
>> DEBUG [org.apereo.cas.adaptors.gauth.GoogleAuthenticatorAuthenticationHandler] - <Attempting to authorize OTP token [420195]...>
>> WARN [org.apereo.cas.adaptors.gauth.GoogleAuthenticatorAuthenticationHandler] - <Authorization of OTP token [420195] has failed>
>>
>> It sounds to me like when I use the scratch codes they are stored in the
>> mongodb and can be found in the token repository (stored in db), but not
>> the tokens used on the Google Authenticator app? Not sure if my
>> understanding is correct?
>>
>> Thanks in advance
>> Jeremy
>>
>> On Thursday, 21 February 2019 16:50:42 UTC+2, Mickaël wrote:
>>>
>>> Yes Jeremy, that's what I mean.
>>> I'm using JPA for my service registry and the CAS manager webapp but it
>>> is the same way.
>>>
>>> For the second part, are you invited to enter your token code displayed
>>> by your Google authenticator app?
>>>
>>> If it doesn't work, perhaps your server does not have the correct time. NTP can
>>> help you to fix it.
>>>
>>> Sincerely,
>>>
>>> Mickaël
>>>
>>> On Thu, 21 Feb 2019 at 13:53, Jeremy Van Rooyen <[email protected]> wrote:
>>>
>>>> Hi Mickaël,
>>>>
>>>> On Thursday, 21 February 2019 14:01:17 UTC+2, Mickaël wrote:
>>>>>
>>>>> Hi Jeremy,
>>>>>
>>>>> It is great news about the scratch codes.
>>>>>
>>>>> I'm not sure I understand your question about the qrcode. To register a
>>>>> device, it is possible and required when a service is registered on your
>>>>> CAS with "Google Authentication" as MFA.
>>>>>
>>>>
>>>> Do you mean that the service "Google Authentication" as MFA must be
>>>> registered under the services configuration in json format?
>>>>
>>>>> So, at the first login without a registered device, the user will be asked
>>>>> to scan the qrcode on the screen and save (or print) the scratch codes.
>>>>> After clicking on the next button, the user should enter his token in the field
>>>>> to finish the registration and be redirected to the service.
>>>>>
>>>>
>>>> This is what happens, exactly the way you explain it here. So when I
>>>> scan the qrcode with my phone it does not take the codes generated on the
>>>> Google Authenticator app. It does however take the on-screen codes.
>>>>
>>>> I hope this clears up my question?
>>>>
>>>>> Does it answer your question Jeremy?
>>>>>
>>>>> My own question about this system: how to unregister a device in
>>>>> case of a change of device or loss? I don't know the URL to do that...
>>>>>
>>>>> Sincerely,
>>>>>
>>>>> Mickaël
>>>>>
>>>>> On Thursday, 21 February 2019 11:32:54 UTC+1, Jeremy Van Rooyen wrote:
>>>>>>
>>>>>> Hi Mickaël,
>>>>>>
>>>>>> Thanks for your reply.
>>>>>>
>>>>>> So after playing around a bit more it seems like the on-screen
>>>>>> scratch codes are being stored in the mongodb and using them it allows me
>>>>>> to authenticate perfectly.
>>>>>>
>>>>>> The next question is how would one register via the qrcode using the
>>>>>> Google Authenticator app on the phone? Or am I not understanding something?
>>>>>>
>>>>>> Kind Regards
>>>>>> Jeremy
>>>>>>
>>>>>> On Tuesday, 19 February 2019 10:30:29 UTC+2, Mickaël wrote:
>>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> Are you sure there is anything registered in your Mongo database?
>>>>>>> Scratch codes and tokens are stored in the DB for each user in 2 different
>>>>>>> tables.
>>>>>>>
>>>>>>> It is strange to see that; normally "WHO" is the user, not the token:
>>>>>>> WHO: 253227
>>>>>>> WHAT: Supplied credentials: [[token=253227]]
>>>>>>>
>>>>>>> For information, I am using gauth with MariaDB without any issue.
>>>>>>>
>>>>>>> Mickaël
>>>>>>>
>>>>>>> On Thursday, 15 February 2018 09:53:52 UTC+1, Janina Byky wrote:
>>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I'm trying to set up CAS 5.2.2 with Google Authenticator as second
>>>>>>>> auth factor for specified services. CAS is running over LDAP (AD) and GAuth
>>>>>>>> based on mongo. So far everything was great, build succeeded, GAuth qrcode
>>>>>>>> appears, user registers and now it's time for the TOKEN form. I'm typing all
>>>>>>>> scratch codes and those generated by Google Authenticator, but every single
>>>>>>>> attempt is unsuccessful. Also there's no collection created to store tokens
>>>>>>>> in mongo. Only GAuthRepository is created with proper values of registered
>>>>>>>> users.
>>>>>>>>
>>>>>>>> cas.properties
>>>>>>>>
>>>>>>>> cas.authn.accept.users=
>>>>>>>>
>>>>>>>> cas.authn.ldap[0].order=0
>>>>>>>> cas.authn.ldap[0].type=AUTHENTICATED
>>>>>>>> cas.authn.ldap[0].ldapUrl={CUT}
>>>>>>>> cas.authn.ldap[0].connectionStrategy=DEFAULT
>>>>>>>> cas.authn.ldap[0].useSsl=true
>>>>>>>> cas.authn.ldap[0].connectTimeout=15000
>>>>>>>> cas.authn.ldap[0].subtreeSearch=true
>>>>>>>> cas.authn.ldap[0].baseDn={CUT}
>>>>>>>> cas.authn.ldap[0].userFilter=(|(sAMAccountName={user})(userPrincipalName={user}))
>>>>>>>> cas.authn.ldap[0].bindDn={CUT}
>>>>>>>> cas.authn.ldap[0].bindCredential={CUT}
>>>>>>>> cas.authn.ldap[0].enhanceWithEntryResolver=true
>>>>>>>> cas.authn.ldap[0].principalAttributeId=sAMAccountName
>>>>>>>> cas.authn.ldap[0].principalAttributePassword=
>>>>>>>> cas.authn.ldap[0].usePasswordPolicy=true
>>>>>>>> cas.authn.ldap[0].principalAttributeList=sn,cn:commonName,givenName,sAMAccountName,memberOf
>>>>>>>> cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true
>>>>>>>> cas.authn.ldap[0].poolPassivator=NONE
>>>>>>>> cas.authn.ldap[0].minPoolSize=2
>>>>>>>> cas.authn.ldap[0].maxPoolSize=15
>>>>>>>>
>>>>>>>> cas.authn.mfa.globalProviderId=mfa-gauth
>>>>>>>> cas.authn.mfa.globalFailureMode=CLOSED
>>>>>>>>
>>>>>>>> cas.authn.mfa.gauth.issuer=TEST
>>>>>>>> cas.authn.mfa.gauth.codeDigits=6
>>>>>>>> cas.authn.mfa.gauth.timeStepSize=60
>>>>>>>> cas.authn.mfa.gauth.windowSize=3
>>>>>>>> cas.authn.mfa.gauth.label=TEST
>>>>>>>> cas.authn.mfa.gauth.rank=0
>>>>>>>>
>>>>>>>> cas.authn.mfa.gauth.cleaner.enabled=true
>>>>>>>> cas.authn.mfa.gauth.cleaner.schedule.startDelay=20000
>>>>>>>> cas.authn.mfa.gauth.cleaner.schedule.repeatInterval=60000
>>>>>>>>
>>>>>>>> cas.authn.mfa.gauth.bypass.type=DEFAULT
>>>>>>>>
>>>>>>>> cas.authn.mfa.gauth.mongo.clientUri=${mongo.uri}
>>>>>>>> cas.authn.mfa.gauth.mongo.dropCollection=false
>>>>>>>> cas.authn.mfa.gauth.mongo.collection=GAuthRepository
>>>>>>>> cas.authn.mfa.gauth.mongo.tokenCollection=GoogleAuthenticatorMongoDbTokenRepository
>>>>>>>>
>>>>>>>> pom.xml
>>>>>>>>
>>>>>>>> <dependency>
>>>>>>>>     <groupId>org.apereo.cas</groupId>
>>>>>>>>     <artifactId>cas-server-webapp${app.server}</artifactId>
>>>>>>>>     <version>${cas.version}</version>
>>>>>>>>     <type>war</type>
>>>>>>>>     <scope>runtime</scope>
>>>>>>>> </dependency>
>>>>>>>> <dependency>
>>>>>>>>     <groupId>org.apereo.cas</groupId>
>>>>>>>>     <artifactId>cas-server-support-ldap</artifactId>
>>>>>>>>     <version>${cas.version}</version>
>>>>>>>> </dependency>
>>>>>>>> <dependency>
>>>>>>>>     <groupId>org.apereo.cas</groupId>
>>>>>>>>     <artifactId>cas-server-support-saml</artifactId>
>>>>>>>>     <version>${cas.version}</version>
>>>>>>>> </dependency>
>>>>>>>> <dependency>
>>>>>>>>     <groupId>org.apereo.cas</groupId>
>>>>>>>>     <artifactId>cas-server-support-gauth</artifactId>
>>>>>>>>     <version>${cas.version}</version>
>>>>>>>> </dependency>
>>>>>>>> <dependency>
>>>>>>>>     <groupId>org.apereo.cas</groupId>
>>>>>>>>     <artifactId>cas-server-support-gauth-mongo</artifactId>
>>>>>>>>     <version>${cas.version}</version>
>>>>>>>> </dependency>
>>>>>>>>
>>>>>>>> catalina.log
>>>>>>>>
>>>>>>>> 2018-02-15 09:31:13,952 DEBUG [org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] - <Authentication handlers used for this transaction are [GoogleAuthenticatorAuthenticationHandler,LdapAuthenticationHandler,HttpBasedServiceCredentialsAuthenticationHandler]>
>>>>>>>> 2018-02-15 09:31:13,953 DEBUG [org.apereo.cas.adaptors.gauth.GoogleAuthenticatorAuthenticationHandler] - <Received OTP [253227]>
>>>>>>>> 2018-02-15 09:31:13,954 DEBUG [org.apereo.cas.adaptors.gauth.GoogleAuthenticatorAuthenticationHandler] - <Received principal id [j.byky]>
>>>>>>>> 2018-02-15 09:31:13,970 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[GoogleAuthenticatorAuthenticationHandler] exception details: [Failed to authenticate code 253227].>
>>>>>>>> 2018-02-15 09:31:13,971 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Credential is not one of username/password and is not accepted by handler [LdapAuthenticationHandler]>
>>>>>>>> 2018-02-15 09:31:13,972 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [[token=253227]] of type [GoogleAuthenticatorTokenCredential].>
>>>>>>>> 2018-02-15 09:31:13,976 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
>>>>>>>> =============================================================
>>>>>>>> WHO: 253227
>>>>>>>> WHAT: Supplied credentials: [[token=253227]]
>>>>>>>> ACTION: AUTHENTICATION_SUCCESS
>>>>>>>> APPLICATION: CAS
>>>>>>>> WHEN: Thu Feb 15 09:31:13 CET 2018
>>>>>>>> CLIENT IP ADDRESS: 10.100.100.20
>>>>>>>> SERVER IP ADDRESS: 10.40.0.2
>>>>>>>> =============================================================
>>>>>>>>
>>>>>>>> >
>>>>>>>> 2018-02-15 09:31:13,978 ERROR [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <1 errors, 0 successes>
>>>>>>>> org.apereo.cas.authentication.AuthenticationException: 1 errors, 0 successes
>>>>>>>>     at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.evaluateFinalAuthentication(PolicyBasedAuthenticationManager.java:400) ~[cas-server-core-authentication-5.2.2.jar:5.2.2]
>>>>>>>>     at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticateInternal(PolicyBasedAuthenticationManager.java:380) ~[cas-server-core-authentication-5.2.2.jar:5.2.2]
>>>>>>>>     at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticate(PolicyBasedAuthenticationManager.java:220) ~[cas-server-core-authentication-5.2.2.jar:5.2.2]
>>>>>>>>     at org.apereo.cas.authentication.PolicyBasedAuthenticationManager$$FastClassBySpringCGLIB$$90e801d3.invoke(<generated>) ~[cas-server-core-authentication-5.2.2.jar:5.2.2]
>>>>>>>>     at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) ~[spring-core-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>>>>>>>>     at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:738) ~[spring-aop-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>>>>>>>>     at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157) ~[spring-aop-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>>>>>>>>     at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:85) ~[spring-aop-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>>>>>>>>     at org.apereo.inspektr.audit.AuditTrailManagementAspect.handleAuditTrail(AuditTrailManagementAspect.java:134) ~[inspektr-audit-1.8.0.GA.jar:1.8.0.GA]
>>>>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_162]
>>>>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_162]
>>>>>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_162]
>>>>>>>>     at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_162]
>>>>>>>>     ...
>>>>>>>>
>>>>>>>> 2018-02-15 09:31:13,982 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
>>>>>>>> =============================================================
>>>>>>>> WHO: 253227
>>>>>>>> WHAT: [event=error,timestamp=Thu Feb 15 09:31:13 CET 2018,source=OneTimeTokenAuthenticationWebflowEventResolver]
>>>>>>>> ACTION: AUTHENTICATION_EVENT_TRIGGERED
>>>>>>>> APPLICATION: CAS
>>>>>>>> WHEN: Thu Feb 15 09:31:13 CET 2018
>>>>>>>> CLIENT IP ADDRESS: 10.100.100.20
>>>>>>>> SERVER IP ADDRESS: 10.40.0.2
>>>>>>>> =============================================================
>>>>>>>>
>>>>>>>> Can anybody tell me what I'm missing?
>>>>>>>>
>>>> --
>>>> - Website: https://apereo.github.io/cas
>>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>>> - List Guidelines: https://goo.gl/1VRrw7
>>>> - Contributions: https://goo.gl/mh7qDG
>>>> ---
>>>> You received this message because you are subscribed to the Google Groups "CAS Community" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/57f5e936-6e6e-422c-9fb1-5140e5408eda%40apereo.org.
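The clock-skew point Mickaël raises (tokens are time based, so a phone or server with the wrong time produces codes the other side rejects) and the posted gauth settings (6 digits, 60-second time step, window size 3) can be reproduced offline. The following is an added example, not code from the thread and not CAS's own implementation: a small RFC 6238 TOTP verifier with a step window, run against tokens a phone would generate at several clock offsets, next to a scratch-code check that is not time based at all. The base32 secret, the scratch codes and the timestamp are constructed values.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample values (not from the thread): a base32 secret of the kind
# carried in the enrolment QR code, and five single-use scratch codes.
SECRET_B32 = "JBSWY3DPEHPK3PXP"
SCRATCH_CODES = {11111111, 22222222, 33333333, 44444444, 55555555}

# Mirrors the posted cas.properties: codeDigits=6, timeStepSize=60, windowSize=3.
CODE_DIGITS = 6
TIME_STEP = 60
WINDOW = 3


def load_secret(b32: str) -> bytes:
    """Decode the shared secret exactly as an authenticator app would."""
    return base64.b32decode(b32)


def hotp(secret: bytes, counter: int, digits: int = CODE_DIGITS) -> int:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return code % (10 ** digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> int:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, token: int, server_time: int,
                step: int = TIME_STEP, window: int = WINDOW):
    """Accept the token if it matches any step within +/- window of the server clock.

    Returns the matching step offset (0 means the clocks agree), or None when the
    token is rejected. A phone whose clock is off by more than window * step
    seconds always lands outside this range, which is what the thread observes.
    """
    current = server_time // step
    expected = f"{token:0{CODE_DIGITS}d}"
    for delta in range(-window, window + 1):
        candidate = f"{hotp(secret, current + delta):0{CODE_DIGITS}d}"
        if hmac.compare_digest(candidate, expected):   # constant-time comparison
            return delta
    return None


def verify_scratch(codes: set, token: int) -> bool:
    """Scratch codes are single-use and independent of time: consume on success."""
    if token in codes:
        codes.discard(token)
        return True
    return False


def skew_report(secret: bytes, server_time: int, skews) -> dict:
    """For each phone clock skew (seconds), show whether the phone's token is accepted."""
    return {skew: verify_totp(secret, totp(secret, server_time + skew), server_time)
            for skew in skews}


if __name__ == "__main__":
    secret = load_secret(SECRET_B32)
    now = 1550825051  # constructed timestamp, roughly the date of the thread
    # With a 60 s step and a window of 3, skews up to about 180 s are tolerated;
    # 240 s, -300 s and 600 s are rejected (None) even though the secret is right.
    print(skew_report(secret, now, [0, 120, 180, 240, -300, 600]))
    codes = set(SCRATCH_CODES)
    print(verify_scratch(codes, 11111111), verify_scratch(codes, 11111111))
```

The report makes the failure mode visible without a server: every rejected entry uses the correct secret, so the WARN line in the thread ("Authorization of OTP token ... has failed") is consistent with a clock that is outside windowSize * timeStepSize seconds of the server, not with a wrong secret. Running NTP on the server and letting the phone sync its clock is the fix Mickaël suggests; widening windowSize also helps tolerate skew but lengthens the time each code stays valid.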
