No problem. Have you tested with another app? I'm using andOTP but I don't think the problem is there.

Sincerely,

Mickaël

On Fri, 22 Feb 2019 at 11:39, Jeremy Van Rooyen <[email protected]> wrote:
> Apologies Mickaël,
>
> The webapp server and my smartphone's time are the same, yes.
>
> Kind Regards
> Jeremy
>
> On Friday, 22 February 2019 10:44:11 UTC+2, Mickaël wrote:
>> Jeremy, you didn't tell me whether the webapp server is at the correct time,
>> and your smartphone too.
>> Tokens are time-based, so if one of the devices does not have the correct
>> time, you will have problems.
>>
>> Sincerely,
>>
>> Mickaël
>>
>> On Fri, 22 Feb 2019 at 08:45, Jeremy Van Rooyen <[email protected]> wrote:
>>> Thanks for your feedback Mickaël,
>>>
>>> For the second part I'm presented with the QR code and 5 scratch codes.
>>> When I scan the QR code my Google Authenticator app on the phone accepts it.
>>>
>>> Then I click on register and enter the token displayed by the Google
>>> Authenticator app and it says --> "*Credentials are rejected/invalid
>>> and authentication attempt has failed.*"
>>>
>>> This is what I see in the CAS log file:
>>>
>>> DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Attempting to authenticate credential [OneTimeTokenCredential(token=420195)]>
>>> DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Attempting authentication of [420195] using [GoogleAuthenticatorAuthenticationHandler]>
>>> DEBUG [org.apereo.cas.adaptors.gauth.GoogleAuthenticatorAuthenticationHandler] - <Received OTP [420195]>
>>> DEBUG [org.apereo.cas.adaptors.gauth.GoogleAuthenticatorAuthenticationHandler] - <Received principal id [jeremy]. Attempting to locate account in credential repository...>
>>> DEBUG [org.apereo.cas.adaptors.gauth.GoogleAuthenticatorAuthenticationHandler] - <Attempting to locate OTP token [420195] in token repository for [jeremy]...>
>>> DEBUG [org.apereo.cas.adaptors.gauth.GoogleAuthenticatorAuthenticationHandler] - <Attempting to authorize OTP token [420195]...>
>>> WARN [org.apereo.cas.adaptors.gauth.GoogleAuthenticatorAuthenticationHandler] - <Authorization of OTP token [420195] has failed>
>>>
>>> It sounds to me that when I use the scratch codes they are stored in the
>>> mongodb and can be found in the token repository (stored in db), but not
>>> the tokens used on the Google Authenticator app? Not sure if my
>>> understanding is correct?
>>>
>>> Thanks in advance
>>> Jeremy
>>>
>>> On Thursday, 21 February 2019 16:50:42 UTC+2, Mickaël wrote:
>>>> Yes Jeremy, that's what I mean.
>>>> I'm using JPA for my service registry and the CAS management webapp but it
>>>> is the same way.
>>>>
>>>> For the second part, are you invited to enter your token code displayed
>>>> by your Google Authenticator app?
>>>>
>>>> If it doesn't work, perhaps your server is not at the correct time. NTP
>>>> can help you fix it.
>>>>
>>>> Sincerely,
>>>>
>>>> Mickaël
>>>>
>>>> On Thu, 21 Feb 2019 at 13:53, Jeremy Van Rooyen <[email protected]> wrote:
>>>>> Hi Mickaël,
>>>>>
>>>>> On Thursday, 21 February 2019 14:01:17 UTC+2, Mickaël wrote:
>>>>>> Hi Jeremy,
>>>>>>
>>>>>> It is great news about the scratch codes.
>>>>>>
>>>>>> I'm not sure I understand your question about the QR code. To register a
>>>>>> device, it is possible and required when a service is registered on your
>>>>>> CAS with "Google Authentication" as MFA.
>>>>>
>>>>> Do you mean that the service "Google Authentication" as MFA must be
>>>>> registered under the services configuration in JSON format?
>>>>>
>>>>>> So, at the first login without a registered device, the user will be asked
>>>>>> to scan the QR code on the screen and save (or print) the scratch codes.
>>>>>> After clicking on the next button, the user should enter their token in the
>>>>>> field to finish the registration and be redirected to the service.
>>>>>
>>>>> This is what happens exactly the way you explain it here. So when I
>>>>> scan the QR code with my phone it does not take the codes generated on the
>>>>> Google Authenticator app. It does however take the on-screen codes.
>>>>>
>>>>> I hope this clears up my question?
>>>>>
>>>>>> Does it answer your question Jeremy?
>>>>>>
>>>>>> My own question about this system: how to unregister a device in
>>>>>> case of a change of device or loss? I don't know the URL to do that...
>>>>>>
>>>>>> Sincerely,
>>>>>>
>>>>>> Mickaël
>>>>>>
>>>>>> On Thursday, 21 February 2019 11:32:54 UTC+1, Jeremy Van Rooyen wrote:
>>>>>>> Hi Mickaël,
>>>>>>>
>>>>>>> Thanks for your reply.
>>>>>>>
>>>>>>> So after playing around a bit more it seems like the on-screen
>>>>>>> scratch codes are being stored in the mongodb and using those it allows
>>>>>>> me to authenticate perfectly.
>>>>>>>
>>>>>>> The next question is how would one register via the QR code using the
>>>>>>> Google Authenticator app on the phone? Or am I not understanding something?
>>>>>>>
>>>>>>> Kind Regards
>>>>>>> Jeremy
>>>>>>>
>>>>>>> On Tuesday, 19 February 2019 10:30:29 UTC+2, Mickaël wrote:
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> Are you sure there is anything registered in your Mongo database?
>>>>>>>> Scratch codes and tokens are stored in the DB for each user in 2 different
>>>>>>>> tables.
>>>>>>>>
>>>>>>>> It is strange to see that; normally "WHO" is the user, not the
>>>>>>>> token:
>>>>>>>> *WHO: 253227*
>>>>>>>> *WHAT: Supplied credentials: [[token=253227]]*
>>>>>>>>
>>>>>>>> For information, I am using gauth with MariaDB without any issue.
>>>>>>>>
>>>>>>>> Mickaël
>>>>>>>>
>>>>>>>> On Thursday, 15 February 2018 09:53:52 UTC+1, Janina Byky wrote:
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I'm trying to set up CAS 5.2.2 with Google Authenticator as a second
>>>>>>>>> auth factor for specified services. CAS is running over LDAP (AD) and
>>>>>>>>> GAuth based on mongo. So far everything was great, the build succeeded,
>>>>>>>>> the GAuth QR code appears, the user registers and now it's time for the
>>>>>>>>> TOKEN form. I'm typing all scratch codes and those generated by Google
>>>>>>>>> Authenticator, but every single attempt is unsuccessful. Also there's no
>>>>>>>>> collection created to store tokens in mongo. Only GAuthRepository is
>>>>>>>>> created with proper values of registered users.
>>>>>>>>>
>>>>>>>>> *cas.properties*
>>>>>>>>>
>>>>>>>>> cas.authn.accept.users=
>>>>>>>>>
>>>>>>>>> cas.authn.ldap[0].order=0
>>>>>>>>> cas.authn.ldap[0].type=AUTHENTICATED
>>>>>>>>> cas.authn.ldap[0].ldapUrl={CUT}
>>>>>>>>> cas.authn.ldap[0].connectionStrategy=DEFAULT
>>>>>>>>> cas.authn.ldap[0].useSsl=true
>>>>>>>>> cas.authn.ldap[0].connectTimeout=15000
>>>>>>>>> cas.authn.ldap[0].subtreeSearch=true
>>>>>>>>> cas.authn.ldap[0].baseDn={CUT}
>>>>>>>>> cas.authn.ldap[0].userFilter=(|(sAMAccountName={user})(userPrincipalName={user}))
>>>>>>>>> cas.authn.ldap[0].bindDn={CUT}
>>>>>>>>> cas.authn.ldap[0].bindCredential={CUT}
>>>>>>>>> cas.authn.ldap[0].enhanceWithEntryResolver=true
>>>>>>>>> cas.authn.ldap[0].principalAttributeId=sAMAccountName
>>>>>>>>> cas.authn.ldap[0].principalAttributePassword=
>>>>>>>>> cas.authn.ldap[0].usePasswordPolicy=true
>>>>>>>>> cas.authn.ldap[0].principalAttributeList=sn,cn:commonName,givenName,sAMAccountName,memberOf
>>>>>>>>> cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true
>>>>>>>>> cas.authn.ldap[0].poolPassivator=NONE
>>>>>>>>> cas.authn.ldap[0].minPoolSize=2
>>>>>>>>> cas.authn.ldap[0].maxPoolSize=15
>>>>>>>>>
>>>>>>>>> cas.authn.mfa.globalProviderId=mfa-gauth
>>>>>>>>> cas.authn.mfa.globalFailureMode=CLOSED
>>>>>>>>>
>>>>>>>>> cas.authn.mfa.gauth.issuer=TEST
>>>>>>>>> cas.authn.mfa.gauth.codeDigits=6
>>>>>>>>> cas.authn.mfa.gauth.timeStepSize=60
>>>>>>>>> cas.authn.mfa.gauth.windowSize=3
>>>>>>>>> cas.authn.mfa.gauth.label=TEST
>>>>>>>>> cas.authn.mfa.gauth.rank=0
>>>>>>>>>
>>>>>>>>> cas.authn.mfa.gauth.cleaner.enabled=true
>>>>>>>>> cas.authn.mfa.gauth.cleaner.schedule.startDelay=20000
>>>>>>>>> cas.authn.mfa.gauth.cleaner.schedule.repeatInterval=60000
>>>>>>>>>
>>>>>>>>> cas.authn.mfa.gauth.bypass.type=DEFAULT
>>>>>>>>>
>>>>>>>>> cas.authn.mfa.gauth.mongo.clientUri=${mongo.uri}
>>>>>>>>> cas.authn.mfa.gauth.mongo.dropCollection=false
>>>>>>>>> cas.authn.mfa.gauth.mongo.collection=GAuthRepository
>>>>>>>>> cas.authn.mfa.gauth.mongo.tokenCollection=GoogleAuthenticatorMongoDbTokenRepository
>>>>>>>>>
>>>>>>>>> *pom.xml*
>>>>>>>>>
>>>>>>>>> <dependency>
>>>>>>>>>     <groupId>org.apereo.cas</groupId>
>>>>>>>>>     <artifactId>cas-server-webapp${app.server}</artifactId>
>>>>>>>>>     <version>${cas.version}</version>
>>>>>>>>>     <type>war</type>
>>>>>>>>>     <scope>runtime</scope>
>>>>>>>>> </dependency>
>>>>>>>>> <dependency>
>>>>>>>>>     <groupId>org.apereo.cas</groupId>
>>>>>>>>>     <artifactId>cas-server-support-ldap</artifactId>
>>>>>>>>>     <version>${cas.version}</version>
>>>>>>>>> </dependency>
>>>>>>>>> <dependency>
>>>>>>>>>     <groupId>org.apereo.cas</groupId>
>>>>>>>>>     <artifactId>cas-server-support-saml</artifactId>
>>>>>>>>>     <version>${cas.version}</version>
>>>>>>>>> </dependency>
>>>>>>>>> <dependency>
>>>>>>>>>     <groupId>org.apereo.cas</groupId>
>>>>>>>>>     <artifactId>cas-server-support-gauth</artifactId>
>>>>>>>>>     <version>${cas.version}</version>
>>>>>>>>> </dependency>
>>>>>>>>> <dependency>
>>>>>>>>>     <groupId>org.apereo.cas</groupId>
>>>>>>>>>     <artifactId>cas-server-support-gauth-mongo</artifactId>
>>>>>>>>>     <version>${cas.version}</version>
>>>>>>>>> </dependency>
>>>>>>>>>
>>>>>>>>> *catalina.log*
>>>>>>>>>
>>>>>>>>> 2018-02-15 09:31:13,952 DEBUG [org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] - <Authentication handlers used for this transaction are [GoogleAuthenticatorAuthenticationHandler,LdapAuthenticationHandler,HttpBasedServiceCredentialsAuthenticationHandler]>
>>>>>>>>> 2018-02-15 09:31:13,953 DEBUG [org.apereo.cas.adaptors.gauth.GoogleAuthenticatorAuthenticationHandler] - <Received OTP [*253227*]>
>>>>>>>>> 2018-02-15 09:31:13,954 DEBUG [org.apereo.cas.adaptors.gauth.GoogleAuthenticatorAuthenticationHandler] - <Received principal id [*j.byky*]>
>>>>>>>>> 2018-02-15 09:31:13,970 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[GoogleAuthenticatorAuthenticationHandler] exception details: [Failed to authenticate code *253227*].>
>>>>>>>>> 2018-02-15 09:31:13,971 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Credential is not one of username/password and is not accepted by handler [LdapAuthenticationHandler]>
>>>>>>>>> 2018-02-15 09:31:13,972 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <*Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [[token=253227]] of type [GoogleAuthenticatorTokenCredential]*.>
>>>>>>>>> 2018-02-15 09:31:13,976 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
>>>>>>>>> =============================================================
>>>>>>>>> *WHO: 253227*
>>>>>>>>> *WHAT: Supplied credentials: [[token=253227]]*
>>>>>>>>> ACTION: AUTHENTICATION_SUCCESS
>>>>>>>>> APPLICATION: CAS
>>>>>>>>> WHEN: Thu Feb 15 09:31:13 CET 2018
>>>>>>>>> CLIENT IP ADDRESS: 10.100.100.20
>>>>>>>>> SERVER IP ADDRESS: 10.40.0.2
>>>>>>>>> =============================================================
>>>>>>>>> >
>>>>>>>>> 2018-02-15 09:31:13,978 ERROR [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <1 errors, 0 successes>
>>>>>>>>> org.apereo.cas.authentication.AuthenticationException: 1 errors, 0 successes
>>>>>>>>>     at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.evaluateFinalAuthentication(PolicyBasedAuthenticationManager.java:400) ~[cas-server-core-authentication-5.2.2.jar:5.2.2]
>>>>>>>>>     at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticateInternal(PolicyBasedAuthenticationManager.java:380) ~[cas-server-core-authentication-5.2.2.jar:5.2.2]
>>>>>>>>>     at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticate(PolicyBasedAuthenticationManager.java:220) ~[cas-server-core-authentication-5.2.2.jar:5.2.2]
>>>>>>>>>     at org.apereo.cas.authentication.PolicyBasedAuthenticationManager$$FastClassBySpringCGLIB$$90e801d3.invoke(<generated>) ~[cas-server-core-authentication-5.2.2.jar:5.2.2]
>>>>>>>>>     at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) ~[spring-core-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>>>>>>>>>     at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:738) ~[spring-aop-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>>>>>>>>>     at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157) ~[spring-aop-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>>>>>>>>>     at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:85) ~[spring-aop-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>>>>>>>>>     at org.apereo.inspektr.audit.AuditTrailManagementAspect.handleAuditTrail(AuditTrailManagementAspect.java:134) ~[inspektr-audit-1.8.0.GA.jar:1.8.0.GA]
>>>>>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_162]
>>>>>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_162]
>>>>>>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_162]
>>>>>>>>>     at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_162]
>>>>>>>>>     ...
>>>>>>>>>
>>>>>>>>> 2018-02-15 09:31:13,982 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
>>>>>>>>> =============================================================
>>>>>>>>> WHO: *253227*
>>>>>>>>> WHAT: [event=error,timestamp=Thu Feb 15 09:31:13 CET 2018,source=OneTimeTokenAuthenticationWebflowEventResolver]
>>>>>>>>> ACTION: AUTHENTICATION_EVENT_TRIGGERED
>>>>>>>>> APPLICATION: CAS
>>>>>>>>> WHEN: Thu Feb 15 09:31:13 CET 2018
>>>>>>>>> CLIENT IP ADDRESS: 10.100.100.20
>>>>>>>>> SERVER IP ADDRESS: 10.40.0.2
>>>>>>>>> =============================================================
>>>>>>>>>
>>>>>>>>> Can anybody tell me what I'm missing?
>>>>>
>>>>> --
>>>>> - Website: https://apereo.github.io/cas
>>>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>>>> - List Guidelines: https://goo.gl/1VRrw7
>>>>> - Contributions: https://goo.gl/mh7qDG
>>>>> ---
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "CAS Community" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to [email protected].
>>>>> To view this discussion on the web visit
>>>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/57f5e936-6e6e-422c-9fb1-5140e5408eda%40apereo.org.
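Added example, not code from the thread, from CAS, or from the googleauth library that CAS wraps: a small RFC 6238 TOTP checker that reproduces the two failure modes the thread circles around, a clock that is out of sync and a server whose time step differs from the phone's. Google Authenticator generates six-digit codes on a fixed 30-second step and ignores a `period` parameter in the enrolment URI, whereas the cas.properties posted at the start of the thread sets `cas.authn.mfa.gauth.timeStepSize=60`. With a 60-second step on the server the phone's counter is roughly twice the server's, so no small validation window ever contains it; scratch codes are static values with no time component, so they keep working, which is consistent with the reported symptom. The example uses the RFC 4226/6238 test secret and fixed timestamps so every result can be checked against the published vectors. The symmetric plus-or-minus `skew` window, the `parse_otpauth` helper and the constructed `otpauth://` URI are this example's own assumptions; they do not reproduce the exact `windowSize` semantics of CAS or the exact URI CAS emits.

```python
"""RFC 6238 TOTP checker reproducing the failure modes discussed in the thread.
Added example: not CAS code and not the googleauth library that CAS wraps."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# RFC 4226/6238 reference secret (ASCII "12345678901234567890"). Its HOTP
# values for counters 0-9 are published in RFC 4226, which is why the
# timestamps below are small: every result can be checked by hand.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def time_counter(unix_time: int, step: int) -> int:
    """TOTP counter: whole time steps elapsed since the Unix epoch."""
    return unix_time // step


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """The code an authenticator app shows at `unix_time` for a given step."""
    return hotp(secret, time_counter(unix_time, step), digits)


def verify(secret: bytes, code: str, server_time: int, step: int = 30,
           digits: int = 6, skew: int = 1):
    """Server-side check accepting codes `skew` steps either side of the
    server's current step. Returns the matching offset in steps, or None.
    The symmetric window is this example's assumption; it does not reproduce
    the exact semantics of CAS's windowSize."""
    base = time_counter(server_time, step)
    for offset in range(-skew, skew + 1):
        candidate = hotp(secret, base + offset, digits).encode()
        if hmac.compare_digest(candidate, code.encode()):
            return offset
    return None


def parse_otpauth(uri: str) -> dict:
    """Extract secret/period/digits from an otpauth://totp/ URI of the kind
    an enrolment QR code carries (hypothetical helper). Defaults are what
    Google Authenticator uses regardless of the URI: 30-second step, 6 digits."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    secret_b32 = q["secret"].upper()
    secret_b32 += "=" * (-len(secret_b32) % 8)  # restore base32 padding
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": base64.b32decode(secret_b32),
        "period": int(q.get("period", 30)),
        "digits": int(q.get("digits", 6)),
    }


def scenarios() -> dict:
    """Three situations from the thread, with the RFC secret and fixed times."""
    # 1. Clocks agree and both sides use 30 s: the phone code matches at offset 0.
    in_sync = verify(RFC_SECRET, totp(RFC_SECRET, 45), server_time=45)

    # 2. Phone is ~105 s behind the server (code for t=45, checked at t=150).
    #    A +/-1 step window (90 s in total) rejects it; +/-4 steps accepts it.
    phone_code = totp(RFC_SECRET, 45)
    skewed_narrow = verify(RFC_SECRET, phone_code, server_time=150, skew=1)
    skewed_wide = verify(RFC_SECRET, phone_code, server_time=150, skew=4)

    # 3. Server runs a 60 s step (cf. timeStepSize=60 in the posted
    #    cas.properties) while the phone generates 30 s codes. The phone's
    #    counter is about double the server's, so it never lands inside a
    #    small window even though both clocks show the same time.
    phone_code_30s = totp(RFC_SECRET, 250, step=30)
    mismatch = verify(RFC_SECRET, phone_code_30s, server_time=250, step=60)

    return {
        "in_sync": in_sync,                            # 0
        "skewed_narrow": skewed_narrow,                # None
        "skewed_wide": skewed_wide,                    # -4
        "mismatch": mismatch,                          # None
        "phone_counter_30s": time_counter(250, 30),    # 8
        "server_counter_60s": time_counter(250, 60),   # 4
    }


if __name__ == "__main__":
    # Constructed enrolment URI carrying the same secret; not one CAS emitted.
    demo_uri = ("otpauth://totp/TEST:jeremy?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
                "&issuer=TEST&period=60")
    enrol = parse_otpauth(demo_uri)
    print(f"URI period={enrol['period']}s; Google Authenticator still uses 30s")
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

To check a real deployment the same way, decode the base32 secret from a test enrolment's QR code, feed it to `totp()` with the step size from cas.properties, and compare the result with what the phone displays; if they differ while `timedatectl` (or `ntpdate -q`) shows both clocks in agreement, the step size, not the clock, is the thing to fix.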
