I see your email was cut off :-) You are using what and OTP?
Kind Regards
Jeremy

On Friday, 22 February 2019 12:45:10 UTC+2, Mickaël wrote:
> No problem.
>
> Have you tested with another app? I'm using andOTP but I don't think the problem is here.
>
> Sincerely,
>
> Mickaël
>
> On Fri, 22 Feb 2019 at 11:39, Jeremy Van Rooyen <[email protected]> wrote:
>> Apologies Mickaël,
>>
>> The webapp server and my smartphone's time is the same, yes.
>>
>> Kind Regards
>> Jeremy
>>
>> On Friday, 22 February 2019 10:44:11 UTC+2, Mickaël wrote:
>>> Jeremy, you don't tell me if the webapp server has the correct time, and your smartphone too.
>>> Tokens are time based, so if one of the devices does not have the correct time, you will have problems.
>>>
>>> Sincerely,
>>>
>>> Mickaël
>>>
>>> On Fri, 22 Feb 2019 at 08:45, Jeremy Van Rooyen <[email protected]> wrote:
>>>> Thanks for your feedback Mickaël,
>>>>
>>>> For the second part I'm presented with the qrcode and 5 scratch codes. When I scan the qrcode my Google Authenticator app on the phone accepts it.
>>>>
>>>> Then I click on register and enter the token displayed by the Google Authenticator app and it says --> "Credentials are rejected/invalid and authentication attempt has failed."
>>>>
>>>> This is what I see in the CAS log file:
>>>>
>>>> DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Attempting to authenticate credential [OneTimeTokenCredential(token=420195)]>
>>>> DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Attempting authentication of [420195] using [GoogleAuthenticatorAuthenticationHandler]>
>>>> DEBUG [org.apereo.cas.adaptors.gauth.GoogleAuthenticatorAuthenticationHandler] - <Received OTP [420195]>
>>>> DEBUG [org.apereo.cas.adaptors.gauth.GoogleAuthenticatorAuthenticationHandler] - <Received principal id [jeremy]. Attempting to locate account in credential repository...>
>>>> DEBUG [org.apereo.cas.adaptors.gauth.GoogleAuthenticatorAuthenticationHandler] - <Attempting to locate OTP token [420195] in token repository for [jeremy]...>
>>>> DEBUG [org.apereo.cas.adaptors.gauth.GoogleAuthenticatorAuthenticationHandler] - <Attempting to authorize OTP token [420195]...>
>>>> WARN [org.apereo.cas.adaptors.gauth.GoogleAuthenticatorAuthenticationHandler] - <Authorization of OTP token [420195] has failed>
>>>>
>>>> It sounds to me that when I use the scratch codes they are stored in the mongodb and can be found in the token repository (stored in db), but not the tokens used on the Google Authenticator app? Not sure if my understanding is correct?
>>>>
>>>> Thanks in advance
>>>> Jeremy
>>>>
>>>> On Thursday, 21 February 2019 16:50:42 UTC+2, Mickaël wrote:
>>>>> Yes Jeremy, that's what I mean.
>>>>> I'm using JPA for my service registry and the CAS manager webapp, but it is the same way.
>>>>>
>>>>> For the second part, are you invited to enter your token code displayed by your Google Authenticator app?
>>>>>
>>>>> If it doesn't work, perhaps your server does not have the correct time. NTP can help you to fix it.
>>>>>
>>>>> Sincerely,
>>>>>
>>>>> Mickaël
>>>>>
>>>>> On Thu, 21 Feb 2019 at 13:53, Jeremy Van Rooyen <[email protected]> wrote:
>>>>>> Hi Mickaël,
>>>>>>
>>>>>> On Thursday, 21 February 2019 14:01:17 UTC+2, Mickaël wrote:
>>>>>>> Hi Jeremy,
>>>>>>>
>>>>>>> It is great news about the scratch codes.
>>>>>>>
>>>>>>> I'm not sure I understand your question about the qrcode. To register a device, it is possible and required when a service is registered on your CAS with "Google Authentication" as MFA.
>>>>>>
>>>>>> Do you mean that the service "Google Authentication" as MFA must be registered under the services configuration in json format?
>>>>>>
>>>>>>> So, at the first login without a registered device, the user will be asked to scan the qrcode on the screen and save (or print) the scratch codes. After clicking on the next button, the user should enter his token in the field to finish the registration and be redirected to the service.
>>>>>>
>>>>>> This is what happens, exactly the way you explain it here. So when I scan the qrcode with my phone it does not take the codes generated on the Google Authenticator app. It however does take the on screen codes.
>>>>>>
>>>>>> I hope this clears up my question?
>>>>>>
>>>>>>> Does that answer your question, Jeremy?
>>>>>>>
>>>>>>> My own question about this system: how to unregister a device in case of a change of device or loss? I don't know the URL to do that...
>>>>>>>
>>>>>>> Sincerely,
>>>>>>>
>>>>>>> Mickaël
>>>>>>>
>>>>>>> On Thursday, 21 February 2019 11:32:54 UTC+1, Jeremy Van Rooyen wrote:
>>>>>>>> Hi Mickaël,
>>>>>>>>
>>>>>>>> Thanks for your reply.
>>>>>>>>
>>>>>>>> So after playing around a bit more it seems like the on screen scratch codes are being stored in the mongodb and using that it allows me to authenticate perfectly.
>>>>>>>>
>>>>>>>> The next question is how would one register via the qrcode using the Google Authenticator app on the phone? Or am I not understanding something?
>>>>>>>>
>>>>>>>> Kind Regards
>>>>>>>> Jeremy
>>>>>>>>
>>>>>>>> On Tuesday, 19 February 2019 10:30:29 UTC+2, Mickaël wrote:
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> Are you sure there is anything registered in your Mongo database? Scratch codes and tokens are stored in the DB for each user in 2 different tables.
>>>>>>>>>
>>>>>>>>> It is strange to see that; normally "WHO" is the user, not the token:
>>>>>>>>> WHO: 253227
>>>>>>>>> WHAT: Supplied credentials: [[token=253227]]
>>>>>>>>>
>>>>>>>>> For information, I am using gauth with MariaDB without any issue.
>>>>>>>>>
>>>>>>>>> Mickaël
>>>>>>>>>
>>>>>>>>> On Thursday, 15 February 2018 09:53:52 UTC+1, Janina Byky wrote:
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> I'm trying to set up CAS 5.2.2 with Google Authenticator as second auth factor for specified services. CAS is running over LDAP (AD) and GAuth based on mongo. So far everything was great: the build succeeded, the GAuth qrcode appears, the user registers and now it's time for the TOKEN form. I'm typing all scratch codes and those generated by Google Authenticator, but every single attempt is unsuccessful. Also there's no collection created to store tokens in mongo. Only GAuthRepository is created with proper values of registered users.
>>>>>>>>>>
>>>>>>>>>> cas.properties
>>>>>>>>>>
>>>>>>>>>> cas.authn.accept.users=
>>>>>>>>>>
>>>>>>>>>> cas.authn.ldap[0].order=0
>>>>>>>>>> cas.authn.ldap[0].type=AUTHENTICATED
>>>>>>>>>> cas.authn.ldap[0].ldapUrl={CUT}
>>>>>>>>>> cas.authn.ldap[0].connectionStrategy=DEFAULT
>>>>>>>>>> cas.authn.ldap[0].useSsl=true
>>>>>>>>>> cas.authn.ldap[0].connectTimeout=15000
>>>>>>>>>> cas.authn.ldap[0].subtreeSearch=true
>>>>>>>>>> cas.authn.ldap[0].baseDn={CUT}
>>>>>>>>>> cas.authn.ldap[0].userFilter=(|(sAMAccountName={user})(userPrincipalName={user}))
>>>>>>>>>> cas.authn.ldap[0].bindDn={CUT}
>>>>>>>>>> cas.authn.ldap[0].bindCredential={CUT}
>>>>>>>>>> cas.authn.ldap[0].enhanceWithEntryResolver=true
>>>>>>>>>> cas.authn.ldap[0].principalAttributeId=sAMAccountName
>>>>>>>>>> cas.authn.ldap[0].principalAttributePassword=
>>>>>>>>>> cas.authn.ldap[0].usePasswordPolicy=true
>>>>>>>>>> cas.authn.ldap[0].principalAttributeList=sn,cn:commonName,givenName,sAMAccountName,memberOf
>>>>>>>>>> cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true
>>>>>>>>>> cas.authn.ldap[0].poolPassivator=NONE
>>>>>>>>>> cas.authn.ldap[0].minPoolSize=2
>>>>>>>>>> cas.authn.ldap[0].maxPoolSize=15
>>>>>>>>>>
>>>>>>>>>> cas.authn.mfa.globalProviderId=mfa-gauth
>>>>>>>>>> cas.authn.mfa.globalFailureMode=CLOSED
>>>>>>>>>>
>>>>>>>>>> cas.authn.mfa.gauth.issuer=TEST
>>>>>>>>>> cas.authn.mfa.gauth.codeDigits=6
>>>>>>>>>> cas.authn.mfa.gauth.timeStepSize=60
>>>>>>>>>> cas.authn.mfa.gauth.windowSize=3
>>>>>>>>>> cas.authn.mfa.gauth.label=TEST
>>>>>>>>>> cas.authn.mfa.gauth.rank=0
>>>>>>>>>>
>>>>>>>>>> cas.authn.mfa.gauth.cleaner.enabled=true
>>>>>>>>>> cas.authn.mfa.gauth.cleaner.schedule.startDelay=20000
>>>>>>>>>> cas.authn.mfa.gauth.cleaner.schedule.repeatInterval=60000
>>>>>>>>>>
>>>>>>>>>> cas.authn.mfa.gauth.bypass.type=DEFAULT
>>>>>>>>>>
>>>>>>>>>> cas.authn.mfa.gauth.mongo.clientUri=${mongo.uri}
>>>>>>>>>> cas.authn.mfa.gauth.mongo.dropCollection=false
>>>>>>>>>> cas.authn.mfa.gauth.mongo.collection=GAuthRepository
>>>>>>>>>> cas.authn.mfa.gauth.mongo.tokenCollection=GoogleAuthenticatorMongoDbTokenRepository
>>>>>>>>>>
>>>>>>>>>> pom.xml
>>>>>>>>>>
>>>>>>>>>> <dependency>
>>>>>>>>>>     <groupId>org.apereo.cas</groupId>
>>>>>>>>>>     <artifactId>cas-server-webapp${app.server}</artifactId>
>>>>>>>>>>     <version>${cas.version}</version>
>>>>>>>>>>     <type>war</type>
>>>>>>>>>>     <scope>runtime</scope>
>>>>>>>>>> </dependency>
>>>>>>>>>> <dependency>
>>>>>>>>>>     <groupId>org.apereo.cas</groupId>
>>>>>>>>>>     <artifactId>cas-server-support-ldap</artifactId>
>>>>>>>>>>     <version>${cas.version}</version>
>>>>>>>>>> </dependency>
>>>>>>>>>> <dependency>
>>>>>>>>>>     <groupId>org.apereo.cas</groupId>
>>>>>>>>>>     <artifactId>cas-server-support-saml</artifactId>
>>>>>>>>>>     <version>${cas.version}</version>
>>>>>>>>>> </dependency>
>>>>>>>>>> <dependency>
>>>>>>>>>>     <groupId>org.apereo.cas</groupId>
>>>>>>>>>>     <artifactId>cas-server-support-gauth</artifactId>
>>>>>>>>>>     <version>${cas.version}</version>
>>>>>>>>>> </dependency>
>>>>>>>>>> <dependency>
>>>>>>>>>>     <groupId>org.apereo.cas</groupId>
>>>>>>>>>>     <artifactId>cas-server-support-gauth-mongo</artifactId>
>>>>>>>>>>     <version>${cas.version}</version>
>>>>>>>>>> </dependency>
>>>>>>>>>>
>>>>>>>>>> catalina.log
>>>>>>>>>>
>>>>>>>>>> 2018-02-15 09:31:13,952 DEBUG [org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] - <Authentication handlers used for this transaction are [GoogleAuthenticatorAuthenticationHandler,LdapAuthenticationHandler,HttpBasedServiceCredentialsAuthenticationHandler]>
>>>>>>>>>> 2018-02-15 09:31:13,953 DEBUG [org.apereo.cas.adaptors.gauth.GoogleAuthenticatorAuthenticationHandler] - <Received OTP [253227]>
>>>>>>>>>> 2018-02-15 09:31:13,954 DEBUG [org.apereo.cas.adaptors.gauth.GoogleAuthenticatorAuthenticationHandler] - <Received principal id [j.byky]>
>>>>>>>>>> 2018-02-15 09:31:13,970 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[GoogleAuthenticatorAuthenticationHandler] exception details: [Failed to authenticate code 253227].>
>>>>>>>>>> 2018-02-15 09:31:13,971 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Credential is not one of username/password and is not accepted by handler [LdapAuthenticationHandler]>
>>>>>>>>>> 2018-02-15 09:31:13,972 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [[token=253227]] of type [GoogleAuthenticatorTokenCredential].>
>>>>>>>>>> 2018-02-15 09:31:13,976 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
>>>>>>>>>> =============================================================
>>>>>>>>>> WHO: 253227
>>>>>>>>>> WHAT: Supplied credentials: [[token=253227]]
>>>>>>>>>> ACTION: AUTHENTICATION_SUCCESS
>>>>>>>>>> APPLICATION: CAS
>>>>>>>>>> WHEN: Thu Feb 15 09:31:13 CET 2018
>>>>>>>>>> CLIENT IP ADDRESS: 10.100.100.20
>>>>>>>>>> SERVER IP ADDRESS: 10.40.0.2
>>>>>>>>>> =============================================================
>>>>>>>>>>
>>>>>>>>>> >
>>>>>>>>>> 2018-02-15 09:31:13,978 ERROR [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <1 errors, 0 successes>
>>>>>>>>>> org.apereo.cas.authentication.AuthenticationException: 1 errors, 0 successes
>>>>>>>>>> at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.evaluateFinalAuthentication(PolicyBasedAuthenticationManager.java:400) ~[cas-server-core-authentication-5.2.2.jar:5.2.2]
>>>>>>>>>> at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticateInternal(PolicyBasedAuthenticationManager.java:380) ~[cas-server-core-authentication-5.2.2.jar:5.2.2]
>>>>>>>>>> at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticate(PolicyBasedAuthenticationManager.java:220) ~[cas-server-core-authentication-5.2.2.jar:5.2.2]
>>>>>>>>>> at org.apereo.cas.authentication.PolicyBasedAuthenticationManager$$FastClassBySpringCGLIB$$90e801d3.invoke(<generated>) ~[cas-server-core-authentication-5.2.2.jar:5.2.2]
>>>>>>>>>> at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) ~[spring-core-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>>>>>>>>>> at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:738) ~[spring-aop-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>>>>>>>>>> at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157) ~[spring-aop-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>>>>>>>>>> at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:85) ~[spring-aop-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>>>>>>>>>> at org.apereo.inspektr.audit.AuditTrailManagementAspect.handleAuditTrail(AuditTrailManagementAspect.java:134) ~[inspektr-audit-1.8.0.GA.jar:1.8.0.GA]
>>>>>>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_162]
>>>>>>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_162]
>>>>>>>>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_162]
>>>>>>>>>> at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_162]
>>>>>>>>>> ...
>>>>>>>>>>
>>>>>>>>>> 2018-02-15 09:31:13,982 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
>>>>>>>>>> =============================================================
>>>>>>>>>> WHO: 253227
>>>>>>>>>> WHAT: [event=error,timestamp=Thu Feb 15 09:31:13 CET 2018,source=OneTimeTokenAuthenticationWebflowEventResolver]
>>>>>>>>>> ACTION: AUTHENTICATION_EVENT_TRIGGERED
>>>>>>>>>> APPLICATION: CAS
>>>>>>>>>> WHEN: Thu Feb 15 09:31:13 CET 2018
>>>>>>>>>> CLIENT IP ADDRESS: 10.100.100.20
>>>>>>>>>> SERVER IP ADDRESS: 10.40.0.2
>>>>>>>>>> =============================================================
>>>>>>>>>>
>>>>>>>>>> Can anybody tell me what I'm missing?
>>>>>>
>>>>>> --
>>>>>> - Website: https://apereo.github.io/cas
>>>>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>>>>> - List Guidelines: https://goo.gl/1VRrw7
>>>>>> - Contributions: https://goo.gl/mh7qDG
>>>>>> ---
>>>>>> You received this message because you are subscribed to the Google Groups "CAS Community" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>>>> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/57f5e936-6e6e-422c-9fb1-5140e5408eda%40apereo.org.
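The thread keeps coming back to two things: whether the server and the phone agree on the time, and the `codeDigits`, `timeStepSize` and `windowSize` values in the quoted cas.properties. The script below is an added example, not code from this thread or from the CAS project. It implements RFC 4226 HOTP and RFC 6238 TOTP directly and then runs a server-side check with the thread's settings (6 digits, 60-second steps, window of 3) against codes a phone with a drifting clock would display. It assumes the centred-window semantics of the GoogleAuth library that CAS's gauth support builds on (windowSize=3 means the current step plus one step either side); the base32 secret and the fixed server time are constructed values.

```python
import base64
import hashlib
import hmac
import struct

# Parameters as set in the cas.properties quoted in this thread.
CODE_DIGITS = 6       # cas.authn.mfa.gauth.codeDigits
TIME_STEP_SIZE = 60   # cas.authn.mfa.gauth.timeStepSize (seconds)
WINDOW_SIZE = 3       # cas.authn.mfa.gauth.windowSize (number of steps checked)


def hotp(secret: bytes, counter: int, digits: int = CODE_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP_SIZE,
         digits: int = CODE_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of whole steps since the epoch.
    This is what the authenticator app computes from the phone's own clock."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, server_time: int,
                step: int = TIME_STEP_SIZE, window: int = WINDOW_SIZE,
                digits: int = CODE_DIGITS) -> bool:
    """Server-side check: accept the code if it matches any of `window` consecutive
    steps centred on the server's current step. Assumption: windowSize=3 means
    steps -1, 0, +1 relative to now (the GoogleAuth library's semantics).
    The comparison is constant-time so a rejection leaks nothing about the valid code."""
    current = server_time // step
    first = -((window - 1) // 2)
    last = window // 2
    return any(
        hmac.compare_digest(hotp(secret, current + delta, digits), submitted)
        for delta in range(first, last + 1)
    )


def decode_base32_secret(text: str) -> bytes:
    """Shared secret as carried in the otpauth:// QR code: base32, any case,
    possibly without '=' padding."""
    clean = text.strip().replace(" ", "").upper()
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


def skew_outcomes(secret: bytes, server_time: int, offsets_seconds) -> dict:
    """For each phone clock offset (phone time = server time + offset), compute the
    code the phone would display and whether the server accepts it.
    Returns {offset: accepted}."""
    return {
        off: verify_totp(secret, totp(secret, server_time + off), server_time)
        for off in offsets_seconds
    }


if __name__ == "__main__":
    # Constructed values: a demo secret and a fixed server clock (2019-02-22 12:00:00 UTC).
    demo_secret = decode_base32_secret("JBSWY3DPEHPK3PXP")
    server_now = 1550750400
    results = skew_outcomes(demo_secret, server_now, [-180, -120, -60, 0, 60, 120, 180])
    for off, ok in results.items():
        print(f"phone clock {off:+4d}s -> {'accepted' if ok else 'REJECTED'}")
```

With a 60-second step and a window of 3 the server tolerates roughly one minute of drift in either direction; a phone two or more steps out produces codes the server never tries, which is exactly the symptom the thread describes (the scratch codes, which are not time-based, keep working). If you run this with the settings from your own cas.properties and a phone offset measured against the server, you can tell clock drift apart from a repository or configuration problem before touching the database.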
