ADFS TOTP with PrivacyIDEA setup

Good day,
Having an issue connecting to a PrivacyIDEA 3.2.2 server running on Ubuntu 18.04; all configuration (with small changes from the official sources) was done according to this article: https://blog.quickbreach.io/posts/setup-a-free-2fa-solution-on-owa/
The issue is the following:
The user accesses the OWA page, gets redirected to ADFS, passes with login and password to the 2FA step (TOTP) and then gets the error "Login failed! Please try again!"
On the ADFS server there are 2 error messages in the event log:

  1. PrivacyIDEA Provider:
     validateOTP: The request was aborted: Could not create SSL/TLS secure channel.

     System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
     at System.Net.WebClient.UploadValues(Uri address, String method, NameValueCollection data)
     at privacyIDEAADFSProvider.OTPprovider.validateOTP(String OTPuser, String OTPpin, String realm, String transaction_id)

  2. Schannel:
     A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70.

Could not create SSL/TLS secure channel

Does your PI server have a valid SSL cert?

Self-signed cert, and it is imported into the trusted root CA store on the ADFS server. ADFS, on the other hand, is signed by Let’s Encrypt Authority X3.

Might be this:


You're the legend. I was thinking that this was the TLS 1.x issue, but did not get that deep into the apache2 configuration.
OTP is working well now.

Hi All,

I am trying to use Windows 2012 R2 ADFS with PI.

PI is working without ADFS, but when trying to configure it with ADFS, I am getting an event error in ADFS Admin:
triggerChallenge: The remote server returned an error: (400) Bad Request.

System.Net.WebException: The remote server returned an error: (400) Bad Request.
at System.Net.WebClient.UploadValues(Uri address, String method, NameValueCollection data)
at privacyIDEAADFSProvider.OTPprovider.triggerChallenge(String OTPuser, String realm, String token)

validateOTP: The remote server returned an error: (400) Bad Request.

System.Net.WebException: The remote server returned an error: (400) Bad Request.
at System.Net.WebClient.UploadValues(Uri address, String method, NameValueCollection data)
at privacyIDEAADFSProvider.OTPprovider.validateOTP(String OTPuser, String OTPpin, String realm, String transaction_id)

Note: I don't see any log on the PI server or in the audit log.

I tried all methods posted in the forum related to .NET (installed .NET 4.7), but no luck.

I am using a wildcard certificate, and TLS 1.1 is disabled in Apache on the PI server using the below:

SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLCompression off
SSLSessionTickets off

I am using the latest ADFS provider for PI.

Any help please?
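Added example, not from this thread, the privacyIDEA project or the ADFS provider: a small Python checker that applies Apache mod_ssl's SSLProtocol keyword rules (`+` adds, `-` removes, an unprefixed keyword replaces what came before, `all` excludes SSLv2) to the directive posted in the second post, then asks whether a client offering a given set of TLS versions can complete a handshake. When the two sides share no version, OpenSSL answers with the fatal alert protocol_version, which is the Schannel "alert code 70" in the first post, so the same check explains that symptom. The client profiles are constructed for illustration; the legacy profile assumes a .NET WebClient that has not been configured to offer TLS 1.2. The directive semantics assume httpd 2.4.37 or later with OpenSSL 1.1.1, where `all` includes TLSv1.3 and SSLv2 cannot be enabled.

```python
"""Model Apache mod_ssl's SSLProtocol directive and check client compatibility.

Added example (not from the thread or the privacyIDEA project). Keyword
semantics follow httpd 2.4's ssl_cmd_protocol_parse: '+' adds, '-' removes,
an unprefixed keyword sets an absolute list, 'all' never includes SSLv2 and
'-SSLv2' is accepted as a no-op while enabling SSLv2 is an error.
Assumes httpd 2.4.37+ with OpenSSL 1.1.1 (TLSv1.3 keyword present).
"""

# Protocol keywords in age order; the index doubles as a version ranking.
PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
ALL = set(PROTOCOLS)  # what the 'all' keyword expands to (no SSLv2)


def parse_sslprotocol(directive: str) -> set:
    """Return the set of protocol versions an SSLProtocol line enables."""
    tokens = directive.split()
    if tokens and tokens[0].lower() == "sslprotocol":
        tokens = tokens[1:]
    enabled = set()
    for tok in tokens:
        action = "absolute"
        if tok[0] in "+-":
            action, tok = tok[0], tok[1:]
        key = tok.lower()
        if key == "sslv2":
            if action == "-":
                continue  # httpd 2.4 tolerates '-SSLv2' for old configs
            raise ValueError("SSLProtocol: SSLv2 is no longer supported")
        if key == "all":
            this = set(ALL)
        else:
            match = [p for p in PROTOCOLS if p.lower() == key]
            if not match:
                raise ValueError(f"unknown SSLProtocol keyword: {tok}")
            this = {match[0]}
        if action == "-":
            enabled -= this
        elif action == "+":
            enabled |= this
        else:
            enabled = this  # unprefixed keyword overrides earlier ones
    return enabled


def negotiate(server_enabled, client_offered):
    """Pick the highest shared version; (version, None) or (None, alert)."""
    shared = set(server_enabled) & set(client_offered)
    if not shared:
        # OpenSSL rejects a ClientHello with no usable version with the
        # fatal alert protocol_version, which Schannel logs as code 70.
        return None, ("protocol_version", 70)
    return max(shared, key=PROTOCOLS.index), None


# Constructed client profiles (assumptions for illustration): a .NET
# WebClient left at its legacy defaults offers only TLS 1.0; after TLS 1.2
# is enabled for the process it offers 1.0 through 1.2.
CLIENTS = {
    "legacy .NET WebClient": {"TLSv1"},
    "TLS 1.2-enabled client": {"TLSv1", "TLSv1.1", "TLSv1.2"},
}

if __name__ == "__main__":
    line = "SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"  # from the thread
    srv = parse_sslprotocol(line)
    print("server enables:", sorted(srv, key=PROTOCOLS.index))
    for name, offered in CLIENTS.items():
        ver, alert = negotiate(srv, offered)
        if ver:
            print(f"{name}: negotiated {ver}")
        else:
            print(f"{name}: handshake fails, alert {alert[0]} ({alert[1]})")
```

To confirm the model against a real server, probe each version from another host with `openssl s_client -connect pi.example:443 -tls1`, `-tls1_1` and `-tls1_2` (hostname is a placeholder); the versions the directive removes should fail with a protocol_version alert, and the one the .NET client on the ADFS server actually offers must be among those that succeed.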