Good day,
Having an issue connecting to a PrivacyIDEA 3.2.2 server running on Ubuntu 18.04. All configuration (with small changes from the official sources) was done according to this article: https://blog.quickbreach.io/posts/setup-a-free-2fa-solution-on-owa/
The issue is the following:
The user accesses the OWA page, gets redirected to ADFS, passes with login and password to the 2FA step (TOTP) and then gets the error "Login failed! Please try again!"
On the ADFS server there are 2 error messages in the event log:
1) PrivacyIDEA Provider:
validateOTP: The request was aborted: Could not create SSL/TLS secure channel.
System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
at System.Net.WebClient.UploadValues(Uri address, String method, NameValueCollection data)
at privacyIDEAADFSProvider.OTPprovider.validateOTP(String OTPuser, String OTPpin, String realm, String transaction_id)
2) Schannel:
A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70.
PI is working without ADFS, but when trying to configure it with ADFS I am getting this event error in ADFS Admin:
triggerChallenge: The remote server returned an error: (400) Bad Request.
System.Net.WebException: The remote server returned an error: (400) Bad Request.
at System.Net.WebClient.UploadValues(Uri address, String method, NameValueCollection data)
at privacyIDEAADFSProvider.OTPprovider.triggerChallenge(String OTPuser, String realm, String token)
validateOTP: The remote server returned an error: (400) Bad Request.
System.Net.WebException: The remote server returned an error: (400) Bad Request.
at System.Net.WebClient.UploadValues(Uri address, String method, NameValueCollection data)
at privacyIDEAADFSProvider.OTPprovider.validateOTP(String OTPuser, String OTPpin, String realm, String transaction_id)
Note: I don't see any log on the PI server or in the audit log.
I tried all methods posted in the forum related to .NET (installed .NET 4.7) but no luck.
I am using a wildcard certificate, and TLS 1.1 is disabled in Apache on the PI server using the configuration below:
SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLCompression off
SSLSessionTickets off
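An added diagnostic, not part of the post above or of the privacyIDEA project: it works out which protocol versions the SSLProtocol line quoted above leaves enabled, predicts the server's reaction when a client offers only older versions (TLS alert code 70, as logged by Schannel, is protocol_version in RFC 5246), and can probe the live host with a single pinned TLS version. The host name, the set of versions the ADFS client offers, and the expansion of Apache's ALL shortcut are assumptions.

```python
import socket
import ssl

# TLS alert descriptions (RFC 5246 section 7.2.2); the ADFS box logged code 70
TLS_ALERTS = {40: "handshake_failure", 70: "protocol_version", 71: "insufficient_security"}

# Assumption: what Apache's "ALL" shortcut expands to on an OpenSSL 1.1.1 build
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}


def parse_ssl_protocol(directive: str) -> set:
    """Return the protocol versions an Apache 'SSLProtocol' line leaves enabled."""
    tokens = directive.split()
    if not tokens or tokens[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive")
    enabled = set()
    for tok in tokens[1:]:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        versions = APACHE_ALL if name.lower() == "all" else {name}
        enabled = enabled - versions if sign == "-" else enabled | versions
    return enabled


def handshake_outcome(server_enabled: set, client_offered: set) -> str:
    """Predict the server's answer when the ClientHello offers only client_offered versions."""
    common = server_enabled & client_offered
    if common:
        return "ok: " + max(common)  # highest common version string, e.g. TLSv1.2
    return "fatal alert 70 (%s)" % TLS_ALERTS[70]


def probe(host: str, port: int = 443, version=ssl.TLSVersion.TLSv1_2) -> str:
    """Connect with exactly one TLS version pinned; return the negotiated version or the failure."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError, ValueError) as exc:
        return "refused: %s" % exc


if __name__ == "__main__":
    # Constructed inputs: the directive from the post and a client offering only TLS 1.0/1.1
    enabled = parse_ssl_protocol("SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1")
    print("server enables:", sorted(enabled))
    print("old client    :", handshake_outcome(enabled, {"TLSv1", "TLSv1.1"}))
    print("TLS 1.2 client:", handshake_outcome(enabled, {"TLSv1.2"}))
    for v in (ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2):  # placeholder host name
        print(v.name, "->", probe("pi.example.invalid", version=v))
```

If the TLS 1.1 probe is refused while the TLS 1.2 probe succeeds, the server side matches the configuration above and the mismatch lies in which versions the ADFS host's Schannel/.NET client is offering.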