Logged with UserPrincipalName can not enroll tokens

Ubuntu 18.04, PrivacyIDEA 3.3.3 - installed from repo

I am struggling with problem, that users can not issue tokens when logged in with UPN.
Error I got:
× ERR905: Cannot pass user_object as well as user, resolver, realm in policy (None, ‘user’, ‘enrollPUSH’)

Already spent 48h googling, writing there is my last chance.

Same user works fine when logged with SPN.
Logged with UPN I can delete Tokens created by same user when logged with SPN.
Tokens work fine.
I have setup with ADFS for OWA 2FA with TOTP.

Any hints would be great
Than You

Found that I can enroll tokens with LoginAttribute, that is written first in resolver config
I this is SAM, then UPN fail, if UPN, then SAM is failing.

My mistake on original post SPN should be replaced with SAM.


This is how it is currently designed.

The multi login attribute is mainly ment for users authenticating against /validate/check, i.e. for the applications connected to privacyIDEA.

In the webui the user should login with his main login attribute.

Thank You - now this is clear and resolved.

1 Like