Logged with UserPrincipalName can not enroll tokens

rinalds · August 29, 2020, 7:35pm

Ubuntu 18.04, PrivacyIDEA 3.3.3 - installed from repo

I am struggling with problem, that users can not issue tokens when logged in with UPN.
Error I got:
× ERR905: Cannot pass user_object as well as user, resolver, realm in policy (None, ‘user’, ‘enrollPUSH’)

Already spent 48h googling, writing there is my last chance.

Same user works fine when logged with SPN.
Logged with UPN I can delete Tokens created by same user when logged with SPN.
Tokens work fine.
I have setup with ADFS for OWA 2FA with TOTP.

Any hints would be great
Than You
R

rinalds · September 2, 2020, 7:08pm

Found that I can enroll tokens with LoginAttribute, that is written first in resolver config
I this is SAM, then UPN fail, if UPN, then SAM is failing.

P.S.
My mistake on original post SPN should be replaced with SAM.

R

cornelinux · September 4, 2020, 4:52pm

This is how it is currently designed.

The multi login attribute is mainly ment for users authenticating against /validate/check, i.e. for the applications connected to privacyIDEA.

In the webui the user should login with his main login attribute.

rinalds · September 4, 2020, 5:57pm

Thank You - now this is clear and resolved.
R