Migrated to Postgres Login with Apache fails. Test Token in WebUI works

We recently migrated our privacyIDEA from MySQL to Postgres with pgloader.

Testing my TOTP in the WebUI shows that it works:

But logging in with it won't work. In the Apache logs, as well as when I do pi-manage validate, it shows this error:

ERROR='ascii' codec can't decode byte 0xba in position 3: ordinal not in range(128)

Any idea what that could be?

For those that have the same problem, I figured it out.

The database still had some old tokens that were created with a different enckey.

In the WebUI, the token test calls the API specifically for {{tokenname}}, and with a newly created token the enckey is the correct one and it can test the tokens correctly.

But if you log in via Apache, it only has your username and tries every token, starting with the oldest one (that was made with a different enckey), and fails to decrypt the first one → it fails.

Feedback, maybe: try all tokens per user before giving up.

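The failure mode described in this thread, as an added example that is not part of the original posts and is not privacyIDEA code: a constructed model in which one user has an old token encrypted under a previous enckey and a new token under the current one. The cipher is a stand-in, and all names (`validate_all`, `TOKENS`, the keys, the serials) are hypothetical; it shows the abort-on-first-error loop next to one that skips undecryptable tokens and reports their serials for cleanup.

```python
import hashlib
import hmac
import struct

def keystream_xor(key, iv, data):
    # Constructed stand-in cipher (SHA-256 keystream XOR), NOT privacyIDEA's encryption.
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + iv + struct.pack(">I", block)).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def make_token(serial, enckey, secret):
    iv = hashlib.sha256(serial.encode()).digest()[:16]
    return {"serial": serial, "iv": iv,
            "enc": keystream_xor(enckey, iv, secret.hex().encode("ascii"))}

def decrypt_secret(enckey, token):
    # A wrong key yields random bytes, so the ASCII decode raises
    # UnicodeDecodeError (a ValueError subclass), the error type seen in the thread.
    plain = keystream_xor(enckey, token["iv"], token["enc"])
    return bytes.fromhex(plain.decode("ascii"))

def hotp(secret, counter, digits=6):
    # RFC 4226 truncation; TOTP is HOTP over a time-step counter.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def validate_abort_on_error(enckey, tokens, otp, step):
    # Oldest token first; one undecryptable token ends the whole request.
    for tok in tokens:
        if hmac.compare_digest(hotp(decrypt_secret(enckey, tok), step), otp):
            return tok["serial"]
    return None

def validate_all(enckey, tokens, otp, step):
    # Skip tokens that cannot be decrypted, but record them for the admin.
    matched, broken = None, []
    for tok in tokens:
        try:
            secret = decrypt_secret(enckey, tok)
        except ValueError:
            broken.append(tok["serial"])
            continue
        if matched is None and hmac.compare_digest(hotp(secret, step), otp):
            matched = tok["serial"]
    return matched, broken

OLD_KEY, NEW_KEY, STEP = b"old-enckey-constructed", b"new-enckey-constructed", 57000000
TOKENS = [make_token("TOTP0001", OLD_KEY, b"A" * 20),   # constructed sample data
          make_token("TOTP0002", NEW_KEY, b"B" * 20)]
```

A skipped token never counts as a match, so the second loop does not weaken authentication; the returned list of broken serials is what to re-enroll or delete after a key change.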