OTP Verification failed on Token details page

Question
1

HI,

I installed a privacyIDEA server on Debian with pip to enable MFA on my AD FS server.
The connection with the Plugin and my AD server works. But when I enroll a new Token with TOTP and check the generated OTP-Value with the integrated check field in the Token details page i get an error.
I have not changed any values in the settings other than adding my realm and configuring my LDAP connection.

What am I doing wrong? Why dosent the server accept the newly generated OTP from my authenticator app?

2

Hello @franth and welcome to privacyidea.

There are a lot of reasons why authentication might fail.

What error message do you actually get? You need to help other to help you!

You can also take a look in the audit log. You can filter for “validate/check” and see more details about the failing request.

Some authenticator apps work a bit awkward and ignore settings. So if you e.g. enroll a SHA256 TOTP token and try to use google authenticator or microsoft authenticator they may silentily f*** up.

3

Thank you for your response.

I didnt post the Audit log because i didnt found anything suspicious in it. there is just a “Wrong otp value” message and then “OTP verrifivation faield”

'804','2020-07-03T07:01:05.765156','OK','OK','POST /token/init','1','TOTP0000AB02','totp','franadm@LAB.local','lab','Standard','theo','','','172.28.1.104','','172.28.1.20','None','None'
'805','2020-07-03T07:06:32.503208','OK','OK','POST /auth','1','None','None','','lab','None','theo','','internal admin','172.28.1.104','','172.28.1.20','None','None'
'806','2020-07-03T07:06:50.330656','OK','OK','GET /system/','1','None','None','None','None','None','theo','','None','172.28.1.104','','172.28.1.20','None','None'
'807','2020-07-03T07:06:50.667391','OK','OK','GET /token/','1','TOTP0000AB02','totp','None','None','None','theo','','realm: None','172.28.1.104','','172.28.1.20','None','None'
'808','2020-07-03T07:06:50.712237','OK','OK','GET /realm/','1','None','None','None','None','None','theo','','','172.28.1.104','','172.28.1.20','None','None'
'809','2020-07-03T07:06:50.754108','OK','OK','GET /application/','1','None','None','None','None','None','theo','','','172.28.1.104','','172.28.1.20','None','None'
'810','2020-07-03T07:06:50.813042','OK','OK','GET /machine/token','1','TOTP0000AB02','totp','None','None','None','theo','','serial: TOTP0000AB02, hostname: None','172.28.1.104','','172.28.1.20','None','None'
'811','2020-07-03T07:07:00.101010','OK','OK','POST /validate/check','0','TOTP0000AB02','totp','','','','None','','wrong otp value','172.28.1.104','','172.28.1.20','None','None'
'812','2020-07-03T07:07:00.188216','OK','OK','GET /token/','1','TOTP0000AB02','totp','None','None','None','theo','','realm: None','172.28.1.104','','172.28.1.20','None','None'
'813','2020-07-03T07:07:04.303370','OK','OK','POST /validate/check','0','TOTP0000AB02','None','','','','None','','OTP verification failed.','172.28.1.104','','172.28.1.20','None','None'
'814','2020-07-03T07:07:04.523668','OK','OK','GET /token/','1','TOTP0000AB02','totp','None','None','None','theo','','realm: None','172.28.1.104','','172.28.1.20','None','None'
'815','2020-07-03T07:07:12.467140','OK','OK','GET /audit/','1','**','','**','**','','theo','','','172.28.1.104','','172.28.1.20','None','None'
'816','2020-07-03T07:07:12.572823','OK','OK','GET /audit/','1','**','','**','**','','theo','','','172.28.1.104','','172.28.1.20','None','None'

I Installed Ubuntu 20.04 on a diffrent VM and tried it there…
After some fiddleing with installing python3.7 I got it working perfectly.
I think there is something missing in the debian install guide…
nevertheless iam happy with Ubuntu… But offical support for Python3.8 would be nice.

4

Do You mean https://privacyidea.readthedocs.io/en/latest/installation/pip.html?

Actually Python 3.8 works, it is just not yet mentioned in the docs.

5

Yes I followed this guide. using Debian 10.

I will try Python3.8 on my Ubuntu machine next Monday.