Hi,
we have a VDI Environment (Horizon 8) with TOTP Auth configured on the UAG. It worked well and authentication was possible, until we upgraded from Horizon 7 to 8.
We didn't change network, IP, Firewall, Realm or Resolver, just performed the Horizon Upgrade and a Domain Function Level Upgrade from 2008R2 to 2012R2.
When I try to authenticate I can see the following details in radius.log (IP and Username deleted):
Tue Dec 6 16:02:04 2022 : Info: rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
Tue Dec 6 16:02:04 2022 : Info: rlm_perl: Debugging config:
Tue Dec 6 16:02:04 2022 : Info: rlm_perl: Default URL https://localhost/validate/check
Tue Dec 6 16:02:04 2022 : Info: rlm_perl: Looking for config for auth-type Perl
Tue Dec 6 16:02:04 2022 : Info: rlm_perl: Password encoding guessed: ascii
Tue Dec 6 16:02:04 2022 : Info: rlm_perl: Setting client IP to <my_IP>.
Tue Dec 6 16:02:04 2022 : Info: rlm_perl: Auth-Type: Perl
Tue Dec 6 16:02:04 2022 : Info: rlm_perl: url: https://localhost/validate/check
Tue Dec 6 16:02:04 2022 : Info: rlm_perl: user sent to privacyidea: <my_User>
Tue Dec 6 16:02:04 2022 : Info: rlm_perl: realm sent to privacyidea:
Tue Dec 6 16:02:04 2022 : Info: rlm_perl: resolver sent to privacyidea:
Tue Dec 6 16:02:04 2022 : Info: rlm_perl: client sent to privacyidea: <my_IP>
Tue Dec 6 16:02:04 2022 : Info: rlm_perl: state sent to privacyidea:
Tue Dec 6 16:02:04 2022 : Info: rlm_perl: urlparam client
Tue Dec 6 16:02:04 2022 : Info: rlm_perl: urlparam user
Tue Dec 6 16:02:04 2022 : Info: rlm_perl: urlparam pass
Tue Dec 6 16:02:04 2022 : Info: rlm_perl: Request timeout: 10
Tue Dec 6 16:02:04 2022 : Info: rlm_perl: Not verifying SSL certificate!
Tue Dec 6 16:02:05 2022 : Info: rlm_perl: elapsed time for privacyidea call: 0.141487
Tue Dec 6 16:02:05 2022 : Info: rlm_perl: privacyIDEA Result status is true!
Tue Dec 6 16:02:05 2022 : Info: rlm_perl: privacyIDEA access denied for <my_User> realm=''
Tue Dec 6 16:02:05 2022 : Info: rlm_perl: return RLM_MODULE_REJECT
It seems the system can't find the User in the Realm. If we add Users to the LDAP Resolver Group, the Users are synced, so the LDAP Connection is functional.
I appreciate every hint for troubleshooting.
Correct, but I can't check it now due to no access to the environment at this time.
The issue may be caused by the AD function level upgrade?
I checked the resolver and it's still able to connect to AD and it finds and adds users too.
Should I delete and recreate the Realm / Resolver?
Take a look in the privacyIDEA audit log for this specific request to get a better idea what happens!
It can depend on a lot of aspects like your authentication policies.
We have had this behavior since the Upgrade of the Horizon Unified Access Gateway and the AD Function Level Upgrade. Please let me know if you need any other Screenshots or Logs.
TOTP was functional before the Upgrade.
Hi,
verify Token also fails. I tried to enroll the Token with Pin and did a Token+Pin Test too, also failed.
The time zone on the radius server was wrong, we changed it to DE but it didn't fix the problem.
I checked the TOTP Settings and it was configured with SHA256, we changed it to SHA1 and it's working now. But it's not the safest option, we want to use SHA256 or 512, but it doesn't work when we change this value. Is there anything else to configure first to use a higher Hash Option?
Hi,
today I saw the info at TOTP Enrollment that the Google Authenticator only supports SHA1 ^^ Which Authenticator would you recommend to use SHA256 or higher?
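The two findings above (SHA256 tokens fail while SHA1 tokens work, and Google Authenticator only computes SHA1) come down to the server and the app hashing the same seed with different HMAC algorithms. The following RFC 6238 implementation is an added example, not code from this thread or from privacyIDEA; the base32 seed and the fixed timestamp are constructed for the demo, and the RFC's published test vectors are used to confirm the arithmetic.

```python
import base64
import hashlib
import hmac
import struct

# Hash algorithms a TOTP token can be enrolled with (RFC 6238 section 1.2).
HASHES = {"sha1": hashlib.sha1, "sha256": hashlib.sha256, "sha512": hashlib.sha512}


def hotp(secret: bytes, counter: int, hashname: str = "sha1", digits: int = 6) -> str:
    """RFC 4226 HOTP, with the hash algorithm selectable as RFC 6238 allows."""
    mac = hmac.new(secret, struct.pack(">Q", counter), HASHES[hashname]).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp: int, hashname: str = "sha1",
         digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, timestamp // step, hashname, digits)


def server_verify(secret: bytes, code: str, timestamp: int, hashname: str,
                  digits: int = 6, step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the code if it matches any step in +/- window.
    The hash algorithm used here is the one stored with the enrolled token."""
    counter = timestamp // step
    return any(hmac.compare_digest(hotp(secret, counter + d, hashname, digits), code)
               for d in range(-window, window + 1))


def app_vs_server(server_hash: str, app_hash: str = "sha1") -> bool:
    """Replay the thread's situation: the authenticator app always computes
    with app_hash (Google Authenticator uses SHA1), while the server verifies
    with the algorithm the token was enrolled with. Returns whether the
    server accepts the app's code."""
    secret = base64.b32decode("JBSWY3DPEHPK3PXP")   # constructed demo seed
    now = 1670339000                                 # constructed fixed clock
    app_code = totp(secret, now, app_hash)
    return server_verify(secret, app_code, now, server_hash)


if __name__ == "__main__":
    for h in HASHES:
        print(f"server={h:6s} app=sha1 -> accepted={app_vs_server(h)}")
```

Only the SHA1 server configuration accepts the SHA1 app code, which is exactly the behaviour seen after switching the token back to SHA1; an app that implements the algorithm parameter of the otpauth URI is needed before SHA256 or SHA512 can be enrolled.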