privacyIDEA access denied for <my_User> realm=''

Sebastian · December 7, 2022, 7:58am

Hi,
we have a VDI Environment (Horizon 8) with TOTP Auth configured on the UAG. It worked well and authentication was possible, until we ugraded from Horizon 7 to 8.
We didn’t changed network, IP, Firewall, Realm or Resolver, just performed the Horizon Upgrade and a Domain Function Level Upgrade from 2008R2 to 2012R2.
When I try to authenticate I can see the following details in radius.log (IP and Username deleted)

Tue Dec 6 16:02:04 2022 : Info: rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
Tue Dec 6 16:02:04 2022 : Info: rlm_perl: Debugging config:
Tue Dec 6 16:02:04 2022 : Info: rlm_perl: Default URL https://localhost/validate/check
Tue Dec 6 16:02:04 2022 : Info: rlm_perl: Looking for config for auth-type Perl
Tue Dec 6 16:02:04 2022 : Info: rlm_perl: Password encoding guessed: ascii
Tue Dec 6 16:02:04 2022 : Info: rlm_perl: Setting client IP to <my_IP>.
Tue Dec 6 16:02:04 2022 : Info: rlm_perl: Auth-Type: Perl
Tue Dec 6 16:02:04 2022 : Info: rlm_perl: url: https://localhost/validate/check
Tue Dec 6 16:02:04 2022 : Info: rlm_perl: user sent to privacyidea: <my_User>
Tue Dec 6 16:02:04 2022 : Info: rlm_perl: realm sent to privacyidea:
Tue Dec 6 16:02:04 2022 : Info: rlm_perl: resolver sent to privacyidea:
Tue Dec 6 16:02:04 2022 : Info: rlm_perl: client sent to privacyidea: <my_IP>
Tue Dec 6 16:02:04 2022 : Info: rlm_perl: state sent to privacyidea:
Tue Dec 6 16:02:04 2022 : Info: rlm_perl: urlparam client
Tue Dec 6 16:02:04 2022 : Info: rlm_perl: urlparam user
Tue Dec 6 16:02:04 2022 : Info: rlm_perl: urlparam pass
Tue Dec 6 16:02:04 2022 : Info: rlm_perl: Request timeout: 10
Tue Dec 6 16:02:04 2022 : Info: rlm_perl: Not verifying SSL certificate!
Tue Dec 6 16:02:05 2022 : Info: rlm_perl: elapsed time for privacyidea call: 0.141487
Tue Dec 6 16:02:05 2022 : Info: rlm_perl: privacyIDEA Result status is true!
Tue Dec 6 16:02:05 2022 : Info: rlm_perl: privacyIDEA access denied for <my_User> realm=‘’
Tue Dec 6 16:02:05 2022 : Info: rlm_perl: return RLM_MODULE_REJECT

It seems the system can’t find the User in Realm. If we add Users to the LDAP Resolver Group, the Users are synced, LDAP Connection is functional.
I appreciate every hint for troubleshoot

Regards
Sebastian

AAuer · December 7, 2022, 9:19am

Hi,
what does privacyIDEA write to the logs? You should see errors like “User not found in resolver”. Is the resolver/realm correct?

best regards
Andreas

Sebastian · December 7, 2022, 10:20am

Hi Andreas,

correct, but I can’t check it now due no access to environment at this time.
The issue maybe caused by the AD function level upgrade?
I checked the resolver and it’s still able to connect to AD and it find and add users too.
Should I delete and recreate the Realm / Resolver?

LG
Sebastian

cornelinux · December 7, 2022, 8:13pm

Take a look in the privacyIDEA audit log for this specifc request to get a better idea what happens!
It can depend on a lot of aspects like your authentication policies.

Sebastian · December 12, 2022, 11:45am

Hi Andreas,
today we recreated the Resolver + Realm, but it didnt fixed the issue. In the audit log I can see the following line:

‘1255’ ‘2022-12-12T10:30:39.081877’ ‘OK’ ‘OK’ ‘POST /validate/check’ ‘0’ ‘’ ‘totp’ ‘<my_Username>’ ‘<my_Resolver>’ ‘<my_Realm>’ ‘None’ ‘’ ‘wrong otp value’ ‘localhost’ ‘’ ‘127.0.0.1’ ‘None’ ‘None’ ‘2022-12-12T10:30:38.848703’ ‘0.233134’

We have this behavior since the Upgrade of the Horizon Unified Access Gateway and the AD Function Level Upgrade. Please let me know if you need any other Screenshots or Logs.
TOTP was functional before the Upgrade

Kind regards
Sebastian

AAuer · December 12, 2022, 12:26pm

Hi Sebastian,
“wrong otp value” and a totp-token looks like some timing problem. Can you verify the token in the PI-GUI?
best regards
Andreas

Sebastian · December 14, 2022, 7:10am

Hi,
verify Token also fails. I tried to enroll the Token with Pin and did a Token+Pin Test too, also failed.
The time zone on radius server was wrong, we changed it to DE but didnt fixed the problem.

cornelinux · December 14, 2022, 6:53pm

I guess you think you can use sha512.

Sebastian · January 3, 2023, 12:39pm

Hi,
wish u all a happy new year

I checked the TOTP Settings and it was configured with SHA256, we changed it to SHA1 and its working now. But its not the safest option, we want to use SHA256 or 512, but it doesnt work when we change this value. Is there anything else to configure first to use a higher Hash Option?

Kind Regards
Sebastian

Sebastian · January 4, 2023, 7:56am

Hi,
today I saw the info at TOTP Enrollment that the Google Authenticator only supports SHA1 ^^ Which Authenticator would you recommend to use SHA256 or higher?

AAuer · January 4, 2023, 8:19am

Hi,
the only one I know is privacyIDEA Authenticator.