TOTP not wokring "wrong otp value" after running ubuntu update

Hi
I managed to configure TOTP to run with LDAP authentication (MS Active
Directory in my case)
Everything worked perfectly until yesterday when I did Ubuntu updates, and
now TOTP tokens are not working anymore, i’m getting
"Wrong otp value".

In the past, I installed NTP daemon and it solved my problem but now,
though ntp is installed and I can’t get
my totp tokens to work.

any idea what changed in the last version of PrivacyIDEA that can break
TOTP functionality?

partial log:

rlm_perl: Added pair Auth-Type = Perl
++[perl] returns reject
Failed to authenticate the user.
Sending Access-Reject of id 249 to 192.168.0.1 port 41078
Reply-Message = “wrong otp value”

Thanks

We really try to avoid breaking changes.
privacyIDEA is running over 700 unit tests on each commit with ~4500
assert.
The totp token is tested here:


with 27 tests.

The only thing added - not changed - was the autoresync.

If you would provide more information about your TOTP token settings,
which kind of tokens you are using etc.
…you might even get your enlightenment during the time of writing.

At least this often happens to me, when I start to write a question and
I really go into detail, the answer will pop infront of my inner eye
even before hitting the button send.

You should try it :wink:
…if not, it is great if you provide more information.Am Montag, den 04.07.2016, 08:32 -0700 schrieb Itaios:

Hi
I managed to configure TOTP to run with LDAP authentication (MS Active
Directory in my case)
Everything worked perfectly until yesterday when I did Ubuntu updates,
and now TOTP tokens are not working anymore, i’m getting
“Wrong otp value”.

In the past, I installed NTP daemon and it solved my problem but now,
though ntp is installed and I can’t get
my totp tokens to work.

any idea what changed in the last version of PrivacyIDEA that can
break TOTP functionality?

partial log:

rlm_perl: Added pair Auth-Type = Perl
++[perl] returns reject
Failed to authenticate the user.
Sending Access-Reject of id 249 to 192.168.0.1 port 41078
Reply-Message = “wrong otp value”

Thanks


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/2b717752-40a2-466f-9e9b-cc8873afca47%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)

Thanks for the feedback.

Really strange. Did you really enroll the tokens with 60 secs?
Did you update from 2.12 to 2.13?

Anyway. Good that it is working again.

Kind regards
CorneliusAm Dienstag, den 05.07.2016, 05:36 -0700 schrieb Itaios:

Hi Cornelius,
After changing tokens from 60 to 30 seconds as you recommended,

I’m now able to use them again, with Active directory and Cisco FW.

Thank you!

On Monday, July 4, 2016 at 6:59:29 PM UTC+3, Cornelius Kölbel wrote:
We really try to avoid breaking changes.
privacyIDEA is running over 700 unit tests on each commit with
~4500
assert.
The totp token is tested here:
https://github.com/privacyidea/privacyidea/blob/master/tests/test_lib_tokens_totp.py
with 27 tests.

    The only thing added - not changed - was the autoresync. 
    https://github.com/privacyidea/privacyidea/commits/master/privacyidea/lib/tokens/totptoken.py 
    
    If you would provide more information about your TOTP token
    settings, 
    which kind of tokens you are using etc. 
    ...you might even get your enlightenment during the time of
    writing. 
    
    At least this often happens to me, when I start to write a
    question and 
    I really go into detail, the answer will pop infront of my
    inner eye 
    even before hitting the button send. 
    
    You should try it ;-) 
    ...if not, it is great if you provide more information. 
    
    
    
    Am Montag, den 04.07.2016, 08:32 -0700 schrieb Itaios: 
    > Hi 
    > I managed to configure TOTP to run with LDAP authentication
    (MS Active 
    > Directory in my case) 
    > Everything worked perfectly until yesterday when I did
    Ubuntu updates, 
    > and now TOTP tokens are not working anymore, i'm getting 
    > "Wrong otp value". 
    > 
    > 
    > 
    > 
    > In the past, I installed NTP daemon and it solved my problem
    but now, 
    > though ntp is installed and I can't get 
    > my totp tokens to work. 
    > 
    > 
    > any idea what changed in the last version of PrivacyIDEA
    that can 
    > break TOTP functionality? 
    > 
    > 
    > partial log: 
    > 
    > 
    > rlm_perl: Added pair Auth-Type = Perl 
    > ++[perl] returns reject 
    > Failed to authenticate the user. 
    > Sending Access-Reject of id 249 to 192.168.0.1 port 41078 
    > Reply-Message = "wrong otp value" 
    > 
    > 
    > 
    > 
    > Thanks 
    > 
    > 
    > -- 
    > Please read the blog post about getting help 
    > https://www.privacyidea.org/getting-help/. 
    >   
    > For professional services and consultancy regarding two
    factor 
    > authentication please visit 
    > https://netknights.it/en/leistungen/one-time-services/ 
    >   
    > In an enterprise environment you should get a SERVICE LEVEL
    AGREEMENT 
    > which suites your needs for SECURITY, AVAILABILITY and
    LIABILITY: 
    >
    https://netknights.it/en/leistungen/service-level-agreements/ 
    > --- 
    > You received this message because you are subscribed to the
    Google 
    > Groups "privacyidea" group. 
    > To unsubscribe from this group and stop receiving emails
    from it, send 
    > an email to privacyidea...@googlegroups.com. 
    > To post to this group, send email to
    priva...@googlegroups.com. 
    > Visit this group at
    https://groups.google.com/group/privacyidea. 
    > To view this discussion on the web visit 
    >
    https://groups.google.com/d/msgid/privacyidea/2b717752-40a2-466f-9e9b-cc8873afca47%40googlegroups.com. 
    > For more options, visit https://groups.google.com/d/optout. 
    
    -- 
    Cornelius Kölbel 
    corneliu...@netknights.it 
    +49 151 2960 1417 
    
    NetKnights GmbH 
    http://www.netknights.it 
    Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    Tel: +49 561 3166797, Fax: +49 561 3166798 
    
    Amtsgericht Kassel, HRB 16405 
    Geschäftsführer: Cornelius Kölbel 


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/1ff0d6f5-b167-4268-bb5f-307ed08bf19d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)

Hi Cornelius,
After changing tokens from 60 to 30 seconds as you recommended,

I’m now able to use them again, with Active directory and Cisco FW.

Thank you!On Monday, July 4, 2016 at 6:59:29 PM UTC+3, Cornelius Kölbel wrote:

We really try to avoid breaking changes.
privacyIDEA is running over 700 unit tests on each commit with ~4500
assert.
The totp token is tested here:

https://github.com/privacyidea/privacyidea/blob/master/tests/test_lib_tokens_totp.py
with 27 tests.

The only thing added - not changed - was the autoresync.

https://github.com/privacyidea/privacyidea/commits/master/privacyidea/lib/tokens/totptoken.py

If you would provide more information about your TOTP token settings,
which kind of tokens you are using etc.
…you might even get your enlightenment during the time of writing.

At least this often happens to me, when I start to write a question and
I really go into detail, the answer will pop infront of my inner eye
even before hitting the button send.

You should try it :wink:
…if not, it is great if you provide more information.

Am Montag, den 04.07.2016, 08:32 -0700 schrieb Itaios:

Hi
I managed to configure TOTP to run with LDAP authentication (MS Active
Directory in my case)
Everything worked perfectly until yesterday when I did Ubuntu updates,
and now TOTP tokens are not working anymore, i’m getting
"Wrong otp value".

In the past, I installed NTP daemon and it solved my problem but now,
though ntp is installed and I can’t get
my totp tokens to work.

any idea what changed in the last version of PrivacyIDEA that can
break TOTP functionality?

partial log:

rlm_perl: Added pair Auth-Type = Perl
++[perl] returns reject
Failed to authenticate the user.
Sending Access-Reject of id 249 to 192.168.0.1 port 41078
Reply-Message = “wrong otp value”

Thanks


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea...@googlegroups.com <javascript:>.
To post to this group, send email to priva...@googlegroups.com
<javascript:>.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit

https://groups.google.com/d/msgid/privacyidea/2b717752-40a2-466f-9e9b-cc8873afca47%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
corneliu...@netknights.it <javascript:>
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel