Ubuntu test setup with c100 OTP tokens

Ubuntu server 16.04
PrivacyIDEA 2.21.4
OTP c100 tokens

I’m using a very old version of privacyidea in a VM and want to try and replace it with a Ras Pi2. As a test I installed a pre-configured image of Ubuntu server on the Pi from Ubuntu 16.04.7 LTS (Xenial Xerus) and then installed privacyidea with

# add-apt-repository ppa:privacyidea/privacyidea
# apt-get install python-privacyidea privacyideaadm privacyidea-apache2 privacyidea-radius
# pi-manage admin add admin

Then in the web interface I create the default realm and import tokens from a CSV file. It shows 3 tokens imported successfully. As a test I select one of the tokens and enter the OTP value and click “Test OTP only” and I get “OTP verification failed”. If I enter 2 OTP values and “Resync Token” I get “Token resync failed”.

I thought it might be a problem with the platform so I tried the same in a new VM running the same version of Ubuntu server, same result.

Turned debug on and get

[2018-02-15 23:16:54,390][3164][140292231509760][DEBUG][privacyidea.lib.token:197] Exiting get_tokens_paginate with result {'tokens': [{'info': {u'hashlib': u'sha1'}, 'failcount': 0, 'user_id': u'', 'description': u'imported', 'tokentype': u'hotp', 'count_window': 10, 'username': '', 'realms': [u'defrealm'], 'count': 0, 'maxfail': 10, 'resolver_type': u'', 'rollout_state': u'', 'resolver': u'', 'user_realm': '', 'active': True, 'locked': False, 'serial': u'1000408404335', 'sync_window': 1000, 'id': 3, 'otplen': 6, 'revoked': False}], 'current': 1, 'prev': None, 'count': 1, 'next': None}
[2018-02-15 23:16:54,391][3164][140292231509760][DEBUG][privacyidea.api.token:197] Exiting list_api with result <Response 959 bytes [200 OK]>
[2018-02-15 23:16:54,404][3164][140292231509760][DEBUG][privacyidea.api.lib.utils:239] Can not get param: No JSON object could be decoded

root@pi:~# cat /etc/privacyidea/pi.cfg

import logging
SUPERUSER_REALM = ['super']
PI_ENCFILE = '/etc/privacyidea/enckey'
PI_AUDIT_KEY_PRIVATE = '/etc/privacyidea/private.pem'
PI_AUDIT_KEY_PUBLIC = '/etc/privacyidea/public.pem'
PI_LOGFILE = '/var/log/privacyidea/privacyidea.log'
PI_LOGLEVEL = 10
PI_PEPPER = '-------------------------'
SECRET_KEY = '------------------------'
SQLALCHEMY_DATABASE_URI = 'mysql://pi:nP5exMy5W32F@localhost/pi'

You must enter two consecutive OTP values. (I think you have done this).

The c100 is an event based token.
If these are the tokens you used earlier, it could be that the internal counter of the token has increased to a very high value.
Then you might need to adapt the syncWindow in the token details.
By default the syncWindow is set to 1000. I.e. privacyIDEA will only search these two consecutive OTP values in the next (first) 1000 values. Increase to 10.000 and try again.
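
The resync search described in the reply above, as an added example that is not part of the original thread and not privacyIDEA's own code: a minimal RFC 4226 HOTP with a two-value resync over a bounded window. The function names, the RFC 4226 test secret and the device counter of 4000 are constructed for illustration.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP over HMAC-SHA1 (the token in the logs: sha1, otplen 6)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def resync(key: bytes, stored_counter: int, otp1: str, otp2: str,
           sync_window: int):
    """Look for otp1 followed by otp2 at consecutive counters inside
    [stored_counter, stored_counter + sync_window).

    Returns the counter the server should store next, or None when the
    pair is not inside the window (the "Token resync failed" case)."""
    for c in range(stored_counter, stored_counter + sync_window):
        if (hmac.compare_digest(hotp(key, c), otp1)
                and hmac.compare_digest(hotp(key, c + 1), otp2)):
            return c + 2
    return None


# Constructed scenario: a freshly imported token has server counter 0
# ('count': 0 in the debug log), while the years-old hardware token has
# already been pressed 4000 times (assumed value).
KEY = b"12345678901234567890"   # RFC 4226 Appendix D test secret
SERVER_COUNTER = 0
DEVICE_COUNTER = 4000
OTP1 = hotp(KEY, DEVICE_COUNTER)
OTP2 = hotp(KEY, DEVICE_COUNTER + 1)

if __name__ == "__main__":
    for window in (1000, 10000):
        result = resync(KEY, SERVER_COUNTER, OTP1, OTP2, window)
        print("sync_window=%d -> new counter: %s" % (window, result))
```

A single-value check over a window of w counters accepts a random 6-digit guess with probability of roughly w/10^6, which is why the resync search requires two consecutive values and the look-ahead window used for normal authentication is kept small.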

Yes, two consecutive OTP values from a token that is several years old. I know it works because it’s in use on another system. As you said there’s a good chance that it’s not in sync.

As a test I changed SyncWindow and CountWindow to 10,000 in the GUI but it didn’t make a difference, I get the same errors. I checked the log file and it looks like sync_window is still 1000 and count_window is 10.

[2018-02-16 08:43:42,864][1115][140155129714432][DEBUG][privacyidea.models:197] Exiting get_vars with result {'info': {u'hashlib': u'sha1'}, 'failcount': 0, 'user_id': u'', 'description': u'imported', 'tokentype': u'hotp', 'count_window': 10, 'realms': [u'defrealm'], 'count': 0, 'maxfail': 10, 'resolver_type': u'', 'rollout_state': u'', 'resolver': u'', 'active': True, 'locked': False, 'serial': u'1000408404335', 'sync_window': 1000, 'id': 3, 'otplen': 6, 'revoked': False}
[2018-02-16 08:43:42,864][1115][140155129714432][DEBUG][privacyidea.models:197] Exiting get with result {'info': {u'hashlib': u'sha1'}, 'failcount': 0, 'user_id': u'', 'description': u'imported', 'tokentype': u'hotp', 'count_window': 10, 'realms': [u'defrealm'], 'count': 0, 'maxfail': 10, 'resolver_type': u'', 'rollout_state': u'', 'resolver': u'', 'active': True, 'locked': False, 'serial': u'1000408404335', 'sync_window': 1000, 'id': 3, 'otplen': 6, 'revoked': False}
[2018-02-16 08:43:42,864][1115][140155129714432][DEBUG][privacyidea.lib.token:197] Exiting get_tokens_paginate with result {'tokens': [{'info': {u'hashlib': u'sha1'}, 'failcount': 0, 'user_id': u'', 'description': u'imported', 'tokentype': u'hotp', 'count_window': 10, 'username': '', 'realms': [u'defrealm'], 'count': 0, 'maxfail': 10, 'resolver_type': u'', 'rollout_state': u'', 'resolver': u'', 'user_realm': '', 'active': True, 'locked': False, 'serial': u'1000408404415', 'sync_window': 1000, 'id': 3, 'otplen': 6, 'revoked': False}], 'current': 1, 'prev': None, 'count': 1, 'next': None}
[2018-02-16 08:43:42,865][1115][140155129714432][DEBUG][privacyidea.api.token:197] Exiting list_api with result <Response 959 bytes [200 OK]>
[2018-02-16 08:43:42,877][1115][140155129714432][DEBUG][privacyidea.api.lib.utils:239] Can not get param: No JSON object could be decoded

You need to change the syncWindow in the token detail.

If you change it in the system settings, this is only the value for newly enrolled tokens.
http://privacyidea.readthedocs.io/en/latest/configuration/system_config.html#token-default-settings

That was it! I didn’t realise it was a token setting as well as System. Changed to 10,000, resync token successfully. Thanks for your help.
