himmelblau-idm / himmelblau

Azure Entra ID Authentication, with PAM and NSS modules.
GNU General Public License v3.0

Unable to log in after Windows Hello PIN is configured #111

Closed karlholmberg closed 2 months ago

karlholmberg commented 2 months ago

Hello, I get the following error when trying to authenticate with the Windows Hello PIN:

Failed to authenticate with hello key: AcquireTokenFailed(ErrorResponse { error: "invalid_request", error_description: "AADSTS1400001: Request nonce is not provided. Trace ID: ### Correlation ID: ### Timestamp: 2024-05-06 17:30:09Z", error_codes: [1400001] })

I have tried Himmelblau in both Ubuntu 24.04 and openSUSE Tumbleweed. I get the same error in both.

dmulder commented 2 months ago

I noticed that happen once when the user was enrolled without MFA. I made some recent changes that prevent a non-MFA user from enrolling in Windows Hello. Could you tell me a little more about your environment? Is the user enrolled in MFA? What type of authentication did you do (did it prompt for an MFA token, or did it fall back to a DAG/URL auth)? Which version of Himmelblau are you using?

dmulder commented 2 months ago

Also, can you enable debug in himmelblaud, and provide the debug output?

dmulder commented 2 months ago

Hrm, there is only one request in that particular exchange where I didn't send a nonce. When I add it I don't get any complaints from Azure, so perhaps that is the issue. I'm just surprised that your tenant is flagging that as an error, but mine is not. Perhaps there is a setting in Azure to enforce this?

dmulder commented 2 months ago

Azure is completely ignoring invalid parameters there though, so it could be that's an incorrect place but is being ignored.

karlholmberg commented 2 months ago

I am using Himmelblau 0.3.1 in a KVM VM with an emulated TPM. When trying with SFA it has worked, but I was never prompted to use Windows Hello when logging in with SFA. When logging in with MFA, I get prompted to set up a Windows Hello key after success with user+pw and TOTP. The Windows Hello PIN gets set up, but I am never able to actually log in with the Windows Hello PIN.

dmulder commented 2 months ago

> I am using Himmelblau 0.3.1 in a KVM VM with an emulated TPM. When trying with SFA it has worked, but I was never prompted to use Windows Hello when logging in with SFA. When logging in with MFA, I get prompted to set up a Windows Hello key after success with user+pw and TOTP. The Windows Hello PIN gets set up, but I am never able to actually log in with the Windows Hello PIN.

You can't enroll in Windows Hello with SFA (at least I haven't found a way to do it), so that's the expected behavior. It's interesting that PIN enrollment is successful, but it's rejecting auth. I am sending a nonce, but only in the Hello JWT. It may be that it's expecting a nonce in the payload also.

@karlholmberg I assume you are building Himmelblau yourself? Or are there debian packages available somewhere?
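A quick offline check for the "nonce in the inner JWT but not in the outer payload" situation described above. This is an added debugging example, not Himmelblau code or part of this issue: it decodes a JWT without verifying the signature, reports every nonce-like claim it finds, and recurses into any nested JWT carried as a claim value. The claim names it looks for (`nonce`, `request_nonce`), the `assertion` claim used to nest the inner token, and the sample tokens are all assumptions constructed for the example.

```python
"""Locate nonce claims in a (possibly nested) JWT.

Added example for diagnosing an AADSTS1400001 "Request nonce is not
provided" response: decode the request JWT, list where nonce-like
claims actually live, and say whether one is present in the outer
payload. Not Himmelblau code; claim names and token shapes below are
assumptions made for this example, and the tokens are constructed.
"""
import base64
import json

# Assumed claim names; adjust to whatever the real request uses.
NONCE_CLAIMS = ("nonce", "request_nonce")


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(header: dict, payload: dict) -> str:
    """Build a JWT with an empty signature. Test input only; never send one."""
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join((enc(header), enc(payload), ""))


def decode_jwt(token: str) -> tuple[dict, dict]:
    """Return (header, payload). The signature is deliberately NOT verified:
    this is an inspection aid, not an authentication step."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def looks_like_jwt(value) -> bool:
    # base64url of a JSON object header always begins with "eyJ".
    return isinstance(value, str) and value.count(".") == 2 and value.startswith("eyJ")


def find_nonces(token: str, path: str = "outer") -> dict:
    """Map 'where.the.claim.is' -> value for every nonce claim, recursing
    into claims whose value is itself a JWT (e.g. a nested assertion)."""
    header, payload = decode_jwt(token)
    found = {}
    for claim in NONCE_CLAIMS:
        if claim in header:
            found[f"{path}.header.{claim}"] = header[claim]
        if claim in payload:
            found[f"{path}.payload.{claim}"] = payload[claim]
    for key, value in payload.items():
        if looks_like_jwt(value):
            found.update(find_nonces(value, f"{path}.payload.{key}"))
    return found


def nonce_in_outer_payload(token: str) -> bool:
    """True only if a nonce claim sits directly in the outermost payload."""
    locations = find_nonces(token)
    return any(f"outer.payload.{c}" in locations for c in NONCE_CLAIMS)


# Constructed samples. The inner token stands in for a Hello-key assertion
# carrying request_nonce; the outer token wraps it in an assumed "assertion" claim.
INNER = make_unsigned_jwt({"alg": "RS256", "typ": "JWT"},
                          {"iss": "hello-key", "request_nonce": "AwABAAEA-example"})
OUTER_MISSING = make_unsigned_jwt({"alg": "RS256", "typ": "JWT"},
                                  {"grant_type": "jwt-bearer", "assertion": INNER})
OUTER_FIXED = make_unsigned_jwt({"alg": "RS256", "typ": "JWT"},
                                {"grant_type": "jwt-bearer", "assertion": INNER,
                                 "request_nonce": "AwABAAEA-example"})

if __name__ == "__main__":
    for name, tok in (("missing", OUTER_MISSING), ("fixed", OUTER_FIXED)):
        print(name, find_nonces(tok), "outer payload has nonce:", nonce_in_outer_payload(tok))
```

Run it against a real request JWT captured from debug output (after redacting it) to see at a glance whether the nonce is only inside the nested assertion; if so, that matches the "nonce only in the Hello JWT" hypothesis rather than a tenant setting.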

karlholmberg commented 2 months ago

For Ubuntu I built it myself; for openSUSE I installed it with "zypper install himmelblau".

dmulder commented 2 months ago

> For Ubuntu I built it myself; for openSUSE I installed it with "zypper install himmelblau".

@karlholmberg Is this a production Azure tenant, or is it a test tenant with defaults? I'm wondering what is different between our tenants that would cause this to fail.

karlholmberg commented 2 months ago

No, this is a test tenant. I have had it for a while, but it should be using defaults.

dmulder commented 2 months ago

Can you join the himmelblau matrix channel #himmelblau:matrix.org and we can chat there?

dmulder commented 2 months ago

Also, @karlholmberg can you provide the contents of your /var/cache/himmelblaud/himmelblau.conf, as well as any config changes you've added to /etc/himmelblau/himmelblau.conf? You can share privately and obfuscated if necessary.

dmulder commented 2 months ago

Last comment, then I'm done for today. Would you compile and run the example code in https://github.com/himmelblau-idm/msal_example? Don't provide me the output (it's full of authorization tokens/sensitive output), but let me know generally what happens when run with an MFA user. You could potentially provide the output once it's been obfuscated.