maldua-suite / zimbra-ose-2fa

Two factor authentication for Zimbra OSE

2FA issues a couple of days after setting it up for an account #6

Closed sylvain-prt closed 1 year ago

sylvain-prt commented 1 year ago

Hello

First, thanks a lot for building this extension for Zimbra 2FA ... this is what I have been waiting for on my personal mail server for years!

I have been trying this for a couple of days now and I am facing a very strange issue:

for a couple of days, everything was working perfectly

this morning, there was no way to connect to the webmail, nor with my mobile. The OTP code was reported as incorrect and application passwords were refused.

I connected using the admin account and checked my profile:

  • Setup of the 2FA was still done
  • Application passwords were not anymore in my profile

I reset the 2FA on my profile and tried to re-register my OTP application, but when checking the 2FA code upon registration, it is still rejecting it.

Can you please provide me some guidance?

Thanks, Sylvain

sylvain-prt commented 1 year ago

From trace.log I can see an error 500 with `/service/soap/EnableTwoFactorAuthRequest RESPONSE 500 text/javascript; charset=utf-8`:

```
08:29:25.704:qtp1381713434-222 OPENED HttpConnection@7718ee46::DecryptedEndPoint@1899f2ac{l=/10.200.40.13:8443,r=/10.200.40.13:40032,OPEN,fill=-,flush=-,to=0/60000}
08:29:25.710:qtp1381713434-235:https://mail.domain.tld/service/soap/EnableTwoFactorAuthRequest REQUEST 10.200.40.13 POST _ga_NZ0BQYHXJM=GS1.1.1699453666.5.1.1699455401.0.0.0; _ga=GA1.1.716137241.1696857043; _BEAMER_USER_ID_bxOQALFw21023=a832c96b-a356-48e2-80f2-9f83920a0721; _BEAMER_FIRST_VISIT_bxOQALFw21023=2023-10-11T08:00:50.967Z; ajs_user_id=%2216000133362%22; ajs_group_id=null; ajs_anonymous_id=%22137532d4-cad4-47b2-aa03-9c18f3cec0a5%22; _hp2_props.1080212440=%7B%22account_id%22%3A%22285402%22%2C%22account_state%22%3A%22active%22%2C%22account_plan%22%3A%22pro%22%2C%22workspace_id%22%3A2%2C%22workspace_type%22%3A%22it%22%2C%22workspace_state%22%3A%22active%22%2C%22screenSize%22%3A%222560x1440%22%2C%22screenResolution%22%3A%222560x1440%22%2C%22playGodPrivileges%22%3A%22true%22%2C%22workloadPrivilege%22%3A%22Workload%20Supervisor%22%7D; _hp2_id.1080212440=%7B%22userId%22%3A%222808745011889413%22%2C%22pageviewId%22%3A%222911328902676796%22%2C%22sessionId%22%3A%225142753739607214%22%2C%22identity%22%3A%2216000133362%22%2C%22trackerVersion%22%3A%224.0%22%2C%22identityField%22%3Anull%2C%22isIdentified%22%3A1%7D; _BEAMER_LAST_POST_SHOWN_bxOQALFw21023=53944081; _BEAMER_BOOSTED_ANNOUNCEMENT_DATE_bxOQALFw21023=2023-10-17T05:21:18.290Z; _fw_crm_v=05a2ad54-0fa7-4b45-8c8c-bba7b924e846; _gcl_au=1.1.1649937135.1697018243; _ga_PPR5WX5ZWW=GS1.1.1699451016.31.0.1699451019.57.0.0; OptanonConsent=isGpcEnabled=0&datestamp=Thu+Nov+09+2023+09%3A08%3A21+GMT%2B0100+(Central+European+Standard+Time)&version=202310.1.0&isIABGlobal=false&hosts=&consentId=d93393e5-c1db-492a-8e4e-b1c6005c8dd4&interactionCount=2&landingPath=https%3A%2F%2Fwww.fiba.basketball%2F&groups=C0001%3A1%2CC0002%3A1%2CC0003%3A1%2CC0004%3A1&AwaitingReconsent=true&geolocation=FR%3BIDF&browserGpcFlag=0; __gads=ID=ed78a02a009fe1ff-221d214443df00e3:T=1697018244:RT=1699451018:S=ALNI_MbxZIJd2sn1aeXbyy3OigOH903RPw; __gpi=UID=00000c94ba438fcc:T=1697018244:RT=1699451018:S=ALNI_MbVRdSi3ani07MOgEQvL_Kljrc-dQ; 
_fbp=fb.1.1697018244895.1493436293; _tt_enable_cookie=1; _ttp=QVuJAwRcLJWnsF-9V3qB4_8m8H9; OptanonAlertBoxClosed=2023-10-27T08:40:53.474Z; eupubconsent-v2=CP0TM3AP0TM3AAcABBENDeCsAP_AAH_AAAQ4IywAwBOALzgimCMoIwQBQBOALzAimBF4CMAAAAAA.f_gAD_gAAAAA; ZM_ADMIN_AUTH_TOKEN=0_e28f70bc93c05e108fd4df140a0929a2417ac86c_69643d33363a34663066323762662d326138642d343633652d613063342d3930303337663333666230343b6578703d31333a313639393536303436303134373b61646d696e3d313a313b76763d313a313b747970653d363a7a696d6272613b753d313a613b7469643d393a3737323930383733343b76657273696f6e3d31343a382e382e31355f47415f333836393b637372663d313a313b; ZM_TEST=true; ZM_AUTH_TOKEN=0_332c2d13ee2851c0944d0d0d2c58f759e8d2225d_69643d33363a63323836313438342d393466372d343061322d383963302d6638326566343665353665383b6578703d31333a313639393639303930333935363b76763d313a323b747970653d363a7a696d6272613b753d313a613b7469643d393a3734303931353930343b76657273696f6e3d31343a382e382e31355f47415f333836393b637372663d313a313b; JSESSIONID=node01bf5zu9ua8dvn176tsetgjy78z3.node0; Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
08:29:25.714:qtp1381713434-235:https://mail.domain.tld/service/soap/EnableTwoFactorAuthRequest RESPONSE 500 text/javascript; charset=utf-8
08:29:25.715:qtp1381713434-237 CLOSED HttpConnection@7718ee46::DecryptedEndPoint@1899f2ac{l=/10.200.40.13:8443,r=/10.200.40.13:40032,CLOSED,fill=-,flush=-,to=5/60000}
08:29:25.715:qtp1381713434-237 CLOSED SslConnection@2ebe2cd2::SocketChannelEndPoint@353f1839{l=/10.200.40.13:8443,r=/10.200.40.13:40032,CLOSED,fill=-,flush=-,to=0/60000}{io=0/0,kio=-1,kro=-1}->SslConnection@2ebe2cd2{NOT_HANDSHAKING,eio=-1/-1,di=-1,fill=IDLE,flush=IDLE}~>DecryptedEndPoint@1899f2ac{l=/10.200.40.13:8443,r=/10.200.40.13:40032,CLOSED,fill=-,flush=-,to=5/60000}=>HttpConnection@7718ee46[p=HttpParser{s=CLOSED,756 of 756},g=HttpGenerator@3a2bde4c{s=START}]=>HttpChannelOverHttp@65acbd67{s=HttpChannelState@32772fec{s=IDLE rs=BLOCKING os=OPEN is=IDLE awp=false se=false i=true al=0},r=1,c=false/false,a=IDLE,uri=null,age=0}
```

adriangibanelbtactic commented 1 year ago

> I reset the 2FA on my profile and try to re-register my OTP application but when checking the 2FA code upon registration, it's still rejecting it

1) Maybe it's a problem with the Zimbra clock not being in sync with your OTP application's clock. Did you install ntpd, systemd-timesyncd or a similar tool on your Zimbra VPS?

2) Otherwise I guess you could check: https://wiki.zimbra.com/wiki/Steps_to_fix_two_factor_auth_setup_error.

Keep us informed.
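To show why an out-of-sync server clock makes every OTP "incorrect" (the clock-drift suspicion raised here), the following is an added TOTP example in Python; it is not code from the zimbra-ose-2fa extension, and it assumes standard RFC 6238 parameters (HMAC-SHA1, 6 digits, 30-second step) and uses the RFC's published test key as a constructed secret.

```python
import hashlib
import hmac
import struct
from typing import Optional

STEP = 30    # TOTP time step in seconds (RFC 6238 default; assumed for the extension)
DIGITS = 6   # 6-digit codes, as typed from the OTP app in this thread

# Constructed secret: the RFC 6238 reference test key, not a real Zimbra secret.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP keyed on the current 30-second step."""
    return hotp(secret, unix_time // STEP)


def verify(secret: bytes, code: str, server_time: int, window: int = 1) -> bool:
    """Server-side check that tolerates `window` steps of skew either way.

    A server clock drifting by more than roughly window*STEP seconds puts every
    code the phone shows outside this range, so all of them are rejected.
    """
    server_step = server_time // STEP
    return any(
        hmac.compare_digest(hotp(secret, server_step + delta), code)
        for delta in range(-window, window + 1)
    )


def estimate_skew_steps(secret: bytes, code: str, server_time: int,
                        search: int = 40) -> Optional[int]:
    """Diagnostic only (never for login): find the step offset that reproduces `code`.

    Returns phone step minus server step within +/-search steps, or None.
    A negative value means the server clock runs ahead of the phone.
    """
    server_step = server_time // STEP
    for delta in range(-search, search + 1):
        if hmac.compare_digest(hotp(secret, server_step + delta), code):
            return delta
    return None
```

With the phone at Unix time 1111111109 the code is 081804; a server 20 s ahead still accepts it (adjacent step), a server 40 s ahead rejects it, and a server 120 s ahead shows a skew of -4 steps.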

adriangibanelbtactic commented 1 year ago
> • Setup of the 2FA was still done
> • Application passwords were not anymore in my profile

1) No other Zimbra admin account might have messed around with that account's 2FA?

2) Did you change the account's main password by any chance? Apparently when you do so the application codes are revoked.

sylvain-prt commented 1 year ago
> • Setup of the 2FA was still done
> • Application passwords were not anymore in my profile
>
> 1. No other Zimbra admin account might have messed around with that account's 2FA?
> 2. Did you change the account's main password by any chance? Apparently when you do so the application codes are revoked.

I’m the only administrator (specific admin account with no 2FA yet) and I’m testing the 2FA on my own personal account. I’ve not changed the password.

sylvain-prt commented 1 year ago
> • Setup of the 2FA was still done
> • Application passwords were not anymore in my profile
>
> 1. No other Zimbra admin account might have messed around with that account's 2FA?
> 2. Did you change the account's main password by any chance? Apparently when you do so the application codes are revoked.

> I reset the 2FA on my profile and try to re-register my OTP application but when checking the 2FA code upon registration, it's still rejecting it
>
> 1. Maybe it's a problem with the Zimbra clock not being in sync with your OTP application's clock. Did you install ntpd, systemd-timesyncd or a similar tool on your Zimbra VPS?
> 2. Otherwise I guess you could check: https://wiki.zimbra.com/wiki/Steps_to_fix_two_factor_auth_setup_error.
>
> Keep us informed.

I need to check the clock, but it is normally updated automatically …

Any idea about the ERROR 500 returned, as seen in the log files?

adriangibanelbtactic commented 1 year ago

> any idea for the ERROR 500 returned as seen in the log files ?

I guess that it means that you put the wrong 6-digit code there.

Anything relevant in mailbox.log or zmmailboxd.out ?

adriangibanelbtactic commented 1 year ago

> I need to check the clock but it is automatically updated normally …

Please double-check just in case.

adriangibanelbtactic commented 1 year ago

Finally, if nothing works, please make sure that the Require 2FA check for the user is unset before letting the user set up their 2FA again.

That's something that needs to be added to the documentation, as explained here: https://github.com/btactic/zimbra-ose-2fa/issues/3.

sylvain-prt commented 1 year ago

You rock!

There was a small time difference in the VM (Azure hosted), and NTP is blocked by Azure to avoid DDoS.

It's now working again!