Closed PsySuck closed 2 years ago
HI @PsySuck
The registration process is per device, not per browser, so if you have already registered your macOS device, you don't need to do it again.
I think it is preferable to make the first registration with Safari; the FIDO attestation will certainly be more in line with Apple standards.
It is important to require verification of the user's presence in the security settings (Preferred).
regards
redhook
Hello, @redhook62. It is not about using one enrolled device in different browsers. My configuration: TOTP and Biometric - required. Other providers are disabled.
New users who try to perform the first registration in Safari can't complete registration. New users who try to perform the first registration in Chrome can complete registration, and after that can enroll Touch ID in Safari.
BTW, a YubiKey with NFC enrolled on macOS works on iPhone too.
Hi, @PsySuck
As indicated in the October release, Apple became interested very late in WebAuthN, and also immediately wanted to change things, justifying itself on their blog despite a lack of credibility...: https://webkit.org/blog/11312/meet-face-id-and-touch-id-for-the-web/
It emerges that any connection/registration must be initiated from a button or any other effective action of the user, whether with Face ID or Touch ID, and that the usage counter must always remain at zero, which is not logical since this function prevents the replay of assertions (macOS, iPhone, iPad, ...) using WebKit.
When registering your device, an attestation will be created; its type depends above all on the type of device, but also on the browser used. Once stored to allow future authentication, this certificate will always be reused, and only its usage counter will be regularly incremented. This is the reason why I am asking you to delete the keys registered for the user and re-register your iPhone through the options.
This is what I ask you to achieve.
1) Make sure that the connection is initiated by the user (click button), so turn off "FastLogin" in the security options.
2) Make sure that user presence verification is enabled.
3) Validate a registration (Attestation) with your Apple device and Safari!
4) Make sure that the registration went well.
5) Try to reconnect using Touch ID.
You do not need to register your device again with Chrome or any other browser. Please confirm the completion of the steps described.
6) Try to sign in with Chrome.
7) Try to log in with Safari again.
Please confirm the completion of the steps described.
I think Chrome doesn't create an Apple-type attestation, or it increments the usage count. Whether it is one or/and the other, it does not comply with the specifications indicated by Apple.
Confirm the test results to me, so that I can understand and move forward on your problem.
regards
redhook
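Added example (not code from adfsmfa or from anyone in this thread): how a relying party reads the flags and usage counter discussed above out of a WebAuthn authenticatorData blob, and the counter rule from the WebAuthn assertion-verification steps under which an authenticator that always reports 0 (Apple platform authenticators) is accepted, while a counter that fails to advance on a counting authenticator is treated as a replay or clone. The RP ID login.example.com and the sample bytes are constructed here; PowerShell is used because it is the shell this product is administered from.

```powershell
# Added example, not adfsmfa code: decode a WebAuthn authenticatorData blob as a
# relying party would, read the UP/UV flags and the signature counter, and apply
# the counter rule that makes Apple's always-zero counter acceptable.
# Sample values (RP ID 'login.example.com', flags, counter) are constructed here.

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    return [Convert]::FromBase64String($s)
}

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    return [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Read-AuthenticatorData {
    # Layout (WebAuthn Level 2, section 6.1): rpIdHash[32] | flags[1] | signCount[4, big-endian] | ...
    param([Parameter(Mandatory)][byte[]]$Bytes)
    if ($Bytes.Length -lt 37) { throw "authenticatorData too short ($($Bytes.Length) bytes)" }
    $flags = [int]$Bytes[32]
    $count = [uint32](([long]$Bytes[33] -shl 24) + ([long]$Bytes[34] -shl 16) + ([long]$Bytes[35] -shl 8) + [long]$Bytes[36])
    [pscustomobject]@{
        RpIdHash     = -join ($Bytes[0..31] | ForEach-Object { $_.ToString('x2') })
        UserPresent  = [bool]($flags -band 0x01)   # UP: the click/touch the thread insists on
        UserVerified = [bool]($flags -band 0x04)   # UV: Touch ID / Face ID actually verified the user
        AttestedCred = [bool]($flags -band 0x40)   # AT: present on registration, not on assertions
        SignCount    = $count
    }
}

function Test-SignCount {
    # Counter rule from the WebAuthn assertion-verification steps: only compare
    # when at least one side is non-zero; an authenticator that never counts
    # (Apple platform authenticators) reports 0 on every assertion.
    param([Parameter(Mandatory)][uint32]$Stored, [Parameter(Mandatory)][uint32]$Received)
    if ($Stored -eq 0 -and $Received -eq 0) { return 'accept (authenticator has no counter)' }
    if ($Received -gt $Stored) { return 'accept (store the new counter)' }
    return 'reject (counter did not advance: replayed assertion or cloned authenticator)'
}

# --- constructed sample: the authData of a Safari/Touch ID assertion ---
$sha = [System.Security.Cryptography.SHA256]::Create()
$rpIdHash = $sha.ComputeHash([Text.Encoding]::UTF8.GetBytes('login.example.com'))   # assumed RP ID
$sample = [byte[]]($rpIdHash + [byte]0x05 + [byte[]](0, 0, 0, 0))                   # UP|UV set, counter 0
$wire = ConvertTo-Base64Url -Bytes $sample   # the form the browser hands to the server page

$auth = Read-AuthenticatorData -Bytes (ConvertFrom-Base64Url -Text $wire)
$auth | Format-List

Test-SignCount -Stored 0 -Received $auth.SignCount   # Apple: both sides zero
Test-SignCount -Stored 0 -Received 7                 # security key: first use advances the counter
Test-SignCount -Stored 7 -Received 7                 # the same assertion presented a second time
```

The three Test-SignCount calls cover the cases the thread argues about: a platform authenticator whose counter is always 0 is accepted by design, so treating "counter stayed at 0" as a failure on Apple devices is the relying party's bug, while a counter that stops advancing on a device that does count is exactly the signal the counter exists to give.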
Hello. I missed the point about user attestation. Thanks, I will check it.
I disabled Fast Login, but it still tries to authenticate/register without asking me to click a button.
Hi,
If you do not have the form with a button, it is surely a configuration problem, because this option has been available since the integration of WebAuthN 2 years ago.
Next week I'll send you a debug build.
regards
How can I check the Fast Login parameters in the config or via PowerShell?
In the first screen
I think I have a config problem. I found this in the event log: Error decrypting value for Pass Phrase Encryption : The parameter is incorrect.
@PsySuck
Yes, there is a concern. Here is the procedure to follow.
On your primary ADFS server, as local administrator:
Launch PowerShell in Administrator mode and run: Export-MFASystemConfiguration -ExportFilePath c:\temp\myconfig.xml
1) Search for "XORSecret" and replace the value with: "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890"
2) Search for "password" under the ActiveDirectory tag and replace the value with your clear password.
3) Search for "SQLPassword" under the SQLServer tag (if applicable) and replace the value with your clear password.
4) Search for "password" under the SendMail tag (if applicable) and replace the value with your clear password.
5) Save the XML file.
Launch PowerShell in Administrator mode and run: Import-MFASystemConfiguration -ImportFilePath c:\temp\myconfig.xml
Launch the MMC console, select the Security node and test your connections.
If successful, click "SAVE".
regards
redhook
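Added example (not adfsmfa code, not redhook's script): the export / edit / import procedure above as one elevated Windows PowerShell session, with the handling a practitioner wants around a file that holds clear-text credentials. Assumptions: the two cmdlets behave as used above; the exported XML carries XORSecret, password and SQLPassword as attributes or child elements under tags named as in the steps (the script matches names case-insensitively and warns when it finds nothing); and a random 36-character secret from the same alphabet as the example string is acceptable to the product (I do not know whether it constrains length or charset; use the fixed string from the steps if the import rejects it).

```powershell
# Added example, not adfsmfa code: scripts the export / edit / import procedure.
# Run in an elevated Windows PowerShell on the primary ADFS server.
$path = Join-Path $env:TEMP 'mfa-config-fix.xml'

function New-XorSecret {
    # Random value from A-Z0-9 (same alphabet as the example secret), drawn with
    # rejection sampling so every character is equally likely. Length is an assumption.
    param([int]$Length = 36)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $out = New-Object System.Text.StringBuilder
    $buf = New-Object byte[] 1
    while ($out.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt 252) { [void]$out.Append($alphabet[$buf[0] % 36]) }   # 252 = 7 * 36, no modulo bias
    }
    return $out.ToString()
}

function Read-PlainSecret {
    # Prompt without echo; the plain string is needed because the file format is clear text.
    param([string]$Prompt)
    $ss = Read-Host -Prompt $Prompt -AsSecureString
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($ss)
    try { return [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function Set-ConfigValue {
    # Sets every attribute or element called $Name (case-insensitive) below $Parent.
    # Tag/attribute names are an assumption taken from the steps above.
    param([xml]$Doc, [string]$Name, [string]$Value, [string]$Parent = '')
    if ([string]::IsNullOrEmpty($Value)) { Write-Host "skipped '$Name' under '$Parent' (no value given)"; return }
    $lc = "translate(local-name(),'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')"
    $scope = if ($Parent) { "//*[$lc='$($Parent.ToLower())']" } else { '' }
    $hits = 0
    foreach ($n in $Doc.SelectNodes("$scope//@*[$lc='$($Name.ToLower())']")) { $n.Value = $Value; $hits++ }
    foreach ($n in $Doc.SelectNodes("$scope//*[$lc='$($Name.ToLower())']"))  { $n.InnerText = $Value; $hits++ }
    if ($hits -eq 0) { Write-Warning "no '$Name' found under '$Parent'; check the exported XML" }
    else { Write-Host "set $hits '$Name' value(s) under '$Parent'" }
}

Export-MFASystemConfiguration -ExportFilePath $path

# The file holds secrets in clear text: restrict it to Administrators before editing.
$acl = Get-Acl $path
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', 'Allow')))
Set-Acl -Path $path -AclObject $acl

$xml = [xml](Get-Content -Path $path -Raw)
Set-ConfigValue -Doc $xml -Name 'XORSecret'   -Value (New-XorSecret)
Set-ConfigValue -Doc $xml -Name 'password'    -Parent 'ActiveDirectory' -Value (Read-PlainSecret 'ActiveDirectory password')
Set-ConfigValue -Doc $xml -Name 'SQLPassword' -Parent 'SQLServer'       -Value (Read-PlainSecret 'SQL password (Enter if unused)')
Set-ConfigValue -Doc $xml -Name 'password'    -Parent 'SendMail'        -Value (Read-PlainSecret 'SendMail password (Enter if unused)')
$xml.Save($path)

try {
    Import-MFASystemConfiguration -ImportFilePath $path
}
finally {
    Remove-Item -Path $path -Force   # never leave clear-text credentials on disk
}
```

After the import, the MMC step from the procedure still applies: open the Security node, test the connections and click SAVE so the re-encrypted values are written back.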
Hi. It works. Thank you! But I still can't use Safari for full registration. Are there no additional logs?
Hi,
I still don't have a clear idea of what error you have. I would like to add logs to help you, but I still need to know where to do it; it is not possible in all the code.
First, please confirm to me that you have performed the tests I requested. Then, are your system and your browser up to date? Do not rely on Chrome: even if the system does not support WebAuthN, Chrome, Edge and Brave implement it.
Delete all the registered WebAuthN keys on your test user (in the console, for example). Then reactivate Fast Login.
With Safari, try a registration; you must have a form offering a connection with a button. If this is not the case, activate the debugger in the browser (F12), type "navigator.userAgentData.platform" in the console and note the result. Please make a detailed report of these operations.
regards
I deleted the user via MMC. I checked the AD attributes. Fast Login is disabled.
https://user-images.githubusercontent.com/87027160/142001721-a738b4b0-5350-445b-bc8e-caec34cc7a97.mov (in Developer Tools)
What is the value of "navigator.userAgentData.platform"? F12 - Console.
Are you sure about F12?
The error exists only in Safari.
In Developer Tools / Console, at the prompt: navigator.userAgentData.platform
Your browser platform is not well detected; we need to have the value of your "navigator.userAgentData.platform".
regards
OK, your platform is "MacIntel".
I will send you a custom build soon.
regards
Funny. I don't have this problem on the test env.
Please try this one.
You MUST have a form with a button for registering or for logon. Leave Fast Login enabled for other platforms.
Uninstall the prior version and install this one.
That's all.
regards
Should I export or import the config?
Funny. I don't have this problem on the test env.
With the same version? With the same parameters on WebAuthN security? Before the WebAuthN update, Apple attestation was set to None (no check at all).
Should I export or import the config?
No, just uninstall the prior MSI and install the new one.
With the same version? 3.1.2110.0 on Test, 3.1.2110.1 on Prod. With the same parameters on WebAuthN security? Yes. Before the WebAuthN update, Apple attestation was set to None (no check at all)? I think yes.
Same result.
I found this error during installation on both nodes:
Error Initializing WebAuthN Metdata Repository : There was no endpoint listening at net.tcp://localhost:5987/WebAdminService that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details. /// Server stack trace: at System.ServiceModel.Channels.ConnectionUpgradeHelper.DecodeFramingFault(ClientFramingDecoder decoder, IConnection connection, Uri via, String contentType, TimeoutHelper& timeoutHelper) at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.SendPreamble(IConnection connection, ArraySegment`1 preamble, TimeoutHelper& timeoutHelper)
at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.DuplexConnectionPoolHelper.AcceptPooledConnection(IConnection connection, TimeoutHelper& timeoutHelper)
at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.CallOpenOnce.System.ServiceModel.Channels.ServiceChannel.ICallOnce.Call(ServiceChannel channel, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at Neos.IdentityServer.MultiFactor.IWebAdminServices.HasBLOBPayloadCache()
at Neos.IdentityServer.MultiFactor.Data.WebAdminManagerClient.HasBLOBPayloadCache()
at Neos.IdentityServer.MultiFactor.WebAuthN.Metadata.BaseSystemMetadataRepository.HasBLOBPayloadCache()
at Neos.IdentityServer.MultiFactor.WebAuthN.Metadata.MDSMetadataRepository.1.GetResult()
I didn't see this in "netsh http show urlacl".
Hi,
OK, I will therefore put explicit logs. For the indicated error: yes, this happens during the installation, when the services are not yet available. You can ignore this error; just check that the Windows service "MFA Notification Hub" is started on each server.
I tested the new build on the test env. The same problem is now present on the test env too.
Hi, @PsySuck
Can you test this build? We put some logs in to trace why you have problems in registration (watching UserAgentData or UserAgent).
Afterwards, please look at the event log of your ADFS servers for Warning entries with event IDs 100, 101, 102, 103. Then send us your results.
regards
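Added example (not adfsmfa code): the two checks redhook asks for in this thread, the "MFA Notification Hub" service state and the Warning events 100 to 103 in the Application log, run against every ADFS node from one admin session so that a node where the hub is stopped or the events never appear stands out. The hostnames are placeholders; the service is located by the display name given above; the event IDs, log name and level are the ones stated in the thread (Level 3 is Warning), and no event provider name is filtered because the thread does not give one.

```powershell
# Added example, not adfsmfa code: check the hub service and the 100-103 warnings on all nodes.
$servers = 'adfs01.corp.example', 'adfs02.corp.example'   # assumed hostnames, replace with your farm
$eventIds = 100, 101, 102, 103                              # IDs named in the thread

$report = Invoke-Command -ComputerName $servers -ArgumentList (,$eventIds) -ScriptBlock {
    param($ids)
    $svc = Get-Service -DisplayName 'MFA Notification Hub' -ErrorAction SilentlyContinue
    # Level 3 = Warning; @() keeps a single event from collapsing to a scalar.
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Level = 3; Id = $ids } `
                  -MaxEvents 20 -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Server       = $env:COMPUTERNAME
        HubService   = if ($svc) { $svc.Status } else { 'NOT FOUND' }
        WarningCount = $events.Count
        Latest       = if ($events.Count) { $events[0].TimeCreated } else { $null }
        Messages     = @($events | ForEach-Object { '[{0}] {1}' -f $_.Id, ($_.Message -split "`r?`n")[0] })
    }
}

$report | Select-Object Server, HubService, WarningCount, Latest | Format-Table -AutoSize
$report | ForEach-Object { "--- $($_.Server) ---"; $_.Messages }
```

A node reporting HubService Running with WarningCount 0 after a registration attempt is the situation described further down: the instrumented code path was never reached, which is itself diagnostic.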
I can't find these events.
In the event log of your ADFS server - Application.
I checked Application, System, ADFS Admin and ADFS Trace - nothing.
This afternoon I will send you a new build with new traces and JavaScript alerts. That there are no logs is already important information.
Hi, @PsySuck
Added more logs (warnings in the Application event log) and alerts when detecting your device. You can also check for JavaScript errors.
Please send me back your test results.
regards
Empty, even though registration completed successfully in Brave.
@PsySuck
Just one Question.
Did you get JavaScript alerts (message box)? If not, I think you need to check your browser settings.
Either way, when the user agent is null, you must have a form to click on. Moreover, at the start of your session at least one entry in the event log must be written. Then, in the registration process, we must have inputs; we are just going to make sure that with a null value, the whole registration process proceeds normally for any device.
regards
Hello. You are right - here is the problem.
I unchecked this option and now I am able to enroll the device via Safari.
Hi @PsySuck
Great !
Can you confirm to me that it works now?
regards
I can confirm it. It looks like this setting was enabled by default last month by Apple. Can I close this ticket, or do you need additional info from me?
Hi @PsySuck
I am very satisfied that you can register. Yes, you can close the issue if you want. If you have any other questions, I would be very happy to answer them. In the meantime, I wish you a good weekend.
regards
redhook
Thank you!
Hi @rtemelcea, @PsySuck
We will be rolling out a version in December, with modifications concerning Apple devices among others. We added properties to the WebAuthN (PowerShell) configuration.
You must leave "Fast Login" active. With Safari (iPhone, iPad, desktop, ...) you must click to use Face ID or Touch ID. With Chrome or others, "Fast Login" must be used.
You can also test with "Allow privacy-preserving measurement of ad effectiveness" in the Safari settings.
Can you give me a feedback before publication?
regards
redhook
Hi. I am checking.
On Fri, 26 Nov 2021 at 12:58, redhook wrote:
Hi @rtemelcea, @PsySuck
We will be rolling out a version in December, with modifications concerning Apple devices among others. We added properties to the WebAuthN (PowerShell) configuration.
- ForbiddenBrowsers: IE, Samsung (redirected to choose another option)
- InitiatedBrowsers: Safari (the user must click on a button to initiate registration or login ceremony)
- NoCounterBrowsers: Safari (Usage count is always 0)
You must leave "Fast Login" active. With Safari (iPhone, iPad, desktop, ...) you must click to use Face ID or Touch ID. With Chrome or others, "Fast Login" must be used.
Can you give me a feedback before publication?
adfsmfa 3.1.2112.0.zip https://github.com/neos-sdi/adfsmfa/files/7607929/adfsmfa.3.1.2112.0.zip
regards
redhook
I will check and come back with an answer tonight.
I can't enroll the device anymore.
Have you used "Allow privacy-preserving measurement of ad effectiveness"? If yes, try to disable it.
It was disabled.
Hi @PsySuck, @rtemelcea
I just tested with your userAgent; for me everything works correctly (registration and logon). Fast Login is deactivated and offers a form with a button (your browser is Safari). The usage counter remains at 0.
It is possible that your browser is preventing its detection, so check your settings to understand. However, the changes we made allow you to change the behavior, so try the following after installing the latest build.
$c = get-mfaProvider -ProviderType Biometrics
$c.InitiatedBrowsers = "safari; unknown"
$c.NoCounterBrowsers = "safari; unknown"
Set-mfaProvider -ProviderType Biometrics $c
regards
redhook
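Added example (not adfsmfa code, not redhook's snippet): the same four lines as above, but checking first whether the Biometrics provider object returned by the installed build actually exposes InitiatedBrowsers and NoCounterBrowsers as settable, so that an older build fails with a clear warning instead of the PropertyAssignmentException reported just below. It relies only on the two cmdlets and property names shown in this thread, and on Get-Member reporting settable .NET properties with a "{get;set;}" definition; the positional call to Set-MFAProvider copies redhook's usage.

```powershell
# Added example, not adfsmfa code: apply the Safari browser lists only if this build lets you.
function Get-WritableProperties {
    param([Parameter(Mandatory)]$Object)
    # Get-Member's Definition ends in "{get;set;}" for settable .NET properties and "{get;}" for read-only ones.
    $Object | Get-Member -MemberType Property |
        Where-Object { $_.Definition -match '\{get;set;\}' } |
        Select-Object -ExpandProperty Name
}

function Set-MfaBrowserLists {
    param([string]$Initiated = 'safari; unknown', [string]$NoCounter = 'safari; unknown')
    $c = Get-MFAProvider -ProviderType Biometrics
    $writable = @(Get-WritableProperties -Object $c)
    $wanted = @{ InitiatedBrowsers = $Initiated; NoCounterBrowsers = $NoCounter }
    $changed = $false
    foreach ($name in $wanted.Keys) {
        if ($writable -contains $name) {
            $c.$name = $wanted[$name]
            $changed = $true
        } else {
            Write-Warning "$name is missing or read-only on $($c.GetType().Name); install the newer build before setting it"
        }
    }
    if ($changed) { Set-MFAProvider -ProviderType Biometrics $c }   # same calling form as the snippet above
    return $c | Select-Object InitiatedBrowsers, NoCounterBrowsers
}

Set-MfaBrowserLists
```

Run it once after installing the build that introduces these properties; on the earlier build it leaves the provider untouched and only prints the warning.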
PS C:\Windows\system32> $c.NoCounterBrowsers = "safari; unknown"
'NoCounterBrowsers' is a ReadOnly property.
At line:1 char:1
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : PropertyAssignmentException
I think Fast Login works even if it is disabled in the GUI. I disabled it, but all browsers still try to enroll the device automatically.
Hm. Could you describe the update procedure?
On Sat, 27 Nov 2021, 11:07 redhook wrote:
@PsySuck
Yes, but you must install the latest build provided for this
latest build https://github.com/neos-sdi/adfsmfa/files/7609495/adfsmfa.zip
regards
Download it and uninstall your current beta version.
regards
Hi. My setup:
I found that I cannot complete registration when using Touch ID and Safari. If the user has already registered using another browser, then they can enroll Touch ID using Safari. Steps to reproduce:
On a further attempt to enroll the biometric device (Touch ID), this error appears: Your account is not validated ! You can try the operation again by selecting "Previous".
This request has been cancelled by the user.
If you create the user first using the PowerShell command, or use another browser, the problem is not reproducible. There is nothing in the event logs.