Closed PsySuck closed 2 years ago
Hi, @PsySuck
This is in no way related to a user moving to another OU. As mentioned in discussion 197, the username has been changed. It's an RSA security feature: keys cannot be copied from one user to another. Either you give this user the same UPN as before, or he will have to re-register his TOTP key.
regards
UPN was not changed. DN was changed. Without register biometric devices I can move users without any problem.
Yes, the distinguishedName is stored inside the biometric key (storage only). So, you have to register your devices.
In this case, why does OTP break too? Could you add this info to the wiki? This is a very important note.
In any phase of recording and playback, there is a check that is made regardless of the provider used. The user integrity is fully tested. If validation is negative -> SECURITY ERROR.
UPN was not changed. DN was changed. Without register biometric devices I can move users without any problem.
As indicated in the past, I confirm that when you do not change the identification claim (UPN or Windows Account, depending on your configuration), the TOTP keys (RSA, AES) and the biometric key (WebAuthN) remain valid. Otherwise: SECURITY ERROR. You will need to re-register the TOTP key and the different devices for biometrics.
Wow. I replied via email on June 16.
"I confirm that when you do not change the identification claim (UPN or Windows Account depending on your configuration), the TOTP keys (RSA, AES), the biometric key (WebAuthN) remain valid", and the DN of the user. That makes me sad.
To end on the subject.
There are 2 possible claims for the identity of a user (UPN, samAccount). These values are used in the encoding of the keys, and a verification is made; it's a security option, it's a feature. It's therefore not possible to copy TOTP or WebAuthN keys from one user to another. This will not change.
It's not very difficult, when the user changes UPN (marriage for example, or a change of domain name), to re-register these keys (which is moreover desirable to carry out regularly).
Of course, it would have been possible to add a claim of the GUID type (ObjectID for example), but this is not more satisfactory: the name becomes humanly incomprehensible.
There is no magic solution; for version 3 there will be no modifications made in this direction. For version 4, there are other things planned for 2023. One of the concerns is to keep the compatibility linked to the storage of user attributes.
These keys must be recreated.
regards
This is weird.
How I understand it: UPN and SamAccountName should not be changed, that is clear. But I am talking about distinguishedName.
In my situation:
distinguishedName was CN=User1,OU=O2,DC=DC1,DC=com
I moved the user.
New distinguishedName: CN=User1,OU=O2222,DC=DC1,DC=com
You wrote to me: "Yes, the distinguishedName is stored inside the biometric key (storage only)." It is not related to UPN and SamAccountName.
Yes, now!
I understand your "problem" a bit better: you are "playing" with OUs. The distinguishedName is optionally stored in the WebAuthN key, and this is used for security purposes (as explained before).
However, we can give you a fall-back on the username. You will have to explicitly enable this fall-back (either in the registry of each server, or only in PowerShell, or at best, if we have some time, in the console).
We don't consider WebAuthN to be the most secure option (hey yes! the IETF takes care of that...). Out of 10, our rating is 9 (very good...); however, unlike some "experts" in security, we give 10 to TOTP (excellent). Well, only those who have been screwed can tell you about it.
In any case, don't expect this change before November.
regards
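To make the behaviour discussed in the two comments above concrete (a key "encoded" with the identity claims and verified on every load; the distinguishedName optionally folded into that binding; and a fall-back that binds on the username only), here is a toy model of an identity-bound key store. This is an added illustration and not adfsmfa's code or algorithm: the HMAC-based wrapping, the `bind_dn` switch and the constructed user, master secret and DNs are all assumptions made for the example. It shows why a UPN change always fails, why an OU move fails only when the DN is part of the binding, and why moving the user back makes the old registration work again.

```python
"""Toy model of an identity-bound MFA key store (constructed example, not adfsmfa's code).

A registered secret is wrapped under a key derived from the server master secret
and the user's identity claims, then tagged. Loading it under different claims
derives a different wrapping key, so the tag check fails: "Invalid Key for user".
"""
import hashlib
import hmac
import secrets


class SecurityError(Exception):
    """Raised when a stored key does not verify against the presented identity."""


def _binding(upn: str, dn: str, bind_dn: bool) -> bytes:
    # Identity material the key is bound to. The UPN is always included;
    # the distinguishedName only when bind_dn is True (the assumed "strong" encoding).
    parts = [upn.casefold().encode("utf-8")]
    if bind_dn:
        parts.append(dn.casefold().encode("utf-8"))
    return b"\x00".join(parts)


def _wrap_key(master: bytes, binding: bytes) -> bytes:
    # Per-identity wrapping key: HMAC of the claims under the server master secret.
    return hmac.new(master, b"wrap|" + binding, hashlib.sha256).digest()


def _keystream(wrap_key: bytes, n: int) -> bytes:
    # Simple counter-mode keystream from the wrapping key (illustrative only).
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(wrap_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def register_secret(master: bytes, secret: bytes, upn: str, dn: str, bind_dn: bool = True) -> dict:
    """Wrap `secret` under the user's claims and return the stored record."""
    wk = _wrap_key(master, _binding(upn, dn, bind_dn))
    blob = bytes(a ^ b for a, b in zip(secret, _keystream(wk, len(secret))))
    tag = hmac.new(wk, b"tag|" + blob, hashlib.sha256).digest()
    return {"blob": blob, "tag": tag, "bind_dn": bind_dn}


def load_secret(master: bytes, record: dict, upn: str, dn: str) -> bytes:
    """Verify the record against the presented claims and unwrap the secret."""
    wk = _wrap_key(master, _binding(upn, dn, record["bind_dn"]))
    expected = hmac.new(wk, b"tag|" + record["blob"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        # The integrity check runs before any provider logic: wrong claims -> SECURITY ERROR.
        raise SecurityError(f"Invalid Key for user {upn}")
    return bytes(a ^ b for a, b in zip(record["blob"], _keystream(wk, len(record["blob"]))))


def ou_move_scenarios() -> dict:
    """Replay the thread's scenarios; True means the old registration still loads."""
    master = secrets.token_bytes(32)   # constructed: server-side master secret
    secret = secrets.token_bytes(20)   # constructed: a fresh TOTP seed
    upn = "user1@dc1.com"              # constructed identity claim
    old_dn = "CN=User1,OU=O2,DC=DC1,DC=com"
    new_dn = "CN=User1,OU=O2222,DC=DC1,DC=com"

    def attempt(record: dict, upn_now: str, dn_now: str) -> bool:
        try:
            return load_secret(master, record, upn_now, dn_now) == secret
        except SecurityError:
            return False

    strong = register_secret(master, secret, upn, old_dn, bind_dn=True)   # DN in the binding
    weak = register_secret(master, secret, upn, old_dn, bind_dn=False)    # username-only fall-back
    return {
        "unchanged": attempt(strong, upn, old_dn),
        "upn_changed": attempt(strong, "user1.married@dc1.com", old_dn),
        "ou_moved_strong": attempt(strong, upn, new_dn),
        "ou_moved_back": attempt(strong, upn, old_dn),
        "ou_moved_weak": attempt(weak, upn, new_dn),
        "upn_changed_weak": attempt(weak, "user1.married@dc1.com", new_dn),
    }


if __name__ == "__main__":
    for name, ok in ou_move_scenarios().items():
        print(f"{name:18s} {'OK' if ok else 'SECURITY ERROR'}")
```

The model deliberately keeps the claims out of the stored record: the store holds only a wrapped blob and a tag, so nothing in the record can be edited to point it at another user, and a registration copied between users is rejected by the same check that rejects a renamed user.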
Thank you. This is very unexpected.
Hi,
This should fix your problem. You will still need to delete and recreate existing entries for affected users; then you can verify that, by changing the OU, it should continue to work. This may be the November release; maybe there will be additions. Please delete the zip after you get it.
To enable the feature in PowerShell:

```powershell
# Read the ADDS store configuration, enable the username fall-back, write it back
$s = Get-MFAStore -Store ADDS
$s.WeakPublicKeyEncoding = $true
Set-MFAStore -Store ADDS $s
```
regards
Hi. I found that if a user enrolls biometric devices, sets one as default, and I move the user to another OU, adfsmfa asks to register OTP again. In the event log:
Invalid Key for user *****
The UPN claim is present.
If I move the user back to the old OU, the user is able to log in using the old app.