Closed MDaugaardDK closed 4 years ago
Hi, @MDaugaardDK
I don't really understand the sequence you have explained. But keep in mind that your ADFS servers and the client device MUST be in sync with universal time, e.g. time.windows.com. TOTP is based on the current time (in your case: the current and the 2 prior codes). You must also provide a company name, see: https://github.com/neos-sdi/adfsmfa/issues/9
Regards
I think all is in sync. GMT+2.
But when I'm entering the TOTP code it is not invalid... but I'm getting redirected to entering the code again... maybe an ADFS problem on my side? I'm trying to use ADFSMFA on Exchange ECP.
Yes, by default you have three tries; finally, this is configurable. At the last unsuccessful attempt you must be blocked and restart your session. Also check the "Anti Replay" function: if this is activated you cannot enter the same code during the validation window, which is 5 minutes by default. I will confirm tomorrow by testing with the parameters which you indicated to me. Using Exchange has no impact.
Regards
Hi, @MDaugaardDK
I just tested with the parameters provided, and of course everything works perfectly.
It is therefore necessary that you check a few points.
The ADFS servers and the client device must be synchronized on the hour (the code changes every 30 seconds + the 2 previous "shadow" codes). The best is to activate the sync with an atomic clock (e.g. time.windows.com).
You must make sure that all the prerequisites are respected, see: https://github.com/neos-sdi/adfsmfa/wiki/01-Installation#prerequisites In particular, on the question of rights on ADDS.
You must also make sure that each Relying Party (each federated application described in ADFS) publishes a upn type claim, see: https://github.com/neos-sdi/adfsmfa#remarks This one: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn And of course the userPrincipalName must be present for each user (name.surname@domain.com or other).
If you have more information?
Regards
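As an added illustration (not code from adfsmfa or its author), a Python sketch of the checks described in this thread: a TOTP validator using HMAC-SHA512 that accepts the current code plus the 2 previous shadow codes, rejects a code re-entered inside the 5-minute anti-replay window, and shows what a device clock 2 minutes behind the ADFS server produces. The secret and timestamp are constructed for the demo.

```python
import hmac
import hashlib
import struct

STEP = 30            # TOTP time step: the code changes every 30 seconds
HISTORY = 2          # "Code history: 2": current code plus the 2 previous shadow codes
REPLAY_WINDOW = 300  # "Anti Replay" validation window, 5 minutes by default

# Constructed demo secret and timestamp; a real secret comes from the enrolled key.
SECRET = b"constructed-demo-secret-not-a-real-key"
NOW = 1_700_000_000.0


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 TOTP over a time-step counter, using HMAC-SHA512 (the 'SHA512' setting)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha512).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Server-side check: code-history window plus anti-replay, as the thread describes."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.used = {}   # accepted code -> time it was accepted

    def verify(self, code: str, now: float) -> str:
        counter = int(now // STEP)
        # Forget accepted codes once they fall outside the replay window.
        self.used = {c: t for c, t in self.used.items() if now - t < REPLAY_WINDOW}
        if code in self.used:
            return "replay"              # same code re-entered inside the 5-minute window
        for back in range(HISTORY + 1):  # current step, then the 2 previous ones
            if hmac.compare_digest(totp(self.secret, counter - back), code):
                self.used[code] = now
                return "ok"
        return "invalid"                 # wrong code, or device clock too far from server


if __name__ == "__main__":
    server = TotpVerifier(SECRET)
    counter = int(NOW // STEP)
    print("in-sync device:      ", server.verify(totp(SECRET, counter), NOW))
    print("same code re-entered:", server.verify(totp(SECRET, counter), NOW + 40))
    # A device clock 2 minutes slow produces the code for counter-4: outside history 2.
    print("device 2 min behind: ", server.verify(totp(SECRET, counter - 4), NOW))
```

A device that is 60 seconds behind still lands inside the 2-code history; one that is 2 minutes behind does not, which is why the code looks valid on the phone but keeps being rejected server-side.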
Today everything works fine... I think it was because our Service Account was not a part of Account Operators :-)
I'm experiencing some problems in ADFSMFA 3.0.0.1 and 3.0.0.2. When I'm registering myself with TOTP (Microsoft and Google auth.) it's OK. I'm entering the code the first time and am approved. But afterwards, when I'm entering the code from the TOTP app, it won't go on... the box with "Enter Code" just keeps coming back. Nothing to see in the ADFS log.
My setup is: Active Directory Storage Mode; Security Configuration: RNG 256 Bits; TOTP; Code history: 2; algorithm: SHA512; Security mode: RNG; Key Length: DEFAULT (1024 Bits).
Maybe my setup is wrong?