Closed hawleyOSU closed 3 years ago
OTP support has not been added to the module as of yet.
It's not TOTP, it's Duo HOTP or Push, that's missing. Any user with Duo can not use the module. If you want to contact me feel free. I looked at the code and it just needs to include the OTP in the token request's header. I looked at the code and can even show you working code for this. Unfortunately at this time my employer does not allow me to share IP.
Feel free to reclassify this as a feature request if necessary, but until it supports MFA users with Duo can not use the module.
Andy Hawley
From: Shawn Melton @.> Sent: Thursday, March 25, 2021 1:01 PM To: thycotic-ps/thycotic.secretserver @.> Cc: Hawley, Andrew @.>; Author @.> Subject: Re: [thycotic-ps/thycotic.secretserver] [Bug] Users with (Duo) MFA Applied can not authenticate with New-Session (#130)
TOTP support has not been added to the module as of yet.
If users want to add a 👍🏻 to your request and a sufficient amount show interest in the need to support it then it can be moved up in priority.
I'm not aware of many using the module for interactive sessions at this time.
Describe the bug
Users with MFA enabled, specifically Duo, can not authenticate with new-session, and receive an invalid Duo Pin code error.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
User should be able to provide an OTP pin or the string "push" as a parameter to new-tsssession. This value should be passed to Invoke-RestApi as $invokeParams.Header. Including
$Headers = @{"OTP" = $OTP}
in the header of the oauth2 request will cause Secret Server to issue the request for a push or validate the string as a user OTP.
Environment (please complete the following information):
Secret Server Build/Version: 10.9.0000035
PowerShell version
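A stand-alone PowerShell sketch of the token request the report describes, added here as an example and not code from the thycotic.secretserver module. The header name OTP and the "push" value come from the post above; the /oauth2/token path and the grant_type=password form body are assumed from Secret Server's standard OAuth2 password flow, and the server URL is a placeholder.

```powershell
function New-SecretServerToken {
    [CmdletBinding()]
    param(
        # Base URL of the Secret Server instance (placeholder value in the usage line below).
        [Parameter(Mandatory)][string]$SecretServer,
        [Parameter(Mandatory)][pscredential]$Credential,
        # Either a numeric one-time code or the literal string "push" to trigger a Duo push.
        [string]$OTP
    )

    # Assumption: the OAuth2 endpoint is <base>/oauth2/token and accepts the
    # resource-owner password grant. Only the OTP header is taken from the issue text.
    $uri  = "$($SecretServer.TrimEnd('/'))/oauth2/token"
    $body = @{
        username   = $Credential.UserName
        password   = $Credential.GetNetworkCredential().Password
        grant_type = 'password'
    }

    $invokeParams = @{
        Uri         = $uri
        Method      = 'POST'
        Body        = $body
        ContentType = 'application/x-www-form-urlencoded'
    }

    # The missing piece from the report: the OTP (or "push") travels in the request
    # header, not the body. Without it an MFA user gets the "invalid Duo Pin code" error.
    if ($OTP) {
        $invokeParams.Headers = @{ 'OTP' = $OTP }
    }

    try {
        $response = Invoke-RestMethod @invokeParams
    }
    catch {
        # Surface the failure without echoing the credential or the raw request.
        throw "Token request to $uri failed: $($_.Exception.Message)"
    }

    # Return only the bearer token; callers should treat it as a secret.
    return $response.access_token
}

# Usage (placeholder URL); -OTP 'push' sends a Duo push, -OTP '123456' validates a code:
# $token = New-SecretServerToken -SecretServer 'https://vault.example.com/SecretServer' `
#              -Credential (Get-Credential) -OTP 'push'
```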