Thanks for your feedback Mickaël,

For the second part I'm presented with the qrcode and 5 scratch codes. When I scan the qrcode my Google Authenticator app on my phone accepts it.
Then I click on register and enter the token displayed by the Google Authenticator app and it says --> "*Credentials are rejected/invalid and authentication attempt has failed.*"

This is what I see in the CAS log file:

*DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Attempting to authenticate credential [OneTimeTokenCredential(token=420195)]>*
*DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Attempting authentication of [420195] using [GoogleAuthenticatorAuthenticationHandler]>*
*DEBUG [org.apereo.cas.adaptors.gauth.GoogleAuthenticatorAuthenticationHandler] - <Received OTP [420195]>*
*DEBUG [org.apereo.cas.adaptors.gauth.GoogleAuthenticatorAuthenticationHandler] - <Received principal id [jeremy]. Attempting to locate account in credential repository...>*
*DEBUG [org.apereo.cas.adaptors.gauth.GoogleAuthenticatorAuthenticationHandler] - <Attempting to locate OTP token [420195] in token repository for [jeremy]...>*
*DEBUG [org.apereo.cas.adaptors.gauth.GoogleAuthenticatorAuthenticationHandler] - <Attempting to authorize OTP token [420195]...>*
*WARN [org.apereo.cas.adaptors.gauth.GoogleAuthenticatorAuthenticationHandler] - <Authorization of OTP token [420195] has failed>*

It seems to me that when I use the scratch codes they are stored in the mongodb and can be found in the token repository (stored in db), but not the tokens generated by the Google Authenticator app? Not sure if my understanding is correct?

Thanks in advance
Jeremy

On Thursday, 21 February 2019 16:50:42 UTC+2, Mickaël wrote:
>
> Yes Jeremy, that's what I mean.
> I'm using JPA for my service registry and the CAS manager webapp but it is the same way.
>
> For the second part, are you invited to enter the token code displayed by your Google Authenticator app?
>
> If it doesn't work, perhaps your server does not have the correct time. NTP can help you to fix it.
>
> Sincerely,
>
> Mickaël
>
> On Thu. 21 Feb 2019 at 13:53, Jeremy Van Rooyen <jeremy...@gmail.com> wrote:
>
>> Hi Mickaël,
>>
>> On Thursday, 21 February 2019 14:01:17 UTC+2, Mickaël wrote:
>>>
>>> Hi Jeremy,
>>>
>>> It is great news about the scratch codes.
>>>
>>> I'm not sure I understand your question about the qrcode. To register a device, it is possible and required when a service is registered on your CAS with "Google Authentication" as MFA.
>>>
>>
>> Do you mean that the service "Google Authentication" as MFA must be registered under the services configuration in json format?
>>
>>> So, at the first login without a registered device, the user will be asked to scan the qrcode on the screen and save (or print) the scratch codes. After clicking on the next button, the user should enter his token in the field to finish the registration and be redirected to the service.
>>>
>>
>> This is what happens, exactly the way you explain it here. So when I scan the qrcode with my phone it does not take the codes generated on the Google Authenticator app. It however does take the on screen codes.
>>
>> I hope this clears up my question?
>>
>>> Does it answer your question Jeremy?
>>>
>>> My own question about this system: how to unregister a device in case of a change of device or loss? I don't know the URL to do that...
>>>
>>> Sincerely,
>>>
>>> Mickaël
>>>
>>> On Thursday, 21 February 2019 11:32:54 UTC+1, Jeremy Van Rooyen wrote:
>>>>
>>>> Hi Mickaël,
>>>>
>>>> Thanks for your reply.
>>>>
>>>> So after playing around a bit more it seems like the on screen scratch codes are being stored in the mongodb and using those it allows me to authenticate perfectly.
>>>>
>>>> The next question is how would one register via the qrcode using the Google Authenticator app on the phone? Or am I not understanding something?
>>>>
>>>> Kind Regards
>>>> Jeremy
>>>>
>>>> On Tuesday, 19 February 2019 10:30:29 UTC+2, Mickaël wrote:
>>>>>
>>>>> Hello,
>>>>>
>>>>> Are you sure there is anything registered in your Mongo database? Scratch codes and tokens are stored in the DB for each user in 2 different tables.
>>>>>
>>>>> It is strange to see that, normally "WHO" is the user, not the token:
>>>>> *WHO: 253227*
>>>>> *WHAT: Supplied credentials: [[token=253227]]*
>>>>>
>>>>> For information, I am using gauth with MariaDB without any issue.
>>>>>
>>>>> Mickaël
>>>>>
>>>>> On Thursday, 15 February 2018 09:53:52 UTC+1, Janina Byky wrote:
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I'm trying to set up CAS 5.2.2 with Google Authenticator as a second auth factor for specified services. CAS is running over LDAP (AD) and GAuth based on mongo. So far everything was great: the build succeeded, the GAuth qrcode appears, the user registers and now it's time for the TOKEN form. I'm typing all scratch codes and those generated by Google Authenticator, but every single attempt is unsuccessful. Also there's no collection created to store tokens in mongo. Only GAuthRepository is created with proper values of registered users.
>>>>>>
>>>>>> *cas.properties*
>>>>>>
>>>>>> cas.authn.accept.users=
>>>>>>
>>>>>> cas.authn.ldap[0].order=0
>>>>>> cas.authn.ldap[0].type=AUTHENTICATED
>>>>>> cas.authn.ldap[0].ldapUrl={CUT}
>>>>>> cas.authn.ldap[0].connectionStrategy=DEFAULT
>>>>>> cas.authn.ldap[0].useSsl=true
>>>>>> cas.authn.ldap[0].connectTimeout=15000
>>>>>> cas.authn.ldap[0].subtreeSearch=true
>>>>>> cas.authn.ldap[0].baseDn={CUT}
>>>>>> cas.authn.ldap[0].userFilter=(|(sAMAccountName={user})(userPrincipalName={user}))
>>>>>> cas.authn.ldap[0].bindDn={CUT}
>>>>>> cas.authn.ldap[0].bindCredential={CUT}
>>>>>> cas.authn.ldap[0].enhanceWithEntryResolver=true
>>>>>> cas.authn.ldap[0].principalAttributeId=sAMAccountName
>>>>>> cas.authn.ldap[0].principalAttributePassword=
>>>>>> cas.authn.ldap[0].usePasswordPolicy=true
>>>>>> cas.authn.ldap[0].principalAttributeList=sn,cn:commonName,givenName,sAMAccountName,memberOf
>>>>>> cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true
>>>>>> cas.authn.ldap[0].poolPassivator=NONE
>>>>>> cas.authn.ldap[0].minPoolSize=2
>>>>>> cas.authn.ldap[0].maxPoolSize=15
>>>>>>
>>>>>> cas.authn.mfa.globalProviderId=mfa-gauth
>>>>>> cas.authn.mfa.globalFailureMode=CLOSED
>>>>>>
>>>>>> cas.authn.mfa.gauth.issuer=TEST
>>>>>> cas.authn.mfa.gauth.codeDigits=6
>>>>>> cas.authn.mfa.gauth.timeStepSize=60
>>>>>> cas.authn.mfa.gauth.windowSize=3
>>>>>> cas.authn.mfa.gauth.label=TEST
>>>>>> cas.authn.mfa.gauth.rank=0
>>>>>>
>>>>>> cas.authn.mfa.gauth.cleaner.enabled=true
>>>>>> cas.authn.mfa.gauth.cleaner.schedule.startDelay=20000
>>>>>> cas.authn.mfa.gauth.cleaner.schedule.repeatInterval=60000
>>>>>>
>>>>>> cas.authn.mfa.gauth.bypass.type=DEFAULT
>>>>>>
>>>>>> cas.authn.mfa.gauth.mongo.clientUri=${mongo.uri}
>>>>>> cas.authn.mfa.gauth.mongo.dropCollection=false
>>>>>> cas.authn.mfa.gauth.mongo.collection=GAuthRepository
>>>>>> cas.authn.mfa.gauth.mongo.tokenCollection=GoogleAuthenticatorMongoDbTokenRepository
>>>>>>
>>>>>> *pom.xml*
>>>>>>
>>>>>> <dependency>
>>>>>> <groupId>org.apereo.cas</groupId>
>>>>>> <artifactId>cas-server-webapp${app.server}</artifactId>
>>>>>> <version>${cas.version}</version>
>>>>>> <type>war</type>
>>>>>> <scope>runtime</scope>
>>>>>> </dependency>
>>>>>> <dependency>
>>>>>> <groupId>org.apereo.cas</groupId>
>>>>>> <artifactId>cas-server-support-ldap</artifactId>
>>>>>> <version>${cas.version}</version>
>>>>>> </dependency>
>>>>>> <dependency>
>>>>>> <groupId>org.apereo.cas</groupId>
>>>>>> <artifactId>cas-server-support-saml</artifactId>
>>>>>> <version>${cas.version}</version>
>>>>>> </dependency>
>>>>>> <dependency>
>>>>>> <groupId>org.apereo.cas</groupId>
>>>>>> <artifactId>cas-server-support-gauth</artifactId>
>>>>>> <version>${cas.version}</version>
>>>>>> </dependency>
>>>>>> <dependency>
>>>>>> <groupId>org.apereo.cas</groupId>
>>>>>> <artifactId>cas-server-support-gauth-mongo</artifactId>
>>>>>> <version>${cas.version}</version>
>>>>>> </dependency>
>>>>>>
>>>>>> *catalina.log*
>>>>>>
>>>>>> 2018-02-15 09:31:13,952 DEBUG [org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] - <Authentication handlers used for this transaction are [GoogleAuthenticatorAuthenticationHandler,LdapAuthenticationHandler,HttpBasedServiceCredentialsAuthenticationHandler]>
>>>>>> 2018-02-15 09:31:13,953 DEBUG [org.apereo.cas.adaptors.gauth.GoogleAuthenticatorAuthenticationHandler] - <Received OTP [*253227*]>
>>>>>> 2018-02-15 09:31:13,954 DEBUG [org.apereo.cas.adaptors.gauth.GoogleAuthenticatorAuthenticationHandler] - <Received principal id *[j.byky*]>
>>>>>> 2018-02-15 09:31:13,970 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[GoogleAuthenticatorAuthenticationHandler] exception details: [Failed to authenticate code *253227*].>
>>>>>> 2018-02-15 09:31:13,971 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Credential is not one of username/password and is not accepted by handler [LdapAuthenticationHandler]>
>>>>>> 2018-02-15 09:31:13,972 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <*Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [[token=253227]] of type [GoogleAuthenticatorTokenCredential]*.>
>>>>>> 2018-02-15 09:31:13,976 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
>>>>>> =============================================================
>>>>>> *WHO: 253227*
>>>>>> *WHAT: Supplied credentials: [[token=253227]]*
>>>>>> ACTION: AUTHENTICATION_SUCCESS
>>>>>> APPLICATION: CAS
>>>>>> WHEN: Thu Feb 15 09:31:13 CET 2018
>>>>>> CLIENT IP ADDRESS: 10.100.100.20
>>>>>> SERVER IP ADDRESS: 10.40.0.2
>>>>>> =============================================================
>>>>>>
>>>>>> 2018-02-15 09:31:13,978 ERROR [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <1 errors, 0 successes>
>>>>>> org.apereo.cas.authentication.AuthenticationException: 1 errors, 0 successes
>>>>>> at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.evaluateFinalAuthentication(PolicyBasedAuthenticationManager.java:400) ~[cas-server-core-authentication-5.2.2.jar:5.2.2]
>>>>>> at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticateInternal(PolicyBasedAuthenticationManager.java:380) ~[cas-server-core-authentication-5.2.2.jar:5.2.2]
>>>>>> at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticate(PolicyBasedAuthenticationManager.java:220) ~[cas-server-core-authentication-5.2.2.jar:5.2.2]
>>>>>> at org.apereo.cas.authentication.PolicyBasedAuthenticationManager$$FastClassBySpringCGLIB$$90e801d3.invoke(<generated>) ~[cas-server-core-authentication-5.2.2.jar:5.2.2]
>>>>>> at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) ~[spring-core-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>>>>>> at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:738) ~[spring-aop-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>>>>>> at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157) ~[spring-aop-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>>>>>> at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:85) ~[spring-aop-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>>>>>> at org.apereo.inspektr.audit.AuditTrailManagementAspect.handleAuditTrail(AuditTrailManagementAspect.java:134) ~[inspektr-audit-1.8.0.GA.jar:1.8.0.GA]
>>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_162]
>>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_162]
>>>>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_162]
>>>>>> at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_162]
>>>>>> ...
>>>>>>
>>>>>> 2018-02-15 09:31:13,982 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
>>>>>> =============================================================
>>>>>> WHO: *253227*
>>>>>> WHAT: [event=error,timestamp=Thu Feb 15 09:31:13 CET 2018,source=OneTimeTokenAuthenticationWebflowEventResolver]
>>>>>> ACTION: AUTHENTICATION_EVENT_TRIGGERED
>>>>>> APPLICATION: CAS
>>>>>> WHEN: Thu Feb 15 09:31:13 CET 2018
>>>>>> CLIENT IP ADDRESS: 10.100.100.20
>>>>>> SERVER IP ADDRESS: 10.40.0.2
>>>>>> =============================================================
>>>>>>
>>>>>> Can anybody tell me what I'm missing?
>>>>>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
>> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/57f5e936-6e6e-422c-9fb1-5140e5408eda%40apereo.org.
>>

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/141bb8a9-d702-4511-95b6-ce8004cb3ff4%40apereo.org.
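Two things in this thread bear directly on why scratch codes are accepted while app-generated codes are not: Mickaël's remark about server time and NTP, and the `cas.authn.mfa.gauth.timeStepSize=60` / `cas.authn.mfa.gauth.windowSize=3` settings in the quoted cas.properties. Both come down to how TOTP (RFC 6238) turns a shared secret and the current time into a code. The following is an added example written for this page; it is not code from the thread, from the CAS project, or from the Google Authenticator library. It is a minimal RFC 6238 implementation driven by the RFC 4226/6238 test secret (so the values can be checked against the published test vectors), and it shows two checks a practitioner would run: whether a server using a 60-second step can ever compute the same counter as an app using 30-second steps (the Google Authenticator app generates 30-second codes), and how many seconds of clock skew a given validation window absorbs. It assumes that `timeStepSize` and `windowSize` correspond to the TOTP period and to the number of adjacent steps checked on either side of the current one; that mapping is an assumption of this example, and the function names are mine.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"). Constructed
# input for this example only; it is not a CAS secret from the thread.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_counter(unix_time: int, step: int = 30) -> int:
    """RFC 6238 time counter T = floor(unix_time / step)."""
    return unix_time // step


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP evaluated at the time counter."""
    return hotp(secret, totp_counter(unix_time, step), digits)


def verify_totp(secret: bytes, submitted: str, server_time: int,
                step: int = 30, window: int = 1, digits: int = 6):
    """Return the step offset k in [-window, +window] at which `submitted`
    matches, or None if it matches nowhere. Offsets are tried from -window
    upward; each comparison is constant-time so the check does not leak which
    digits matched."""
    counter = totp_counter(server_time, step)
    for k in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + k, digits), submitted):
            return k
    return None


def step_mismatch(secret: bytes, unix_time: int,
                  app_step: int = 30, server_step: int = 60) -> dict:
    """Counters and codes an app (app_step) and a server (server_step) compute
    for the same instant. Different counters mean different codes, and at
    realistic times the counters are roughly a factor of two apart, far
    beyond any validation window."""
    return {
        "app_counter": totp_counter(unix_time, app_step),
        "app_code": totp(secret, unix_time, app_step),
        "server_counter": totp_counter(unix_time, server_step),
        "server_code": totp(secret, unix_time, server_step),
    }


def skew_tolerance_seconds(step: int, window: int) -> int:
    """Largest clock offset (seconds) between phone and server that is always
    accepted: the counters differ by at most `window` only while the offset is
    below window * step, so the guarantee is one second short of that."""
    return window * step - 1


if __name__ == "__main__":
    print("step 30 vs 60 at T=1111111109:", step_mismatch(SECRET, 1111111109))
    # Phone code generated at T=59 (counter 1), server clock 90 s ahead.
    code = totp(SECRET, 59)
    print("window=1 ->", verify_totp(SECRET, code, 149, window=1))
    print("window=3 ->", verify_totp(SECRET, code, 149, window=3))
    print("guaranteed skew tolerance, step 30 window 3:",
          skew_tolerance_seconds(30, 3), "s")
```

Run as a script it prints the counter pair for the 30 s / 60 s case and the window results; the phone's code fails with a one-step window when the server clock is 90 seconds off and passes with a three-step window, which is why an NTP-synchronised clock matters more than a wide window. Keep the window small in production: every extra step is another code the server will accept for a submitted value.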