Jump to content

Google Authenticator is overriden if an authenticator instance already exists.


Jim

Recommended Posts

Hey,

 

I stumbled upon a strange behavoir. Google Authenticator profile for the reset portal overrides the existing one in my Microsoft 2FA app if an authenticator instance already exists- which is the one I setup for the pwstate instance. Is this a known issue, or did I do something wrong?

 

Steps to reproduce:

- Setup a user in passwordstate and setup Manual AD + google auth on

- Let the user login and create and add an account in the MS 2fa app

- Set up verification method to Google Auth in Password reset portal settings for the user 

- Enroll in password reset portal with that that user

- Scan the QR code

 

and voila. Your existing secret is overriden and you can't login to passwordstate instance anymore.

 

What am I doing wrong here? 

 

Cheers,

J

Link to comment
Share on other sites

Hi Jim,

 

Thanks for bringing this to our attention, and we will need to change the Issuer label here so we do not have conflicts like this - we did overlook this when we developed the Portal, thinking most of the users of the Portal would not be using Passwordstate.

We will post back here once a new build of the Portal is available, which would be in about a week or two. If this is urgent, possibly you could use two different Apps i.e. the one supplied by Google, or Sophos Authenticator.

Regards

Click Studios

Link to comment
Share on other sites

Hi Jim,

 

Just a quick update to this - We are releasing a new build of Passwordstate today, build 8537, which addresses this issue.  You can now save a Google Authenticator for the main Passwordstate web site, and also for the Password Reset Portal.

 

Thanks for bringing this to our attention, we really appreciate it:)  Please upgrade when you get a chance!

 

Regards,

Support

 

Link to comment
Share on other sites

Hey,

 

I have upgraded the both instances we had, and still no avail. I reinstalled the resetportal to the latest as well. It still overwrite the existing one in the current authenticator (MS MFA app).

 

Another remark, this upgrade has broken the HA. I removed the 2nd host from HA and can't add it to the HA hosts again...

 

I think I might have done something wrong.

 

Cheers,

J

Link to comment
Share on other sites

Hi Jim,

 

I just tested this again, and I can scan in two separate accounts without issue. I tested this with both Google Authenticator and Microsoft's Authenticator App. Is it possible you have a proxy server which cached the download of the portal upgrade zip file? A reinstall should have fixed it anyway though.

 

If you go into the Bin folder for where you have installed the Portal, is the file version 8.5.3.7 for the file you see below?

 

Can you let us know what's broken with your HA? If required, you can do a manual upgrade to replace all files - https://www.clickstudios.com.au/downloads/version9/High_Availability_Server_Manual_Upgrade_Instructions.pdf

 

portalversion.png

 

Regards

Click Studios

Link to comment
Share on other sites

Hey,

 

What I would like to clarify is that we use Microsoft Authenticator app and not Google Authenticator App. It's compatible with Google Authenticator stuff. But somehow, in this case, it get's messed up. The identifier string stays the same. Even if I add pwstate authenticator token first; change it's name and add reset portal authenticator token, it still overrides. I am gambling on that this happens because of them both having an identifier in common which causes the app to think that the both are the same entity with a different token.

 

In google authenticator app, it works and both tokens are registered seperately. But both tokens get the the same name.

 

It is the same version as you have shown in the screenshot. See the versions of installed dll and the installer that I used.

 

As for what I mean that the HA got broken, I don't see my hosts in the HA menu.

 

Both hosts do function as standalone at the moment.

Screenshot 2018-11-21 at 13.28.23.png

Screenshot 2018-11-21 at 13.34.40.png

Link to comment
Share on other sites

Hi Jim,

 

I tested this change with both version of these Authenticators, and the name was different for each environment for me. I will get someone else here to test here as well to confirm.

 

Can you let me know what you mean by "Both hosts do function as standalone at the moment"? For your HA Node, the PassiveNode key in the web.config file should either be set to True or Active - without this, it will not report back to the primary server.

Regards

Click Studios

Link to comment
Share on other sites

Hi Jim,

 

Your primary site should be set to False. Please make this change and restart both Passwordstate Windows Services.

 

Can you please also confirm what sort of SQL Server Replication you are using between your two database servers?

Thanks

Click Studios

Link to comment
Share on other sites

Hey,

 

I tried that one for HA and didn't work as well. I think it's would be wise to do a teamviewer session so that I can see the root cause. You have my mail. Let us arrange a time slot that we both are awake :)

 

For the authenticator issue: We can mark it as resolved. I have 2 devices that check positive and 1 device that gives negative so far (android and ISO device checks positive; 1 ios device checks negative). So we can assume it works and the other device will be troubleshooted here locally.

 

We are about to enforce it to our organization and would like to make sure that devs don't suffer the consequences of the change in the ways they are used to work. Want the intrusion to be minimal and no issues will help us :)

 

We are implementing it in Active-Active setup behind an Azure Loadbalancer. Behind it, 2 VMS host passwordstate. First instance also hosts the password reset portal for the time being. For the DB, we are using a AzureSQL instance. We will use a geo-replicated set later on. But in this case, it should be transparent to the application and both HA pwstate instances should be able to write.

 

Is it an idea to round up this thread and move to another one for the HA configuration maybe?

 

Cheers,

J

Link to comment
Share on other sites

Hi Jim,

 

I've just emailed you requesting more information regarding the HA issue. If you are using an Active/Active setup, then the HA Server should report directly to the DB.

Can you also confirm if the Passwordstate Windows Service is started on both web servers?

Thanks

Click Studios

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...