[BUG] MFA not working #59

Closed
1 task done
gifu88 opened this issue Jan 23, 2024 · 8 comments


gifu88 commented Jan 23, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

MFA validation is not working.

Expected Behavior

MFA validates and logs in to the console.

Steps To Reproduce

  1. Create Unifi Account with same name/email
  2. Enable MFA
  3. Login using username/password of the Unifi account
  4. Try to enter TOTP from mail or authenticator app
  5. It fails

Environment

- OS:debian bookworm
- How docker service was installed: 
I created a docker-compose file on my own including database and application.

See docker creation and container logs for possible cause.

CPU architecture

x86-64

Docker creation

version: "2.1"
services:
  unifi-network-application:
    image: lscr.io/linuxserver/unifi-network-application:latest
    container_name: unifi-network-application
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Berlin
      - MONGO_USER=unifi
      - MONGO_PASS=MONGOPASS
      - MONGO_HOST=unifi-network-application-database
      - MONGO_PORT=27017
      - MONGO_DBNAME=unifi-db
      - MEM_LIMIT=1024 #optional
    #     - MEM_STARTUP=1024 #optional
    #     - MONGO_TLS= #optional
    #     - MONGO_AUTHSOURCE= #optional
    volumes:
      - /home/username/docker/unifi-network-application/config:/config
    ports:
      - 8443:8443
      - 3478:3478/udp
      - 10001:10001/udp
      - 8080:8080
      - 1900:1900/udp #optional
      - 8843:8843 #optional
      - 8880:8880 #optional
      - 6789:6789 #optional
      - 5514:5514/udp #optional
    restart: unless-stopped
    labels:
      - com.centurylinklabs.watchtower.enable=true
    depends_on:
      - unifi-network-application-database
  unifi-network-application-database:
    image: docker.io/mongo:4.4
    container_name: unifi-network-application-database
    environment:
      - TZ=Europe/Berlin
    ports:
      - 27017:27017
    volumes:
      - /home/username/docker/unifi-network-application/database:/data/db
      - /home/username/docker/unifi-network-application/init-mongo.js:/docker-entrypoint-initdb.d/init-mongo.js:ro
    restart: unless-stopped
    labels:
      - com.centurylinklabs.watchtower.enable=true
networks: {}

Container logs

date command inside container from application and database is different. This could be the cause.

date command application:
Tue Jan 23 03:04:46 PM CET 2024

date command database:
Tue Jan 23 15:02:55 CET 2024

Current time from local PC:
Tue Jan 23 15:02:55 CET 2024
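
The clock-skew hypothesis in the report above can be checked offline. This is an added example, not code from the project or from the reporter: it implements RFC 6238 TOTP and tests whether a code survives the gap between the two `date` outputs. Assumptions: the two outputs are simultaneous readings, the verifier uses a 30 s step, 6 digits, HMAC-SHA1 and a ±1 step acceptance window, and the secret is a constructed sample.

```python
import hashlib
import hmac
import struct
from datetime import datetime

STEP = 30                             # assumed RFC 6238 time step, seconds
DIGITS = 6                            # assumed code length
SECRET = b"constructed-demo-secret"   # constructed sample key, not a real one


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F        # dynamic truncation, RFC 4226 sec. 5.3
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret: bytes, code: str, server_time: int, window: int = 1) -> bool:
    """Accept a code from the server's current step or +/- `window` steps."""
    for drift in range(-window, window + 1):
        candidate = totp(secret, server_time + drift * STEP)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def steps_apart(t_a: int, t_b: int) -> int:
    """Number of TOTP time steps between two Unix timestamps."""
    return abs(t_a // STEP - t_b // STEP)


# The two `date` outputs from the report, parsed as naive local times.
FMT = "%Y-%m-%d %H:%M:%S"
APP_CLOCK = datetime.strptime("2024-01-23 15:04:46", FMT)
DB_CLOCK = datetime.strptime("2024-01-23 15:02:55", FMT)
SKEW = int((APP_CLOCK - DB_CLOCK).total_seconds())
NOW = 1706018575                      # 2024-01-23 15:02:55 CET as Unix time


def accepted_with_skew(skew: int, window: int = 1, now: int = NOW) -> bool:
    """Code generated at `now`, checked by a clock running `skew` s ahead."""
    return verify(SECRET, totp(SECRET, now), now + skew, window)


if __name__ == "__main__":
    print(f"skew={SKEW}s, steps apart={steps_apart(NOW, NOW + SKEW)}")
    print("accepted with +/-1 window:", accepted_with_skew(SKEW))
```

A gap of this size spans more steps than a ±1 window tolerates, so comparing the clock of whichever host validates the code against an NTP source is a quick first check before looking at account configuration.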
Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.


gifu88 commented Jan 24, 2024

Update: Watchtower updated the container this night. Both outputs of date are the same now. But it still doesn't work. Maybe it's something else.

@j0nnymoe
Member

Check your actual unifi server logs. Log file should be somewhere within your /config mount.


gifu88 commented Jan 24, 2024

I'm at work right now so I just had a quick look at the server.log:
[2024-01-24 10:39:29,912] WARN view - Successfully authenticated SSO user MYUSERNAME, but it does not match any local admin

This is weird, because I can log in with the same username but the local password. If I use the password of my Unifi Account, it prompts for the TOTP token.

Edit: Sync local user to Ubiquiti SSO is on of course:
image

Edit 2: Logging in to https://account.ui.com/ using my username + Ubiquiti pw + TOTP also works.


gifu88 commented Jan 26, 2024

With the recent update to 8.0.28 the problem is still there.

@j0nnymoe
Member

Maybe the conflict is because you're using the same username for local and unifi accounts. Personally never used unifi accounts so got no way to test.


gifu88 commented Jan 26, 2024

I followed a guide similar to this one:
https://patrickdomingues.com/2020/07/17/how-to-enable-unifi-controller-mfa/

But you gave me an idea. Will report back later.


gifu88 commented Jan 26, 2024

Sorry for bothering you. The username AND password need to be the same as the Ubiquiti account. It works perfectly now.

I simply did not have the same password as the Ubiquiti Account.
