Upgrade to 2.2.0.18

[anorstrom]

Hi,
Have tested the new version with RSA and ADDS mode, and it works fine when we re-register the MFA adapter (Register-MFASystem –Activate –RestartFarm –KeysFormat RSA -RSACertificateDuration 10, which generates a new certificate), and then enable new users for MFA.

Tested also to upgrade a current installation with RSA and ADDS, but that seems to break it:

• Current users get "An error occurred" instead of prompted for MFA Code.
• I can add new users with PowerShell, but they also get "An error occurred" instead of prompted for MFA Code.

Maybe this is expected in this beta version?
Or is there a way to get the current certificate working with the new version, instead of generating a new certificate by re-register the MFA adapter?

Thanks,
Andreas

[redhook62]

Hi,
I will test today, but no changes with the previous version.
Verify, that the thumprint is OK in the security options.
If you change the security mode RNG-RSA or CUSTOM, All the existing users keys became invalid. each user must rescan the QR-Code with a new Key.
You can revert to RNG and see if your users are loging as well.

Regards

[anorstrom]

I didn't change the mode, it was on RSA before the upgrade, but will test with RNG to see what happens.

Just a note. The thumbprint looks good, but when I go to security options the "side-bat" is not green. I didn't run Install-MFACertificate after the upgrade, because that will generate a new certificate and make all current keys invalid, right?

[redhook62]

Hi,

Have you test before with a "Maximum Key lenght" with 2048 bytes ?
Many of devices cannot scan this huge QR-Code.
In my configuration i am using 1024.
This do change the security level, because all the whole key is checked on validation. but limiting the display size, allow the majority of devices to scan the QR without problems.

So, stay connected, i will test this afternoon.

Thanks very much !

Regards

[anorstrom]

Yes, we used 2048 before, so didn't change that.
But that is good information. Would you say it is better to go for 1024 for compatibility reasons?

[redhook62]

Hi,

Yes, it should be better to use 2048 bytes, but many phones (not the last at 1000$) could not scan the code.
So, if you have'nt recent phones in organization, 1024 should be the best.
But i can ensure you, when verification is made after entering the TOTPCode, we are checking the effective user with the whole Key (2048 sha256).

I check you problem this PM

Regards

[redhook62]

Encryption, is always done with all the whole length of key ! aka : 2048 Bytes

Regards

[anorstrom]

Tested a little bit more with re-register the MFA adapter and generate a new RSA certificate.

It seems like that does not work either when I set Hash Algorithm to SH2A56. Set to SHA1 works fine, but when I set it to SAH256 the verification after scanning the QR code does not pass (I always remove and re-add user after changing Hash Algorithm). Maybe that is related to this issue to?

[redhook62]

Hi,

SHA256 hash algo is not supported by the majority of OTP apps. Only Auty app is supporting it.
See discussion : #7

Cdt

[redhook62]

Hi, @anorstrom

Yes, It's a bug ! Thank you !

We made a mistake, we have removed iteration in hash mode when validating the QRCode.
So, we have made tests with RNG, RSA and custom with key len of 1024 and 2048 bytes. We also checked with hash mode SHA1 and SHA256.

We push a new install tonight, and source code with other evolutions tomorrow.

Best regards

redhook

[anorstrom]

Super, thank you!