ADFSMFA 3.0.0.2 TOTP code

[MDaugaardDK]

Im experince some problems in ADFSMFA 3.0.0.1 and 3.0.0.2. When im registre my self with TOTP (Microsoft and Google auth.) its OK. im entering the code 1. time and am aprroved.
But afterwards, when im entering the code from TOTP app, it wont go on.... the boks with "Enter Code" just keep coming back. Nothing to see in ADFS log.

My setup is.
Active Directory Storage Mode
Security Configuration: RNG 256 Bits
TOTP;
Code history: 2
algorithm: SHA512
Security mode: RNG
Key Length: DEFAULT (1024 Bits)

Maybe my setup is wrong?

[redhook62]

Hi, @MDaugaardDK

I don't really understand the sequence you have explain.
But keep in mind that your adfs servers, the client device MUST be sync with universal time.
eg time.windows.com
TOTP is based on current time. (in your case : the current and the 2 prior codes).
You must also provide a company name see : #9

Regards

Regards

[MDaugaardDK]

i think all is in sync. GMT+2.

But when im entering the TOTP code it is not invalid.. but im getting redirectet to entering the code again... maybe ADFS problem on my side?
Im trying to use ADFSMFA on Exchange ECP

[redhook62]

Yes, by default you have three tries, finally this is configurable. at the last unsuccessful attempt you must be blocked and restart your session.
Also check, the "Anti Replay" function if this is activated you cannot enter the same code during the validation window which is 5 minutes by default.
I will confirm you tomorrow by testing with the parameters which you indicated to me.
Using Exchange has no impact.

Regards

[redhook62]

Hi, @MDaugaardDK

I just tested with the parameters provided, and of course everything works perfectly.

It is therefore necessary that you check a few points.

• The ADFS servers and the client device must be synchronized on the hour (the code changes every 30 seconds + the 2 previous "shadow" codes). the best is to activate the syncro with an atomic clock (eg: time.windows.com)

• you must make sure that all the prerequisites are respected, see: https://github.com/neos-sdi/adfsmfa/wiki/01-Installation#prerequisites
  In particular, on the question of rights on ADDS.

• You must also make sure that on each Relying Party (each federated application, described in ADFS publishes an upn type claim, see: https://github.com/neos-sdi/adfsmfa#remarks
  This one : http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
  And of course the userPrincipalName must be present for each user (name.surname@domain.com or other)

If you have more informations ?

Regards

[MDaugaardDK]

Today everything works fine.... think it was because our Service Account was not a part of Account Operators :-)