DKB does not accept connections anymore

[Jan-2k]

Hi!

I recently recognized that my previous working application suddenly throws an error while fetching transactions from my DKB account. I used the example code from https://python-fints.readthedocs.io/en/latest/trouble.html to verify if the error I receive is a result of incorrect session handling inside my application or if there are general problems with DKB sessions. If I use the example code I'm getting the following output:

We need the name of the TAN medium, let's fetch them from the bank
Dialog response: 9050 - Die Nachricht enthält Fehler.
Dialog response: 9800 - Dialog abgebrochen
Dialog response: 9010 - Die angegebene Bankreferenz/Dialog-ID ist nicht gültig.
Traceback (most recent call last):
  File "test.py", line 42, in <module>
    minimal_interactive_cli_bootstrap(f)
  File "/home/***/.local/lib/python3.7/site-packages/fints/utils.py", line 322, in minimal_interactive_cli_bootstrap
    m = client.get_tan_media()
  File "/home/***/.local/lib/python3.7/site-packages/fints/client.py", line 1360, in get_tan_media
    response = dialog.send(seg)
  File "/home/***/.local/lib/python3.7/site-packages/fints/dialog.py", line 156, in send
    self.client.process_response_message(self, response, internal_send=internal_send)
  File "/home/***/.local/lib/python3.7/site-packages/fints/client.py", line 230, in process_response_message
    self._process_response(dialog, None, response)
  File "/home/***/.local/lib/python3.7/site-packages/fints/client.py", line 1284, in _process_response
    raise FinTSClientError("Error during dialog initialization, could not fetch BPD. Please check that you "
fints.exceptions.FinTSClientError: Error during dialog initialization, could not fetch BPD. Please check that you passed the correct bank identifier to the HBCI URL of the correct bank.

I also found out, that the dialog-id sometimes is 0 during the communication:

We need the name of the TAN medium, let's fetch them from the bank
DEBUG:fints.connection:Sending >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
        fints.message.FinTSCustomerMessage([
            fints.segments.message.HNHBK3( # Nachrichtenkopf
                header = fints.formals.SegmentHeader('HNHBK', 1, 3), # Segmentkopf
                message_size = 494, # Größe der Nachricht (nach Verschlüsselung und Komprimierung)
                hbci_version = 300, # HBCI-Version
                dialog_id = '0', # Dialog-ID
                message_number = 1, # Nachrichtennummer
            ),

Does anyone else happen to experience the same error or has information about how to fix this?

Bye
Jan

[oregano87]

Hi
Have the same issue.

WARNING:fints.client:You should register your program with the ZKA and pass your own product_id as a parameter.
We need the name of the TAN medium, let's fetch them from the bank
ERROR:fints.client:Dialog response: 9050 - Die Nachricht enthält Fehler.
ERROR:fints.client:Dialog response: 9800 - Dialog abgebrochen
ERROR:fints.client:Dialog response: 9010 - Die angegebene Bankreferenz/Dialog-ID ist nicht gültig.

[DevDavido]

Having the same issue with DKB:

Dialog response: 9050 - Die Nachricht enthält Fehler.
Dialog response: 9800 - Dialog abgebrochen
Dialog response: 9010 - Die angegebene Bankreferenz/Dialog-ID ist nicht gültig.
! fints client exception for DKB (blz 12030000) user XXX: Error during dialog initialization, could not fetch BPD. Please check that you passed the correct bank identifier to the HBCI URL of the correct bank.

BLZ: 12030000
URL: https://banking-dkb.s-fints-pt-dkb.de/fints30

Tried all settings from OpenHBCI but no success.

[MEschenbacher]

I'm connecting to DKB for a few months now, without problems. Is this resolved?

[s3ntin3l8]

I have been using it before successfully (p until 2 months ago) but now I'm receiving the same error. So it is not resolved.

[MEschenbacher]

What's the end date of the time span for which you are showing transactions? For DKB, I need to set end_date=datetime.date.today()

[ngoettin]

This problem still persists. The documentation on the response code 9010 which is received is not too helpful either:

[bst2k]

Any News about this error? Got the same problem..

[ngoettin]

Unfortunately not. I'm also not quite sure on how to tackle this problem

[frederictobiasc]

Hi,
I tested the DKB using the test script, everything (despite get holdings) works.
The TAN methods response contains the following items:

fints.segments.dialog.HIRMS2( # Rückmeldungen zu Segmenten
	                    header = fints.formals.SegmentHeader('HIRMS', 4, 2, 4), # Segmentkopf
	                    responses = [ # Rückmeldung
	                                fints.formals.Response( # Rückmeldung
	                                    code = '3050',
	                                    reference_element = None,
	                                    text = 'UPD nicht mehr aktuell, aktuelle Version enthalten.',
	                                ),
	                                fints.formals.Response( # Rückmeldung
	                                    code = '3920',
	                                    reference_element = None,
	                                    text = 'Zugelassene Zwei-Schritt-Verfahren für den Benutzer.',
	                                    parameters = [
	                                            '921',
	                                        ],
	                                ),
	                                fints.formals.Response( # Rückmeldung
	                                    code = '0020',
	                                    reference_element = None,
	                                    text = 'Der Auftrag wurde ausgeführt.',
	                                ),
	                        ],
	                ),

DKB offers quite some TAN options. Have you tried playing with them? I've only activated Push-TAN and it works.

[bst2k]

@frederictobiasc do you have an example Code for using the TAN to log in? In the Troubleshot Test Code i only got the same error as before.

I also tried the following Code from the Website

with f:
    # Since PSD2, a TAN might be needed for dialog initialization. Let's check if there is one required
    if f.init_tan_response:
        print("A TAN is required", f.init_tan_response.challenge)
        tan = input('Please enter TAN:')
        f.send_tan(f.init_tan_response, tan)

    # Fetch accounts
    accounts = f.get_sepa_accounts()

with the error result

fints.exceptions.FinTSClientError: Error during dialog initialization, could not fetch BPD. Please check that you passed the correct bank identifier to the HBCI URL of the correct bank.

In general, using https://banking-dkb.s-fints-pt-dkb.de/fints30 for BLZ 12030000 is still correct? Asking cause in the long response i also saw this:

ERROR:fints.client:Dialog response: 9050 - Die Nachricht enthält Fehler.
ERROR:fints.client:Dialog response: 9800 - Dialog abgebrochen
ERROR:fints.client:Dialog response: 9010 - Die angegebene Bankreferenz/Dialog-ID ist nicht gültig.

[frederictobiasc]

Hi @bst2k,

I only used the test script I linked above, so I cannot provide any other code.

If I were you, I would carefully check for typos. Here are my client_args (redacted).

logging.basicConfig(level=logging.DEBUG)
client_args = (
    '12030000',  # BLZ
    'username',  # USER
    'password',
    'https://banking-dkb.s-fints-pt-dkb.de/fints30'  # ENDPOINT
)

If this doesn't work, I would start and contact DKB if I were you, because then there must obviously something wrong. I had a conversation with a technical support representative of DKB myself and he stated that they happily assist in case of problems.
Maybe you want to ask them for a development account of their FinTS implementation?

I hope that helps!
BTW: I fixed the link above to the test script.

[bst2k]

There can't be any typos due i copy login and password from KeePass and the online login works. Also the Bank Data must be correct, I found the confirmation in the FAQ:

Falls du die Schnittstelle zu unserem Banking im Programm manuell einrichten musst, nutze diese Parameter:

Bankleitzahl: 120 300 00
Sicherheitsmedium: HBCI-PIN mit chipTAN/TAN2go
Benutzerkennung: Dein Anmeldename
Kunden-ID: Dieses Feld bitte frei lassen
HBCI-Version: FinTS 3.0
Kommunikationsadresse: https://banking-dkb.s-fints-pt-dkb.de/fints30

So it reads like there is no adjustments for the account needed. To be sure I wrote an message to the DKB Support.

When i log into my online banking I get an push from my "DKB-Banking" app where i need to confirm the log in, probably the connection is blocked cause I got no push message to confirm. Did somebody know an workaround for this?

[frederictobiasc]

I also don't get a Pushtan for login. This is only necessary when doing things like requesting data.
Would you mind telling what TAN options are enabled in your DKB account?
If you want to, you can also share your (anonymized) log for me to compare. Maybe this leads to some insights.

[bst2k]

Thanks for your help @frederictobiasc

My only activated TAN is TAN2go.

If I run this Code:

import logging
from fints.client import FinTS3PinTanClient

logging.basicConfig(
    level=logging.DEBUG,
    filename="log.log",
    filemode="w"
)

f = FinTS3PinTanClient(
    '12030000',
    'LOGIN',
    'PASSWORD',
    'https://banking-dkb.s-fints-pt-dkb.de/fints30'
)


with f:
    info = f.get_information()
    print(info)

I get an successfully result from DKB.

{'bank': {'name': 'Deutsche Kreditbank Aktiengesellschaft', 'supported_operations': .....

If I change the get_information to get_sepa_accounts I got the same error like in the other Threads:

DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): banking-dkb.s-fints-pt-dkb.de:443
DEBUG:urllib3.connectionpool:https://banking-dkb.s-fints-pt-dkb.de:443 "POST /fints30 HTTP/1.1" 200 882
DEBUG:fints.connection:Received <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

...

	                fints.segments.dialog.HIRMG2( # Rückmeldungen zur Gesamtnachricht
	                    header = fints.formals.SegmentHeader('HIRMG', 3, 2), # Segmentkopf
	                    responses = [ # Rückmeldung
	                                fints.formals.Response( # Rückmeldung
	                                    code = '9050',
	                                    reference_element = None,
	                                    text = 'Die Nachricht enthält Fehler.',
	                                ),
	                                fints.formals.Response( # Rückmeldung
	                                    code = '3905',
	                                    reference_element = None,
	                                    text = 'Es wurde keine Challenge erzeugt.',
	                                ),
	                                fints.formals.Response( # Rückmeldung
	                                    code = '9800',
	                                    reference_element = None,
	                                    text = 'Dialog abgebrochen',
	                                ),
	                        ],
	                ),
	                fints.segments.dialog.HIRMS2( # Rückmeldungen zu Segmenten
	                    header = fints.formals.SegmentHeader('HIRMS', 4, 2, 4), # Segmentkopf
	                    responses = [ # Rückmeldung
	                                fints.formals.Response( # Rückmeldung
	                                    code = '3920',
	                                    reference_element = None,
	                                    text = 'Zugelassene Zwei-Schritt-Verfahren für den Benutzer.',
	                                    parameters = [
	                                            '921',
	                                        ],
	                                ),
	                                fints.formals.Response( # Rückmeldung
	                                    code = '9955',
	                                    reference_element = None,
	                                    text = 'Auftrag nicht ausgeführt - Die Gerätebezeichnung ist unbekannt. (MBV07390100255)',
	                                ),
	                        ],
	                ),

...

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Same error occurs when running the "Troubleshooting" Code.

[frederictobiasc]

If I change the get_information to get_sepa_accounts I got the same error like in the other Threads:

I just tested it, and it works wonderfully for me. IMO, this justifies opening a ticket at DKB FinTS support. I'm curious to hear what they tell.

[frederictobiasc]

Is there any chance you have multiple devices registered for the Tan2go mechanism?
Have you already found this thread?

[bst2k]

Ticket is open, when the support replies I share the answer here.

No I did not found this Thread, thanks for sharing. I definitely got only one device connected, believe there couldn't be more then one. Could you tell me where I set up the pushTan Device Name? I didn't see this in the documentation.

[frederictobiasc]

I don't know where to set it up. I just guessed that there may be a problem if more than one push tan device is registered at the bank. For me, it just works. But I just noticed, that I also have "chipTan" activated. Maybe this changes the behaviour? Probably fiddling with the options wouldn't hurt.

[bst2k]

chipTan was activated at the start, I deactivated it yesterday while testing, so this sadly changed nothing. In my "TAN2go-Verwaltung" there is only one connected device show up, my Device that I am using daily. Ticket is still open :-(

[frederictobiasc]

Hi @bst2k,
I got news for you. I got hold on a DKB account showing your reported issue. Could you please check one thing? Please make sure, you're using a customized login name (not 12345_p). You can set one in the online banking: Service -> "Anmeldename für mein Banking ändern"
If you needed to change it, please give it an hour before you try python-fints.

[bst2k]

@frederictobiasc thanks for your Tip. My login was really still like "12345_p" but is now changed to a customized one. I waited for around one hour and tried it again. Unfortunately I still have the same error and still no DKB response.

[frederictobiasc]

@bst2k thanks for verifying that. I did another thing, just wanted to make sure, this is unrelated to the account name: I added the account in Gnucash (you can also use KMyMoney, both use Aqbanking as backend for FinTS). After successfully adding the account there, I was able to use it as well with python-fints.
Would you mind trying that and report back if this works for you as well? If possible, keep the logs so that we can examine what operations were executed. This could help fixing the bug here.

[bst2k]

@frederictobiasc I took a look at GnuCash and .... got the same error of "BPD nicht mehr aktuell, aktuelle Version enthalten. (S)", so I think there must be any DKB Account Settings to be adjusted.

23:39:34 Server-Zertifikat abrufen
23:39:34 Verbindung vorbereiten
23:39:34 Mit Server verbinden...
23:39:34 Verwende GnuTLS Default Ciphers.
23:39:34 TLS: SSL-Ciphers ausgehandelt: TLS1.3:ECDHE-RSA-AES-256-GCM:AEAD
23:39:58 Verbunden.
23:39:58 Verbindung beendet.
23:39:58 Zertifikat erhalten
23:39:58 Allgemeine Bankinfos abrufen (SCA)
23:39:58 AqHBCI gestartet
23:39:58 Aufträge werden kodiert
23:39:58 Nachricht senden
23:39:58 Verwende GnuTLS Default Ciphers.
23:39:58 TLS: SSL-Ciphers ausgehandelt: TLS1.3:ECDHE-RSA-AES-256-GCM:AEAD
23:39:58 Nachricht gesendet
23:39:58 Aufträge gesendet
23:39:58 Auf Antwort warten
23:39:58 Antwort erhalten
23:39:58 HBCI: 3060 - Bitte beachten Sie die enthaltenen Warnungen/Hinweise. (M)
23:39:58 HBCI: 0100 - Dialog beendet. (M)
23:39:58 HBCI: 3050 - BPD nicht mehr aktuell, aktuelle Version enthalten. (S)
23:39:58 HBCI: 0020 - Informationen fehlerfrei entgegengenommen. (S)
23:39:58 Beende Dialog mit dem Server
23:39:58 Aufträge werden kodiert
23:39:58 Nachricht senden
23:39:58 Verwende GnuTLS Default Ciphers.
23:39:58 TLS: SSL-Ciphers ausgehandelt: TLS1.3:ECDHE-RSA-AES-256-GCM:AEAD
23:39:58 Nachricht gesendet
23:39:58 Aufträge gesendet
23:39:58 Auf Antwort warten
23:39:58 Antwort erhalten
23:39:58 HBCI: 0010 - Nachricht entgegengenommen. (M)
23:39:58 HBCI: 0100 - Dialog beendet. (M)
23:39:58 AqHBCI abgeschlossen.
23:39:58 Gefundene Serveradresse: SSL: banking-dkb.s-fints-pt-dkb.de/fints30, none
23:39:58 Gefundene Serveradresse: TCP: banking.s-fints-pt-dkb.de, base64
23:39:58 Systemkennung abrufen
23:39:58 AqHBCI gestartet
23:39:58 Aufträge werden kodiert
23:40:08 Aufträge konnten nicht kodiert werden
23:40:08 AqHBCI abgeschlossen.
23:40:08 Die Aktion wurde durch den Benutzer abgebrochen.
23:40:08 Vorgang abgeschlossen, Sie können das Fenster nun schließen.

• EDIT
  I tried this with the StarMoney software as they advertise it on the website and now it works! However, I had to enter a pushTan for the setup and had to confirm the log in in the app. Thank you very much for your help :)

[frederictobiasc]

@bst2k glad that worked out for you too.GnuCash required me to enter a TAN too. Please note that "BPD nicht mehr aktuell" != "could not fetch BPD", so that's an improvement ;)
I'm posting the log file of the AqHBCI transaction after that python-fints started working. Maybe any of the developers, eg. @raphaelm can make sense of it:

11:11:19 Server-Zertifikat abrufen
11:11:19 Verbindung vorbereiten
11:11:19 Mit Server verbinden...
11:11:19 Verwende GnuTLS Default Ciphers.
11:11:19 TLS: SSL-Ciphers ausgehandelt: TLS1.3:ECDHE-RSA-AES-256-GCM:AEAD
11:11:25 Verbunden.
11:11:25 Verbindung beendet.
11:11:25 Zertifikat erhalten
11:11:25 Allgemeine Bankinfos abrufen (SCA)
11:11:25 AqHBCI gestartet
11:11:25 Aufträge werden kodiert
11:11:25 Nachricht senden
11:11:25 Verwende GnuTLS Default Ciphers.
11:11:25 TLS: SSL-Ciphers ausgehandelt: TLS1.3:ECDHE-RSA-AES-256-GCM:AEAD
11:11:25 Nachricht gesendet
11:11:25 Aufträge gesendet
11:11:25 Auf Antwort warten
11:11:25 Antwort erhalten
11:11:25 HBCI: 3060 - Bitte beachten Sie die enthaltenen Warnungen/Hinweise. (M)
11:11:25 HBCI: 0100 - Dialog beendet. (M)
11:11:25 HBCI: 3050 - BPD nicht mehr aktuell, aktuelle Version enthalten. (S)
11:11:25 HBCI: 0020 - Informationen fehlerfrei entgegengenommen. (S)
11:11:25 Beende Dialog mit dem Server
11:11:25 Aufträge werden kodiert
11:11:25 Nachricht senden
11:11:25 Verwende GnuTLS Default Ciphers.
11:11:25 TLS: SSL-Ciphers ausgehandelt: TLS1.3:ECDHE-RSA-AES-256-GCM:AEAD
11:11:26 Nachricht gesendet
11:11:26 Aufträge gesendet
11:11:26 Auf Antwort warten
11:11:26 Antwort erhalten
11:11:26 HBCI: 0010 - Nachricht entgegengenommen. (M)
11:11:26 HBCI: 0100 - Dialog beendet. (M)
11:11:26 AqHBCI abgeschlossen.
11:11:26 Gefundene Serveradresse: SSL: banking-dkb.s-fints-pt-dkb.de/fints30, none
11:11:26 Gefundene Serveradresse: TCP: banking.s-fints-pt-dkb.de, base64
11:11:26 Systemkennung abrufen
11:11:26 AqHBCI gestartet
11:11:26 Aufträge werden kodiert
11:11:36 Nachricht senden
11:11:36 Verwende GnuTLS Default Ciphers.
11:11:36 TLS: SSL-Ciphers ausgehandelt: TLS1.3:ECDHE-RSA-AES-256-GCM:AEAD
11:11:36 Nachricht gesendet
11:11:36 Aufträge gesendet
11:11:36 Auf Antwort warten
11:11:36 Antwort erhalten
11:11:36 HBCI: 3060 - Bitte beachten Sie die enthaltenen Warnungen/Hinweise. (M)
11:11:36 HBCI: 0020 - Auftrag ausgeführt. (S)
11:11:36 HBCI: 3920 - Zugelassene Zwei-Schritt-Verfahren für den Benutzer. (S)
11:11:36 HBCI: 0020 - Der Auftrag wurde ausgeführt. (S)
11:11:36 Dialog wurde nicht abgebrochen, PIN scheint gültig zu sein
11:11:36 Beende Dialog mit dem Server
11:11:36 Aufträge werden kodiert
11:11:36 Nachricht senden
11:11:36 Verwende GnuTLS Default Ciphers.
11:11:36 TLS: SSL-Ciphers ausgehandelt: TLS1.3:ECDHE-RSA-AES-256-GCM:AEAD
11:11:36 Nachricht gesendet
11:11:36 Aufträge gesendet
11:11:36 Auf Antwort warten
11:11:36 Antwort erhalten
11:11:36 HBCI: 0010 - Nachricht entgegengenommen. (M)
11:11:36 HBCI: 0100 - Dialog beendet. (M)
11:11:36 Dialog wurde nicht abgebrochen, PIN scheint gültig zu sein
11:11:36 AqHBCI abgeschlossen.
11:11:49 Anforderung der Kontenliste
11:11:49 AqHBCI gestartet
11:11:49 Wähle iTAN Modus "TAN2go" (921, Version 6, Prozess 2)
11:11:49 Aufträge werden kodiert
11:11:49 Nachricht senden
11:11:49 Verwende GnuTLS Default Ciphers.
11:11:49 TLS: SSL-Ciphers ausgehandelt: TLS1.3:ECDHE-RSA-AES-256-GCM:AEAD
11:11:49 Nachricht gesendet
11:11:49 Aufträge gesendet
11:11:49 Auf Antwort warten
11:11:49 Antwort erhalten
11:11:49 HBCI: 3060 - Bitte beachten Sie die enthaltenen Warnungen/Hinweise. (M)
11:11:49 HBCI: 3920 - Zugelassene Zwei-Schritt-Verfahren für den Benutzer. (M)
11:11:49 HBCI: 0030 - Auftrag empfangen - Bitte die empfangene TAN eingeben.(MBT62820200002) (S)
11:11:49 Dialog wurde nicht abgebrochen, PIN scheint gültig zu sein
11:12:30 Aufträge werden kodiert
11:12:30 Nachricht senden
11:12:30 Verwende GnuTLS Default Ciphers.
11:12:30 TLS: SSL-Ciphers ausgehandelt: TLS1.3:ECDHE-RSA-AES-256-GCM:AEAD
11:12:30 Nachricht gesendet
11:12:30 Auf Antwort warten
11:12:30 Antwort erhalten
11:12:30 HBCI: 3060 - Bitte beachten Sie die enthaltenen Warnungen/Hinweise. (M)
11:12:30 HBCI: 3050 - UPD nicht mehr aktuell, aktuelle Version enthalten. (S)
11:12:30 HBCI: 3050 - BPD nicht mehr aktuell, aktuelle Version enthalten. (S)
11:12:30 HBCI: 3920 - Zugelassene Zwei-Schritt-Verfahren für den Benutzer. (S)
11:12:30 HBCI: 0020 - Der Auftrag wurde ausgeführt. (S)
11:12:30 Die TAN "123465" wurde benutzt, Sie können sie streichen.
11:12:30 Dialog wurde nicht abgebrochen, PIN scheint gültig zu sein
11:12:30 Beende Dialog mit dem Server
11:12:30 Aufträge werden kodiert
11:12:30 Nachricht senden
11:12:30 Verwende GnuTLS Default Ciphers.
11:12:30 TLS: SSL-Ciphers ausgehandelt: TLS1.3:ECDHE-RSA-AES-256-GCM:AEAD
11:12:30 Nachricht gesendet
11:12:30 Aufträge gesendet
11:12:30 Auf Antwort warten
11:12:30 Antwort erhalten
11:12:30 HBCI: 0010 - Nachricht entgegengenommen. (M)
11:12:30 HBCI: 0100 - Dialog beendet. (M)
11:12:30 Dialog wurde nicht abgebrochen, PIN scheint gültig zu sein
11:12:30 AqHBCI abgeschlossen.
11:12:30 Vorgang abgeschlossen, Sie können das Fenster nun schließen.

[stevstrong]

Hi there,

I am facing the same issue as the OP with DKB, tried the same script on trouble page.
I made some more research on this and I think something is wrong in the lib on getting the TAN medium procedure.

I printed out the fetched TAN mechanism in line 312:

python-fints/fints/utils.py

Lines 309 to 311 in 9e80e6b

	if not client.get_current_tan_mechanism():
	client.fetch_tan_mechanisms()
	mechanisms = list(client.get_tan_mechanisms().items())

and got this info:
[('921', fints.formals.TwoStepParameters6(security_function='921', tan_process='2', tech_id='TAN2go', zka_id=None, zka_version=None, name='TAN2go', max_length_input=6, allowed_format=fints.formals.AllowedFormat.NUMERIC, text_return_value='TAN-Nummer', max_length_return_value=3, multiple_tans_allowed=True, tan_time_dialog_association=fints.formals.TANTimeDialogAssociation.ALLOWED, cancel_allowed=False, sms_charge_account_required=fints.formals.SMSChargeAccountRequired.MUST_NOT, principal_account_required=fints.formals.PrincipalAccountRequired.MUST_NOT, challenge_class_required=False, challenge_structured=False, initialization_mode=fints.formals.InitializationMode.CLEARTEXT_PIN_NO_TAN, description_required=fints.formals.DescriptionRequired.MUST, response_hhd_uc_required=False, supported_media_number=2))]

I could identify that there is only one current mechanism '921' which is Tan2Go, having tan_proccess='2'.

Then I get the debug printout corresponding to fints/utils.py#L320 with the following message including the HKTAN6 segment:

We need the name of the TAN medium, let's fetch them from the bank

DEBUG:fints.connection:Sending >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
        fints.message.FinTSCustomerMessage([
            fints.segments.message.HNHBK3( # Nachrichtenkopf
                header = fints.formals.SegmentHeader('HNHBK', 1, 3), # Segmentkopf
                message_size = 494, # Größe der Nachricht (nach Verschlüsselung und Komprimierung)
                hbci_version = 300, # HBCI-Version
                dialog_id = '0', # Dialog-ID
                message_number = 1, # Nachrichtennummer
            ),
[...]
                        fints.segments.auth.HKTAN6( # Zwei-Schritt-TAN-Einreichung, version 6
                            header = fints.formals.SegmentHeader('HKTAN', 5, 6), # Segmentkopf
                            tan_process = '4', # TAN-Prozess
                            segment_type = 'HKIDN', # Segmentkennung
                            parameter_challenge_class = fints.formals.ParameterChallengeClass( # Parameter Challenge-Klasse
                                    parameters = [
                                            None,
                                            # 8 empty items skipped
                                        ],
                                ),
                            tan_medium_name = 'DUMMY', # Bezeichnung des TAN-Mediums
                        ),

Obviously, there is the wrong tan_process requested ('4') instead of '2' which is stated in the printed mechanism.

The corresponding reply:

[...]
                        fints.segments.dialog.HIRMG2( # Rückmeldungen zur Gesamtnachricht
                            header = fints.formals.SegmentHeader('HIRMG', 3, 2), # Segmentkopf
                            responses = [ # Rückmeldung
                                        fints.formals.Response( # Rückmeldung
                                            code = '9050',
                                            reference_element = None,
                                            text = 'Die Nachricht enthält Fehler.',
                                        ),
                                        fints.formals.Response( # Rückmeldung
                                            code = '3905',
                                            reference_element = None,
                                            text = 'Es wurde keine Challenge erzeugt.',
                                        ),
                                        fints.formals.Response( # Rückmeldung
                                            code = '9800',
                                            reference_element = None,
                                            text = 'Dialog abgebrochen',
                                        ),
                                ],
                        ),
                        fints.segments.dialog.HIRMS2( # Rückmeldungen zu Segmenten
                            header = fints.formals.SegmentHeader('HIRMS', 4, 2, 4), # Segmentkopf
                            responses = [ # Rückmeldung
                                        fints.formals.Response( # Rückmeldung
                                            code = '3920',
                                            reference_element = None,
                                            text = 'Zugelassene Zwei-Schritt-Verfahren für den Benutzer.',
                                            parameters = [
                                                    '921',
                                                ],
                                        ),
                                        fints.formals.Response( # Rückmeldung
                                            code = '9955',
                                            reference_element = None,
                                            text = 'Auftrag nicht ausgeführt - Die Gerätebezeichnung ist unbekannt. (MBV07390100255)',
                                        ),
                                ],
                        ),
[...]

Here, the reply has errors (9050, 9800,9955) which are simply ignored by the lib!

Next, the debug message indicates sending another message right after this one:
NOTE:
There is no DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): banking-dkb.s-fints-pt-dkb.de:443 message between receiving the reply and sending the next message!

[...]
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

DEBUG:fints.connection:Sending >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
        fints.message.FinTSCustomerMessage([
            fints.segments.message.HNHBK3( # Nachrichtenkopf
                header = fints.formals.SegmentHeader('HNHBK', 1, 3), # Segmentkopf
                message_size = 390, # Größe der Nachricht (nach Verschlüsselung und Komprimierung)
                hbci_version = 300, # HBCI-Version
                dialog_id = '219139696033=178479258792BLDS=', # Dialog-ID
                message_number = 2, # Nachrichtennummer
            ),
...
                        fints.segments.auth.HKTAB4( # TAN-Generator/Liste anzeigen Bestand, version 4
                            header = fints.formals.SegmentHeader('HKTAB', 3, 4), # Segmentkopf
                            tan_media_type = fints.formals.TANMediaType2.ALL, # TAN-Medium-Art: Alle
                            tan_media_class = fints.formals.TANMediaClass3.ALL, # TAN-Medium-Klasse: Alle Medien
                        ),
                        fints.segments.message.HNSHA2( # Signaturabschluss, version 2
                            header = fints.formals.SegmentHeader('HNSHA', 4, 2), # Segmentkopf
                            security_reference = '8045870', # Sicherheitskontrollreferenz
                            user_defined_signature = fints.formals.UserDefinedSignature( # Benutzerdefinierte Signatur
                                    pin = '***',
                                ),
                        ),
[...]

to which comes the reply:

[...]
                        fints.segments.dialog.HIRMG2( # Rückmeldungen zur Gesamtnachricht
                            header = fints.formals.SegmentHeader('HIRMG', 3, 2), # Segmentkopf
                            responses = [ # Rückmeldung
                                        fints.formals.Response( # Rückmeldung
                                            code = '9050',
                                            reference_element = None,
                                            text = 'Die Nachricht enthält Fehler.',
                                        ),
                                        fints.formals.Response( # Rückmeldung
                                            code = '9800',
                                            reference_element = None,
                                            text = 'Dialog abgebrochen',
                                        ),
                                        fints.formals.Response( # Rückmeldung
                                            code = '9010',
                                            reference_element = None,
                                            text = 'Die angegebene Bankreferenz/Dialog-ID ist nicht gültig.',
                                        ),
                                ],
                        ),
                        fints.segments.dialog.HIRMS2( # Rückmeldungen zu Segmenten
                            header = fints.formals.SegmentHeader('HIRMS', 4, 2, 3), # Segmentkopf
                            responses = [ # Rückmeldung
                                        fints.formals.Response( # Rückmeldung
                                            code = '9010',
                                            reference_element = None,
                                            text = 'Auftrag wegen genereller Fehler in Auftragsnachricht nicht verarbeitet.',
                                        ),
                                ],
                        ),
[...]
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

ERROR:fints.client:Dialog response: 9050 - Die Nachricht enthält Fehler.
ERROR:fints.client:Dialog response: 9800 - Dialog abgebrochen
ERROR:fints.client:Dialog response: 9010 - Die angegebene Bankreferenz/Dialog-ID ist nicht gültig.

These errors are now detected by the lib but I think the final errors are just a consequence of the previous ones which were disregarded:

• I think the last message should have had dialog_id = 0 (because of the previous errors the previous dialog was considered to be ended by DKB server, so that a new one with id 0 is expected)
• the leading message with dialog_id 0 should have the right tan_process.

Can anyone acknowledge that my observations are right?
Otherwise what else can be the problem here?

[raphaelm]

Can anyone acknowledge that my observations are right?

No, at least your second observation is wrong.

If tan_process=2 is wanted, it is correct that the client replies with tan_process=4. If you want to read up on that, here's the relevant spec:
https://www.hbci-zka.de/dokumente/spezifikation_deutsch/fintsv3/FinTS_3.0_Security_Sicherheitsverfahren_PINTAN_2020-07-10_final_version.pdf

You'll want to first read chapter B.4.2 "Abläufe bei Prozessveriante 2" starting on page 29.

For the first observation, without having looked into it in detail, it indeed looks like a bug that the 9050 response code does not result in a Python exception.

Otherwise what else can be the problem here?

No idea. It's interesting that get_sepa_accounts seems to be a problem, which usually is one of the more straight-forward calls. Maybe something is wrong with our HKSPA1 implementation, or maybe with DKB's. Maybe they want 2FA for HKSPA1? Would be weird. No idea, and no fun to debug since I don't have a DKB account ;)

[raphaelm]

I see a few people have tried gnucash/aqbanking, has anyone tried hibiscus/hbci4java? In hibiscus, it's possible to pull a trace of the raw HBCI communication, so if hibiscus works, one (probably not me) could start a message-by-message comparison with our output to try to figure out the difference.

[stevstrong]

For the first observation, without having looked into it in detail, it indeed looks like a bug that the 9050 response code does not result in a Python exception.

@raphaelm , thanks for acknowledging at least that there is something wrong because of failed parsing the errors from the reply.
I think, it should be easy to debug / check under which circumstances can this happen.
This is important because it could avoid consequent misleading errors.
I could myself dig deeper if you could tell me some references which file/module/function(s)/parameters should I look into/at.
Meanwhile I am reading the passage from the doc you mentioned.

It's interesting that get_sepa_accounts seems to be a problem, which usually is one of the more straight-forward calls.

I did not even reach that function and had already an exception ;)

[stevstrong]

I could now break down the issue to the following call stack:

python-fints/fints/utils.py

Line 321 in 9e80e6b

m = client.get_tan_media()

python-fints/fints/client.py

Line 1360 in 9e80e6b

with context as dialog:

python-fints/fints/dialog.py

Lines 34 to 37 in 9e80e6b

	def __enter__(self):
	if self._context_count == 0:
	if not self.lazy_init:
	self.init()

python-fints/fints/dialog.py

Lines 47 to 85 in 9e80e6b

	def init(self, *extra_segments):
	if self.paused:
	raise FinTSDialogStateError("Cannot init() a paused dialog")
	from fints.client import FinTSClientMode, NeedTANResponse
	if self.client.mode == FinTSClientMode.OFFLINE:
	raise FinTSDialogOfflineError("Cannot open a dialog with mode=FinTSClientMode.OFFLINE. "
	"This is a control flow error, no online functionality "
	"should have been attempted with this FinTSClient object.")
	if self.need_init and not self.open:
	segments = [
	HKIDN2(
	self.client.bank_identifier,
	self.client.customer_id,
	self.client.system_id,
	SystemIDStatus.ID_NECESSARY if self.client.customer_id != CUSTOMER_ID_ANONYMOUS else SystemIDStatus.ID_UNNECESSARY
	),
	HKVVB3(
	self.client.bpd_version,
	self.client.upd_version,
	Language2.DE,
	self.client.product_name,
	self.client.product_version
	),
	]
	if self.client.mode == FinTSClientMode.INTERACTIVE and self.client.get_tan_mechanisms():
	tan_seg = self.client._get_tan_segment(segments[0], '4')
	segments.append(tan_seg)
	else:
	tan_seg = None
	for s in extra_segments:
	segments.append(s)
	try:
	self.open = True
	retval = self.send(*segments, internal_send=True)

python-fints/fints/dialog.py

Lines 115 to 158 in 9e80e6b

	def send(self, *segments, **kwargs):
	internal_send = kwargs.pop('internal_send', False)
	if self.paused:
	raise FinTSDialogStateError("Cannot send() on a paused dialog")
	if not self.open:
	if self.lazy_init and self.need_init:
	self.init()
	if not self.open:
	raise FinTSDialogStateError("Cannot send on dialog that is not open")
	message = self.new_customer_message()
	for s in segments:
	message += s
	self.finish_message(message)
	assert message.segments[0].message_number == self.next_message_number[message.DIRECTION]
	self.messages[message.DIRECTION][message.segments[0].message_number] = message
	self.next_message_number[message.DIRECTION] += 1
	response = self.client.connection.send(message)
	# assert response.segments[0].message_number == self.next_message_number[response.DIRECTION]
	# FIXME Better handling of HKEND in exception case
	self.messages[response.DIRECTION][response.segments[0].message_number] = response
	self.next_message_number[response.DIRECTION] += 1
	if self.enc_mechanism:
	self.enc_mechanism.decrypt(message)
	for auth_mech in self.auth_mechanisms:
	auth_mech.verify(message)
	if self.dialog_id == DIALOG_ID_UNASSIGNED:
	seg = response.find_segment_first(HNHBK3)
	if not seg:
	raise FinTSDialogError('Could not find dialog_id')
	self.dialog_id = seg.dialog_id
	self.client.process_response_message(self, response, internal_send=internal_send)
	return response

In the dialog.send() function:

• no callbacks passed to connection.send() function (line 137),
• due to internal_send = true the error messages are not logged in client.process_response_message()
• the errors 9050, 9800 are not handled in client._process_response() (line 1266 in client.py)

That is why the lib just disregards the errors and goes further causing further subsequent errors.

I have seen in line 140:

        # FIXME Better handling of HKEND in exception case

which indicates that the problem was recognized and I assume that a solution has to be implemented.

How could a solution to parse the errors occurred in this phase look like?
Of course, this would not solve the final problem with DKB having issue with TAN-process=4 and DUMMY as device description, but at least it will stop at the first error and not cause subsequent errors.

[marsp61]

Sinece approx. 2 Month dkb tan2go doesn't work. The app just opens for less than a second before it closes again. Do not receive any TAN's from this app.

[JHthe4]

Hi,

just wanted to give a quick update since I dug into this issue and was able to find the root of the problem: Apparently, when you try to sign in via FinTS for the first time, it requires a TAN from Tan2Go (TAN mechanism 921). However, it requires the passing of the identifier of the TAN device, which is always passed as "DUMMY".

Using my IDE, I went into the implementation of the library and literally made a single change, adding the identifier of my TAN2Go device in the selected_tan_medium field below. The device identifier can be obtained from the TAN2Go app, under the menu item "TAN2go-Verbindungen".

class FinTS3PinTanClient(FinTS3Client):

    def __init__(self, bank_identifier, user_id, pin, server, customer_id=None, *args, **kwargs):
        self.pin = Password(pin) if pin is not None else pin
        self._pending_tan = None
        self.connection = FinTSHTTPSConnection(server)
        self.allowed_security_functions = []
        self.selected_security_function = None
        self.selected_tan_medium = None #made the change here to a String: "<<my identifier>>"
        self._bootstrap_mode = True
        super().__init__(bank_identifier=bank_identifier, user_id=user_id, customer_id=customer_id, *args, **kwargs)

This is the line in question.

After this simple change, the troubleshooting script from the website worked perfectly. In my opinion, this should be handled in the init phase. Maybe the constructor should just be expanded with an optional parameter to allow for setting the TAN medium. This is not the most smooth solution, but it would help to circumvent this bug at least a little. I've created a pull request for this under #146 which can hotfix the issue until we implement a better solution.

[LGro]

Maybe the constructor should just be expanded with an optional parameter to allow for setting the TAN medium.

Just for the record, even without the proposed change to the constructor one can set the selected_tan_medium from the call context instead of adjusting the python-fints source:

f = FinTS3PinTanClient(...)
f.selected_tan_medium = "pushtan"

Thanks for the hint of how to figure out which tan medium is appropriate from the app, btw ☺️