IBM Verify

  • 1.  Native ISAM TOTP Not working when SPNEGO Desktop SSO is turned on

    Posted Wed October 17, 2018 04:43 AM
    We're using version 9.0.5 for this and we notice that we're getting a ton of reports from our users getting "FBTOTP330E Unable to locate the HMAC secret key" after entering their OTP. So you'd think from the error that the secret key from the DB somehow got deleted, but no, it's there.

    This happens even when using the default native TOTP mechanism built into AAC: access it through WebSEAL (which has SPNEGO auth turned on), go to the URL, i.e. https://avtseal.adb.org/mga/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:totp, input the OTP and you get the error.

    Now, if you turn off IWA in your browser, do a forms auth instead, go to the same URL, enter TOTP and you get a success!

    Anyone experiencing the same?

    @Jon Harry, any ideas?


    ------------------------------
    Pierre Passin
    ------------------------------


  • 2.  RE: Native ISAM TOTP Not working when SPNEGO Desktop SSO is turned on

    Posted Wed October 17, 2018 06:05 AM
    Hello Pierre,

    As far as I know the lookup for secret key would be based on the UserID.

    My best guess would be that somehow the UserID for the user is different in the credential when authenticating with Kerberos/SPNEGO vs. authenticating with Form-based login.

    Are you able to get a look at the credential in the two cases so you can check for differences?

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: Native ISAM TOTP Not working when SPNEGO Desktop SSO is turned on

    Posted Wed October 17, 2018 11:08 AM
    We got to compare the decoded iv-creds username value in the request from WebSEAL to AAC for forms auth vs. Kerberos auth.

    Forms auth has the full DN while Kerberos only has the CN.

    Is there a way to make WebSEAL send the same when doing Kerberos? @Jon Harry

    ------------------------------
    Pierre Passin
    ------------------------------



  • 4.  RE: Native ISAM TOTP Not working when SPNEGO Desktop SSO is turned on

    Posted Thu October 18, 2018 12:01 AM
    Never mind.

    Forms auth sends to AAC whatever is placed in the form (whether lowercase or all caps). Users type their usernames in lowercase most of the time. The DB has usernames all in lowercase.

    Kerberos, meanwhile, relies on AD's sAMAccountName, which is all upper case, so the DB call fails.

    We'll just adjust our config somewhere.

    Thanks @Jon Harry

    ------------------------------
    Pierre Passin
    ------------------------------



  • 5.  RE: Native ISAM TOTP Not working when SPNEGO Desktop SSO is turned on

    Posted Thu October 18, 2018 02:59 AM
    Edited by Scott Andrews Thu October 18, 2018 03:01 AM
    In webseald.conf (Web Reverse Proxy configuration file) ensure you have a level added for SPNEGO (level = kerberosv5):

    [authentication-levels]
    #----------------------
    # STEP UP
    #----------------------

    # authentication levels
    #
    # Syntax:
    # level = <method-name>
    #
    # Valid method names are:
    # unauthenticated
    # password
    # token-card
    # ssl
    # ext-auth-interface
    # ltpa
    # kerberosv5
    # oauth
    #
    level = unauthenticated
    level = password
    level = kerberosv5
    level = ext-auth-interface


  • 6.  RE: Native ISAM TOTP Not working when SPNEGO Desktop SSO is turned on

    Posted Thu October 18, 2018 03:04 AM
    Hi Pierre,

    Basically the problem is that AAC is case sensitive while WebSEAL doesn't care. So when a user fills in his UID differently while registering TOTP and later while trying to use TOTP, the AAC can't find the user in the database. We solved it by setting a parameter in webseald.conf which forces WebSEAL to use the spelling as it is stored in the LDAP. Can't remember right now but will have a look at our documentation. Actually I'd like to raise a feature request on that since a PMR didn't lead to success, but since it was solved that way I haven't done so yet.

    Best,
    Jens

    ------------------------------
    Jens Petersen
    ------------------------------



  • 7.  RE: Native ISAM TOTP Not working when SPNEGO Desktop SSO is turned on

    Posted Thu October 18, 2018 09:44 PM
    Exactly the issue. As a workaround we just did a trigger on the DB to force it to lowercase, then at the AAC policy level set the userid to lowercase before TOTP gets invoked.

    ------------------------------
    Pierre Passin
    ------------------------------
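
Added example, not code from the thread or from IBM: a Python sketch of the lookup-then-verify path posts 4 and 7 describe, showing the raw credential user name (forms login typed in lowercase vs. an upper-case Kerberos sAMAccountName) missing the stored row, while lowercase/CN canonicalisation of the kind Pierre applied at the AAC policy level finds it. The secret, user names, DN shape, timestamp and the `canonical_user_id`/`authenticate` helpers are constructed assumptions; the TOTP routine follows RFC 6238 with HMAC-SHA1.

```python
import hashlib
import hmac
import struct

# Constructed sample store: the TOTP secret is keyed by the user ID exactly as
# it was typed at registration (lowercase, as post 4 describes). The secret is
# a constructed value, not a real key.
SECRET_STORE = {"ppassin": b"constructed-shared-secret"}

def canonical_user_id(cred_user: str) -> str:
    """Reduce a credential user name to a single store key.

    Assumption: a DN-shaped name (post 3's forms case) is cut down to its CN
    value; everything is then lower-cased so a Kerberos sAMAccountName in
    upper case (post 4) hits the same row as the lowercase registration."""
    name = cred_user.strip()
    if name.lower().startswith("cn="):
        name = name.split(",", 1)[0][3:]
    return name.lower()

def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 (the default algorithm)."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def authenticate(cred_user: str, otp: str, store: dict, timestamp: int,
                 normalize: bool = False) -> str:
    """Look up the secret for the credential's user name and verify the OTP.

    normalize=False uses the raw credential value, the behaviour the thread
    reports; normalize=True applies the lowercase canonicalisation that
    post 7 adopted at the AAC policy level before TOTP is invoked."""
    key = canonical_user_id(cred_user) if normalize else cred_user
    secret = store.get(key)
    if secret is None:
        return "FBTOTP330E Unable to locate the HMAC secret key"
    if not hmac.compare_digest(totp(secret, timestamp), otp):
        return "OTP mismatch"
    return "success"

if __name__ == "__main__":
    now = 1_539_770_580  # constructed fixed timestamp
    code = totp(SECRET_STORE["ppassin"], now)
    for user in ("ppassin", "PPASSIN"):  # forms login vs. Kerberos SPNEGO
        for normalize in (False, True):
            print(f"{user:8} normalize={normalize!s:5} -> "
                  f"{authenticate(user, code, SECRET_STORE, now, normalize)}")
```

Running it prints the FBTOTP330E string only for the upper-case Kerberos name without normalisation; the same user name succeeds once canonicalised.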