Hi Scott,
Spot on!
Unfortunately then this was not an 'after a while' mystery, nor a random error.
The cause is that we implemented some http headers using the TAM_CRED_ATTRS_SVC.
One of these http-headers contains the surname from the inetorgperson and can contain national Swedish characters.
Evidently the national characters are not UTF-8 encoded causing the error.
So any user with one or more national characters in their surname cannot use their totp verification.
There are other http-headers we need to build/extract from the ldap and pass on down the line that can contain Swedish national characters which probably also render this error.
Are you aware of any workaround for this -- we won't survive without national characters.
The (legacy) LDAP server is IBM TDS 6.3 (possibly 6.4) and 'unfortunately' already populated with users/groups etc and also used by other applications in the organization.
many thanks in advance
------------------------------
Anders Domeij
CGI Sweden AB
------------------------------
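A check for the condition described above, added here as an example and not code from the thread or from IBM: it flags LDAP attribute values that are not valid UTF-8 before they are placed in an HTTP header, and transcodes them assuming the legacy directory stores text as ISO-8859-1 (that encoding, and the sample entries, are assumptions).

```python
from typing import Dict, List

# Added example (not from the thread or IBM's code). WebSEAL rejects EAI/credential
# data containing non-UTF-8 bytes, so values pulled from the directory must be
# checked and normalised before they become header values.


def is_valid_utf8(raw: bytes) -> bool:
    """True if the bytes decode cleanly as UTF-8."""
    try:
        raw.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def to_utf8_header_value(raw: bytes, legacy_encoding: str = "iso-8859-1") -> str:
    """Decode as UTF-8 when possible; otherwise assume the legacy encoding.

    The fallback is a heuristic: the directory's real encoding should be
    confirmed rather than guessed, since some legacy byte sequences happen to
    be valid UTF-8 and would pass through unchanged.
    """
    if is_valid_utf8(raw):
        return raw.decode("utf-8")
    return raw.decode(legacy_encoding)


def audit_attributes(entry: Dict[str, bytes]) -> List[str]:
    """Return the names of attributes whose raw bytes are not valid UTF-8."""
    return [name for name, raw in entry.items() if not is_valid_utf8(raw)]


# Constructed sample entries: one surname stored as ISO-8859-1 ('ö' = 0xF6),
# one already stored as UTF-8 ('Å' = 0xC3 0x85, 'ö' = 0xC3 0xB6).
SAMPLE_ENTRIES = {
    "user1": {"cn": b"Anders", "sn": b"Sj\xf6berg"},
    "user2": {"cn": b"Karin", "sn": "Åström".encode("utf-8")},
}

if __name__ == "__main__":
    for uid, entry in SAMPLE_ENTRIES.items():
        print(uid, "non-UTF-8 attributes:", audit_attributes(entry))
        for name, raw in entry.items():
            print("  ", name, "->", to_utf8_header_value(raw))
```

Running the audit over every attribute that feeds a header shows which users would trigger the DPWWA2077E rejection before they hit the TOTP page.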
Original Message:
Sent: Mon November 09, 2020 03:28 PM
From: Scott Exton
Subject: TOTP failure (after a while)
Anders,
You will get this error message when invalid authentication data is being passed back from AAC to WebSEAL. More than likely this will be caused by non-utf8 encoded characters being passed back from AAC. I would suggest that you raise a support ticket for this and get the support team to investigate further.
Thanks.
Scott A. Exton
Senior Software Engineer
Chief Programmer - IBM Security Verify Access
IBM Master Inventor
Phone: 61-7-5552-4008 | E-mail: scotte@au1.ibm.com | 1 Corporate Court, Bundall, QLD 4217, Australia
Original Message:
Sent: 11/9/2020 7:28:00 AM
From: Anders Domeij
Subject: TOTP failure (after a while)
ISVA 10.0 installed from the official Helm repo into a Kubernetes Cluster.
Hi, we have 3 users that have all registered the TOTP QR code to Google Authenticator on their phones.
In the reverse proxy we have protected a (some) junctions with the TOTP mechanism allowing only these 3 users to access the protected content provided they enter the TOTP code.
All this has worked for several weeks, but last week 2 of the 3 users receive this message after entering the PIN code:
Server Error
The Application Gateway could not complete your request due to an unexpected error.
Diagnostic Information
Method: POST
URL: /mga/sps/authsvc?StateId=qUaNDWhWX5rGTlImo5WSYtiH0r8ebl2rBSGi9cajNGzCwLWb1NJaTvaqSoOwOaTo9bH6918fhyjYL0q4wbd5KjjdsarOhjMYwrpKRgo3Nd9Q5rcsZS1NlcaZYZV75SSI
Error Code: 0x38cf081d
Error Text: DPWWA2077E Could not authenticate user. An EAI server returned invalid authentication data.
Solution
Provide your System Administrator with the above information to assist in troubleshooting the problem.
while the 3rd user passes the PIN code page without any issues. The EAI server referenced in the error message I believe is the ISVA internal server; we have no external EAI server configured.
What is the root of this problem? And where should we start looking for clues?
Rgds
------------------------------
Anders Domeij
CGI Sweden AB
------------------------------