Upgrade to 2.2.0.18 about adfsmfa HOT 10 CLOSED

Hi,
I will test today, but no changes with the previous version.
Verify, that the thumprint is OK in the security options.
If you change the security mode RNG-RSA or CUSTOM, All the existing users keys became invalid. each user must rescan the QR-Code with a new Key.
You can revert to RNG and see if your users are loging as well.

Regards

from adfsmfa.

I didn't change the mode, it was on RSA before the upgrade, but will test with RNG to see what happens.

Just a note. The thumbprint looks good, but when I go to security options the "side-bat" is not green. I didn't run Install-MFACertificate after the upgrade, because that will generate a new certificate and make all current keys invalid, right?

from adfsmfa.

Hi,

Have you test before with a "Maximum Key lenght" with 2048 bytes ?
Many of devices cannot scan this huge QR-Code.
In my configuration i am using 1024.
This do change the security level, because all the whole key is checked on validation. but limiting the display size, allow the majority of devices to scan the QR without problems.

So, stay connected, i will test this afternoon.

Thanks very much !

Regards

from adfsmfa.

Yes, we used 2048 before, so didn't change that.
But that is good information. Would you say it is better to go for 1024 for compatibility reasons?

from adfsmfa.

Hi,

Yes, it should be better to use 2048 bytes, but many phones (not the last at 1000$) could not scan the code.
So, if you have'nt recent phones in organization, 1024 should be the best.
But i can ensure you, when verification is made after entering the TOTPCode, we are checking the effective user with the whole Key (2048 sha256).

I check you problem this PM

Regards

from adfsmfa.

Encryption, is always done with all the whole length of key ! aka : 2048 Bytes

Regards

from adfsmfa.

Tested a little bit more with re-register the MFA adapter and generate a new RSA certificate.

It seems like that does not work either when I set Hash Algorithm to SH2A56. Set to SHA1 works fine, but when I set it to SAH256 the verification after scanning the QR code does not pass (I always remove and re-add user after changing Hash Algorithm). Maybe that is related to this issue to?

from adfsmfa.

Hi,

SHA256 hash algo is not supported by the majority of OTP apps. Only Auty app is supporting it.
See discussion : #7

Cdt

from adfsmfa.

Hi, @anorstrom

Yes, It's a bug ! Thank you !

We made a mistake, we have removed iteration in hash mode when validating the QRCode.
So, we have made tests with RNG, RSA and custom with key len of 1024 and 2048 bytes. We also checked with hash mode SHA1 and SHA256.

We push a new install tonight, and source code with other evolutions tomorrow.

Best regards

redhook

from adfsmfa.

Super, thank you!

from adfsmfa.