Error when switching from DUO to TOTP authentication
We had a valid instance of DUO setup and functioning properly on our Cerberus instance encompassing some of our AD users. A decision was made to turn off DUO and instead use TOTP for MFA. I went into the DUO configuration screen and unchecked the "Enable DUO 2FA Integration" button and then updated. All good. Then I tried to log in with an account that was part of the now disabled DUO MFA. My expectation was that it would initiate the TOTP setup process but instead I got an error message saying "It looks like you have DUO 2-factor authentication enabled on your account, but there's a problem with your server's DUO configuration. Please contact your administrator for assistance." That's not true.
What I did to fix was to go into the AD domain setup that this user authenticates through, chose the user MFA settings, clicked the dropdown and located the ID in the list and chose that ID and then clicked the "disable 2FA" button and saved. Then I attempted to login again with that ID and this time it started the TOTP setup process. Once that was complete it seems to be working correctly.
So there seems to be a failure to validate whether DUO is enabled (still the MFA tool of choice) or not once an MFA enabled ID has successfully authenticated using DUO.
-
Hello, William.
I think what you are seeing is the correct behavior. I'm going to reach out to our internal teams for additional feedback on this.
We will get back to you ASAP.
-
Hi, William.
Switching between the two modes is a situation that we haven't accounted for when we added support for DUO.
The current workaround as you described is to disable 2FA for each user. However, if you have a large amount of users, updating each one could take a while.
My suggestion if necessary is to update the "user custom settings" XML file directly. (C:\ProgramData\Cerberus LLC\Cerberus FTP Server)
Before making any changes, you should shut down the Cerberus service, and I would also back this file up before making any changes.
The "user custom settings.xml" file will allow you to manually set the multifactor authentication settings.
For example, this was the original XML for a user configured with DUO:
<ns1:multiFactor type="duoWeb" status="enabled">
<ns1:value format="none" prot="none" key=""></ns1:value>
</ns1:multiFactor>
This is the new XML when disabled by updating status to be "disabled":
<ns1:multiFactor type="duoWeb" status="disabled">
<ns1:value format="none" prot="none" key=""></ns1:value>
</ns1:multiFactor>
After restarting the service, and assuming that the user is required to have 2FA for HTTP/S, the next time they attempt to log in, they will be prompted to set up 2FA with TOTP.
I don't have a timeline at moment as this will require some heavy lifting on the back end but we will address this in a future release.
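As an added example (not Cerberus code and not from anyone in this thread), a small script that applies the status flip described above to every DUO user in the settings file at once, taking a backup first. It assumes each user's entry looks like the multiFactor fragment quoted above; the root element, namespace URI and user names in the embedded sample are constructed placeholders, and the real file path under C:\ProgramData\Cerberus LLC\Cerberus FTP Server is passed in by the caller.

```python
import re
import shutil
import xml.etree.ElementTree as ET
from datetime import datetime
from pathlib import Path

# Opening tag of a multiFactor element, with or without a namespace prefix.
_MF_TAG = re.compile(r"<((?:[\w.-]+:)?multiFactor)\b([^>]*)>")
_ATTR = r'\b{name}\s*=\s*"{value}"'

def disable_duo(xml_text: str) -> tuple[str, int]:
    """Return (rewritten XML, entries flipped). Edits the raw text so the vendor
    file keeps its prefixes, attribute order and whitespace; only
    status="enabled" on type="duoWeb" entries is changed to "disabled"."""
    flipped = 0
    def flip(m: re.Match) -> str:
        nonlocal flipped
        tag, attrs = m.group(1), m.group(2)
        if not re.search(_ATTR.format(name="type", value="duoWeb"), attrs):
            return m.group(0)  # not a DUO entry: leave untouched
        attrs, n = re.subn(_ATTR.format(name="status", value="enabled"),
                           'status="disabled"', attrs, count=1)
        flipped += n
        return f"<{tag}{attrs}>"
    result = _MF_TAG.sub(flip, xml_text)
    if flipped:  # refuse to hand back a file the server could not parse
        try:
            ET.fromstring(result)
        except ET.ParseError as exc:
            raise ValueError(f"rewritten XML is not well-formed: {exc}") from exc
    return result, flipped

def disable_duo_file(path: Path) -> int:
    """Back the file up beside itself, then rewrite it in place (service stopped)."""
    backup = path.with_name(f"{path.name}.{datetime.now():%Y%m%d%H%M%S}.bak")
    shutil.copy2(path, backup)
    new_text, flipped = disable_duo(path.read_text(encoding="utf-8"))
    if flipped:
        path.write_text(new_text, encoding="utf-8")
    return flipped

# Constructed sample: root element and namespace URI are placeholders; the
# multiFactor entries mirror the fragments quoted in the thread.
SAMPLE = """<ns1:users xmlns:ns1="urn:placeholder:user-custom-settings">
  <ns1:user name="alice"><ns1:multiFactor type="duoWeb" status="enabled">
    <ns1:value format="none" prot="none" key=""></ns1:value></ns1:multiFactor></ns1:user>
  <ns1:user name="bob"><ns1:multiFactor status="enabled" type="duoWeb">
    <ns1:value format="none" prot="none" key=""></ns1:value></ns1:multiFactor></ns1:user>
  <ns1:user name="carol"><ns1:multiFactor type="duoWeb" status="disabled">
    <ns1:value format="none" prot="none" key=""></ns1:value></ns1:multiFactor></ns1:user>
</ns1:users>"""
```

Run it as `disable_duo_file(Path(r"C:\ProgramData\Cerberus LLC\Cerberus FTP Server\<settings file>"))` with the service stopped; the returned count tells you how many users were switched and the `.bak` copy lets you roll back.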
-
I realize this is an old post but it's top in the search results. In v.2024.2, I tried to switch from TOTP to DUO and it fails to work. This truly seems to be a bug. I have tried everything that I could find including adding the DUO intermediate cert to the server, restarting the Cerberus service after changes, manually editing user_custom_settings_5.0.xml and creating new user accounts.
Everything seems to work until I get a "code did not match" error.
To reproduce the error above, 1) I tick the box to use DUO in the admin. It doesn't matter if I disable 2FA, per user account, before or after, nor does it matter if I restart the Cerberus service. I get the same results. 2) From a PC, I log in to the Cerberus user account and disable 2FA and then re-enable it and log in. I get the DUO push notification on my phone, I select allow and then I get the DUO success message on the PC as depicted below:
I still get logged into the account but like I said, I get that error depicted in the first image above.
This is what I see in the admin and in the client:
This is what's in user_custom_settings_5.0.xml for 2FA for the user with DUO enabled in the admin and after I attempt to login as a user:
I have tried changing the status to enabled but it doesn't seem to have any effect even if I make the change with the Cerberus service stopped.
Can you folks in Cerberus Support reproduce this issue with v.2024.2?
-
Hello Jeff,
I've gone ahead and created a support ticket regarding your request, as this may be something we need to investigate and communicate directly with you to resolve. We'll pick up communication there, and our team will begin taking a look into this.