Yubikey Enrollment and validation fails

Follow

Version Affected: 9.1 9.2 9.3 19.07

Description:  When attempting to enroll a Yubikey device, the enrollment fails with the error verification failed. 

Error Logs show

LogChannel="SA_ERROR" FormatVersion="0.0.1" EventID="-1" Timestamp="2019-10-17T17:32:52.140Z" CompanyID="" ApplianceID="" Realm="SecureAuth10" UserID="" BrowserSession="3552d30a-0b29-424d-82a0-278dd058cc1b" RequestID="573ecb61-a10b-4680-9569-388e43d97bec" UserHostAddress="10.10.12.79" Message="SecureAuth.Integration.YubiKey.YubiKeyHelper.GetResponse exception: Unable to connect to the remote server"

This problem can also stop previously enrolled devices from successfully working as a MFA method. 

Cause:  

IdP cannot access the Yubico endpoints which are currently 

 "https://api.yubico.com/wsapi/verify?id="
"https://api2.yubico.com/wsapi/verify?id="
"https://api3.yubico.com/wsapi/verify?id="
"https://api4.yubico.com/wsapi/verify?id="
"https://api5.yubico.com/wsapi/verify?id="

Make sure your IdP can reach these endpoints. If it needs to reach them via a Proxy, follow the steps below.

Resolution:  

The Yubikey enrollment and Yubikey MFA validation ignores the realm proxy settings and try to go directly to the Yubico endpoints. In order to force Yubikey to use your proxy settings, please complete the following steps

1. Take a backup of your web.config

2. Open the WebAdmin console in Classic View and navigate to the System Info tab of the realm in question.

3. Click the Decrypt button

4. Edit your Web.config in your favourite text editor

5. Search for

6. Directly below <System.Net>  add the following (I don't recommend copy + paste from here as you might get illegal characters)

<defaultProxy>
      <proxy
        proxyaddress="http://12.34.56.78:8080"
        bypassonlocal="true"
      />

</defaultProxy>

 

 yubiprox.PNG

7. Perform the same on any realm that uses Yubikey for MFA. 

Special Considerations:  It is not possible to directly add credentials to this section. If your Proxy requires authentication, as long as this is set correctly on the System Info tab, you should be fine as you'll already be authenticated to the proxy when the Yubikey uses it. 

 

 

SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.

0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.