Webtop ver 5.4.1 - Setup of Google 2FA fails

markareait · 2018-11-07 18:53:32 UTC

Is anyone else been having issues with setup of Google OTP security? I have tested with a few user accounts with the same result. I receive at stage 3 of 4 in the OTP setup “Error in ManageOTP”

Notes -
Webtop ver 5.4.1
Email OTP is working fine.
I have checked the system time is correct.

Thank you in advance for any help…

webtop.log of the error:

2018-11-08 05:11:57 [ERROR] com.sonicle.webtop.core.Service - Error in ManageOTP
com.sonicle.webtop.core.sdk.WTException: Invalid code
at com.sonicle.webtop.core.Service.processManageOTP(Service.java:1137)
at sun.reflect.GeneratedMethodAccessor286.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.sonicle.webtop.core.app.servlet.BaseRequest.invokeMethod(BaseRequest.java:109)
at com.sonicle.webtop.core.app.servlet.PrivateRequest.processRequest(PrivateRequest.java:85)
at com.sonicle.webtop.core.app.servlet.PrivateRequest.doPost(PrivateRequest.java:116)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
at com.sonicle.webtop.core.app.shiro.filter.GZip.doFilterInternal(GZip.java:60)
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:683)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1770)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1729)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)

m.traeumner · 2018-11-08 11:42:44 UTC

@webtop_team @support_team Can somebody help here?

mrmarkuz · 2018-11-08 14:14:20 UTC

I tried to reproduce but it’s working. I used Google Authenticator on an Android mobile device.

I saw the code changes after webmin user/password login so maybe you were too fast with entering and entered a wrong one?

My webtop config to compare, maybe the error is about DefaultTimezone? EDIT: no, it’s not, I changed the timezone and it still works.

[root@server2 ~]# config show webtop
webtop=configuration
    ActiveSync=disabled
    ActiveSyncLog=LOGLEVEL_ERROR
    DavServerLog=ERROR
    DavServerUrl=
    Debug=false
    DefaultLocale=en_US
    DefaultTimezone=Etc/UTC
    DefaultToolbarIconsSize=medium
    MaxMemory=1024
    MinMemory=512
    PbxProvider=
    PbxProviderNethvoiceWebrestUrl=
    PublicUrl=
    RemoteCalendarAutosync=enabled
    RemoteCalendarAutosyncOnlywhenonline=disabled
    RemoteCategoryAutosync=enabled
    RemoteCategoryAutosyncOnlywhenonline=disabled
    SmtpAuth=disabled
    SmtpStarttls=disabled

lucag · 2018-11-08 14:56:37 UTC

Also I’ve just tried to replicate the problem but 2-factor authentication is working with Google Auth

transocean · 2018-11-08 14:59:54 UTC

Here also. No problems via email and google auth.

Regards

Uwe

giacomo · 2018-11-08 15:11:35 UTC

Please make sure your server has correct date and time, since 2FA uses also time synchronization to validate the token.

markareait · 2018-11-08 22:42:12 UTC

I suspected I might have a local issue.

RE “I saw the code changes after webmin user/password login so maybe you were too fast with entering and entered a wrong one?” I suspected the same as well, so before I posted I had tried grabbing the very first code and then then secondary codes…

My Config is the same as yours and I have been testing with Android here as well with a few different software packages.

I think my next step I would like to try is to default Webtop, I have been looking for documentation to do this but I have been unable to find any so far, do you know if there is any documentation on how to backup Webtop, default Webtop and do a Webtop restore?

Thanks Markus

markareait · 2018-11-08 22:45:43 UTC

Thank you for confirming.

I think my next step I would like to try is to default Webtop, I have been looking for documentation to do this but I have been unable to find any so far, do you know if there is any documentation on how to backup Webtop, default Webtop and do a Webtop restore?

Thank you Luca

markareait · 2018-11-08 22:46:02 UTC

Thank you for confirming.

I think my next step I would like to try is to default Webtop, I have been looking for documentation to do this but I have been unable to find any so far, do you know if there is any documentation on how to backup Webtop, default Webtop and do a Webtop restore?

Thank you Uwe

markareait · 2018-11-08 22:52:29 UTC

I have checked the Server time and is correct with our time zone.

I think my next step I would like to try is to default Webtop, I have been looking for documentation to do this but I have been unable to find any so far, do you know if there is any documentation on how to backup Webtop, default Webtop and do a Webtop restore?

Thank you Giacome

giacomo · 2018-11-09 08:02:24 UTC

There is no specific documentation about webtop backup and restore, you need to do a full backup/restore.
Otherwise you should take a look at the code. I can’t tell myself what are all the needed steps without digging a bit, but the procedure should be something like:

execute pre-backup-data action for webtop
stop the tomcat instance, destroy the database
restore the database
restart the tomcat instance

gabriele_bulfon · 2018-11-09 17:52:34 UTC

backup and restore of the database is ok, you may also want to backup all folders under the webtop home (where mailcards and cloud files are stored, can’t remember now where it is in NS7, it’s specified in settings).

lucag · 2018-11-10 08:48:46 UTC

The path where all other data on Nethserver is saved is this:

/var/lib/nethserver/webtop/domains/NethServer/

markareait · 2018-11-15 02:49:30 UTC

Hi all,

An update,

I ran up a new Neth server - Setup new VM > completed new clean install of Neth > updated Neth > Installed Webtop (and some other packages) > Setup Active Directory > Setup User Account > Setup OTP > Google Authenticator

Time on Neth is correct. We are in Sydney Time Zone which has Daylight savings at the moment. Maybe an issue?

Received the same error.

2018-11-15 13:38:36 [ERROR] com.sonicle.webtop.core.Service - Error in ManageOTP
com.sonicle.webtop.core.sdk.WTException: Invalid code
at com.sonicle.webtop.core.Service.processManageOTP(Service.java:1137)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.sonicle.webtop.core.app.servlet.BaseRequest.invokeMethod(BaseRequest.java:109)
at com.sonicle.webtop.core.app.servlet.PrivateRequest.processRequest(PrivateRequest.java:85)
at com.sonicle.webtop.core.app.servlet.PrivateRequest.doPost(PrivateRequest.java:116)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
at com.sonicle.webtop.core.app.shiro.filter.GZip.doFilterInternal(GZip.java:60)
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:683)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1770)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1729)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)

giacomo · 2018-11-16 08:52:46 UTC

@webtop_team could you try to reproduce it using Sydney time zone?

Amygos · 2018-11-16 10:01:09 UTC

I have try to reproduce the issue with following steps from a fresh Netserver installation:

System Update
From Date and Time, set time zone to Sydney
Install Webtop5 from Software center
Setup local Active Directory as accounts provider
Create a test user
Login on webtop as test user
Follow the instruction for setup Google 2FA http://docs.nethserver.org/en/v7/webtop5.html#two-factor-authentication-2fa
Logout and login

The Google 2FA seem to work.

markareait · 2018-11-18 02:04:52 UTC

Thank you Giacomo and Matteo for helping me isolate the issue,

I have isolated the issue to the phones I was testing with.

We have network time “Automatic date and time” turned off living near to another time zone the phones would change by an hour depending on which cell tower the phone is connected to, so we have manual time set.

When I turned on the “Automatic date and time” there was no more errors. Please note the time was only out by seconds not minutes.

Anyway I hope this helps if anyone else finds the same error.