ZDEW: Creating a MFA enabled ID does not prompt user to configure MFA upon installation of the ID, or prior to first use

[gooseleggs]

Hello

Unable to enroll into MFA as the client thinks it has already and prompts for TOTP code when adding a new identity into ZDEW

Steps to reproduce

1. Install Windows 2.3.1 ZDEW client / or have it installed.
2. Create an identity with MFA required, or add MFA requirement policy to an identity.
3. Import into ZDEW
4. It will display with an Authenticate button (like it has already enrolled).
5. When clicking the button it will prompt for the TOTP code window although never prompted to enroll

Workaround:

1. Revert client back to 2.1.16
2. Now prompts to enroll and works correctly
3. Upgrade client back to 2.3.1

[dovholuknf]

Thanks @gooseleggs, for the steps to reproduce. I'll try to reproduce this tomorrow.

[dovholuknf]

can you expand on exactly what this means:

Create an identity with MFA required, or add MFA requirement policy to an identity.

I tried this but cannot reproduce. Here's a small gif demonstration:

Here are the exact ziti CLI commands I ran from powershell. I used ziti edge quickstart to make a ziti instance that is fresh and clean and then ran invoke-webrequest (iwr) to pull down the version json from the controller. I ran the commands quickly to keep the gif size as small as i could:

# in the top window
ziti edge quickstart 

# ---- divider ----

ziti edge login -u admin -p admin -y

$interceptJson = @{ protocols = @("tcp"); addresses = @("ziti.controller"); portRanges = @( @{low = 1280; high = 1280; } ) } | ConvertTo-Json
ziti edge create config mfatest-intercept.v1 intercept.v1 $interceptJson

$hostJson = @{protocol = "tcp"; address = "localhost"; port = 1280; } | ConvertTo-Json
ziti edge create config mfatest-host.v1 host.v1 $hostJson

ziti edge create service mfatest --configs "mfatest-intercept.v1,mfatest-host.v1" --role-attributes "mfa-needed-services"
ziti edge create service-policy mfatest.bind Bind --service-roles "@mfatest" --identity-roles "@quickstart-router"
ziti edge create service-policy mfatest.dial Dial --posture-check-roles '#mfa-needed' --identity-roles "#mfa-needed-users" --service-roles "#mfa-needed-services"
ziti edge create posture-check mfa mfa-required --role-attributes "mfa-needed"
ziti edge create identity mfatest --role-attributes "mfa-needed-users" -o c:\temp\mfatest.jwt

# if powershell 5:
$PSVersionTable

add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy

(iwr https://ziti.controller:1280).RawContent

# if powershell 6+
(iwr https://ziti.controller:1280 -SkipCertificateCheck).RawContent

[gooseleggs]

Thanks @dovholuknf
Here is a GIF for showing the issue. Hopefully I have captured all the settings that you need. I did think that it could be related to the version of the controller. It is VERY old (v0.28.1). However, a person with mac client had a flawless experience, so I think that rules out the controller?

Note that I did not apply any services to the identity. This does not change the fault, ie even if I associate a service I still get the issue. This has happened on two windows clients.

[dovholuknf]

Thanks. I'll see if I can try to use the zac and an old controller. Is the zac equally as old? Would you be willing to send me one or a few identities which I could test with? Could you capture a feedback zip file and somehow get it to me so I could look at the logs? (Ideally with trace mode enabled)

[dovholuknf]

i ran the ziti-edge-tunnel that comes with ZDEW 2.1.16 and it for me, it has the same behavior as the latest ZDEW does. You were able to get the 2.1.16 version of ZDEW to behave correctly, per your initial post but I could not. Could you perhaps have created the identity with the default or NON-mfa-required auth policy, enrolled it, then updated the identity to use that mfa-enforced policy?

It looks to me that the issue here is that the auth policy as you show ends up getting TOTP as required for secondary auth. That means it's a bit of a chicken/egg issue going on. I personally do think this is a flow we should support though, but I don't know if it's ever actually been used. I see most people using posture checks for TOTP, not as part of the authentication policy, but it makes to me that this flow should be supported.

Can you review my gif and steps and make sure I'm doing it how you're doing it? In it I do the following:

• create the MFA_enforced auth policy
• create an identity 'a' and force it to use the MFA_enforced auth policy
• download the a.jwt
• attempt to enroll a.jwt
• the identity shows up as disabled and the lock icon required and i cannot enable MFA

[dovholuknf]

BTW that's the relatively trivial workaround to this too. Make the identity, enroll it, ensure it has TOTP enabled, THEN move the identity's auth policy to the MFA_enforced policy. But that's a bigger pain on the ziti operator. I'd still like to know if you could reproduce how it worked before though, it feels like this might just be a long-standing bug?

[gooseleggs]

So, I went through all permutations of this.

• MFA Enabled ID imported into 2.3.1 - FAILED - issue as per this issue
• Default ID imported into 2.3.1 - then MFA enabled (without enabling on client first) - FAILED
• Downgrade 2.3.1 client with MFA enabled ID installed - FAILED - same issue
• Create new MFA enabled ID and import into 2.1.16 client - FAILED
• Create new default ID, install into 2.1.16, then change to MFA_ENFORCED - FAILED

Then, as you described - create a default ID - import into client...manually enable MFA, then enable MFA enforcement onto the identity and it works.
Sorry - I had a remote engineer working on the client side, so I ASS-U-ME that this is the action that he took, and he completed that before I forced the MFA capability.

So, I will change the title of this Issue to be reflective of the issue. That is creating a MFA enabled ID does not prompt user to configure MFA upon installation of the ID, or prior to first use".

[dovholuknf]

Thanks for confirming, that makes me feel better in some ways. This appears to be a codepath nobody has excercised until now but it's proving tricky to find and fix. I am hoping to get it sorted soon so that it'll work like the Mac ZDEM does (I DID confirm the ZDEM works properly).

[gooseleggs]

Thanks - Just tried it with my Sons MacBook, and it correct - it works as expected.

[dovholuknf]

I have two pr's up to fix this . one for the UI: #686

and one for ziti-edge-tunnel: openziti/ziti-tunnel-sdk-c#882

I'll try to get a beta build out here tomorrow or monday

[dovholuknf]

The 2.4.0.0 build of the ZDEW should resolve this issue. If you want to automatically upgrade now, you can change over to the beta url. https://get.openziti.io/zdew/beta.json

Alternatively, you can choose to install it manually by downloading from:
https://github.com/openziti/desktop-edge-win/releases/download/2.4.0.0/Ziti.Desktop.Edge.Client-2.4.0.0.exe

Current plan, assuming no big bugs are discovered:

• move 2.4.0.0 from beta to latest in 8 days, at 11:25AM Thursday, July 11th
• move 2.4.0.0 from latest to stable in 21 days at 11:25AM Wednesday, July 24th.