[SOLVED] WebAuthn syncs URLs, cluster-usage not possible

simonostendorf

New Member
Feb 24, 2022
3
0
1
22
Hi there,

I'm new to this forum, so excuse any initial errors.

I have a question / problem with synchronization in a Mail Gateway Cluster:

About my setup:
2x Mail Gateway 7.1-2 with all current updates. Both together in an active-active cluster (LB through MX).

I want to use webauthn as two factor authentication. For this I used the autofill function in gateway 1 in the settings for WebAuthn to enter the URL, the ID and the issuer. Then I added my Yubikey as a second factor. This all works right away, since the correct URL is used here. If I now look at gateway 2, both the URL settings and my Webauthn devices are synchronized there. So if I want to add another WebAuthn device here or want to use the existing one for login, this doesn't work because of the error "SecurityError: The operation is insecure.".
It's also logical, since the URL of gateway 1 is specified in the WebAuthn settings.

Now my question: Is there a fix that the whole thing is not synchronized or do I just have to use TOTP until it is fixed?

Thank you for your answer.

Simon
 
should be possible if both domains are a subdomain of the relying party, e.g. pmg1.example.com and pmg2.example.com should use the relying party 'example.com'
 
should be possible if both domains are a subdomain of the relying party, e.g. pmg1.example.com and pmg2.example.com should use the relying party 'example.com'

Thank you for your quick reply.

Changing the relying party does not fix all errors. But its better now.

The problem is now the origin domain. If I enter example.com there instead of pmg1.example.com I get an error on pmg1 that WebAuthn is not possible with this domain. If I enter pmg1.example.com as the origin domain, then I get an error on PMG2 because the domain of PMG1 is there.

Hope there is also a fix for this error. Thank you
 
ok so thats possible, but not from the gui. you have to delete the 'origin' field and leave it empty (the it will be auto-filled when needed with the configured hostname + search domain)
Code:
pmgsh set /config/tfa/webauthn -delete origin

also note that the 'id' must also the id (same as the rp) so in my previous example 'example.com'
 
  • Like
Reactions: Stoiko Ivanov
ok so thats possible, but not from the gui. you have to delete the 'origin' field and leave it empty (the it will be auto-filled when needed with the configured hostname + search domain)
Code:
pmgsh set /config/tfa/webauthn -delete origin

also note that the 'id' must also the id (same as the rp) so in my previous example 'example.com'

Thank you so much!
Everything works well now.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!