Redmine

There are many things that might go wrong here. The most common issues are:

• The user's device (which generates the 2FA codes) is running with an inaccurate clock (e.g. wrong time or wrong timezone on the device)
• The server running Redmine has an inaccurate clock (e.g. wrong time or wrong timezone on the server). Check that the time printed when running the date command on your server returns the correct wall clock time for the selected timezone.
• The user tries to re-use codes. Redmine remembers the last used code for a user so that it can't be re-used. Once a code was successfully used, the user has to wait for a new code to be generated before they can use it.

Is your user stuck on setting up their device or have they already managed that (and thus have entered a valid code at least once)?

Can anyone help with this - anyone else have this? How do I diagnose what's wrong with this one user? Where do I go with logs to see what's wrong?

As for diagnosing it, unfortunately, there is not much to diagnose here. The 2FA mechanism works by using a shared secret between the server and the client device (which is initially transferred with the QR code or secret code string when setting up). Both the server and the client then generate a new code based on the secret and the current time. On the server, Redmine just compares if the code received from the client matches the code it has generated on its own based again in the secret and the server's time. If the codes don't match, the error your user sees is returned.

(And you should definitely update your Redmine. There were multiple security fixes since Redmine 5.0.1. The current 5.0.x version is 5.0.7)

Thanks for the prompt reply Holger.

The user - like all our users - are working off a domain-joined virtual desktop, so all the users have the exact same desktop settings; clock synced with AD. As a test, I even had a shared session with the user onto my desktop, logging into Redmine from my browser; same result. The RedMine server is set to GMT and at least 30 other users have setup 2FA without issue.
They've deleted the DUO application (the RedMine instance within DUO, not the actual app) each time they tried this and tried Google Authenticator too, on two different phones.

The server and desktop times are on the attached image.

We have a test system - a few months old copy of live - and it's the same result for just that one user.

Holger Just wrote in RE: 2FA issues with one user:

(And you should definitely update your Redmine. There were multiple security fixes since Redmine 5.0.1. The current 5.0.x version is 5.0.7)

Cheers, I'll get onto that.

Let me re-iterate my question:

Holger Just wrote in RE: 2FA issues with one user:

Is your user stuck on setting up their device or have they already managed that (and thus have entered a valid code at least once)?

You wrote that the user deleted their 2FA application multiple times. This generally also deleted the shared secret from their end. In order to setup 2FA for the user again, they would have to disable 2FA from their user first (or ask an administrator for that).

In general, it might be a good idea to start anew for the user, i.e. to disable 2FA for them in Redmine and to start anew with registering their 2FA app from scratch.

Holger Just wrote in RE: 2FA issues with one user:

Let me re-iterate my question:

Holger Just wrote in RE: 2FA issues with one user:

Is your user stuck on setting up their device or have they already managed that (and thus have entered a valid code at least once)?

You wrote that the user deleted their 2FA application multiple times. This generally also deleted the shared secret from their end. In order to setup 2FA for the user again, they would have to disable 2FA from their user first (or ask an administrator for that).

In general, it might be a good idea to start anew for the user, i.e. to disable 2FA for them in Redmine and to start anew with registering their 2FA app from scratch.

Sorry Holger, no, they've never managed to setup their device. They scan the QR code, it sets up the 'app' in DUO but when they try complete the process, they get the 'outdated' message.

I don't think I can disable 2FA for just one user, or can I? It's set as Required - what happens if I change that global setting - will all existing users 2FA setup be invalidated?

Any update? My friend also faced this but now everything is solved. Exploring Academized's samples on Capital Budgeting and what is behind this theory was https://academized.com/samples/capital-budgeting-theory-and-practice enlightening. The depth of analysis and clarity of presentation showcased their commitment to academic excellence. It's not just a sample; it's a learning resource. Kudos to Academized for setting the bar high.

FRankr Byrne wrote in RE: 2FA issues with one user:

I don't think I can disable 2FA for just one user, or can I?

As an administrator, you can remove the 2FA pairing for a single user in Administration -> Users -> [User] -> Deactivate (i.e. the Deactivate link at 2FA section there). Afterwards, the user will be prompted to re-pair their 2FA device on their next login. As you have required 2FA, they will not be able to full login until they have successfully paired their 2FA app.

It's set as Required - what happens if I change that global setting - will all existing users 2FA setup be invalidated?

Existing 2FA pairings will still work as before and will be required for the users that have them setup. New users can pair their 2FA apps on their My Account page voluntarily. The only thing that's changing is that users will no longer be strictly required to have an active 2FA paring.

However, if the user never managed to successfully pair their 2FA app, this won't help much though. In that case, unfortunately things may become a bit more complicated. The most likely cause of errors still is a wrong time or timezone on either the server or the client. As things appear to work for other users, it's likely that the timezone settings for the user or their device are broken / inconsistent. Maybe they can try some other device for 2FA pairing, e.g. a mobile phone, or another 2FA app?

OK, an update.

I have RedMine behind a HAProxy load balancer and a 'nice' URL for it, like redmine.company.com

The users - turned out to be two so far - no matter what I did (field updates in the database directly for example) they couldn't properly setup 2FA.

I asked one of them to browse directly to the RedMine server (notsoniceservername.company.com) and strangely, they could setup 2FA.
Even more strangely, when the browsed back to the 'nice' URL, 2FA still worked.

So, as of now, I have all happy users. I just can't explain why this happened for those couple of users.

Thanks for the help and engagement guys!

Thanks for the prompt reply Holger.