Sophos Connect Provisioning File Userauthentification error

In the Logs i find the folowing Entry for the login. Seems like the provisioning Process does 2 Login´s to different Services

Moin!
We stumbled across this as well. It's actually really straight forward what creates this problem but it's really annoying.

The client performs two logins in a row and if you don't use OTP it works fine. Without OTP enabled the SCC asks for username and password and uses those to log into the VPN portal to download the configuration. Next it installs the configuration and tries to establish the connection with the cached credentials. So the user is asked for credentials once but there are two authentications happening. Try it with a user without OTP and it just works. I assume this is done for convenience so the user doen't have to log in twice in a row.

With OTP however it's a mess. The SCC does not know or care if OTP is enabled for a user on the firewall. So you load the provisioning file and enter username and password followed by the OTP code. If these are correct the configuration is downloaded to the SCC and again the SCC tries to connect with the cached credentials but since the cached password is actually password+OTP it's no longer valid as OTP codes can only be used once - even within the timestep.

Login fails with correct passwords and incorrect OTP codes are handled like logins with incorrect passwords so there is no feedback to the SCC. It's just "wrong username or password". So the only way to solve this problem is to change the behaviour of the SCC regarding provisioning files and this means to ditch the automatic login with cached credentials.

Moin!
We stumbled across this as well. It's actually really straight forward what creates this problem but it's really annoying.

The client performs two logins in a row and if you don't use OTP it works fine. Without OTP enabled the SCC asks for username and password and uses those to log into the VPN portal to download the configuration. Next it installs the configuration and tries to establish the connection with the cached credentials. So the user is asked for credentials once but there are two authentications happening. Try it with a user without OTP and it just works. I assume this is done for convenience so the user doen't have to log in twice in a row.

With OTP however it's a mess. The SCC does not know or care if OTP is enabled for a user on the firewall. So you load the provisioning file and enter username and password followed by the OTP code. If these are correct the configuration is downloaded to the SCC and again the SCC tries to connect with the cached credentials but since the cached password is actually password+OTP it's no longer valid as OTP codes can only be used once - even within the timestep.

Login fails with correct passwords and incorrect OTP codes are handled like logins with incorrect passwords so there is no feedback to the SCC. It's just "wrong username or password". So the only way to solve this problem is to change the behaviour of the SCC regarding provisioning files and this means to ditch the automatic login with cached credentials.

Glück auf!

yes the behavior isn´t nice for the users. We cant´t disable OTP because of security purpose. Now we wrote a User "Walkthrough" how to do and how to check if it was successful. Hopefully there won´t come as much helpdesk calls when the certificate is changed the next time .
For the future i hope there will be a solution that the scc gives the correct feedback or does only the desired task(download config or login vpn).