Skip to main content
Solved

Multi Factor Authentication Commvault


Hello Commvault Community!

 

I would like to ask you about the topic of Multi-factor authentication Commvault.

 

First Question: 

Is it possible in MFA to block the sending of e-mails with one-time codes, apart from sending the first e-mail with the code to the authentication application?

 

I guess the solution to the problem should be to disable MFA for specific users, but then that user won't be protected anymore, right? In the case of MFA, it is not possible to send the authentication code once, and then it would not be needed again to log in correctly, I think right?

https://documentation.commvault.com/11.24/expert/7910_disabling_two_factor_authentication_administrator.html

 

Second Question: 

 

The client has two accounts in Active Directory:
- One - regular user, with a mailbox (adam_johnson@abc.com.pl) - logging in via MFA works fine

- The second - which has administrator permissions (also in Commvault) - this account hasn’t mailbox (however, it has the email address adm.ajohson@abc.com.pl). An alias has been set up in Exchange and e-mails sent to adm.ajohnson@abc.com.pl are forwarded to adam.johnson@abc.com.pl. The test e-mail sent from Commvault to the address adm.ajohnson@abc.com.pl reaches correctly to the e-mail adam_johnson@abc.com.pl. After enabling MFA in CommCell and trying to log in to the account with the alias adm.ajohnson@abc.com.pl, I have an error as in the attachment.

If there is an e-mail address in the usera field (e.g. xxx@abc.pl), everything is fine. However, when the User Mail field contains an address that is an alias to the mailbox (i.e. the address alias.xxx@abc.pl, which is forwarded to xxx@abc.pl), Commvault throws an error message when sending an email with authentication codes. I would like to add that messages delivered to an alias address work without any problems.

I am asking for help and for information whether this is the correct behavior or should give MFA access to the account with the alias without any problems.

 

Thanks&Regards,
Kamil

Best answer by Kamil

Hi @Mike Struening 

 

It turned out that the problem was in the configuration on the client's side. They are to sit down with AD Administrators and check where the problem lies.

 

In this situation, there isn’t need to continue for now, but thanks for your help.

 

Regards,
Kamil

View original
Did this answer your question?

15 replies

Mike Struening
Vaulter
Forum|alt.badge.img+23

Hi @Kamil !

Regarding the first question, if I understand you correctly, you’d essentially not really have MFA in place (other than the first time).  MFA has to be satisfied each time you login, otherwise it’s really a temporary MFA.

For the second question, you likely are correct, though if this is by design or not, I’ll have to find out.

I’ll be in touch!


  • Author
  • 143 replies
  • December 3, 2021

Hi @Mike Struening 

 

Thank you for your answer for first question. Did you find out anything about MFA and aliases?

I will be grateful for your response.

 

Regards,
Kamil


Mike Struening
Vaulter
Forum|alt.badge.img+23

I haven’t yet, my apologies.

Appreciate the reminder.  I’ll chase this down!

Edit: I created a doc MR in your name in advance :-)


Mike Struening
Vaulter
Forum|alt.badge.img+23

Just heard back from some of our devs, and they suggested opening a case, and providing the incident with the smtpmanager logs from CS.

I expected a response of ‘this is not supported’, but there’s more potentially going on.

Once created, can you share the case number with me?


  • Author
  • 143 replies
  • December 9, 2021

Hi @Mike Struening 

 

I thought that I would find something in "smtpmanager.log" myself and found something, but it didn't direct me to anything.

 

7304  264   11/25 09:21:53 ### ### cvSMTPMgr::sendEmailBySMTPClient - Exception Message [A recipient must be specified.]

7304  264   11/25 09:21:53 ### ### cvSMTPMgr::sendEmailBySMTPClient - Exception Source [System]

7304  264   11/25 09:21:53 ### ### cvSMTPMgr::sendEmailBySMTPClient - Exception StackTrace [   at System.Net.Mail.SmtpClient.Send(MailMessage message)

   at CvSMTP.CvSMTPMgr.sendEmailBySMTPClient(Int32& errorCode)]

7304  264   11/25 09:21:53 ### ### cvSMTPMgr::SendSMTPMail - Failed to send mail with Error Code[-1], Error Message[By SMTPClient: A recipient must be specified.]

 

I consult it internally with the rest of my colleagues, if I don't think of anything, I escalate the thread to the Commvault support, unless someone in the meantime from the Commvault Community has an idea what the problem may be …

 

Regards,
Kamil


Mike Struening
Vaulter
Forum|alt.badge.img+23

That’s definitely a log message that needs improvement!

Can you share the case number so I can follow up?


  • Author
  • 143 replies
  • December 14, 2021

Hi @Mike Struening 

 

The client decided to update the environment version to FR 24. If that does not solve the problem, he will make a request in Commvault support. Give us a moment please :)

 

Regards,
Kamil


Mike Struening
Vaulter
Forum|alt.badge.img+23

Take all the time you need!


Mike Struening
Vaulter
Forum|alt.badge.img+23

Hey @Kamil , gentle New Year’s follow up :grinning:

any chance you have a case opened for this yet?  The developer who advised to create an incident was asking.


  • Author
  • 143 replies
  • January 10, 2022

Hi @Mike Struening,

 

I managed to ask the Customer 3 times if he test the MFA after update the MR version, but he says that he didn’t have time to test it. As soon as I know more, I will inform you here immediately.

 

Forgive me for delay.

 

Regards,
Kamil


Mike Struening
Vaulter
Forum|alt.badge.img+23

Nothing to forgive, my friend!  I’ll keep an eye out.


  • Author
  • 143 replies
  • January 11, 2022

Hi @Mike Struening 

I escalated the case to Commvault support, here is the case number: Incident 220111-329

 

Regards,
Kamil


Mike Struening
Vaulter
Forum|alt.badge.img+23

You are the best @Kamil , thank you!!!


  • Author
  • 143 replies
  • Answer
  • January 31, 2022

Hi @Mike Struening 

 

It turned out that the problem was in the configuration on the client's side. They are to sit down with AD Administrators and check where the problem lies.

 

In this situation, there isn’t need to continue for now, but thanks for your help.

 

Regards,
Kamil


Mike Struening
Vaulter
Forum|alt.badge.img+23

As always, appreciate you coming back to share!!


Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie settings