A few months ago I had a customer reach out with an odd authentication scenario… several of their employees complained that their passwords failed to work whenever they were in church.
The afflicted…
There were a small group of people who would constantly complain about authentication with their smart phones, usually on the weekend. They would work fine all week, no extra prompts, no MFA challenge / response, just access email on their iPhone and BAM! instantly connected.
However, every Sunday, while they were in church, they would be checking their messages (I guess the sermon was boring) and they’d be prompted for MFA. Not a big deal, except if you were using the “call me” method.
Imagine their horror that first Sunday, dead silence while they listen to stories about the relevance of scripture in the modern age, maybe even something about managing distractions, when they decide to pop out their phone … clandestinely of course, maybe under cover of a hymnal … only to get prompted for MFA in the form of a nice loud ringtone.
Now nobody really told me what ringtone they were using, but in my imagination I could picture the scene… rows upon rows of fine folks in their sunday best, when suddenly, from nowhere, the theme from Mission Impossible would start playing, or maybe a verse from Sir Mix A Lot’s “Baby Got Back”. Either way …. AWKWARD
But why?
Now as we all know, login is a common occurrence, especially as we connect more and more things to the cloud. There’s certainly no lack of password prompts no matter what we do, and while we try to keep the to a minimum, we certainly don’t want to sacrifice security for convenience. But why, for this particular customer, did their iPhones hate organized religion?
Well, as we all know, there’s pretty much a good explanation for everything, even in the most of obscure cases.
Take, for example, the story of the car that hated ice cream
http://www.cgl.uwaterloo.ca/smann/IceCream/humor.html
Now, it’s obvious that the story is fabricated, Snopes tells us as much, but it does point out that despite the most interesting of situations, there’s usually a good answer.
The Answer…
So, looking to the bible didn’t really help here. What did help, however, was another book. “A brief history of time” by Stephen Hawking.
Ok, not really, but the answer was in the title…
Turns out that our friends at Contoso had a patching policy, that in addition to running every Saturday at midnight, also wreaked havoc on the use of time across the enterprise.
You see, the hypervisors, which hosted their ADFS farm, would reboot every Saturday night, whereas Domain controllers were on physical hardware and only rebooted on patch Tuesday… don’t ask why they patched every Saturday, never got a good answer.
The problem was, that the guest VMs would get their time from the hosts, and the hosts (not network joined) used a network router for NTP (network time protocol). The domain controllers, on the other hand, used a different source for NTP.
As a result, when the hypervisors were rebooted, they would pull time from the router, and the ADFS servers from the hosts, which would wind up with their clock being just a few seconds offset from the time that the rest of the servers on the domain (which used the domain controllers) were set to.
This time difference, sometimes as little as 10-15 seconds, would cause issues when the ADFS servers were re-authenticating the mobile users, and that pesky login prompt (along with MFA) would be presented.
Computer users on the domain never had an issue, because the workstations got their time from the domain controllers as well.
Fixing the NTP source for the hypervisors fixed the issue, and Sundays were safe once again from annoying technology …
So the moral of our story? Don’t take your phone to church? Nah…. just make sure your ringtone is something churchy.
Oh, and keep an eye on the time!