2FA in Zabbix 7.0.3 not working

  • dkgame
    Junior Member
    • Feb 2022
    • 6

    #1

    I have a test instance of Zabbix I use for template creation and various other things. This is running on Ubuntu 24.04 in a VM. When I attempt to set up 2FA on one of my test users, I get the prompt to scan the QR code, the (Microsoft) authenticator app populates with a code, but when I put in the 6-digit code to continue, the authentication fails.

    I am assuming this may be a timezone-related bug - the hypervisor works in UTC (and UTC alone!), and the OS is set to Europe/London, and the default tz in Zabbix app is set to UTC+1 (Europe/London).

    Does the 2FA code work on local time, UTC, or what the RTC is putting out? All is synced via NTP so the time itself is spot-on accurate across hypervisor, OS and application. I've tried both 256 bit and 512 bit as well.

    Thank you
  • Witosław Szpecht
    Junior Member
    • Nov 2024
    • 1

    #2
    Have you managed to find a solution to this problem? I have exactly the same issue.


    • Maxburn
      Member
      • Sep 2019
      • 48

      #3
      I am now running into this as well. Works with 2FAS and Google Authenticator, but does not work with Microsoft Authenticator. All apps are on the same iPhone and the original user reporting it is on Android.

      EDIT 2; Microsoft Authenticator does not support SHA-256 and SHA-512, only SHA-1. https://support.zabbix.com/browse/ZB...thenticator%22

      EDIT; the docs specifically mention Google Authenticator and nothing else. https://www.zabbix.com/documentation...entication/mfa
      Last edited by Maxburn; 05-03-2025, 23:37.
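
An added example, not from any poster and not Zabbix's own code, covering the timezone question in post #1 and the algorithm mismatch reported in post #3. It implements RFC 6238 TOTP, shows that the code depends only on Unix time (the same in every timezone), and shows that an app computing SHA-1 for a SHA-256 enrolment produces a code the server rejects. The `otpauth://` URI follows the common key URI format and is an assumption about what the QR code carries; the secret is the RFC 6238 test key and the label `Zabbix:testuser` is hypothetical.

```python
import base64, hashlib, hmac, struct
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse


def totp(secret, unix_time, algo="SHA1", digits=6, period=30):
    """RFC 6238: HOTP (RFC 4226) over the number of periods since the Unix epoch."""
    counter = struct.pack(">Q", int(unix_time) // period)
    mac = hmac.new(secret, counter, getattr(hashlib, algo.lower())).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def code_from_uri(uri, unix_time, honour_algorithm=True):
    """Code an authenticator shows for an otpauth:// enrolment URI.
    honour_algorithm=False models an app that only implements SHA-1."""
    q = parse_qs(urlparse(uri).query)
    b32 = q["secret"][0]
    secret = base64.b32decode(b32 + "=" * (-len(b32) % 8))  # restore stripped padding
    algo = q.get("algorithm", ["SHA1"])[0] if honour_algorithm else "SHA1"
    return totp(secret, unix_time, algo,
                int(q.get("digits", ["6"])[0]), int(q.get("period", ["30"])[0]))


# Constructed sample data: RFC 6238 SHA-256 test key and a hypothetical account label.
SECRET = b"12345678901234567890123456789012"
URI = ("otpauth://totp/Zabbix:testuser?secret="
       + base64.b32encode(SECRET).decode().rstrip("=")
       + "&algorithm=SHA256&digits=6&period=30")


def same_instant_in_two_zones():
    """One moment expressed in UTC and at a fixed +01:00 offset (London summer time)."""
    utc = datetime(2025, 7, 1, 12, 0, 0, tzinfo=timezone.utc)
    london = utc.astimezone(timezone(timedelta(hours=1)))
    return utc.timestamp(), london.timestamp()


if __name__ == "__main__":
    t_utc, t_london = same_instant_in_two_zones()
    print("server, SHA256, UTC clock    :", code_from_uri(URI, t_utc))
    print("server, SHA256, London clock :", code_from_uri(URI, t_london))
    print("app that falls back to SHA-1 :", code_from_uri(URI, t_utc, honour_algorithm=False))
```

The first two printed codes are identical because both clocks yield the same Unix timestamp; the third differs, which is the failure seen when the server is set to SHA-256 or SHA-512 and the app computes SHA-1.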


      • MRedbourne
        Senior Member
        • Feb 2023
        • 103

        #4
        Originally posted by Maxburn
        I am now running into this as well. Works with 2FAS and Google Authenticator, but does not work with Microsoft Authenticator. All apps are on the same iPhone and the original user reporting it is on Android.

        EDIT 2; Microsoft Authenticator does not support SHA-256 and SHA-512, only SHA-1. https://support.zabbix.com/browse/ZB...thenticator%22

        EDIT; the docs specifically mention Google Authenticator and nothing else. https://www.zabbix.com/documentation...entication/mfa
        If you're using MS's Auth app, I'm assuming you have Entra ID? Tie Zabbix into SAML/SSO/SCIM and use MFA via conditional access. You'll get the occasional session initialization error, but otherwise it works fine.


        • Maxburn
          Member
          • Sep 2019
          • 48

          #5
          Originally posted by MRedbourne

          If you're using MS's Auth app, I'm assuming you have Entra ID? Tie Zabbix into SAML/SSO/SCIM and use MFA via conditional access. You'll get the occasional session initialization error, but otherwise it works fine.
          This is an excellent point.
          1. Personally I'm using 2FAS and I told users they can use practically any 2FA app they want or already use (2FAS, Authy, Microsoft Authenticator, Google Authenticator, and others). I'm hoping to not rock the boat and get user acceptance.
          2. I've considered SSO but at the moment I struck it down as I don't want to have the connectivity monitoring/alerting solution potentially impacted by an outage right when we need it.


          • MRedbourne
            Senior Member
            • Feb 2023
            • 103

            #6
            Originally posted by Maxburn
            This is an excellent point.
            1. Personally I'm using 2FAS and I told users they can use practically any 2FA app they want or already use (2FAS, Authy, Microsoft Authenticator, Google Authenticator, and others). I'm hoping to not rock the boat and get user acceptance.
            2. I've considered SSO but at the moment I struck it down as I don't want to have the connectivity monitoring/alerting solution potentially impacted by an outage right when we need it.
            Ah - the users bit I can understand. Users can be... interesting characters... to deal with. Unfortunately, I don't really have any guidance for the MS auth without SSO.

            Re: your second point though - Zabbix authentication can work in multi-mode. We use SSO as our primary means of authentication for every service we onboard. However, each service also maintains a local "emergency access account" in the event that an emergency happens that cannot otherwise be dealt with. E.g.: (External) Network outage, IdP outage, Sys. Admin. unexpectedly gets hit by a bus... Is it the best solution? Probably not. But it certainly works well.


            • Maxburn
              Member
              • Sep 2019
              • 48

              #7
              I switched to SHA1 and I was able to get a test user onboard with Microsoft Authenticator, no problem, previously impossible under SHA256. The user in particular that brought this up had trouble deleting his Zabbix account in MSA and jumped to Google Authenticator I think and announced he was ok. I offered to assist in deleting from MSA, let me know, but problem with Zabbix solved.

              For those questioning the lowered security of SHA1, when GitHub moves their TOTP from SHA1 that’s when I will be concerned and do the same.

              Dual would accomplish that, yes. We aren’t really up on the ease of operation SSO enables, we use it more along the lines of flattening the checklist and disconnecting employees when terminated. So under that premise SSO would have no benefit to us, might actually be a liability as we could forget about it.


              • zabbixuser39393
                Junior Member
                • Jan 2021
                • 26

                #8
                Didn't get Microsoft Authenticator to work with Zabbix 7.0.10, SHA-1 or other. MS A didn't recognize QR codes for SHA-1 and SHA-256, and a manually added key doesn't give the right codes. SHA-512 was readable with QR code, but the response was wrong for authentication. Google Authenticator and Bitwarden Authenticator work fine.
                Last edited by zabbixuser39393; 27-03-2025, 11:23.


                • zabbixuser39393
                  Junior Member
                  • Jan 2021
                  • 26

                  #9
                  Old post but... I also found that if you use dark theme as main theme (affects the login page), QR code does now work. But with light themes it is ok...


                  • Maxburn
                    Member
                    • Sep 2019
                    • 48

                    #10
                    Originally posted by zabbixuser39393
                    Old post but... I also found that if you use dark theme as main theme (affects the login page), QR code does now work. But with light themes it is ok...
                    You mean does NOT work?
                    I'm using dark theme inside Zabbix and it works fine on Zabbix 7.0.18 and a bunch of previous point releases.
                    BUT if you are doing something in the browser / OS that changes light to dark and maybe inverts pictures, yes I could see that messing up a QR code image.


                    • zabbixuser39393
                      Junior Member
                      • Jan 2021
                      • 26

                      #11
                      Anyway... QR code reading with phone didn't work with dark theme. When changed to light, phone did read QR code and did give working verification codes after that.
