OpenOTP Windows Credential Provider - WebADM authentication succeeds, but Windows displays "The username or password is incorrect"

Coury Caldwell

Oct 19, 2018, 12:05:00 PM
to RCDevs Security Solutions - Technical
I have installed the latest version (1.2.0.7, released today) of the OpenOTP credential provider for Windows on non domain-joined Windows 10 Pro and Server 2016 VMs and am unable to complete a Windows login. 

When logging in with my WebADM credentials, I receive the OpenOTP push token, approve it, and WebADM states:

[2018-10-19 15:49:52] [172.20.0.117] [OpenOTP:649YC8KW] Found mobile session started 2018-10-19 15:49:47
[2018-10-19 15:49:52] [172.20.0.194] [OpenOTP:649YC8KW] PUSH password Ok (token #1)
[2018-10-19 15:49:52] [172.20.0.194] [OpenOTP:649YC8KW] Updated user data
[2018-10-19 15:49:52] [172.20.0.194] [OpenOTP:649YC8KW] Sent success response

The user accounts do not already exist in Windows and I have configured it to create them automatically.

I've attached screenshots of the login window as well as my OpenOTP-CP registry entries. I couldn't find anything in any of the Windows Application, System, or Security logs - not even a failed login attempt.

I had this problem with the previous version and saw you just released this new one and gave it a try with no luck.
WindowsLoginOpenOTP-CP.png
WindowsOpenOTP-CPReg.png

Coury Caldwell

Oct 19, 2018, 12:17:54 PM
While looking through the group I saw a suggestion to enable debug mode. I've attached a redacted version of my debug log during one of these failed logins.

Since this machine is not domain-joined, the domain shouldn't matter. I was unable to change what the credential provider sends as the domain without changing the name of the workgroup in Windows, so to get around this I added "WORKGROUP" as an alias for my domain in WebADM.
CP-Logs.txt

Yoann Traut (RCDevs)

Oct 19, 2018, 12:31:21 PM
Hello, 

We are not able at all to view/download the attached files for both of your messages...
If you have an enterprise restriction, you can send us these files by mail at _sup...@rcdevs.com

On my side, I have tried this morning the auto-create local account setting and it works well on Windows 10. 

Regards 

Coury Caldwell

Oct 19, 2018, 12:35:30 PM
I just emailed the attachments over to you.

Yoann Traut (RCDevs)

Oct 19, 2018, 12:43:50 PM
In your registry, the key auto_create is set to 0. Can you change it to 1 and retry?
It should solve your issue.

Regards 

Coury Caldwell

Oct 19, 2018, 1:53:27 PM
I made the change and it behaves the same way, even after a reboot.

Perttu

Oct 19, 2018, 2:59:29 PM
Hi,

Can you rerun the installer and make sure both create local accounts and check LDAP password are on?

Coury Caldwell

Oct 19, 2018, 4:46:37 PM
I reverted the snapshot on my VM and started from scratch. I selected the same options as I did before, the ones you selected, and my registry looked exactly as it does in my first screenshot.

Perttu

Oct 21, 2018, 11:49:10 AM
Hi,

The settings seem to be correct, but for some reason it does not seem to succeed in creating the local account. One more thing you could try is to launch a command prompt or PowerShell with "Run as Administrator" and start the installer from there.