OpenOTP Credential Provider - Cannot login using OpenOTP


Travis G

Oct 20, 2017, 4:10:34 PM
to RCDevs Security Solutions - Technical
I have WebAdm installed and working. I can access webadm from the test PC I've installed OpenOTP on. It can reach the SOAP URL: https://webadm.tg.local:8443/openotp/ 
Note the cert is not trusted... Not sure if this is an issue?
The PC is Windows 10 x64 and I installed the x64 OpenOTP.

I also have my user registered and my token setup on my phone and have tested it and it works.

My policy for users is to require just OTP, and so I tried to set, per the docs, the custom string LoginMode=LDAPOTP when installing OpenOTP. 

Per the docs, I checked the PC's Event Viewer, nothing is logged when I try to login via OpenOTP.
Also I tried checking on WebAdm server at /opt/webadm/log/ and there is no file named soap.log.

The error on the OpenOTP screen I get is "Endpoint cannot be initialized". I am also not getting both a Password and OTP field, just a username and password field shown below. 

The documentation said nothing about the CA cert, but the installer required it. So I tried removing that in the config (in registry) and tried again. Now it says "Calling Endpoint" and then sends me back to the login screen.
Thoughts? I'm at a loss.
Note: For anyone working on a test PC and setting up OpenOTP, the settings are stored at: HKEY_LOCAL_MACHINE\SOFTWARE\RCDevs\OpenOTP-CP 
Editing them and rebooting is much faster than re-running the installer...

francois...@rcdevs.com

Oct 23, 2017, 2:44:01 AM
to RCDevs Security Solutions - Technical
Hi Travis,

The WebADM certificate is only trusted by the CA installed on the same server. The CA certificate is available at this address: http://<my_webadm_server>/cacert

You need to download it and add it in the credential provider configuration.

Travis G

Oct 24, 2017, 2:00:44 PM
to RCDevs Security Solutions - Technical
I put the CA cert on the PC and fixed the credential provider's config to point to it. I even tried re-running the installer with modify in case I typoed in the registry and rebooted. Same issue, no change at all. 

I then changed the display from Simple to Normal so I would get both password and OTP fields and rebooted. I do get both fields now, but login outcome is same as before: Sent back to login screen. 

Questions:
1) Why am I not showing any events in the Event Viewer?
2) Why is there no log at /opt/webadm/log/soap.log on the WebAdm server?
3) What should I get if I manually go to https://webadm.tg.local:8443/openotp/ in a browser? I ask because I am just getting a blank file.

Thanks!

Yoann Traut (RCDevs)

Oct 25, 2017, 4:38:31 AM
to RCDevs Security Solutions - Technical
Hello,
Please see inline:

Questions:
1) Why am I not showing any events in the Event Viewer?
This is normal; we have not yet created an Event Viewer source for our CP.

2) Why is there no log at /opt/webadm/log/soap.log on the WebAdm server?
Which version of WebADM do you use? Could you check in /opt/webadm/logs/webadm.logs?

3) What should I get if I manually go to https://webadm.tg.local:8443/openotp/ in a browser? I ask because I am just getting a blank file.
This is normal. Service is up.

Regards

Travis G

Oct 25, 2017, 1:25:50 PM
to RCDevs Security Solutions - Technical
Yoann,

/opt/webadm/logs/webadm.logs works, thanks. So I see why it's failing: it thinks mydomain and mydomain.local are invalid. How do I fix this?

[2017-10-24 19:55:20] [192.168.1.21] [OpenOTP:IT93CODN] New openotpNormalLogin SOAP request
[2017-10-24 19:55:20] [192.168.1.21] [OpenOTP:IT93CODN] > Username: myadmin
[2017-10-24 19:55:20] [192.168.1.21] [OpenOTP:IT93CODN] > Domain: mydomain
[2017-10-24 19:55:20] [192.168.1.21] [OpenOTP:IT93CODN] > LDAP Password: xxxxxxxxxxx
[2017-10-24 19:55:20] [192.168.1.21] [OpenOTP:IT93CODN] > OTP Password: xxxxxx
[2017-10-24 19:55:20] [192.168.1.21] [OpenOTP:IT93CODN] > Source IP: 192.168.1.21
[2017-10-24 19:55:20] [192.168.1.21] [OpenOTP:IT93CODN] > Settings: OpenOTP.LoginMode=LDAPOTP
[2017-10-24 19:55:20] [192.168.1.21] [OpenOTP:IT93CODN] Registered openotpNormalLogin request
[2017-10-24 19:55:20] [192.168.1.21] [OpenOTP:IT93CODN] Domain 'mydomain' not existing or disabled
[2017-10-24 19:55:20] [192.168.1.21] [OpenOTP:IT93CODN] User invalid or not found
[2017-10-24 19:55:21] [192.168.1.21] [OpenOTP:IT93CODN] Sent failure response
[2017-10-25 19:19:34] [192.168.1.21] [OpenOTP:AEQG6ARE] New openotpNormalLogin SOAP request
[2017-10-25 19:19:34] [192.168.1.21] [OpenOTP:AEQG6ARE] > Username: myadmin
[2017-10-25 19:19:34] [192.168.1.21] [OpenOTP:AEQG6ARE] > Domain: mydomain.local
[2017-10-25 19:19:34] [192.168.1.21] [OpenOTP:AEQG6ARE] > LDAP Password: xxxxxxxxxxx
[2017-10-25 19:19:34] [192.168.1.21] [OpenOTP:AEQG6ARE] > OTP Password: xxxxxx
[2017-10-25 19:19:34] [192.168.1.21] [OpenOTP:AEQG6ARE] > Source IP: 192.168.1.21
[2017-10-25 19:19:34] [192.168.1.21] [OpenOTP:AEQG6ARE] > Settings: OpenOTP.LoginMode=LDAPOTP
[2017-10-25 19:19:34] [192.168.1.21] [OpenOTP:AEQG6ARE] Registered openotpNormalLogin request
[2017-10-25 19:19:34] [192.168.1.21] [OpenOTP:AEQG6ARE] Domain 'mydomain.local' not existing or disabled
[2017-10-25 19:19:34] [192.168.1.21] [OpenOTP:AEQG6ARE] User invalid or not found
[2017-10-25 19:19:35] [192.168.1.21] [OpenOTP:AEQG6ARE] Sent failure response

Yoann Traut (RCDevs)

Oct 26, 2017, 3:25:09 AM
to RCDevs Security Solutions - Technical
Hello,

You have to edit your local domain in WebADM and add the 'mydomain' name in the alias setting.
Go to WebADM GUI > Admin > Local Domain. You should have a domain here, so click on CONFIGURE. In the local domain configuration you will find a setting named: Domain names Alias.
Put the 'mydomain' found in your logs here.

Regards

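A small log triage helper, added here as an example and not RCDevs code, that groups the webadm.logs lines Travis quoted above by OpenOTP request id and lists the domain names WebADM rejected, which are exactly the names to put in the Domain names Alias setting Yoann describes. The line format is assumed from the excerpt in this thread, and the sample log is constructed from it.

```python
import re

# Constructed sample, modelled on the webadm.logs excerpt quoted in this thread
# (the masked password lines are omitted; they carry nothing useful for triage).
SAMPLE_LOG = """\
[2017-10-24 19:55:20] [192.168.1.21] [OpenOTP:IT93CODN] New openotpNormalLogin SOAP request
[2017-10-24 19:55:20] [192.168.1.21] [OpenOTP:IT93CODN] > Username: myadmin
[2017-10-24 19:55:20] [192.168.1.21] [OpenOTP:IT93CODN] > Domain: mydomain
[2017-10-24 19:55:20] [192.168.1.21] [OpenOTP:IT93CODN] Domain 'mydomain' not existing or disabled
[2017-10-24 19:55:20] [192.168.1.21] [OpenOTP:IT93CODN] User invalid or not found
[2017-10-24 19:55:21] [192.168.1.21] [OpenOTP:IT93CODN] Sent failure response
[2017-10-25 19:19:34] [192.168.1.21] [OpenOTP:AEQG6ARE] New openotpNormalLogin SOAP request
[2017-10-25 19:19:34] [192.168.1.21] [OpenOTP:AEQG6ARE] > Username: myadmin
[2017-10-25 19:19:34] [192.168.1.21] [OpenOTP:AEQG6ARE] > Domain: mydomain.local
[2017-10-25 19:19:34] [192.168.1.21] [OpenOTP:AEQG6ARE] Domain 'mydomain.local' not existing or disabled
[2017-10-25 19:19:35] [192.168.1.21] [OpenOTP:AEQG6ARE] Sent failure response
"""

# Assumed line layout: [timestamp] [client ip] [OpenOTP:<request id>] <message>
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<ip>[^\]]+)\] \[OpenOTP:(?P<req>\w+)\] (?P<msg>.*)$")
DOMAIN_FAIL_RE = re.compile(r"^Domain '(?P<domain>[^']+)' not existing or disabled$")
NOISE = ("New ", "Registered ", ">")  # progress lines that carry no failure reason

def parse_requests(log_text):
    """Group lines by request id; keep client IP, user, domain, outcome and failure reasons."""
    requests = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an OpenOTP line (other WebADM services log to the same file)
        req = requests.setdefault(m["req"], {"ip": m["ip"], "user": None, "domain": None, "result": None, "reasons": []})
        msg = m["msg"]
        if msg.startswith("> Username: "):
            req["user"] = msg[len("> Username: "):]
        elif msg.startswith("> Domain: "):
            req["domain"] = msg[len("> Domain: "):]
        elif msg.startswith("Sent ") and msg.endswith(" response"):
            req["result"] = msg[len("Sent "):-len(" response")]  # "success" or "failure"
        elif not msg.startswith(NOISE):
            req["reasons"].append(msg)  # e.g. "Domain 'x' not existing or disabled"
    return requests

def unknown_domains(requests):
    """Domain names WebADM rejected: the candidates for the 'Domain names Alias' setting."""
    matches = (DOMAIN_FAIL_RE.match(reason) for r in requests.values() for reason in r["reasons"])
    return {m["domain"] for m in matches if m}
```

Run it against a real /opt/webadm/logs/webadm.logs copy to see which domain string the credential provider is sending before touching the alias configuration.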
Travis G

Oct 26, 2017, 4:10:51 PM
to RCDevs Security Solutions - Technical
Thank you, that worked!

RNAO Communications

Oct 19, 2021, 7:25:47 PM
to RCDevs Security Solutions - Technical
The alias tip is what I needed too. Thanks!