
How to do an analysis in case of Push authentication with OpenOTP Credential Provider


Petr Prochazka

Feb 4, 2025, 7:52:51 AM
to RCDevs Security
We are facing an incident where Push authentication with OpenOTP Credential Provider does not function. Compared to online authentication, where I can see detailed logs inside WebAdm, in the Push version I do not see any logs or records in WebAdm or WaProxy.
Could you please help me find where I should look for logs that would help me investigate why Push is not working sometimes, or what I have to set up to start collecting logs.
Thank you.

Yoann Traut (RCDevs)

Feb 5, 2025, 6:49:22 AM
to RCDevs Security
Hello,  

First, check the WebADM/OpenOTP logs to ensure that the push request was sent successfully. You should see entries like the following in the logs:  

```
[2025-01-16 18:05:52] [127.0.0.1:46646] [OpenOTP:HH36GRIO] Sent push notification for token #1  

[2025-01-16 18:05:52] [127.0.0.1:46646] [OpenOTP:HH36GRIO] Sent push notification for token #1 (session yEsJozXaNtS6YV1F)  
```

If these logs are present, it means:  

- OpenOTP successfully sent the push request.  
- The request was received by our push services.  
- The request was forwarded to Google/Apple push services, and we received confirmation that it was taken into account.  

At this point, we cannot guarantee that the push notification will be delivered, as it depends on:  

- The mobile device’s internet connectivity.  
- Network and routing conditions for the push message.  

If the push notification is delivered successfully, it should appear on the mobile device.  

On some devices, features like Focus Mode, Do Not Disturb, or Sleep Mode may prevent notifications from appearing on the lock screen. To rule this out, open the app before the push is sent by OpenOTP and check if the notification appears.  

If it appears and you get an error when you approve, it is an issue related to the Mobile Endpoint URL configured in OpenOTP, or the SSL certificate presented on this endpoint is not publicly trusted (a requirement for iOS devices).

Regards,

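The reply above says the first triage step is to look for the "Sent push notification" entries in the WebADM/OpenOTP log and, based on whether they are present, decide whether to look at the server or at the device. The following parser is an added example (not RCDevs code) that groups log lines by OpenOTP request id and reports, per request, whether the push left the server and where to look next; the third sample line (request id `ZZ00TEST`) is constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Line layout as shown in the reply: [timestamp] [client:port] [OpenOTP:REQUESTID] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<client>[^\]]+)\] \[OpenOTP:(?P<req>[A-Za-z0-9]+)\] (?P<msg>.*)$"
)
# The push confirmation line, with its optional "(session ...)" suffix
PUSH_RE = re.compile(
    r"Sent push notification for token #(?P<token>\d+)(?: \(session (?P<session>\w+)\))?"
)

NO_PUSH_HINT = "no push sent: check the OpenOTP/WebADM server log for errors before the push step"
PUSH_OK_HINT = ("push left the server: check device connectivity, Focus/Do Not Disturb mode, "
                "the Mobile Endpoint URL and whether its certificate is publicly trusted")


@dataclass
class PushEvent:
    ts: str
    request_id: str
    token: int
    session: Optional[str]


def parse_push_events(lines: List[str]) -> List[PushEvent]:
    """Extract every 'Sent push notification' entry from raw log lines."""
    events = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an OpenOTP request line
        p = PUSH_RE.search(m.group("msg"))
        if not p:
            continue  # some other message for this request
        events.append(PushEvent(m.group("ts"), m.group("req"), int(p.group("token")), p.group("session")))
    return events


def triage(lines: List[str]) -> Dict[str, Dict[str, object]]:
    """Per request id: did the push leave the server, which session, and what to check next."""
    seen: Dict[str, Dict[str, object]] = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m:
            seen.setdefault(m.group("req"), {"push_sent": False, "session": None, "next": NO_PUSH_HINT})
    for ev in parse_push_events(lines):
        entry = seen[ev.request_id]
        entry["push_sent"] = True
        entry["session"] = ev.session or entry["session"]  # the second line carries the session id
        entry["next"] = PUSH_OK_HINT
    return seen


# Constructed sample: the two lines quoted in the reply plus one made-up line for another request
SAMPLE_LOG = """\
[2025-01-16 18:05:52] [127.0.0.1:46646] [OpenOTP:HH36GRIO] Sent push notification for token #1
[2025-01-16 18:05:52] [127.0.0.1:46646] [OpenOTP:HH36GRIO] Sent push notification for token #1 (session yEsJozXaNtS6YV1F)
[2025-01-16 18:07:10] [127.0.0.1:46650] [OpenOTP:ZZ00TEST] New login request (constructed sample line)
""".splitlines()
```

Run `triage(SAMPLE_LOG)` against a real `webadm.log` extract to see which requests never reached the push step.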
Petr Prochazka

Feb 5, 2025, 8:38:59 AM
to RCDevs Security
Hello,
I am sorry, I did not explain my incident exactly.
The user is asked for username and password. Afterwards a QR code pops up. The QR code is scanned by the OpenOTP Token mobile application and the user gets a PUSH code. The code is filled in to the last login field. The result is "You could not be authenticate.  Wrong username or password."
There is no record in the log /opt/webadm/logs/webadm.log or in the GUI WebAdm Server Log File.
Unfortunately I do not know where to find the "WebADM/OpenOTP logs" either, if it can help for analysis.

Thank you for your support.
Petr
On Wednesday, February 5, 2025 at 12:49:22 UTC+1, Yoann Traut (RCDevs) wrote:

Spyridon Gouliarmis (RCDevs)

Feb 5, 2025, 9:56:18 AM
to RCDevs Security
That looks like offline authentication, and the plugin must have failed to contact the OpenOTP service. No push notification can happen here.

Petr Prochazka

Feb 5, 2025, 10:54:16 AM
to RCDevs Security
OK, and where can I start with the analysis if I do not see any logs? By the way, I do not see any logs from offline authentication even if the login passes successfully.

On Wednesday, February 5, 2025 at 15:56:18 UTC+1, Spyridon Gouliarmis (RCDevs) wrote:

Spyridon Gouliarmis (RCDevs)

Feb 5, 2025, 10:56:18 AM
to RCDevs Security
Have you tried setting debug_mode to 4 in the CP registry key? Look at https://docs.rcdevs.com/openotp-credential-provider-for-windows/#endpoint-could-not-be-initialized if you don't know what that is.

This should give you the logs of the CP itself.

Petr Prochazka

Feb 5, 2025, 11:11:39 AM
to RCDevs Security
I suppose it will generate logs on the client (PC) side, but I am asking whether there is any log available on the server side. I hope so, but I do not know where. If a user connects via online authentication, then I can see enough logs to understand whether the user used a wrong password or had another issue. For offline authentication I am blind now.

On Wednesday, February 5, 2025 at 16:56:18 UTC+1, Spyridon Gouliarmis (RCDevs) wrote:

Spyridon Gouliarmis (RCDevs)

Feb 5, 2025, 11:20:29 AM
to RCDevs Security
I would not hope for any log on the server, because the offline mode that you described happens when the plugin tries to contact the OpenOTP server, and fails. Usually that means no network connection at all, so the server can never suspect something wrong happened.

Has the user logged in successfully recently using the plugin on that specific workstation? If so, the offline login should let them in.

Petr Prochazka

Feb 6, 2025, 4:41:14 AM
to RCDevs Security
Everything started when we upgraded OpenOTP Credential Provider from version 1.2.0.14 to 3.0.11.0. As long as we had version 1.2.0.14 (several years) we never had such incidents.
Nowadays all users are complaining about the "Wrong user name or password" error on all computers. The situation is so frequent that we had to find a workaround solution, but it is technically limited.
Unfortunately we are not able to analyze any logs from offline authentication on the server, because there is no log at all. It does not matter whether offline authentication passes or not; there are simply no logs. The only logs we can see are from online authentication. Because of this I am not able to check whether users put in a wrong password or it does not work for some other reason.
From the beginning of this request I have been asking for help with where I can find logs on the server side for offline authentication, or what I should fix to start collecting such logs.
I don't want to bother you, so I'm trying to find a way to solve it.
Thank you
On Wednesday, February 5, 2025 at 17:20:29 UTC+1, Spyridon Gouliarmis (RCDevs) wrote:

Spyridon Gouliarmis (RCDevs)

Feb 6, 2025, 5:33:02 AM
to RCDevs Security
Offline authentication normally happens when your user has disconnected his workstation/laptop from your network. Your OpenOTP server and your directory controllers have no idea where the workstation is and what is happening on it, and therefore cannot write any log about it. This is obvious, yet you seem to expect the opposite, so what am I missing?

Offline authentication appeared in 1.2.0, so you should already have had it before your upgrade (if you activated it).

Petr Prochazka

Feb 6, 2025, 7:37:37 AM
to RCDevs Security
Maybe I am wrong, but I would expect that the username and password should be verified somewhere, and then the sent OTP should be verified somewhere. I do not know where, and I thought it could be in the WebAdm logs. If not there, then somewhere else. It would also be useful for control purposes to know how many failed attempts I have from different sources.

Petr

On Thursday, February 6, 2025 at 11:33:02 UTC+1, Spyridon Gouliarmis (RCDevs) wrote:

Spyridon Gouliarmis (RCDevs)

Feb 6, 2025, 8:02:07 AM
to RCDevs Security
The SAM database, stored on the computer itself, is what Windows uses to check the username and password. Our credential provider just passes the username/password pair to Windows, and Windows checks locally, and the database should have the necessary information for the last few people who logged in while the computer was connected to the domain. How many is "last few" is set by a GPO. Random people who never logged in, or logged in a long time ago, will not be able to log in offline because their information is not on the computer anymore.

Our credential provider also uses the QR code dance to verify that the user has the right token (more precisely, the token secret), without storing the token secret itself like the OpenOTP server does. The credential provider (and Windows) cannot store secrets, only hashes of secrets and other derived information, because once the computer is physically away from your office, we assume a hacker can read its hard drive and memory.

Offline mode really means offline. It is meant to work without any network communication.

Petr Prochazka

Feb 6, 2025, 11:27:59 AM
to RCDevs Security
Thank you very much for the information. So I understand that I cannot find any logs on the server side. If a user reports "wrong username or password", the only way to investigate is to go to the affected computer, switch debug_mode to 4 and do the analysis in the local log.

On Thursday, February 6, 2025 at 14:02:07 UTC+1, Spyridon Gouliarmis (RCDevs) wrote: