OpenOTP Credential Provider - Accept RDP supplied username password...?


Travis G

Oct 26, 2017, 4:58:05 PM
to RCDevs Security Solutions - Technical
Is there any way for the Credential Provider to accept the RDP supplied username and password so it then only prompts the user for the OTP token?

I ask because the way it works now is incompatible with numerous RDP management utilities, such as mRemoteNG. It fails to even connect to show the OTP login screen at all since I've set the Credential provider as the default CP. The only way I can login is to use normal remote desktop, enter my domain credentials, then reenter them a second time in OpenOTP.

Thanks!

Yoann Traut (RCDevs)

Oct 27, 2017, 3:51:25 AM
to RCDevs Security Solutions - Technical
Hello,

Could you tell me on which client you use the RDP client? And to which host are you trying to connect remotely? (win10, 2012, x64, x86...)
Which version of our CP do you use?
Because in my environment, I don't have to use my credentials twice to be logged in.
If the CP is installed on both hosts, you have to enter your credentials and the OTP through the RDP client.
If the CP is not installed on the host where you use the RDP tool, you will just enter your LDAP credentials, the RDP session will start and normally you just have to enter your OTP and you are logged in.

Regards

Travis G

Oct 27, 2017, 11:57:35 AM
to RCDevs Security Solutions - Technical
Client 1 = Win 10 x64, NO CP installed
Client 2 = Server 2012 x64, NO CP installed
RDP application used on both above clients: mRemoteNG and mstsc

Host: Win 10 x64 with CP installed, version 1.2.0-x64

Client 1 or 2 using mRemoteNG to Host Results: 
It was previously not connecting, now it is connecting. That seems to be the result of every test after waiting about an hour - the first time it will not connect. Second attempt connects. 
In any event it doesn't take the LDAP credentials that are saved in mRemoteNG and passed to it. Screenshot showing it asking for LDAP again:



Client 1 or 2 using mstsc to Host Results: 
Have to enter credentials in RDP window and then also in Login Screen. Screenshot showing first password prompt and second password prompt:

First:
Second:



Could this be due to the fact that I have the Login Type set to Normal instead of Simple?

Thanks!

Travis G

Oct 28, 2017, 10:57:51 AM
to RCDevs Security Solutions - Technical
Added some more info... Inline below.
Questions:

1) Could this be due to the fact that I have the Login Type set to Normal instead of Simple?

2) I tested with Login type set to Simple. With it at Simple I cannot log in; I suspect because in WebAdm I have the default settings to OTP only, due to the fact that I'm also using this with a NetScaler with Radius and that device has its own LDAP settings which have to be managed separately, so it can only send WebAdm the OTP. Question: Can I have a different default group of settings for specific parameters in WebAdm? For example: my NetScaler IP addresses - could WebAdm have a profile for those IPs set with a default of OTP only, and then for everything else use global defaults of LDAP + OTP?

3) Why is OpenOTP CP not responding to mRemoteNG the first time it tries to connect? It did not happen before OpenOTP was installed, and stopped happening once I uninstalled OpenOTP. The computer with the CP and the connecting computer are on the same subnet and firewalls are disabled. I can take a Wireshark trace if that helps you.

4) Have you tested the CP with Win 10? Do you get the double prompts for LDAP on that OS? 

francois...@rcdevs.com

Oct 31, 2017, 8:58:34 AM
to RCDevs Security Solutions - Technical
Hi Travis,

The dev team has changed the CP. The connection should be simplified in the next release. It should be available within a week.

Travis G

Nov 7, 2017, 9:48:21 PM
to RCDevs Security Solutions - Technical
I don't see the new CP yet on the website; was there a delay releasing it?

Thanks!

francois...@rcdevs.com

Nov 8, 2017, 10:31:46 AM
to RCDevs Security Solutions - Technical
Hi Travis, it should be available this week.

Travis G

Nov 10, 2017, 3:33:12 PM
to RCDevs Security Solutions - Technical
I just installed it and set it as my default provider. I now cannot log in over RDP. It never prompts for the PIN....

Here's my config of the user's group in WebADM and the settings in the app. 
Remember I said before I have to have "Login mode" in WebAdm set to OTP as I also have a device connecting using Radius and it is just sending the OTP, so I am using the user-setting string to try to override that in the CP on the test PC:

francois...@rcdevs.com

Nov 13, 2017, 6:20:59 AM
to RCDevs Security Solutions - Technical
Hi Travis,

The credential provider should ask for your password and your OTP; where is the problem exactly? Do you have a log entry in webadm.log?

FYI, you can also use client policies; then you can choose the login mode per client (Windows, VPN, ...) in WebADM.

Travis G

Nov 13, 2017, 10:49:50 AM
to rcdevs-t...@googlegroups.com
It does not ask for the OTP when I login via RDP using the settings I have used.

Can you explain to me about where I set the login mode per client in WebAdm or where I can get details on this so I can read up on it?


francois...@rcdevs.com

Nov 14, 2017, 5:42:40 AM
to RCDevs Security Solutions - Technical
Could you send the log from webadm.conf for that authentication?

For the client policy, you can create it in webadm -> admin -> client policies -> add client. Its name should correspond to the client id. You can define the client id for the credential provider during the setup; for RADIUS it corresponds to the NAS-Identifier by default. You can see it in the log of the authentication in webadm.conf.

Once the client policy is created, you can define the login mode in webadm -> admin -> client policies -> configure -> Forced Application Policies -> edit -> openotp -> loginmode
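The per-client selection described above (a NAS-Identifier or CP client id picks a client policy, otherwise the global default applies), as an added illustration that is not part of this thread or of WebADM's own code. It parses a constructed RADIUS Access-Request to pull out the NAS-Identifier attribute (type 32, RFC 2865) and resolves the login mode from a constructed policy table; the client ids, mode labels and policy table are assumptions chosen here for the example.

```python
import struct

# RADIUS attribute type codes from RFC 2865.
USER_NAME = 1
NAS_IDENTIFIER = 32

# Constructed policy table: client id -> login mode. The NetScaler entry
# models the "OTP only" RADIUS client from the thread; anything not listed
# falls back to the global default (LDAP password + OTP).
CLIENT_POLICIES = {"netscaler-gw": "OTP"}
DEFAULT_LOGIN_MODE = "LDAPOTP"


def parse_radius_attributes(packet: bytes) -> dict:
    """Return {attribute_type: raw_value} for a RADIUS packet.

    Layout: code(1) identifier(1) length(2) authenticator(16), then
    type(1) length(1) value(length-2) attribute records until the end.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs = {}
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def build_access_request(attrs, ident: int = 1) -> bytes:
    """Build a constructed Access-Request (code 1) for testing the parser."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    authenticator = b"\x00" * 16  # constructed; real requests use a random value
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body


def login_mode_for_client(client_id: str) -> str:
    """Client policy wins if one exists, otherwise the global default applies."""
    return CLIENT_POLICIES.get(client_id, DEFAULT_LOGIN_MODE)


def login_mode_for_radius_request(packet: bytes):
    """Resolve (client id, login mode) from the NAS-Identifier of a request."""
    attrs = parse_radius_attributes(packet)
    client_id = attrs.get(NAS_IDENTIFIER, b"").decode("utf-8", "replace")
    return client_id, login_mode_for_client(client_id)
```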