OpenOTP problem with active directory domain accounts


azpis...@gmail.com

Nov 15, 2013, 10:58:44 AM
to rcdevs-t...@googlegroups.com

Hi! We are considering using the OpenOTP solution in our environment, where we have Linux (through SSH) and Windows (interactive login or RDP) machines.

Test installation of the All-in-one VM (RCVM_OpenLDAP_OVF-1.2.6-1.zip) and integration with Windows AD went smoothly.

The SSH implementation went smoothly as well (I created a user with the same UID on the Linux machine and in the WebADM console; for testing purposes I used the mail transport to get the OTP password).

But there is a problem with using the OpenOTP solution with computers in a domain environment (when I log in with a domain account, not a local one).

Here are some configuration details:

First of all, the “Registered WebADM Domains” field gives the following info:

cn=users,dc=test-net2,dc=yyyyyyyy,dc=com

So I presume the default container for upgraded user accounts, according to the user manual, is correct.

And the “Default Domain” option in the OTP Authentication Server (v1.1.2) settings is activated and pointing to the only available “Default” field near it.

Here are some details of the testing process.

For Windows machines (Windows 7) I used the credential provider (OpenOTPCredentialProvider-1.0.3-x64.msi). Since I need to implement the OTP solution as mandatory, I installed this software with the default provider option enabled (besides, this mode enables us to use RDP with mandatory OTP).

At first I tested the solution for local users on the Windows computer. For this to work I created a user with the same username (say admin2) both locally on the Windows computer and using the WebADM console through -> Create -> User / Administrator (Level 1) Administrator or Domain user.

In this situation everything works well; in the credential provider I entered:

login: admin2

LDAP password

and then the OTP password received by mail.

(here is a fragment from the SOAP server log file):

[2013-11-15 16:19:32] [172.19.40.66] [OpenOTP_E12F5973] New openotpLogin SOAP request
[2013-11-15 16:19:32] [172.19.40.66] [OpenOTP_E12F5973] > Username: admin2
[2013-11-15 16:19:32] [172.19.40.66] [OpenOTP_E12F5973] > LDAP Password: xxxxxxxxxxxxxx
[2013-11-15 16:19:32] [172.19.40.66] [OpenOTP_E12F5973] > Source IP: 172.19.40.66
[2013-11-15 16:19:32] [172.19.40.66] [OpenOTP_E12F5973] Registered openotpLogin request
[2013-11-15 16:19:32] [172.19.40.66] [OpenOTP_E12F5973] Resolved LDAP user: CN=admin2,CN=Users,DC=test-net2,DC=yyyyyyyy,DC=com
[2013-11-15 16:19:32] [172.19.40.66] [OpenOTP_E12F5973] Started transaction lock for user
[2013-11-15 16:19:32] [172.19.40.66] [OpenOTP_E12F5973] Found 1 user emails: adm...@test-net2.yyyyyyyy.com
[2013-11-15 16:19:32] [172.19.40.66] [OpenOTP_E12F5973] Found 25 user settings: LoginMode=LDAPOTP,LockTimer=10,OTPType=MAIL,OTPLength=6,ChallengeMode=1,ChallengeTimeout=90,ChallengeLock=,OTPPrefix=,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,MOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,SMSType=Normal,SMSMode=Ondemand,MailMode=Ondemand,LastOTPTime=300,ListChallengeMode=ShowID
[2013-11-15 16:19:32] [172.19.40.66] [OpenOTP_E12F5973] Found 2 user data: LoginCount,MailCount
[2013-11-15 16:19:32] [172.19.40.66] [OpenOTP_E12F5973] LDAP password Ok
[2013-11-15 16:19:32] [172.19.40.66] [OpenOTP_E12F5973] OTP challenge required
[2013-11-15 16:19:32] [172.19.40.66] [OpenOTP_E12F5973] Sent Mail password to adm...@test-net2.yyyyyyyy.com
[2013-11-15 16:19:32] [172.19.40.66] [OpenOTP_E12F5973] Updated user data
[2013-11-15 16:19:32] [172.19.40.66] [OpenOTP_E12F5973] Started challenge session of ID 3a00a16cde8d721f valid for 90 seconds
[2013-11-15 16:19:32] [172.19.40.66] [OpenOTP_E12F5973] Sent challenge response
[2013-11-15 16:19:42] [172.19.40.66] [OpenOTP_E12F5973] New openotpChallenge SOAP request
[2013-11-15 16:19:42] [172.19.40.66] [OpenOTP_E12F5973] > Username: admin2
[2013-11-15 16:19:42] [172.19.40.66] [OpenOTP_E12F5973] > Session: 3a00a16cde8d721f
[2013-11-15 16:19:42] [172.19.40.66] [OpenOTP_E12F5973] > OTP Password: xxxxxx
[2013-11-15 16:19:42] [172.19.40.66] [OpenOTP_E12F5973] Registered openotpChallenge request
[2013-11-15 16:19:42] [172.19.40.66] [OpenOTP_E12F5973] Found challenge session started 2013-11-15 16:19:32
[2013-11-15 16:19:42] [172.19.40.66] [OpenOTP_E12F5973] Started transaction lock for user
[2013-11-15 16:19:42] [172.19.40.66] [OpenOTP_E12F5973] Mail password Ok
[2013-11-15 16:19:42] [172.19.40.66] [OpenOTP_E12F5973] Updated user data
[2013-11-15 16:19:42] [172.19.40.66] [OpenOTP_E12F5973] Sent success response

 

Then we tested the solution for domain users’ accounts on a Windows computer (which is a member of this domain). For this to work I created a user (say admin) with the help of Active Directory Users and Computers on the AD Windows domain controller (after refreshing AD in the WebADM console I saw this user). (Note: there is no such user admin on the local Windows computer.) So far everything was OK.

And here comes the problem:

I entered

login: admin,

LDAP password

and then the OTP password received by mail

And at the end received the screen: “Logon failure: unknown user or bad password”

But when I looked at the log, I saw that everything was OK:

[2013-11-15 16:58:38] [172.19.40.66] [OpenOTP_DB9CA335] New openotpLogin SOAP request
[2013-11-15 16:58:38] [172.19.40.66] [OpenOTP_DB9CA335] > Username: admin
[2013-11-15 16:58:38] [172.19.40.66] [OpenOTP_DB9CA335] > LDAP Password: xxxxxxxxxxxxxx
[2013-11-15 16:58:38] [172.19.40.66] [OpenOTP_DB9CA335] > Source IP: 172.19.40.66
[2013-11-15 16:58:38] [172.19.40.66] [OpenOTP_DB9CA335] Registered openotpLogin request
[2013-11-15 16:58:38] [172.19.40.66] [OpenOTP_DB9CA335] Ignoring group 'cn=administrators,cn=builtin,dc=test-net2,dc=yyyyyyyy,dc=com' (out of domain group search base)
[2013-11-15 16:58:38] [172.19.40.66] [OpenOTP_DB9CA335] Resolved LDAP user: CN=admin,CN=Users,DC=test-net2,DC=yyyyyyyy,DC=com
[2013-11-15 16:58:38] [172.19.40.66] [OpenOTP_DB9CA335] Resolved LDAP groups: domain users
[2013-11-15 16:58:38] [172.19.40.66] [OpenOTP_DB9CA335] Started transaction lock for user
[2013-11-15 16:58:38] [172.19.40.66] [OpenOTP_DB9CA335] Found 1 user mobiles: +38 0672661254
[2013-11-15 16:58:38] [172.19.40.66] [OpenOTP_DB9CA335] Found 1 user emails: ad...@test-net2.yyyyyyyy.com
[2013-11-15 16:58:38] [172.19.40.66] [OpenOTP_DB9CA335] Found 25 user settings: LoginMode=LDAPOTP,LockTimer=10,OTPType=MAIL,OTPLength=6,ChallengeMode=1,ChallengeTimeout=90,ChallengeLock=,OTPPrefix=,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,MOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,SMSType=Normal,SMSMode=Ondemand,MailMode=Ondemand,LastOTPTime=300,ListChallengeMode=ShowID
[2013-11-15 16:58:38] [172.19.40.66] [OpenOTP_DB9CA335] Found 2 user data: LoginCount,MailCount
[2013-11-15 16:58:38] [172.19.40.66] [OpenOTP_DB9CA335] LDAP password Ok
[2013-11-15 16:58:38] [172.19.40.66] [OpenOTP_DB9CA335] OTP challenge required
[2013-11-15 16:58:39] [172.19.40.66] [OpenOTP_DB9CA335] Sent Mail password to ad...@test-net2.yyyyyyyy.com
[2013-11-15 16:58:39] [172.19.40.66] [OpenOTP_DB9CA335] Updated user data
[2013-11-15 16:58:39] [172.19.40.66] [OpenOTP_DB9CA335] Started challenge session of ID 84d4adce9ed00585 valid for 90 seconds
[2013-11-15 16:58:39] [172.19.40.66] [OpenOTP_DB9CA335] Sent challenge response
[2013-11-15 16:59:21] [172.19.40.66] [OpenOTP_DB9CA335] New openotpChallenge SOAP request
[2013-11-15 16:59:21] [172.19.40.66] [OpenOTP_DB9CA335] > Username: admin
[2013-11-15 16:59:21] [172.19.40.66] [OpenOTP_DB9CA335] > Session: 84d4adce9ed00585
[2013-11-15 16:59:21] [172.19.40.66] [OpenOTP_DB9CA335] > OTP Password: xxxxxx
[2013-11-15 16:59:21] [172.19.40.66] [OpenOTP_DB9CA335] Registered openotpChallenge request
[2013-11-15 16:59:21] [172.19.40.66] [OpenOTP_DB9CA335] Found challenge session started 2013-11-15 16:58:39
[2013-11-15 16:59:21] [172.19.40.66] [OpenOTP_DB9CA335] Started transaction lock for user
[2013-11-15 16:59:21] [172.19.40.66] [OpenOTP_DB9CA335] Mail password Ok
[2013-11-15 16:59:21] [172.19.40.66] [OpenOTP_DB9CA335] Updated user data
[2013-11-15 16:59:21] [172.19.40.66] [OpenOTP_DB9CA335] Sent success response

 

At first I didn’t get it. But later I understood that the problem lies in interpreting the login “admin” as a local (not domain) user on the Windows machine. And despite the successful OTP process, the Windows computer rejected my login.

So I decided to enter a DOMAIN\user style login in the OTP credential provider.

I entered

login: TEST-NET2\admin,

LDAP password

and then received:

Windows Security: Invalid username or password

For debugging I looked into the SOAP server log file:

[2013-11-15 17:18:45] [172.19.40.66] [OpenOTP_E304B80D] New openotpLogin SOAP request
[2013-11-15 17:18:45] [172.19.40.66] [OpenOTP_E304B80D] > Username: admin
[2013-11-15 17:18:45] [172.19.40.66] [OpenOTP_E304B80D] > Domain: TEST-NET2
[2013-11-15 17:18:45] [172.19.40.66] [OpenOTP_E304B80D] > LDAP Password: xxxxxxxxxxxxxx
[2013-11-15 17:18:45] [172.19.40.66] [OpenOTP_E304B80D] > Source IP: 172.19.40.66
[2013-11-15 17:18:45] [172.19.40.66] [OpenOTP_E304B80D] Registered openotpLogin request
[2013-11-15 17:18:45] [172.19.40.66] [OpenOTP_E304B80D] Domain 'TEST-NET2' not existing or disabled
[2013-11-15 17:18:45] [172.19.40.66] [OpenOTP_E304B80D] User invalid or not found
[2013-11-15 17:18:47] [172.19.40.66] [OpenOTP_E304B80D] Sent failure response

 

Well, looking through this forum I decided to test further and to play around with the domain settings.

So the “Default Domain” option in the OTP Authentication Server settings was deactivated.

Now I tried again to log in with a DOMAIN\user style login in the OTP credential provider.

I entered

login: TEST-NET2\admin,

LDAP password

and unfortunately again received:

Windows Security: Invalid username or password

Looking into the logs we’ve got the same dialog:

[2013-11-15 17:29:28] [172.19.40.66] [OpenOTP_13AD3598] New openotpLogin SOAP request
[2013-11-15 17:29:28] [172.19.40.66] [OpenOTP_13AD3598] > Username: admin
[2013-11-15 17:29:28] [172.19.40.66] [OpenOTP_13AD3598] > Domain: TEST-NET2
[2013-11-15 17:29:28] [172.19.40.66] [OpenOTP_13AD3598] > LDAP Password: xxxxxxxxxxxxxx
[2013-11-15 17:29:28] [172.19.40.66] [OpenOTP_13AD3598] > Source IP: 172.19.40.66
[2013-11-15 17:29:28] [172.19.40.66] [OpenOTP_13AD3598] Registered openotpLogin request
[2013-11-15 17:29:28] [172.19.40.66] [OpenOTP_13AD3598] Domain 'TEST-NET2' not existing or disabled
[2013-11-15 17:29:28] [172.19.40.66] [OpenOTP_13AD3598] User invalid or not found
[2013-11-15 17:29:30] [172.19.40.66] [OpenOTP_13AD3598] Sent failure response

 

I even tried in this configuration to log in with the user TEST-NET2\admin2 (present locally on the Windows machine as well):

[2013-11-15 17:36:06] [172.19.40.66] [OpenOTP_73045A43] New openotpLogin SOAP request
[2013-11-15 17:36:06] [172.19.40.66] [OpenOTP_73045A43] > Username: admin2
[2013-11-15 17:36:06] [172.19.40.66] [OpenOTP_73045A43] > Domain: TEST-NET2
[2013-11-15 17:36:06] [172.19.40.66] [OpenOTP_73045A43] > LDAP Password: xxxxxxxxxxxxxx
[2013-11-15 17:36:06] [172.19.40.66] [OpenOTP_73045A43] > Source IP: 172.19.40.66
[2013-11-15 17:36:06] [172.19.40.66] [OpenOTP_73045A43] Registered openotpLogin request
[2013-11-15 17:36:06] [172.19.40.66] [OpenOTP_73045A43] Domain 'TEST-NET2' not existing or disabled
[2013-11-15 17:36:06] [172.19.40.66] [OpenOTP_73045A43] User invalid or not found
[2013-11-15 17:36:08] [172.19.40.66] [OpenOTP_73045A43] Sent failure response

 

It looks like without the activated “Default Domain” option in the OTP Authentication Server it cannot find any user.

Maybe I am missing something here?

As a workaround so far I see only the possibility to create users with the same username both locally on the Windows computers and using the WebADM console, with the activated “Default Domain” option in the OTP Authentication Server. But this solution can only be considered a temporary one.

I would be grateful for any help.

Thanks in advance
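
The log excerpts above are easier to read per request than per line: every line carries a request ID, and the "Sent ... response" line gives the outcome while the "Domain '...' not existing or disabled" / "User invalid or not found" lines give the reason. The following parser is an added example written for this page, not part of the original post or of RCDevs' tooling; it groups lines in the SOAP server log format shown above by request ID and reports username, domain, resolved DN, challenge session and outcome. The sample log is a constructed, shortened copy of two of the requests quoted in the post (password lines dropped). One caveat it makes visible: request OpenOTP_DB9CA335 ends in "Sent success response" even though Windows then rejected the logon, so a success in this log must still be correlated with the Windows logon events before it is trusted.

```python
import re
from collections import OrderedDict

# Line format of the OpenOTP SOAP server log as quoted in the post:
# [timestamp] [client ip] [request id] message
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<ip>[^\]]+)\] \[(?P<req>[^\]]+)\] (?P<msg>.*)$"
)

# Constructed sample: a shortened copy of two requests from the post above.
SAMPLE_LOG = """\
[2013-11-15 16:58:38] [172.19.40.66] [OpenOTP_DB9CA335] New openotpLogin SOAP request
[2013-11-15 16:58:38] [172.19.40.66] [OpenOTP_DB9CA335] > Username: admin
[2013-11-15 16:58:38] [172.19.40.66] [OpenOTP_DB9CA335] Resolved LDAP user: CN=admin,CN=Users,DC=test-net2,DC=yyyyyyyy,DC=com
[2013-11-15 16:58:38] [172.19.40.66] [OpenOTP_DB9CA335] LDAP password Ok
[2013-11-15 16:58:38] [172.19.40.66] [OpenOTP_DB9CA335] OTP challenge required
[2013-11-15 16:58:39] [172.19.40.66] [OpenOTP_DB9CA335] Started challenge session of ID 84d4adce9ed00585 valid for 90 seconds
[2013-11-15 16:58:39] [172.19.40.66] [OpenOTP_DB9CA335] Sent challenge response
[2013-11-15 16:59:21] [172.19.40.66] [OpenOTP_DB9CA335] New openotpChallenge SOAP request
[2013-11-15 16:59:21] [172.19.40.66] [OpenOTP_DB9CA335] > Session: 84d4adce9ed00585
[2013-11-15 16:59:21] [172.19.40.66] [OpenOTP_DB9CA335] Mail password Ok
[2013-11-15 16:59:21] [172.19.40.66] [OpenOTP_DB9CA335] Sent success response
[2013-11-15 17:18:45] [172.19.40.66] [OpenOTP_E304B80D] New openotpLogin SOAP request
[2013-11-15 17:18:45] [172.19.40.66] [OpenOTP_E304B80D] > Username: admin
[2013-11-15 17:18:45] [172.19.40.66] [OpenOTP_E304B80D] > Domain: TEST-NET2
[2013-11-15 17:18:45] [172.19.40.66] [OpenOTP_E304B80D] Domain 'TEST-NET2' not existing or disabled
[2013-11-15 17:18:45] [172.19.40.66] [OpenOTP_E304B80D] User invalid or not found
[2013-11-15 17:18:47] [172.19.40.66] [OpenOTP_E304B80D] Sent failure response
"""


def summarize(log_text):
    """Group log lines by request ID. For each request record the source IP,
    username, domain (None when the client sent a bare username), resolved DN,
    challenge session ID, final outcome (last 'Sent ... response' line) and the
    failure reasons seen. Lines not in the log format are skipped."""
    requests = OrderedDict()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        req = requests.setdefault(m.group("req"), {
            "source_ip": m.group("ip"), "username": None, "domain": None,
            "resolved_dn": None, "session": None, "outcome": None, "reasons": [],
        })
        msg = m.group("msg")
        if msg.startswith("> Username: "):
            req["username"] = msg[len("> Username: "):]
        elif msg.startswith("> Domain: "):
            req["domain"] = msg[len("> Domain: "):]
        elif msg.startswith("Resolved LDAP user: "):
            req["resolved_dn"] = msg[len("Resolved LDAP user: "):]
        elif msg.startswith("Started challenge session of ID "):
            req["session"] = msg.split()[5]
        elif msg.startswith("Sent ") and msg.endswith(" response"):
            # 'challenge' is overwritten by the later 'success' or 'failure'
            req["outcome"] = msg[len("Sent "):-len(" response")]
        elif "not existing or disabled" in msg or msg == "User invalid or not found":
            req["reasons"].append(msg)
    return requests


def domain_failures(requests):
    """Requests that failed because the client-supplied domain is not a
    registered WebADM domain: list of (request id, domain)."""
    return [
        (rid, r["domain"]) for rid, r in requests.items()
        if any("not existing or disabled" in reason for reason in r["reasons"])
    ]


if __name__ == "__main__":
    for rid, r in summarize(SAMPLE_LOG).items():
        print(rid, r["domain"], r["username"], r["outcome"], r["reasons"])
    print("domain lookups failed:", domain_failures(summarize(SAMPLE_LOG)))
```

Run it against a real /opt/webadm/logs export by reading the file into `summarize()`; the `domain_failures()` list is the quickest way to see whether a wave of "Invalid username or password" reports is a WebADM domain naming problem rather than bad passwords.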


Administrators

Nov 15, 2013, 11:18:16 AM
to rcdevs-t...@googlegroups.com
You need a WebADM Domain (at least to define the user search base for OpenOTP users).
Now you can rename your "Default" WebADM domain and name it "TEST-NET2" like your AD domain.
Then user IDs like TEST-NET2\admin will work in both OpenOTP and AD. That's what is recommended.

Note: For SSH, you can use the AD instead of the /etc/passwd users with a pam-LDAP configuration on Linux.
In WebADM you can add the posixAccount extension to your AD users to make them usable in Linux pam-LDAP.
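
The reply above explains why the rename works: the domain part of a DOMAIN\user login is looked up by name against the registered WebADM domains, while the same string is also what Windows uses to pick the account database, so the two names must agree. The model below is an added example written for this page; it is reconstructed from the log lines in the thread and is not RCDevs' code. Assumptions: the domain name comparison is case-insensitive (not confirmed by the thread), only the DOMAIN\user form is handled, and the "Default Domain" setting behaves as a fallback used only when no domain is supplied. The before/after domain tables are constructed from the thread, not read from WebADM.

```python
BASE_DN = "cn=users,dc=test-net2,dc=yyyyyyyy,dc=com"  # search base from the thread

# WebADM domain table (name -> user search base), constructed for this example:
# before the rename the only domain is "Default", after it is "TEST-NET2".
DOMAINS_BEFORE = {"Default": BASE_DN}
DOMAINS_AFTER = {"TEST-NET2": BASE_DN}


def split_login(login):
    """Split a DOMAIN\\user login into (domain, username).
    A bare username gives (None, username)."""
    if "\\" in login:
        domain, user = login.split("\\", 1)
        return domain, user
    return None, login


def resolve_user(login, webadm_domains, default_domain=None):
    """Model of the lookup visible in the log: an explicit domain must match a
    registered WebADM domain (case-insensitively, an assumption); a bare
    username uses default_domain when that setting is active. Returns
    (domain name, search base, username) or raises LookupError carrying the
    message the log prints."""
    domain, user = split_login(login)
    if domain is None:
        if default_domain is None:
            raise LookupError("User invalid or not found")
        domain = default_domain
    for name, search_base in webadm_domains.items():
        if name.lower() == domain.lower():
            return name, search_base, user
    raise LookupError("Domain '%s' not existing or disabled" % domain)


def outcome(login, webadm_domains, default_domain=None):
    """String form of resolve_user() for quick comparison of configurations."""
    try:
        name, search_base, user = resolve_user(login, webadm_domains, default_domain)
        return "resolved %s in %s (%s)" % (user, name, search_base)
    except LookupError as err:
        return str(err)


def webadm_matches_ad(ad_netbios_name, webadm_domains):
    """Pre-deployment check: is there a WebADM domain named like the AD
    NetBIOS domain, so that DOMAIN\\user works on both sides?"""
    return any(name.lower() == ad_netbios_name.lower() for name in webadm_domains)


if __name__ == "__main__":
    for login in ("admin", "TEST-NET2\\admin"):
        print("before, default on :", login, "->", outcome(login, DOMAINS_BEFORE, "Default"))
        print("before, default off:", login, "->", outcome(login, DOMAINS_BEFORE))
        print("after rename       :", login, "->", outcome(login, DOMAINS_AFTER))
    print("aligned:", webadm_matches_ad("TEST-NET2", DOMAINS_AFTER))
```

The three configurations reproduce the thread: with the domain still called "Default", a bare "admin" resolves only through the Default Domain fallback (and Windows then treats it as a local account), "TEST-NET2\admin" fails with the exact log message regardless of that setting, and after the rename "TEST-NET2\admin" resolves and is also a valid domain logon for Windows.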

azpis...@gmail.com

Nov 15, 2013, 11:28:32 AM
to rcdevs-t...@googlegroups.com
Thank you very much for the quick response!
Could you please provide a clue where I can rename "Default" WebADM domain and name it "TEST-NET2" like our AD domain?

Regards

On Friday, November 15, 2013 at 18:18:16 UTC+2, Administrators wrote:

Administrators

Nov 15, 2013, 11:32:39 AM
to rcdevs-t...@googlegroups.com
The domain is a LDAP object in the dc=Domains,dc=WebADM container in your LDAP tree.
Click the domain object and you can rename it like any other object.

azpis...@gmail.com

Nov 15, 2013, 11:50:29 AM
to rcdevs-t...@googlegroups.com
It works great!

Thank You very much again!

On Friday, November 15, 2013 at 18:32:39 UTC+2, Administrators wrote: