Windows Credential Provider doesn't work


Zorian Lee

Feb 8, 2017, 1:06:15 AM
to RCDevs Security Solutions - Technical
Hi,

I'm testing the Windows Credential Provider and installed it on both a remote Windows system and a local Windows system, and I think I configured it correctly. Please see the snapshot below; I only changed the settings in the red rectangles.


The problem is that when I use OpenOTP Login it never connects to the WebADM service; after 30 seconds it clears the password in the text box and something seems to finish. I checked both my HTTP server log and the WebADM log, and there is nothing there. It looks like it never tries to connect to the WebADM service.




Does anyone know what happened? And how can I make it work?



francois...@rcdevs.com

Feb 8, 2017, 1:53:40 AM
to RCDevs Security Solutions - Technical
Hello Zorian

Which version of the Credential Provider and of Windows do you use?
Could you also try the server URL in a web browser on the same computer? Could you try without a certificate?

Zorian Lee

Feb 8, 2017, 2:08:40 AM
to RCDevs Security Solutions - Technical
I'm using Windows 10 Enterprise and CP 1.1.3 64-bit.

And I did try calling the SOAP API using the same URL, and it works well. But unfortunately I cannot test non-SSL because that's not allowed.

francois...@rcdevs.com

Feb 8, 2017, 4:53:25 AM
to RCDevs Security Solutions - Technical
I think you are using the wrong port.

443 is for the web interface; you should use 8443:

Zorian Lee

Feb 8, 2017, 9:18:42 PM
to RCDevs Security Solutions - Technical
I do reverse proxy port 8443. My web interface and the service now use the same port for simplicity. And I did test by calling the SOAP service using the URL in the image, and it works.

francois...@rcdevs.com

Feb 9, 2017, 3:08:36 AM
to RCDevs Security Solutions - Technical
Hello Zorian,

It is not possible to use the same port for the web interface and for the SOAP interface.

You can see the ports used on the WebADM server like this:

[root@webadm1 ~]# netstat -lpn | grep webadm-httpd
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      26093/webadm-httpd  
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      26093/webadm-httpd  
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN      26093/webadm-httpd  
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      26093/webadm-httpd 

80 and 443 are for the web interface in HTTP and HTTPS.
8080 and 8443 are for the SOAP interface in HTTP and HTTPS.

You can change these ports by creating /opt/webadm/conf/webadm.env, but you cannot use the same ports for the web interface and the SOAP interface. Did you change it? Could you check the listening ports with netstat?
When you access https://my.domaine.com:8443/openotp/ with a web browser, you should download an empty file called openotp. Can you download it?

Zorian Lee

Feb 9, 2017, 3:35:51 AM
to RCDevs Security Solutions - Technical
OK, so my topology is: I have a separate Apache server which hosts the domain my.domain.com and reverse proxies to the web interface and the SOAP service, which are hosted on the internal network with the domain internal.domain.com. This is why they can use the same port, just because of the reverse proxy.

And I did use a web browser to access https://my.domain.com/openotp/, and yes, I can download an empty file; the behavior is exactly the same as accessing the internal URL with port 8443.

And also please note, I tried using https://my.domain.com/openotp/ to call the SOAP API and it does work.

Zorian Lee

Feb 9, 2017, 8:23:28 AM
to RCDevs Security Solutions - Technical
OK, finally I set up a new internal environment and tested non-SSL, and it works, so this should be a certificate issue. But in the second image I attached above, steps 3/4, I have configured the CA file path (PEM format, including intermediate and root CA), so why does it not work? And from a new machine, when I test the SSL URL it hangs for at least 5 minutes until I kill the RDP session.

Can you tell me how to make SSL work?

Administrators

Feb 9, 2017, 2:18:52 PM
to RCDevs Security Solutions - Technical
Check the WebADM Manual and look for custom certificates in WebADM.

You can use a custom cert by creating pki/custom.crt & pki/custom.key.
But you must not update webadm.crt and webadm.key.
In WebADM, the custom cert is used only for admin and webapps. The services should run under the self-generated cert (issued by the local CA).

So if this is done this way, you just download the CA cert file in the WebADM admin menu.
This cert is the one you need to trust in the CP.
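The two checks asked for above (is 8443 the SOAP port and does /openotp/ answer; does the certificate chain the CP sees end at the CA file it was given) can be run from the Windows client itself. This is an added diagnostic, not RCDevs code or part of the CP; the host name, the port 8443 and the CA PEM path are placeholders for your own values, and it reports what is presented rather than enforcing anything.

```powershell
using namespace System.Security.Cryptography.X509Certificates
# Added diagnostic (not RCDevs code). Placeholders: WebADM host, SOAP port, CA PEM given to the CP.
param(
    [string]$Server   = "webadm.internal.example",   # placeholder: WebADM host or the proxy in front of it
    [int]   $SoapPort = 8443,                         # SOAP/API port; 443 is only the web interface
    [string]$CaPem    = "C:\OpenOTP\ca.pem"           # placeholder: CA bundle configured in the CP
)

# 1. TCP reachability of the SOAP port (a CP "hang" often starts here).
$tcp = Test-NetConnection -ComputerName $Server -Port $SoapPort -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) { Write-Warning "TCP ${Server}:${SoapPort} is not reachable"; return }

# 2. TLS handshake; the callback accepts any certificate so we can inspect what was presented.
$client = [System.Net.Sockets.TcpClient]::new($Server, $SoapPort)
$ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($Server)
$leaf = [X509Certificate2]::new($ssl.RemoteCertificate)

# 3. Rebuild the chain with every certificate from the CP's CA bundle as a candidate.
$chain = [X509Chain]::new()
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$pem = Get-Content -Path $CaPem -Raw
foreach ($m in [regex]::Matches($pem, '-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----')) {
    $bytes = [Convert]::FromBase64String($m.Groups[1].Value)   # FromBase64String ignores line breaks
    $null = $chain.ChainPolicy.ExtraStore.Add([X509Certificate2]::new($bytes))
}
$null = $chain.Build($leaf)
$pemThumbs = $chain.ChainPolicy.ExtraStore | ForEach-Object { $_.Thumbprint }
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
Write-Output "Certificate chain presented on port ${SoapPort}:"
foreach ($el in $chain.ChainElements) {
    Write-Output ("  {0}`n      issued by {1}" -f $el.Certificate.Subject, $el.Certificate.Issuer)
}
if ($pemThumbs -contains $root.Thumbprint) {
    Write-Output "Chain ends at a CA contained in ${CaPem}: the CP can trust this endpoint."
} else {
    Write-Output "Chain ends at '$($root.Subject)', which is NOT in ${CaPem}."
    Write-Output "A proxy or port forward presenting a different certificate causes exactly this."
}

# 4. The empty /openotp/ document, fetched over the TLS stream already open (plain HTTP/1.1 GET).
$req = [Text.Encoding]::ASCII.GetBytes("GET /openotp/ HTTP/1.1`r`nHost: ${Server}`r`nConnection: close`r`n`r`n")
$ssl.Write($req, 0, $req.Length); $ssl.Flush()
$reader = [IO.StreamReader]::new($ssl)
Write-Output ("GET /openotp/ -> " + $reader.ReadLine())   # status line; the thread expects an empty download
$reader.Dispose(); $client.Close()
```

Run it once against the internal host on 8443 and once against the public name that fronts it; if the two chains end at different roots, the CP is being shown a certificate that is not in its CA file.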

Zorian Lee

Feb 9, 2017, 6:47:31 PM
to RCDevs Security Solutions - Technical
I did create custom.crt and custom.key, and my web interface is using a certificate signed by StartSSL. And because I use Apache to set up the reverse proxy for the SOAP service, and my Apache server is using the same certificate signed by StartSSL, the CP will not see the self-generated cert but the StartSSL cert.

Anyway, I did try using the CA downloaded from the web interface, which is a self-generated local CA, but it still didn't work; same behavior.

I'll try to access the SOAP service using the internal domain directly and see if it works. I'm not sure whether it doesn't support a reverse proxy.

Zorian Lee

Feb 9, 2017, 6:50:00 PM
to RCDevs Security Solutions - Technical
OK, I tried the internal URL and the CA downloaded from the web interface, and it works.

But why doesn't it work behind the reverse proxy?

Zorian Lee

Feb 9, 2017, 10:09:36 PM
to RCDevs Security Solutions - Technical
Did another try. I mapped 8443 directly to 443 using the Apache reverse proxy, using the same self-generated certificate as the SOAP service. Got the same behavior: the CP didn't access the service URL and hung. But without the reverse proxy, just accessing the server directly on port 8443, it works, no matter which domain is used, internal or public.

Based on my testing, it sounds like the CP doesn't support a reverse proxy, at least not the Apache reverse proxy.

Is a reverse proxy not supported by the CP? Or am I missing something here?

Zorian Lee

Feb 9, 2017, 11:59:09 PM
to RCDevs Security Solutions - Technical
Port forwarding also doesn't work, same as the reverse proxy. Then how can I use the CP from the Internet?

Administrators

Feb 10, 2017, 3:58:17 AM
to RCDevs Security Solutions - Technical
We do not support this scenario for now.
> CP is not intended to be used with laptops
> And OpenOTP API should not be exposed to the Internet.

We will provide a version of CP with offline mode (with U2F only) in the next versions.

P.J. den Haan

Jan 13, 2021, 4:19:59 PM
to RCDevs Security Solutions - Technical
Just out of curiosity, is there any chance this might become a supported scenario?
It would be great to have logins to non-domain joined laptops secured this way...

Yoann Traut (RCDevs)

Jan 18, 2021, 10:56:40 AM
to RCDevs Security Solutions - Technical
Hello,

If you are talking about publicly exposing the OpenOTP API through a reverse proxy (WAProxy), it is now supported.


Note that the Windows clients must provide a valid certificate generated through WebADM internal PKI.

Regards
