OpenOTP Plugin for Windows Login


Jibé

Feb 5, 2013, 12:26:40 PM
to rcdevs-t...@googlegroups.com
Is there any documentation about how to install, configure and debug this awesome plugin!!! => OpenOTP Plugin for Windows Login??

Administrators

Feb 5, 2013, 1:21:35 PM
to RCDevs Security Solutions - Technical
It's not released yet. It's beta for testing.

See below for comments on the setup steps.
To make it work, simply set the server URL with http://yourserver:8080/openotp/
Do not use SSL unless you add the server CA certificate to the Windows
certificate trust store.

Configuration 1/3

Server URL(s): (mandatory)
This is the OpenOTP SOAP service URL.
You can set two URLs (for server redundancy) with a comma separator.
Example: http://openotpserver:8080/openotp/

Default Domain: (optional)
You can set the default Domain to be sent to OpenOTP when the user
does not specify a login Domain in the login form.
User may specify the login Domain by entering a username in the form
'domain\username' when they login.
Note: Default Domain is generally set in the OpenOTP Server
configuration in WebADM.

Login Text: (optional)
This is the Welcome text to be displayed in the Windows login page.
Leave it empty to keep the default message.

Client ID: (optional)
This is the client ID which is sent to OpenOTP in the login requests.
This client ID will appear in the WebADM audit database.


Configuration 2/3

The following settings are generally not required.
They are applicable only if you have set the Server URL with HTTPS in
the previous step.

Important: If you use OpenOTP with HTTPS, you MUST add the WebADM CA
certificate to your Windows system certificate trust store!
Without it the Windows system will refuse to communicate with the
OpenOTP server.

Certificate Authority File: (optional)
You can use this feature if you need to authenticate the OpenOTP
server based on its SSL certificate.
This is the local path of the WebADM CA certificate file in PEM
format.
You can get the WebADM CA certificate from your WebADM Administration
Portal.

Certificate File: (optional)
You can provide an SSL client certificate for the OpenOTP connection.
Client certificate check is currently not implemented at the OpenOTP
server side.

Certificate Password: (optional)
If the client certificate is encrypted, you can provide the decryption
password here.


Configuration 3/3

The following settings are for advanced configurations.
You should keep the default values here.

Setting String: (optional)
You can pass some OpenOTP configurations from the client requests by
setting a comma-separated list of settings here.
These settings will override any server or user settings.
Example: OpenOTP.LoginMode=LDAPOTP,OpenOTP.OTPType=TOKEN

SOAP Timeout: (optional)
This is the SOAP request timeout when connecting to the OpenOTP Server
URL.
The default value is 15 seconds.
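As an added example (not the plugin's or RCDevs' code), a PowerShell script covering the two HTTPS prerequisites described above: importing the WebADM CA file into the machine trust store and verifying that Windows can validate the server certificate for each configured URL within the plugin's default 15-second timeout. The CA path, hostname and parameter names are placeholders.

```powershell
# Added example: import the WebADM CA into LocalMachine\Root and test the
# TLS handshake to each OpenOTP URL the way the Windows plugin will see it.
# Run elevated: the login plugin runs as SYSTEM, so a CA imported into the
# current user's store does not help it.
param(
    [string]$CaFile = 'C:\OpenOTP\webadm_ca.pem',                  # placeholder path
    [string]$ServerUrls = 'https://openotpserver:8080/openotp/',  # comma-separated, as in the plugin form
    [int]$TimeoutSeconds = 15                                      # plugin default SOAP timeout
)

# 1. Import the CA certificate (certutil accepts PEM files).
if (-not (Test-Path $CaFile)) { throw ("CA file not found: {0}" -f $CaFile) }
& certutil.exe -addstore -f Root $CaFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw ("certutil failed with exit code {0}" -f $LASTEXITCODE) }

# 2. For each URL, perform a TLS handshake with chain and hostname validation
#    through SChannel. A chain failure surfaces here as an exception, which is
#    the same reason the login plugin cannot reach the server over HTTPS.
foreach ($url in $ServerUrls.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }) {
    $uri = [Uri]$url
    if ($uri.Scheme -ne 'https') {
        Write-Host ("{0} : plain HTTP, no certificate check applies" -f $url)
        continue
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.ReceiveTimeout = $TimeoutSeconds * 1000
    try {
        $tcp.Connect($uri.Host, $uri.Port)
        # leaveInnerStreamOpen = $false; default validation uses the machine store
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($uri.Host)   # throws on untrusted chain or name mismatch
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        Write-Host ("{0} : OK, issued by '{1}', expires {2}" -f $url, $cert.Issuer, $cert.NotAfter)
    } catch {
        Write-Host ("{0} : FAILED - {1}" -f $url, $_.Exception.Message)
    } finally {
        $tcp.Close()
    }
}
```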

Jibé

Feb 7, 2013, 5:57:46 AM
to rcdevs-t...@googlegroups.com
Thanks for these explanations.

I have tested the plugin on Windows 2008 R2 SP1 and it works great when I use an HTTP web-service URL, but it fails with HTTPS (I have added the WebADM CA certificate to the trusted root of the computer certificate store without success).

No data is sent to the OpenOTP server, so it is Windows which blocks access. The error message on the GINA page is the following:


Administrators

Feb 7, 2013, 1:20:48 PM
to RCDevs Security Solutions - Technical
Yes we know. We still have to fix this...

On Feb 7, 11:57 am, Jibé <jb.charpent...@gmail.com> wrote:
> Thanks for these explanations.
>
> I have tested the plugin on Windows 2008 R2 SP1 and it works great when I use
> an HTTP web-service URL, but it fails with HTTPS (I have added the WebADM CA
> certificate to the trusted root of the computer certificate store without
> success).
>
> No data is sent to the OpenOTP server, so it is Windows which blocks access. The
> error message on the GINA page is the following:
>
> <https://lh3.googleusercontent.com/-uualVWGtRT8/UROIcxo8jzI/AAAAAAAAAL...>

François S.

Feb 14, 2013, 10:01:42 AM
to rcdevs-t...@googlegroups.com
Hi,

Thanks to this thread we were able to make it work as well (client Windows 2008 SP2 x64).

Nevertheless, the plugin's x86 version does not seem to work at all (even after rebooting, the GINA interface is still unmodified).
As Jibé said, it doesn't work with HTTPS either.

We are now looking for additional information:

- Can we use the OTP authentication without having to manage local passwords on the server?
I mean we're not using an Active Directory domain and we just want to authenticate our users based on the OTP. Is this possible?


Thanks in advance,

Regards,

François S.

Administrators

Feb 14, 2013, 10:56:43 AM
to RCDevs Security Solutions - Technical
Thanks for reporting the issues.
The SSL problem should be corrected very soon.
I'll post to this thread when ready...

Alessio Vigilante

Jul 26, 2013, 7:11:41 AM
to rcdevs-t...@googlegroups.com
Hi All,
I've the same problem with the x86 client too... how can I solve it?

Alessio Vigilante

Jul 26, 2013, 7:14:56 AM
to rcdevs-t...@googlegroups.com
Sorry... I mean with x64 and the HTTP protocol too... :(