UPN issues


Imani Uerlings

Jun 26, 2025, 7:08:22 AM
to RCDevs Security
Hi Guys,

I've got 2FA working on the RDWeb side, all is fine; then a user gets the RDP file to download, types his UPN login + password, which also works, but then the Windows login screen pops up with "other user" invalid user / password, and then the login screen shows:

DOMAIN\username .... so it seems not to take the earlier filled-in UPN with password; I cannot find the issue.

Anyone can assist here?

Benoît Jager (RCDevs)

Jun 26, 2025, 7:11:01 AM
to RCDevs Security
Hello,
Can you provide the related logs from the /opt/webadm/logs/webadm.log file?
It is likely that OpenOTP cannot match the UPN with your configured User Domain.

Imani Uerlings

Jun 30, 2025, 4:47:39 AM
to RCDevs Security
The UPN issues got sorted, so far so good, thanks.

On Thursday, 26 June 2025 at 13:11:01 UTC+2, Benoît Jager (RCDevs) wrote:

Imani Uerlings

Jun 30, 2025, 4:47:44 AM
to RCDevs Security
I thought it's easier to connect my Active Directory; I'm almost done, but I just struggle with this last part:

Creating WebADM Domains container dc=Domains,dc=WebADM... Failed
Creating WebADM AdminRoles container dc=AdminRoles,dc=WebADM... Failed
Creating WebADM WebApps container dc=WebApps,dc=WebADM... Failed
Creating WebADM WebSrvs container dc=WebSrvs,dc=WebADM... Failed
Creating WebADM Clients container dc=Clients,dc=WebADM... Failed
Creating WebADM Reports container dc=Reports,dc=WebADM... Failed
Creating WebADM MountPoints container dc=MountPoints,dc=WebADM... Failed

I'm sure when I get this fixed, then I'm sorted :)

On Thursday, 26 June 2025 at 13:11:01 UTC+2, Benoît Jager (RCDevs) wrote:
Hello,

Imani Uerlings

Jun 30, 2025, 4:47:47 AM
to RCDevs Security
[2025-06-26 11:20:42] [192.168.255.249:50435] [OpenOTP:7JC6M8ZK] > Username: piet
[2025-06-26 11:20:42] [192.168.255.249:50435] [OpenOTP:7JC6M8ZK] > Domain: MJX
[2025-06-26 11:20:42] [192.168.255.249:50435] [OpenOTP:7JC6M8ZK] > Password: xxxxxxxxxx
[2025-06-26 11:20:42] [192.168.255.249:50435] [OpenOTP:7JC6M8ZK] > Client ID: RDWeb
[2025-06-26 11:20:42] [192.168.255.249:50435] [OpenOTP:7JC6M8ZK] > Context: XbJufcfSYljBNAdBmHovdxcouYgxOJSV
[2025-06-26 11:20:42] [192.168.255.249:50435] [OpenOTP:7JC6M8ZK] > Options: NOVOICE
[2025-06-26 11:20:42] [192.168.255.249:50435] [OpenOTP:7JC6M8ZK] > Virtual: preferredLanguage=EN
[2025-06-26 11:20:42] [192.168.255.249:50435] [OpenOTP:7JC6M8ZK] Registered openotpSimpleLogin request
[2025-06-26 11:20:42] [192.168.255.249:50435] [OpenOTP:7JC6M8ZK] Domain 'MJX' not existing
[2025-06-26 11:20:42] [192.168.255.249:50435] [OpenOTP:7JC6M8ZK] User invalid or not found
[2025-06-26 11:20:42] [192.168.255.249:50435] [OpenOTP:7JC6M8ZK] Sent failure response

On Thursday, 26 June 2025 at 13:11:01 UTC+2, Benoît Jager (RCDevs) wrote:
Hello,

Imani Uerlings

Jun 30, 2025, 4:47:52 AM
to RCDevs Security
The exact UPN = pi...@mjx.com. I've tried creating both mjx and mjx.com domains on WebADM, but no success.

On Thursday, 26 June 2025 at 13:11:01 UTC+2, Benoît Jager (RCDevs) wrote:
Hello,

Imani Uerlings

Jun 30, 2025, 4:47:54 AM
to RCDevs Security
Perhaps this is a better output, starting at RDWeb, continuing to the RDP file and opening it, etc.:

[2025-06-26 11:27:39] [192.168.255.250:50874] [OpenOTP:I3NTSUMT] > Username: pi...@mjx.com
[2025-06-26 11:27:39] [192.168.255.250:50874] [OpenOTP:I3NTSUMT] > Client ID: RDWeb
[2025-06-26 11:27:39] [192.168.255.250:50874] [OpenOTP:I3NTSUMT] > Source IP: 178.228.76.113
[2025-06-26 11:27:39] [192.168.255.250:50874] [OpenOTP:I3NTSUMT] > Context: Wm6ltF107h3RtUpLeasqrv73LLpQEkAZ
[2025-06-26 11:27:39] [192.168.255.250:50874] [OpenOTP:I3NTSUMT] > Retry ID: 823d4763f6f44e41ac4d91af8df43f91
[2025-06-26 11:27:39] [192.168.255.250:50874] [OpenOTP:I3NTSUMT] > Settings: LockTimer=0
[2025-06-26 11:27:39] [192.168.255.250:50874] [OpenOTP:I3NTSUMT] > Options: -LDAP,WEBAUTH
[2025-06-26 11:27:39] [192.168.255.250:50874] [OpenOTP:I3NTSUMT] Registered openotpNormalLogin request
[2025-06-26 11:27:39] [192.168.255.250:50874] [OpenOTP:I3NTSUMT] Resolved source location: NL
[2025-06-26 11:27:39] [192.168.255.250:50874] [OpenOTP:I3NTSUMT] Resolved LDAP user: cn=pi...@mjx.com,dc=mjx.com,o=Root
[2025-06-26 11:27:39] [192.168.255.250:50874] [OpenOTP:I3NTSUMT] Started transaction lock for user
[2025-06-26 11:27:39] [192.168.255.250:50874] [OpenOTP:I3NTSUMT] Found 53 user settings: LoginMode=LDAPOTP,OTPType=TOKEN,PushLogin=Yes,ChallengeMode=Yes,ChallengeTimeout=90,OTPLength=6,OfflineExpire=30,MobileTimeout=30,EnableLogin=Yes,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,U2FPINMode=Discouraged,SMSType=Normal,SMSMode=Ondemand,MailMode=Ondemand,PrefetchExpire=10,LastOTPTime=300,ListChallengeMode=ShowID
[2025-06-26 11:27:39] [192.168.255.250:50874] [OpenOTP:I3NTSUMT] Found 1 request settings: LockTimer=0
[2025-06-26 11:27:39] [192.168.255.250:50874] [OpenOTP:I3NTSUMT] Found 5 user data: TokenType,TokenKey,TokenState,TokenID,TokenSerial
[2025-06-26 11:27:39] [192.168.255.250:50874] [OpenOTP:I3NTSUMT] Unrecognized option 'WEBAUTH' (ignoring option)
[2025-06-26 11:27:39] [192.168.255.250:50874] [OpenOTP:I3NTSUMT] Found 1 registered OTP token (HOTP)
[2025-06-26 11:27:39] [192.168.255.250:50874] [OpenOTP:I3NTSUMT] Requested login factors: OTP
[2025-06-26 11:27:39] [192.168.255.250:50874] [OpenOTP:I3NTSUMT] Authentication challenge required
[2025-06-26 11:27:39] [192.168.255.250:50874] [OpenOTP:I3NTSUMT] Sent push notification for token #1 (session LwsbRXPR2oCoBj2L)
[2025-06-26 11:27:39] [192.168.255.250:50874] [OpenOTP:I3NTSUMT] Started request retry context valid for 28 seconds
[2025-06-26 11:27:39] [192.168.255.250:50874] [OpenOTP:I3NTSUMT] Waiting 28 seconds for mobile response
[2025-06-26 11:27:45] [127.0.0.1:33088] [OpenOTP:I3NTSUMT] Received mobile login response from 178.228.76.113
[2025-06-26 11:27:45] [127.0.0.1:33088] [OpenOTP:I3NTSUMT] > Session: LwsbRXPR2oCoBj2L
[2025-06-26 11:27:45] [127.0.0.1:33088] [OpenOTP:I3NTSUMT] > Password: 16 Bytes
[2025-06-26 11:27:45] [127.0.0.1:33088] [OpenOTP:I3NTSUMT] Found authentication session started 2025-06-26 11:27:39
[2025-06-26 11:27:45] [127.0.0.1:33088] [OpenOTP:I3NTSUMT] PUSH password Ok (token #1)
[2025-06-26 11:27:45] [192.168.255.250:50874] [OpenOTP:I3NTSUMT] Updated user data
[2025-06-26 11:27:45] [192.168.255.250:50874] [OpenOTP:I3NTSUMT] Sent login success response
[2025-06-26 11:28:00] [192.168.255.249:50470] [OpenOTP:HY9X88RS] New openotpSimpleLogin SOAP request
[2025-06-26 11:28:00] [192.168.255.249:50470] [OpenOTP:HY9X88RS] > Username: piet
[2025-06-26 11:28:00] [192.168.255.249:50470] [OpenOTP:HY9X88RS] > Domain: MJX
[2025-06-26 11:28:00] [192.168.255.249:50470] [OpenOTP:HY9X88RS] > Password: xxxxxxxxxx
[2025-06-26 11:28:00] [192.168.255.249:50470] [OpenOTP:HY9X88RS] > Client ID: RDWeb
[2025-06-26 11:28:00] [192.168.255.249:50470] [OpenOTP:HY9X88RS] > Context: XbJufcfSYljBNAdBmHovdxcouYgxOJSV
[2025-06-26 11:28:00] [192.168.255.249:50470] [OpenOTP:HY9X88RS] > Options: NOVOICE
[2025-06-26 11:28:00] [192.168.255.249:50470] [OpenOTP:HY9X88RS] > Virtual: preferredLanguage=EN
[2025-06-26 11:28:00] [192.168.255.249:50470] [OpenOTP:HY9X88RS] Registered openotpSimpleLogin request
[2025-06-26 11:28:00] [192.168.255.249:50470] [OpenOTP:HY9X88RS] Domain 'MJX' not existing
[2025-06-26 11:28:00] [192.168.255.249:50470] [OpenOTP:HY9X88RS] User invalid or not found
[2025-06-26 11:28:00] [192.168.255.249:50470] [OpenOTP:HY9X88RS] Sent failure response

Spyridon Gouliarmis (RCDevs)

Jun 30, 2025, 4:55:09 AM
to RCDevs Security
Hello Imani, you probably need to create a User Domain (Admin tab in WebADM) named "MJX", or, more likely in your case, add "MJX" to the domain's aliases (it's one of the first settings under "Configure").

Your "Creating WebADM XXX" problem is probably an LDAP rights issue. The user you were logged in as, when you got this, did not have the rights to create the listed objects from your LDAP server's perspective. Setting log_debug to Yes in /opt/webadm/conf/webadm.conf gives you more info on what WebADM sends to the LDAP service, and the answers it gets (usually including the reasons why the operation failed). Changes to webadm.conf need a webadm service restart.

Imani Uerlings

Jul 4, 2025, 10:53:29 AM
to rcdevs-t...@googlegroups.com
So I got it all sorted and LDAP connected.

The user domain called MJX and all users underneath work perfectly.

But if I make a new OU, let's say called MJX1, with users, and connect the WebADM domain to the specific group with users, then I still get the invalid user error and I have to retype us...@domain.com in order to get past the error.

If I move 1 user from the MJX1 OU to the MJX OU, then it works.

I renamed the domain in WebADM from mjx to test01, then renamed mjx1 to mjx, and then this group also works :/ but not test01.

The AD domain is called MJX or MJX.local.

I tried with domain alias etc., but this doesn't help, as only the WebADM domain called MJX and everything underneath lets my users log in with UPN or user@domain rather than domain\user.

Am I missing something?


On Mon, 30 Jun 2025 at 10:55, 'Spyridon Gouliarmis (RCDevs)' via RCDevs Security <rcdevs-t...@googlegroups.com> wrote:

Spyridon Gouliarmis (RCDevs)

Jul 4, 2025, 11:36:41 AM
to RCDevs Security
I'm not sure I get your issue. Is there a reason you're not creating a single WebADM User Domain that covers your whole Active Directory (that is, its User Search Base is the root DSE), with mjx.local as its name and MJX,MJX.LOCAL as its Aliases? This should let you log in as MJX\user, us...@mjx.local and maybe some other formats depending on the Credential Provider's config.

Imani Uerlings

Jul 8, 2025, 4:03:35 AM
to RCDevs Security
I did the above and just connected the WebADM-created domain to the MJX / MJX.local; that fixed it all :) thanks for that.

Now I hit my next issue :( after installing RDS Licensing manager on the same server where the RDS gateway role resides, everything seems broken again: I cannot log in via RDWeb anymore; it gives me this in the error log:


[2025-07-04 18:42:35] [192.168.255.250:50096] [OpenOTP:S4PYHK17] New openotpNormalLogin SOAP request
[2025-07-04 18:42:35] [192.168.255.250:50096] [OpenOTP:S4PYHK17] > Username: b...@XXXXXX.com
[2025-07-04 18:42:35] [192.168.255.250:50096] [OpenOTP:S4PYHK17] > Client ID: RDWeb
[2025-07-04 18:42:35] [192.168.255.250:50096] [OpenOTP:S4PYHK17] > Source IP: 178.228.77.254
[2025-07-04 18:42:35] [192.168.255.250:50096] [OpenOTP:S4PYHK17] > Context: Wm6ltF107h3RtUpLeasqrv73LLpQEkAZ
[2025-07-04 18:42:35] [192.168.255.250:50096] [OpenOTP:S4PYHK17] > Retry ID: 888d67767cc34f03976ce964dfe153fc
[2025-07-04 18:42:35] [192.168.255.250:50096] [OpenOTP:S4PYHK17] > Settings: LockTimer=0
[2025-07-04 18:42:35] [192.168.255.250:50096] [OpenOTP:S4PYHK17] > Options: -LDAP,WEBAUTH
[2025-07-04 18:42:35] [192.168.255.250:50096] [OpenOTP:S4PYHK17] Registered openotpNormalLogin request
[2025-07-04 18:42:35] [192.168.255.250:50096] [OpenOTP:S4PYHK17] Domain not provided and no default domain configured
[2025-07-04 18:42:35] [192.168.255.250:50096] [OpenOTP:S4PYHK17] User invalid or not found
[2025-07-04 18:42:35] [192.168.255.250:50096] [OpenOTP:S4PYHK17] Sent failure response

If I try to RDP directly into the VM, it now "again" only lets me in via MJX\USERNAME instead of US...@DOMAIN.COM?



On Friday, 4 July 2025 at 17:36:41 UTC+2, Spyridon Gouliarmis (RCDevs) wrote:

Imani Uerlings

Jul 8, 2025, 4:03:39 AM
to RCDevs Security
In the previous working setup it sends this:

[2025-07-04 15:51:04] [192.168.255.237:59423] [OpenOTP:5BGCYMIY] New openotpSimpleLogin SOAP request
[2025-07-04 15:51:04] [192.168.255.237:59423] [OpenOTP:5BGCYMIY] > Username: bas
[2025-07-04 15:51:04] [192.168.255.237:59423] [OpenOTP:5BGCYMIY] > Domain: MJX                                <------ this part is now missing since after RDS licensing got installed, even removal didn't fix it now.
[2025-07-04 15:51:04] [192.168.255.237:59423] [OpenOTP:5BGCYMIY] > Password: xxxxxxxxxxx
[2025-07-04 15:51:04] [192.168.255.237:59423] [OpenOTP:5BGCYMIY] > Client ID: RDWeb
[2025-07-04 15:51:04] [192.168.255.237:59423] [OpenOTP:5BGCYMIY] > Source IP: 0.0.0.0

On Friday, 4 July 2025 at 17:36:41 UTC+2, Spyridon Gouliarmis (RCDevs) wrote:
I'm not sure I get your issue. Is there a reason you're not creating a single WebADM User Domain that covers your whole Active Directory (that is, its User Search Base is the root DSE), with mjx.local as its name and MJX,MJX.LOCAL as its Aliases? This should let you log in as MJX\user, us...@mjx.local and maybe some other formats depending on the Credential Provider's config.

Spyridon Gouliarmis (RCDevs)

Jul 9, 2025, 9:08:55 AM
to RCDevs Security
Set your mjx.local WebADM User Domain as Default Domain in Applications tab -> MFA Server -> Configuration. In production, you'll probably want to do this in a Client Policy called RDWeb instead (Application Settings in the Client Policy) so that it applies only when RDWeb is calling.
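The three settings the RCDevs replies in this thread point at (the User Domain's name, its Aliases, and the Default Domain) decide whether a submitted login is mapped to a domain at all. To make the two log messages from the thread concrete, here is an added example, not RCDevs code and not a description of how WebADM or OpenOTP actually implement their lookup: a small model of a user-domain lookup, run against a configuration like the one described early in the thread (a single domain named after the UPN suffix, no aliases, no default; this "before" configuration is an assumption) and against the one Spyridon recommends. The case-insensitive matching, the splitting of DOMAIN\user, user@domain and bare usernames, and the user names are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class UserDomain:
    """A WebADM-style User Domain: a name plus the aliases it also answers to."""
    name: str
    aliases: Tuple[str, ...] = ()


@dataclass
class MfaConfig:
    domains: List[UserDomain]
    default_domain: Optional[str] = None  # used when the login carries no domain


def split_login(login: str) -> Tuple[str, Optional[str]]:
    """Split a login into (username, domain-or-None).

    Modelled splitting rules (assumption): DOMAIN\\user, user@domain, bare user.
    """
    if "\\" in login:
        domain, _, user = login.partition("\\")
        return user, domain
    if "@" in login:
        user, _, domain = login.rpartition("@")
        return user, domain
    return login, None


def resolve_domain(login: str, config: MfaConfig) -> Tuple[str, UserDomain]:
    """Map a login to a configured User Domain, or raise with a reason.

    The two error strings mirror the messages seen in the thread's webadm.log.
    """
    user, domain = split_login(login)
    if domain is None:
        if config.default_domain is None:
            raise LookupError("Domain not provided and no default domain configured")
        domain = config.default_domain
    wanted = domain.lower()  # assumption: names and aliases match case-insensitively
    for d in config.domains:
        if wanted == d.name.lower() or wanted in {a.lower() for a in d.aliases}:
            return user, d
    raise LookupError(f"Domain '{domain}' not existing")


def check_logins(config: MfaConfig, logins: Iterable[str]) -> Dict[str, str]:
    """Report, per login form, whether the configuration accepts it and why not."""
    results = {}
    for login in logins:
        try:
            user, dom = resolve_domain(login, config)
            results[login] = f"ok: {user} in {dom.name}"
        except LookupError as err:
            results[login] = f"refused: {err}"
    return results


# Assumed "before": one User Domain named after the UPN suffix only, no aliases, no default.
BEFORE = MfaConfig(domains=[UserDomain("mjx.com")])

# "After", following the advice in this thread: one domain for the whole AD,
# aliased to the NetBIOS and DNS names and set as Default Domain.
AFTER = MfaConfig(
    domains=[UserDomain("mjx.local", aliases=("MJX", "MJX.LOCAL"))],
    default_domain="mjx.local",
)

# The login forms that came up in the thread (constructed user name).
LOGINS = ["MJX\\alice", "alice@mjx.local", "alice", "alice@mjx.com"]

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label)
        for login, result in check_logins(cfg, LOGINS).items():
            print(f"  {login:18} -> {result}")
```

The last login form is the caveat worth keeping in mind: every suffix users actually type (here a UPN suffix that differs from the AD DNS name) has to be the domain's name or one of its aliases, or it is refused exactly as "Domain 'MJX' not existing" was refused in the thread.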