Web ADM 2.3

[Gemechis Doja]

I have installed WEB ADM 2.3.23 and successfully setup all configurations. After registering a user with MFA Authentication, when I do test it on web adm portal, it shows a success response. But after installing the RCDev's client on my machine and tied to login after entering the OTP, it displays "You could not be authenticated. Wrong username or password". What could be the issue? Any help is appreciated.

[Yoann Traut (RCDevs)]

Hello, 

It is likely due to a misconfiguration of authentication policies. Could you provide the complete session logs related to your authentication attempt? 

Additionally, could you share a screenshot of the Windows client's registry configuration?

HKLM > Software > RCDevs > OpenOTP-CP 

Regards

[Gemechis Doja]

@yoann Thank you for the swift reply. 

Below is the screenshot of both config files. 

[Spyridon Gouliarmis (RCDevs)]

Can you set debug_mode to 4 in that registry key you've shown, and check what appears in C:\RCDevs Logs after the next failed authentication?

[Gemechis Doja]

Hello,

Attached is the Log file.

[Gemechis Doja]

Here is the debug log

On Wednesday, November 27, 2024 at 12:23:08 PM UTC+3 Spyridon Gouliarmis (RCDevs) wrote:

[Spyridon Gouliarmis (RCDevs)]

Is the exact username you're using (Default\gemechis) valid in your Windows domain/workstation? I doubt it.

In a standard integration you normally tell WebADM to look into the Active Directory through LDAP directly (conf/servers.xml) or through a "mount point" in the web UI. You then create a WebADM domain that has the same name as your Windows domain, and has the short domain name as an alias. Search for "WebADM LDAP Domains" in https://docs.rcdevs.com/webadm-administrator-guide/#webadm-ldap-domains .

[Gemechis Doja]

The user gemechis exists in my local computer. I have configured the web adm default ldap configuration. 

What could be the solution?

[Spyridon Gouliarmis (RCDevs)]

What about COOPBANK\gemechisd ? Does it work?

[Spyridon Gouliarmis (RCDevs)]

You're not using the latest version of the plugin by the way, try installing the latest first.

[Gemechis Doja]

Yes, but When I tried to login through OpenOTP installed on my pc, after entering the OTP it throws an error of "You could not be authenticated. Invalid Username or Password". The log on web adm shows successful response.

[Spyridon Gouliarmis (RCDevs)]

On the OpenOTP credential provider, which of these did you try:

- "Default\gemechis"

- "gemechis"

- "COOPBANK\gemechisd"

- "gemechisd"

Also, which version of Windows are you using? If it's Windows 7, the version of the plugin you use is the latest one to work on it, but it's also unmaintained and may have some bugs that may never get fixed.

[Gemechis Doja]

I have tried with all of the above mentioned usernames.

--
You received this message because you are subscribed to the Google Groups "RCDevs Security" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rcdevs-technic...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/rcdevs-technical/0247a9ee-7d98-4feb-b3a4-8d690980f9f2n%40googlegroups.com.

[Spyridon Gouliarmis (RCDevs)]

Have you created a WebADM domain called "COOPBANK", or added the string "COOPBANK" as an alias in the existing WebADM domain called "Default"? WebADM domains are under the Admin tab.

Since you're using an old version of Windows, and an old version our plugin, you will probably have to type DOMAIN\username for the plugin to work correctly.

[Gemechis Doja]

Okay. I need to start over everything including the installation. I have Centos 9 installed on my server. SHould I install the new release " webadm_all_in_one-2.3.24-x64.sh.gz  " or there is any stable version? Also how can i install with latest plugin?

[Spyridon Gouliarmis (RCDevs)]

2.3.14 is what we call stable right now. Though since 2.3.22 there's the cloud push feature, that relieves you from setting up a reverse proxy exposing WebADM's web services to the internet if you want push notifications.

The latest plugin is the first download on the plugins page: https://www.rcdevs.com/downloads/integration-plugins/

Though if your setup has not changed from before, I would start by just doing what I wrote: add your Windows domain short name to the aliases of the "Default" domain in WebADM.

[Gemechis Doja]

I have removed the configuration.  Let me install the stable version 2.3.14 now, and i will let you know the status. 

To view this discussion visit https://groups.google.com/d/msgid/rcdevs-technical/80008f09-29d3-4333-a6ab-e46e2aae2271n%40googlegroups.com.

[Gemechis Doja]

Hello Spyridon,

I have configured the new WebADM 2.3.24 using Docker Installation and all components are working fine. As you suggested i have added the alias name on the Default configuration too. But all is unsuccessful. Below I have attached the screenshots during the login. 

To view this discussion visit https://groups.google.com/d/msgid/rcdevs-technical/80008f09-29d3-4333-a6ab-e46e2aae2271n%40googlegroups.com.

[Gemechis Doja]

Also, the log on web adm is the below.
We have configured the time zone for the server as GMT +3 East African Time. But the one we see on the Web ADM log is at a different time.Is it possible to set a time for Web ADM application other than the server?

To view this discussion visit https://groups.google.com/d/msgid/rcdevs-technical/80008f09-29d3-4333-a6ab-e46e2aae2271n%40googlegroups.com.

[Spyridon Gouliarmis (RCDevs)]

Does you Windows host have a "gemechis" user? From the logs before, there was a "gemechisd", with a "d", already logged in.

The usual Windows setup is to have an Active Directory, and tell WebADM to use the directory controllers as LDAP servers. This way both Windows and WebADM agree on the user login names and their attributes. If you have no AD domain, you can indeed keep users in a separate LDAP server like you do, but you have to keep their information up to date by hand.

[Gemechis Doja]

Yes dear.  I have created a user with gemechis, on the computer local users with the same password and username on both web adm and local computer.

To view this discussion visit https://groups.google.com/d/msgid/rcdevs-technical/0cfb791c-0506-4b92-99db-de954bbf528bn%40googlegroups.com.

[Spyridon Gouliarmis (RCDevs)]

Can you try getting the CP logs with debug_level 4 just like before? I am looking in particular for lines saying "Unable to retrieve user SID for ...", that indicate Windows is telling the CP it doesn't know about the requested user (Default\gemechis, for example, probably because "Default" is not a domain or workstation name in your Windows setup). You can try entering the user name in different formats, like DOMAIN\gemechis, gemechis, geme...@your.domain.fqdn, ...

[Gemechis Doja]

I have done the debug and as you mentioned i have seen a line saying " Unable to retrieve user SID for ". What do i need to do to resolve this? Is there any policy configuration i need to do on webadm settings. Note that I am using everything as default (as of installed).

[Spyridon Gouliarmis (RCDevs)]

That line means Windows does not know about the user that our plugin gives it. Probably because it is passing "Default\gemechis", and there is no domain or workstation called "Default" in your Windows installation. You have to figure out a way to tell the plugin the specific domain you want: "COOPBANK\gemechis", etc.

In older versions of our plugin, it had a bug where it would try the domain "Default" by default, and you had to be explicit about the domain when logging in. If you're stuck with an older version, that's your workaround. Otherwise, use the latest version of our Windows plugin.