RDP Credential Provider

Maxime Laplante

Nov 16, 2023, 9:41:59 PM
to RCDevs Security
Hi guys,

I successfully configured the virtual appliance.
And I also installed the OpenOTP-CP agent on a PC on my LAN.

I have 2 questions:

a) What do I need to configure so that my issuer (account) is named differently?
(Right now it is the IP address of the WebADM that is displayed in the OpenOTP Token app for Android)

b) I would like to have the possibility to enforce "default credential provider" for RDP only.

Is there a way to do it?
Right now, the only way to get my login protected via "remote desktop" is to install the "credential provider filter", but I would like to have the possibility to use the Windows default basic credential when I log in locally.

I played with the whitelist and protected list to enforce or bypass for specific users but the way I see it is that I will have to remove the remote login for the whitelist users.

Thanks a lot.
Congrats on this great software!

Yoann Traut (RCDevs)

Nov 17, 2023, 4:53:06 AM
to RCDevs Security
Hello, 


A. You see the IP address of your WebADM/OpenOTP server in the push request because the org_name setting is not configured in the webadm.conf file. Normally in that case it should fall back to the organisation name contained in the certificate used by WebADM, but it seems there is a small issue in the setup script that we are going to fix. The organisation field is empty for the certificate issued during the setup script. If you change the org_name setting in webadm.conf, then you have to perform a new token registration in order to reflect the changes on the token app and restart webadm services.

B. It is not possible to enforce our CP only for RDP login, but you can create 2 client policies in WebADM for your Windows machine to get the desired behavior.
The default client id value will be used for local login on your machine and then the client policy can be configured in LDAP login mode.
The RDP client id value will be used for RDP logins and for that one you can configure LDAPOTP login mode in the RDP policy. 

Have a look at that documentation for client policies: 

Regards

Maxime Laplante

Nov 20, 2023, 9:46:04 PM
to RCDevs Security
Hi Yoann,

Thanks a lot for your quick response.

A) I modified the webadm.conf and registered a new token. The organization name I configured is now listed as the account name in the Android app. ;-)
B) I will try it as suggested.

Best regards,
Maxime