Offline mode not working


Luca Mancuso

Jul 9, 2025, 8:37:55 AM
to RCDevs Security
Hi, I'm unable to use the offline login method.

I've:
  1. Enabled "Offline mode" in the Windows client
  2. Enabled TOTP and PUSH on the user
  3. Logged in the user with TOTP
If I disable the network, it doesn't show the QR code for one-time use.

Thank you

Spyridon Gouliarmis (RCDevs)

Jul 9, 2025, 9:03:32 AM
to RCDevs Security
Hi Luca,

set debug_mode to 4 in Computer\HKEY_LOCAL_MACHINE\SOFTWARE\RCDevs\OpenOTP-CP\, try an online login then an offline login again, and go check the logs for the CP within C:\RCDevs-Logs\ . There should be a lot, and you probably want to censor any reference to private info before giving it here.

Note that between 2. and 3. in your steps, you should make sure the soft token is synchronized with WebADM. If you registered the token, then enabled PUSH but did not let it synchronize, and try online+offline logins it won't work.

Luca Mancuso

Jul 10, 2025, 2:44:55 AM
to RCDevs Security
Hi,
Here are the logs.

I see "Cannot create a QrCode uri"
CP-Logs.txt

Yoann Traut (RCDevs)

Jul 10, 2025, 2:56:29 AM
to RCDevs Security
Hello,

The WebADM CA certificate does not seem to be accessible to the CP when the machine is offline.
It is by default located in the installation folder at C:\Program Files\RCDevs\OpenOTP-CP\ca.crt
Is it there?
Can you check the path of the ca_file registry key in HKLM > Software > RCDevs > OpenOTP-CP?

The CA certificate can be downloaded at the following URL: https://webadm_server_addr/cacert

Regards
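
A read-only check for the points raised in this answer (the ca_file registry value, the CA certificate file, debug_mode and the CP log directory), as an added example that is not RCDevs' own tooling. It assumes ca_file is a string value holding a full path and debug_mode is a DWORD; the paths and value names are the ones named in this thread.

```powershell
# Added diagnostic script, not part of the OpenOTP-CP product.
# Assumptions: ca_file is a REG_SZ full path, debug_mode is a DWORD.
$regPath   = 'HKLM:\SOFTWARE\RCDevs\OpenOTP-CP'
$defaultCa = 'C:\Program Files\RCDevs\OpenOTP-CP\ca.crt'
$logDir    = 'C:\RCDevs-Logs'

function Test-OpenOtpCpOfflinePrereqs {
    if (-not (Test-Path $regPath)) {
        Write-Warning "Registry key $regPath not found; is the CP installed?"
        return
    }
    $props = Get-ItemProperty -Path $regPath

    # 1. ca_file must point at a readable CA certificate; when it is missing the
    #    offline login fails with "Cannot create a QrCode uri" in the CP logs.
    $caPath = $props.ca_file
    if ([string]::IsNullOrWhiteSpace($caPath)) {
        Write-Warning "ca_file is not set; the default location is $defaultCa"
        $caPath = $defaultCa
    }
    if (Test-Path -LiteralPath $caPath -PathType Leaf) {
        try {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($caPath)
            Write-Host ("CA certificate OK: {0} (expires {1})" -f $cert.Subject, $cert.NotAfter)
            if ($cert.NotAfter -lt (Get-Date)) { Write-Warning 'CA certificate has expired' }
        } catch {
            Write-Warning "ca_file exists but is not a parseable certificate: $_"
        }
    } else {
        Write-Warning "No CA certificate at '$caPath'; download https://webadm_server_addr/cacert and point ca_file at it"
    }

    # 2. debug_mode 4 produces the verbose CP logs asked for earlier in the thread.
    $debug = $props.debug_mode
    if ($null -eq $debug -or [int]$debug -lt 4) {
        Write-Host "debug_mode is '$debug'; set it to 4 (DWORD) before reproducing the offline login"
    }

    # 3. Pull the relevant lines from the newest CP log file.
    if (Test-Path $logDir) {
        $latest = Get-ChildItem -Path $logDir -File | Sort-Object LastWriteTime -Descending | Select-Object -First 1
        if ($latest) {
            Write-Host "Newest log: $($latest.FullName)"
            Select-String -Path $latest.FullName -Pattern 'QrCode|ca_file|offline' | Select-Object -Last 10
        }
    }
}

Test-OpenOtpCpOfflinePrereqs
```

Run it from an elevated PowerShell on the Windows machine after an online login and an offline login attempt.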

Luca Mancuso

Jul 10, 2025, 4:05:34 AM
to RCDevs Security
Bingo!
I don't have any ca.crt at that path, nor in the registry, so I re-downloaded it and reconfigured the path; now it works! Thank you

I have only one last question: now I can log in as a domain user in offline mode, but is there a possibility to log in as a local user (local administrator)?
What I already did is:
  1. Created a "." domain alias so it can check the Windows credential provider
  2. Activated the administrator on the WebADM side
  3. Configured the BYPASS login mode for that user
  4. If I try to log in (ONLINE) to .\administrator using the local password I can log in without problems, but how can I log in to a local user in offline mode?
Thank you for the quick responses.

Yoann Traut (RCDevs)

Jul 10, 2025, 11:28:05 AM
to RCDevs Security

Hello,

If you want to authenticate local users with OpenOTP, the easiest setup is as follows:

  • During the CP installation, set the "Remote LDAP password check" option to No. The LDAP or local password will still be validated using Windows authentication mechanisms.

  • For OpenOTP to authenticate a user, the username provided must be found. You have two options:

  1. Create an alias on an existing LDAP account by configuring the local username on an attribute defined in the uid_attrs setting of the /opt/webadm/conf/webadm.conf configuration file.

  2. Create an LDAP MountPoint using the RCDevs Directory, then create the local account(s) inside the RCDevs Directory. After that, you need to create a new WebADM domain for this LDAP MountPoint. For example, name it LOCAL and configure it to target the user search base of the LDAP MountPoint. Remove the "." Domain Name Alias from your other WebADM Domain. There is another setting which must be configured during the CP installation, which is the Local alias setting. This setting is the domain value that is going to be sent to OpenOTP when authenticating with local accounts. This allows WebADM/OpenOTP to find local users in the RCDevs Directory. Create a Client Policy for your Windows machine which allows the 2 domains in the Allowed Domain setting. Then try to log in with ".\local_account" on Windows, and it should target your LOCAL domain and authenticate the local account with the RCDevs Directory. Of course, a Token must be registered on the user account...
