OpenOTP Plugin for Windows Login


Vitalij B

Oct 20, 2015, 10:01:53 AM10/20/15
to RCDevs Security Solutions - Technical
Hi!

I have a few questions regarding the "Windows login plugin".

  1. Why isn't it protecting RDP connections? Do you have plans to implement this feature?
  2. "Login mode" is set to "OTP only", "core components" + "default provider" are installed, and I am able to click "sign in as different user" and successfully sign in to Windows with username/password only. How can I configure the plugin/server so that it is mandatory to input the OTP?
  3. Is it possible to configure it so the user wouldn't have a password input field, only username + OTP, when "Login mode" is set to "OTP only"?

Administrators

Oct 20, 2015, 10:10:19 AM10/20/15
to RCDevs Security Solutions - Technical
It works with RDP. It's not working when the rdp client passes the credential by itself.
So open the rdp session without configuring the credentials in the rdp client and it just works.

Default Provider should prevent default Windows CP to be usable. We're checking why it does not...

OTP only is not possible for technical reasons.
The Windows CP works with two-factors: LDAPOTP login mode (Domain password + OTP)

Vitalij B

Oct 20, 2015, 10:28:02 AM10/20/15
to RCDevs Security Solutions - Technical
Thanks for quick response!

But how about RDP the opposite way? If pc1 has the plugin installed and pc2 doesn't, and pc2 wants to RDP to pc1, is it possible for pc2 to get a prompt to input the OTP without installing the plugin on pc2?

On Tuesday, October 20, 2015 at 17:10:19 UTC+3, user Administrators wrote:

Spyridon Gouliarmis (RCDevs)

Oct 20, 2015, 10:51:40 AM10/20/15
to RCDevs Security Solutions - Technical
It is possible. The login is handled by a credential provider on the target machine, so if you install our credential provider ("plugin"), authentications to access that computer (normally or over RDP) will go through it.

The problem with RDP is that, somewhere around 2008R2, RDP started using something Microsoft calls NLA by default, which bypasses the credential provider (so our CP does not get a chance to run). Within a relatively trusted environment (a VPN, say), disabling NLA is not a problem in my opinion.

Denis Rosenkranz

Oct 20, 2015, 5:36:18 PM10/20/15
to RCDevs Security Solutions - Technical
Hello Vitalij,

For RDP, just edit the registry key on the Windows server where the plugin is installed as follows:

Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer to 0.

After that, the Remote Desktop login screen will show you all the credential providers available on your server.
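The two listener values this thread ends up changing (SecurityLayer here, and UserAuthentication in the follow-up) are worth auditing before and after the change. The PowerShell below is an added example, not RCDevs code and not from the thread: it only reads the RDP-Tcp listener's registry values and reports whether NLA is still enforced, so an administrator can see what lowering SecurityLayer to 0 buys (credential providers shown at logon) and what it costs (the legacy RDP security layer instead of TLS, and a logon screen reachable by any client that completes the RDP handshake, which is why the VPN assumption from the previous reply matters).

```powershell
# Added example (not from the thread or RCDevs): audit the RDP-Tcp listener
# values this thread changes. Read-only; it does not modify the registry.
$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpNlaState {
    param([string]$Path = $RdpKey)

    $p = Get-ItemProperty -Path $Path -Name SecurityLayer, UserAuthentication

    # Meaning of the SecurityLayer values on the RDP-Tcp listener.
    $layerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'TLS (SSL)' }

    [pscustomobject]@{
        SecurityLayer      = $p.SecurityLayer
        SecurityLayerName  = $layerNames[[int]$p.SecurityLayer]
        UserAuthentication = $p.UserAuthentication
        # NLA is enforced only when the listener requires the user to
        # authenticate before the session (and its logon screen) is created.
        NlaRequired        = ($p.UserAuthentication -eq 1)
    }
}

$state = Get-RdpNlaState
$state | Format-List

if (-not $state.NlaRequired) {
    Write-Warning ("NLA is off on this host: the logon screen, and every credential provider on it, " +
                   "is shown to any client that completes the RDP handshake. Restrict TCP 3389 " +
                   "to trusted networks, e.g. the VPN mentioned in the thread.")
}
if ($state.SecurityLayer -eq 0) {
    Write-Warning "SecurityLayer=0 selects the legacy RDP security layer instead of TLS for the transport."
}
```

Run it once before the registry edit and once after; the combination SecurityLayer=0 plus UserAuthentication=0 is the state the thread reaches when the OpenOTP provider finally appears in the RDP logon screen.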

Vitalij B

Oct 21, 2015, 2:52:23 AM10/21/15
to RCDevs Security Solutions - Technical
I had to modify UserAuthentication=0 in addition to SecurityLayer. Now it's working like a charm, but I also have a glitch where you can "sign in as different user" and bypass the OpenOTP credential provider. I hope you will fix it in the next plugin release. It would also be great if you implemented an option to disable NLA during plugin install.

On Wednesday, October 21, 2015 at 0:36:18 UTC+3, user Denis Rosenkranz wrote:

Vitalij B

Oct 29, 2015, 5:24:49 AM10/29/15
to RCDevs Security Solutions - Technical
I was able to fix the "sign in as different user" issue with another dirty hack of the registry. First I took ownership of all CLSIDs in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers and then deleted all but the "openOTP credential provider".
When can we expect the new version of Windows plugin installer with all those fixes?

On Wednesday, October 21, 2015 at 9:52:23 UTC+3, user Vitalij B wrote:

Vitalij B

Oct 29, 2015, 6:09:43 AM10/29/15
to RCDevs Security Solutions - Technical
The other, cleaner option to disable all but the openOTP credential provider is to modify the group policy "Computer Configuration -> Administrative Templates -> System -> Logon -> Exclude credential providers" and add the CLSIDs of every provider but openOTP.
Now I found another bug. You cannot RDP from a machine protected with the Windows plugin to any computer which has NLA enabled. The openOTP credential provider will ask you to input Username/Password/OTP, and when you input them the Windows Security window hangs on "enter your token password".

So in conclusion, the Windows plugin is full of bugs and cannot be used in production environments unless a new version comes out with all those fixes. Are you planning to release a new stable version in the near future?

On Thursday, October 29, 2015 at 11:24:49 UTC+2, user Vitalij B wrote:
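The GPO route from this post (excluding every provider except OpenOTP through "Exclude credential providers") needs the CLSIDs of the providers registered on the machine, which is what the earlier post obtained by taking ownership of and deleting registry keys. The PowerShell below is an added example, not from the thread or RCDevs: it enumerates the registered credential providers, selects the one(s) to keep by display name (the `OpenOTP` pattern is an assumption; check the actual name in your registry), prints the comma-separated CLSID list the policy expects, and shows what the policy currently holds on the host. It writes nothing and deletes nothing, so the default providers remain available to put back if the OpenOTP server is unreachable.

```powershell
# Added example (not from the thread or RCDevs): list the registered
# credential providers and build the CLSID list for the
# "Exclude credential providers" policy. Read-only; nothing is deleted or written.
$CpRoot    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-CredentialProvider {
    param([string]$Root = $CpRoot)
    # Each subkey is a CLSID; its default value is the provider's display name.
    Get-ChildItem -Path $Root | ForEach-Object {
        [pscustomobject]@{
            Clsid = $_.PSChildName
            Name  = (Get-ItemProperty -Path $_.PSPath).'(default)'
        }
    }
}

function Get-ExclusionList {
    param(
        # Assumption: the provider to keep has "OpenOTP" in its display name.
        [string]$KeepPattern = 'OpenOTP'
    )
    $all  = @(Get-CredentialProvider)
    $keep = @($all | Where-Object { $_.Name -match $KeepPattern })
    if ($keep.Count -eq 0) {
        throw "No provider matches '$KeepPattern'; refusing to build a list that would exclude every provider."
    }
    $exclude = @($all | Where-Object { $_.Clsid -notin $keep.Clsid })
    [pscustomobject]@{
        Keep        = $keep
        Exclude     = $exclude
        # The policy stores the excluded CLSIDs as one comma-separated string.
        PolicyValue = ($exclude.Clsid -join ',')
    }
}

$plan = Get-ExclusionList
"Keeping:";   $plan.Keep    | Format-Table -AutoSize
"Excluding:"; $plan.Exclude | Format-Table -AutoSize
"Value for Computer Configuration > Administrative Templates > System > Logon > Exclude credential providers:"
$plan.PolicyValue

# What the policy currently holds on this host. The value name is the one the
# policy's ADMX writes (assumed here; confirm with gpresult in your environment).
$current = (Get-ItemProperty -Path $PolicyKey -Name ExcludedCredentialProviders `
            -ErrorAction SilentlyContinue).ExcludedCredentialProviders
"Currently excluded: " + $(if ($current) { $current } else { '(none)' })
```

Paste the printed value into the policy rather than editing the Credential Providers keys directly: a policy can be reverted centrally, whereas deleted CLSID keys have to be restored by hand. Excluding the password provider also means that a host whose OpenOTP server is unreachable has no other interactive logon path, so keep a tested recovery path (console access, a break-glass account) before rolling the exclusion out.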

Spyridon Gouliarmis (RCDevs)

Oct 29, 2015, 6:27:42 AM10/29/15
to RCDevs Security Solutions - Technical
We were planning on releasing a new version for U2F support soon anyway (end of this year), and we've added your first bug ("sign in as a different user") to the backlog. Although doing it through GPO is probably the best way in the first place.

Your second bug is new to us. We're looking into it.

Concerning the plugin's fitness for production, we have paying clients using it, so we won't let it stay buggy for long.

Spyridon Gouliarmis (RCDevs)

Nov 6, 2015, 11:41:57 AM11/6/15
to RCDevs Security Solutions - Technical
The credential provider that's now online should fix your first problem. We're still looking into the second.

Vitalij B

Nov 10, 2015, 4:40:50 AM11/10/15
to RCDevs Security Solutions - Technical
Thanks for the quick version release, great work!
I have tested the new version and noticed that the "second" problem only persists when installing in "simple" mode. In "normal" mode everything is fine now.

It would be good if in the next release you could disable all credential providers in the RDP client as well when installing the plugin as the default credential provider (I mean the "Windows Security" window when RDPing to NLA-enabled servers).

On Friday, November 6, 2015 at 18:41:57 UTC+2, user Spyridon Gouliarmis (RCDevs) wrote:

Olorunfemi Ajibulu

Apr 30, 2018, 5:58:54 AM4/30/18
to RCDevs Security Solutions - Technical

Deleting all other Credential Providers is very dangerous.