LastSquirrelIT / MultiOneTimePassword-CredentialProvider

Aims to improve the overall security of the Windows logon process by adding 2FA Authentication. Uses multiOTP as authentication endpoint.
Apache License 2.0

Allow retry on logon #15

Open britishgov opened 8 years ago

britishgov commented 8 years ago

When trying to logon to Windows without OTP, if the password is entered incorrectly the user is taken back to the logon screen to enter credentials again. With the OTP credential provider installed this does not happen. This is especially problematic when using RDP as it closes the entire session, which the user must start again. Ideally, if a user enters incorrect details they would be taken back to the logon screen with the option to enter details again. Is this possible?

arcadejust commented 8 years ago

Which windows version are you using?

britishgov commented 8 years ago

Server 2012 R2

arcadejust commented 8 years ago

Unfortunately that architecture is unknown to me. But if this is similar to Win 8 then I might be able to help you, but if this is more Win 7 style then you have to ask other participants.

britishgov commented 8 years ago

Thanks, 2012 R2 is effectively the same base O/S as Win 8.1, yes. I will test this on Win 8 too to see if it is the same behavior.

arcadejust commented 8 years ago

In that case read my post in #16 and #9

britishgov commented 8 years ago

Sorry which part? Are you suggesting using the RDP only dll will fix this issue?

arcadejust commented 8 years ago

Yes, if you know how to manually configure it via the registry (it is described in issue #9). In the case of RDP and a custom credential provider, the first credential you enter is for the security layer of the remote connection, the second is the simple logon process, and in my dll it is a part of the normal process to enter incorrect credentials; it does not disconnect the client (not the first time anyway, and not on my Win 8.0).

britishgov commented 8 years ago

Thanks, I have tried setting up your DLL. I can see it being accessed in procmon but it doesn't seem to actually prompt for OTP. I tried using the devel dll and it doesn't seem to create the log either? I'm sure I am missing something. Thanks

arcadejust commented 8 years ago

By default register.reg has an option forbidding OTP for local users (so you can install it and not block your computer if multiotp doesn't work). First try to connect via remote desktop; if it works and OTP correctly logs you into the system, then switch MultiOTPRDPOnly in the registry settings so it will ask you for the OTP every time you login or unlock the station.

britishgov commented 8 years ago

Thanks, I have tried with 1 and 0; I don't get OTP for RDP logon or standard logon on any reg setting.

arcadejust commented 8 years ago

Check the dll NTFS rights (add full grants for SYSTEM). The log will be created when the dll is invoked by LogonUI.

britishgov commented 8 years ago

Thanks, NTFS permissions look fine. Just to explain the setup I have done: on a clean server, installed multiotp and configured it, tested using the debug command line and everything is working. Copied the DLL to System32 (currently the logging DLL, but tried with both) and checked NTFS permissions. Imported the reg files (with the correct multiotp path set) and rebooted. When trying to logon with RDP or a console session the multiotp prompt is not shown. I have also changed the rdponly key to 0 and rebooted, and the multiotp prompt is still not shown for RDP or console logon.

Thanks

arcadejust commented 8 years ago

I have just uploaded an updated dll; it should work OK (I've tested it on my Win 8.0). Do you have the appropriate reg entries? Does ProcMon show the dll being loaded?

britishgov commented 8 years ago

I tried the new DLL and still nothing. This is procmon (filtered) and it looks like it is reading the registry and DLL fine.

arcadejust commented 8 years ago

Are you sure you have a 64-bit architecture? The dll does not try to access the registry or log file; that is probably because it is loaded but not initialized by LogonUI.

britishgov commented 8 years ago

Yes, this is a 64-bit machine. If there are things missing from that screenshot it may be because they are filtered out; where else are you expecting it to be accessed?

EDIT: Changed the filters a bit and now a few errors are appearing?

arcadejust commented 8 years ago

First I'm trying to create the log C:\multiotp.txt (you could try and create this empty file with R/W for all users), then if it's an RDP connection I check the RDP port; if it is a local connection, HKEY_CLASSES_ROOT\CLSID\{FCEFDFAB-B0A1-4C4D-8B2B-4FF4E0A3D978}\MultiOTPRDPOnly. I do not see this in your screen.

UPDATE: Sorry, I have just confirmed that the main dll does not load in Win 8.1 (only Win 8.0). For now you can try to substitute the _devel.dll (just change the name). I will work on this and come back to you.

britishgov commented 8 years ago

Thanks, created C:\multiotp.txt and Everyone, SYSTEM, Users, Administrators all have full control. Nothing is being added to that file. I can't see anything in procmon trying to read that MultiOTPRDPOnly key.

arcadejust commented 8 years ago

I have done some more tests today and found out that Win 8.1 is not providing me with a user list... That's completely unacceptable behavior according to the CPV2 samples and tutorials I've found on MSDN. Could you try and add a local user account and try again to confirm that this is the problem? You can remove the registry key named [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\{FCEFDFAB-B0A1-4C4D-8B2B-4FF4E0A3D978}] and set MultiOTPRDPOnly=0 to speed up the checking process (you won't have to connect via RDP and will still be able to logon using other credential providers if my CP fails).
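The checks arcadejust walks through in this thread (registry entries, DLL bitness and NTFS rights, the C:\multiotp.txt log) collected into one diagnostic script. This is an added example, not code from the project; it assumes the DLL file name shown and that MultiOTPRDPOnly is a DWORD value directly under the provider's CLSID key.

```powershell
# Constructed diagnostic script (not part of the project). Run from an elevated 64-bit shell.
# ASSUMED: the DLL file name below; MultiOTPRDPOnly is a DWORD value under the CLSID key.
$Clsid   = '{FCEFDFAB-B0A1-4C4D-8B2B-4FF4E0A3D978}'                   # CLSID quoted in the thread
$DllPath = "$env:SystemRoot\System32\MultiOTPCredentialProvider.dll"  # ASSUMED file name
$LogPath = 'C:\multiotp.txt'                                           # log the DLL tries to create
$Auth    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication'
$Results = [ordered]@{}

function Test-FullControl([string]$Path, [string]$Identity) {
    # True when an Allow ACE on $Path grants FullControl to $Identity.
    [bool]((Get-Acl $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights.HasFlag([Security.AccessControl.FileSystemRights]::FullControl) })
}

function Get-PeMachine([string]$Path) {
    # Reads the COFF Machine field: 0x8664 = x64, 0x14C = x86.
    # LogonUI on a 64-bit host only loads 64-bit credential providers.
    $fs = [IO.File]::OpenRead($Path); $br = New-Object IO.BinaryReader($fs)
    try {
        $fs.Seek(0x3C, 'Begin') | Out-Null; $peOffset = $br.ReadUInt32()   # e_lfanew
        $fs.Seek($peOffset + 4, 'Begin') | Out-Null; return $br.ReadUInt16() # skip "PE\0\0"
    } finally { $br.Close() }
}

# 1. Is the provider registered with LogonUI, and is the filter key still present?
$Results['CP registered']     = Test-Path "$Auth\Credential Providers\$Clsid"
$Results['CP filter present'] = Test-Path "$Auth\Credential Provider Filters\$Clsid"

# 2. COM registration: the CLSID key must point LogonUI at the DLL, and carries the RDP-only flag.
$ClsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
$Results['CLSID key exists'] = Test-Path $ClsidKey
if ($Results['CLSID key exists']) {
    $Results['InprocServer32'] = (Get-ItemProperty "$ClsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    $Results['MultiOTPRDPOnly'] = (Get-ItemProperty $ClsidKey -ErrorAction SilentlyContinue).MultiOTPRDPOnly
}

# 3. The DLL itself: present, 64-bit, and fully accessible to SYSTEM (LogonUI's security context).
$Results['DLL present'] = Test-Path $DllPath
if ($Results['DLL present']) {
    $Results['DLL is x64']             = (Get-PeMachine $DllPath) -eq 0x8664
    $Results['DLL SYSTEM FullControl'] = Test-FullControl $DllPath 'NT AUTHORITY\SYSTEM'
}

# 4. The log file: if it exists but stays empty, the DLL was never initialized by LogonUI.
$Results['Log exists']             = Test-Path $LogPath
$Results['Log SYSTEM FullControl'] = $Results['Log exists'] -and (Test-FullControl $LogPath 'NT AUTHORITY\SYSTEM')

$Results.GetEnumerator() | Format-Table Key, Value -AutoSize
```

A missing InprocServer32 path, an x86 Machine value, or a missing SYSTEM ACE on the DLL each explain the "loaded but never initialized" symptom seen in procmon above.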

britishgov commented 8 years ago

Sorry, still not getting any OTP prompts with the latest DLL. Nothing using RDP or console logon with a local or domain account.

arcadejust commented 8 years ago

I will have to migrate to Win 8.1 (and that's not an easy task for me)... I'll come back to you as soon as possible.

arcadejust commented 8 years ago

I have just uploaded a new version and it should work now (my Win 8.1 test machine works...).

multiOTP commented 6 years ago

Hello,

Please note that we have enhanced this MultiOneTimePassword-CredentialProvider thanks to various contributors, including arcadejust, and it's now available in the multiOTP project (https://github.com/multiOTP/multiOTPCredentialProvider). We will do enhancements in that fork.

Regards,