LastSquirrelIT / MultiOneTimePassword-CredentialProvider

Aims to improve the overall security of the Windows logon process by adding 2FA Authentication. Uses multiOTP as authentication endpoint.
Apache License 2.0

first login after the boot #9

Open cedricrichard opened 9 years ago

cedricrichard commented 9 years ago

Hi,

I have an issue on some computers. After the boot, the first authentication is not working (on the multiotp server, the authentication is correct). After the second login, the user can use the computer.

Have other users reported the same problem?

Best regards.

Cédric Richard

[images: step1, step2]

DominikPretzsch commented 9 years ago

Hey Cedric,

Yes, we know about the current problems. We are working hard with our friends at the MultiOTP dev team to resolve these errors. One thing we are currently researching is whether it could depend on the installed antivirus software.

Dominik Pretzsch

2015-06-12 16:41 GMT+02:00 cedricrichard notifications@github.com:



scriptkiddy666 commented 8 years ago

Hey Dominik, I have the same problem on my laptop. Are there any new updates? I'm using Win 8.1 x64 Pro without a domain, just with Google TOTP on a single user.

Markus

arcadejust commented 8 years ago

Win 8 uses the CredentialProviderV2 architecture; it's user-oriented (different from the Win 7 credential provider). You could try my version of MultiotpCPV2RDP if you know how to install it manually (you would have to change the multiotp.exe location in the reg file provided with my project).

scriptkiddy666 commented 8 years ago

Well, I don't know how to install it manually... I just downloaded your stuff from Git. Can you give me a short manual on where to copy the .dll and how to get it to work? (And perhaps whether there are different steps necessary to remove it later.)

Edit: Found something on how to install and uninstall: http://stackoverflow.com/questions/25295147/how-to-install-a-credential-provider-in-windows-8-1

Do I have to change something else then?

arcadejust commented 8 years ago

I don't know what kind of setup you have. If you are using multiotp locally on the machine you are trying to log on to, then copy the dll to c:\windows\system32\MultiOTPCredentialProviderV2.dll and use notepad to edit register.reg to provide your path to multiotp.exe in line 8: MultiOTPPath=c:\whereYouHave\Multiotp.exe.

By default it will only check the OTP while logging on from a remote desktop; this is set in the line MultiOTPRDPOnly=1 (if you would like to enter the OTP every time you will have to change it to zero; it will then be obligatory for all users regardless of whether they have multiotp credentials, so watch out or you will block your computer; if you do, use safe mode to delete the dll). It is also set as the only valid credential provider (if you can't log in via OTP you will not log in at all), but if you would like multiotp to be an optional method of logon you can do that by removing the branch "Credential Provider Filters" from register.reg. After this you have to add the file to the registry by simply running it.

But if you are using some kind of credential server then it's not implemented, so don't bother. And to remove it, simply delete the dll.

scriptkiddy666 commented 8 years ago

I'm using it locally, without a server. I just copied the dll and added the reg key, but still it's not possible to log in right after booting up the system. Is there anything else I have to do? Can I change the default credential provider to be, for example, the normal Windows logon?

arcadejust commented 8 years ago

Did you change MultiOTPRDPOnly to zero?

Also check if you have more than one entry in the regedit key [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters]

scriptkiddy666 commented 8 years ago

Nope, but I also didn't get an OTP login via RDP. If I change the key to 0 I wouldn't be able to log in with my normal password, would I?

arcadejust commented 8 years ago

No, you will not.

Please check the Credential Provider Filters in the registry; it's probably some other credential provider blocking multiotp.

scriptkiddy666 commented 8 years ago

That's kinda risky if it doesn't work...

arcadejust commented 8 years ago

So leave MultiOTPRDPOnly=1 but check the CP Filters; if I'm right you should have more than one entry in there, please copy them into the next post. Also (I know it might sound silly) do you use another computer to initiate the remote desktop connection?

scriptkiddy666 commented 8 years ago

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\{DDC0EED2-ADBE-40b6-A217-EDE16A79A0DE}]
@="GenericFilter"

I used an Android tablet, but in a few hours I could test it with another Windows computer.

arcadejust commented 8 years ago

So please add {FCEFDFAB-B0A1-4C4D-8B2B-4FF4E0A3D978} for MultiOTPCredentialProviderV2.

On RDP the first password is the connection-layer authentication; you have to pass that to connect to the RDP server, then it will display multiotp.

scriptkiddy666 commented 8 years ago

Just tested it, but it didn't work on the Remote Desktop :( And I still have the issue that I can't log in with OTP right after booting the system.

arcadejust commented 8 years ago

Did you run the regfile from my project or did you edit the registry by hand as described on that stackoverflow page that you found? I think that I could build a dll with logging enabled and you could check what's wrong if the dll is loaded by the logon UI, but I'm afraid that your problem is bigger and the dll is not even loaded. You either did not put the right registry in place, or your system is not 64-bit, or you have another credential provider (from previous installations or the computer manufacturer) blocking normal behavior. It's very hard to guess; maybe if you could provide more details (a registry dump of [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication] would be a good start, and [HKEY_CLASSES_ROOT\CLSID\{FCEFDFAB-B0A1-4C4D-8B2B-4FF4E0A3D978}] too).

And for the record: my dll will not repair your "otp after boot issue"; it is separate from the dll from this project. It is designed for Win 8 64-bit and requires multiotp.exe, and by the default settings it only validates the remote desktop connections (as I've mentioned earlier).

scriptkiddy666 commented 8 years ago

I ran the regfile of yours. That would be nice, because then perhaps we could find out what's going wrong. So to say, I think that I added the right stuff to the registry, and of course my operating system is x64. But you're right, I had another credential provider. I removed Rohos Logon Key before testing multiotp, and there is no key left from Rohos in the credential providers path of the registry. Sure, that's no problem: cp.txt

cp2.txt

Ah okay, then this part was a misunderstanding of mine, I thought it would fix this too. So this is still a bug within the normal MOTP Credential Provider? (The multiotp path in the registry with c:\multiotp\ is correct; I copied the files of the windows folder into this folder.)

arcadejust commented 8 years ago

Please try the new _devel.dll: change the name to MultiOTPCredentialProviderV2.dll and copy it to c:\windows\system32\. If you would like to test it, simply lock the station (no need to restart). If the dll is loaded you should see a new file c:\multiotplog.txt, and if after locking and unlocking your station you can't see this file, it's a sign that Windows does not load the dll for some reason (antivirus, modified logon UI??). If that's the case I would try running ProcMon and then lock and unlock the station (Windows+L); you should have logs of the system trying to load the dll there.

scriptkiddy666 commented 8 years ago

The dll is copied and there is no logfile :( Just deactivated Avast, no change. ProcMon shows me these two (filtered) messages:

12:05:09,8902517 LogonUI.exe 17636 RegQueryValue HKCR\CLSID\{FCEFDFAB-B0A1-4C4D-8B2B-4FF4E0A3D978}\InprocServer32\(Default) SUCCESS Type: REG_SZ, Length: 66, Data: MultiOTPCredentialProviderV2.dll

12:05:09,8911540 LogonUI.exe 17636 CreateFile C:\Windows\System32\MultiOTPCredentialProviderV2.dll NAME NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a

The second message comes several times in different locations. The LogonUI isn't modified by me. This seems to be a bigger problem with my whole Windows installation, I think. It may be possible for me to test this on another Windows 8.1 x64 Pro machine, which is freshly reinstalled. I'll keep you posted.

arcadejust commented 8 years ago

I think I know what's going on. Check the NTFS rights on C:\Windows\System32\MultiOTPCredentialProviderV2.dll; maybe the system can't load the dll due to insufficient file rights (NAME NOT FOUND is the error when the file does not exist or you don't have sufficient rights).
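The diagnosis above chains three registry lookups that the ProcMon trace showed LogonUI making: the filter (or provider) CLSID under the Authentication key, that CLSID's InprocServer32 default value, and the DLL named there, resolved from System32. The following is an added example, not code from this issue, from multiotp or from either credential provider project, that performs the same cross-check offline against a .reg export such as the registry dumps requested earlier in the thread. The export text is constructed for the example (it reuses the two filter CLSIDs quoted in the thread and adds an assumed COM registration for the V2 DLL); the `exists` hook takes a real file check on the affected machine, or a stub when a dump is analysed elsewhere.

```python
import os
import re
from typing import Callable, Dict, List, Optional

# Constructed .reg export for the example (not one of the thread's attachments). It
# reuses the two filter CLSIDs quoted in the thread and adds the COM registration that
# LogonUI resolves before it tries to open the DLL.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\{DDC0EED2-ADBE-40b6-A217-EDE16A79A0DE}]
@="GenericFilter"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\{FCEFDFAB-B0A1-4C4D-8B2B-4FF4E0A3D978}]
@="MultiOTPCredentialProviderV2"

[HKEY_CLASSES_ROOT\CLSID\{FCEFDFAB-B0A1-4C4D-8B2B-4FF4E0A3D978}]
@="MultiOTPCredentialProviderV2"

[HKEY_CLASSES_ROOT\CLSID\{FCEFDFAB-B0A1-4C4D-8B2B-4FF4E0A3D978}\InprocServer32]
@="MultiOTPCredentialProviderV2.dll"
"ThreadingModel"="Apartment"
"""

AUTH_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication"
FILTERS_KEY = AUTH_KEY + r"\Credential Provider Filters"
PROVIDERS_KEY = AUTH_KEY + r"\Credential Providers"
SYSTEM32 = r"C:\Windows\System32"
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: data}}; '@' is the default value."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue  # file header, blank line, or a value type this example does not need
        name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        current[name] = data
    return keys


def registered_clsids(keys: Dict[str, Dict[str, str]], parent: str) -> Dict[str, str]:
    """Return {CLSID: friendly name} for the GUID-named subkeys directly under `parent`."""
    prefix = parent.lower() + "\\"
    found: Dict[str, str] = {}
    for path, values in keys.items():
        if path.lower().startswith(prefix) and GUID_RE.fullmatch(path[len(prefix):]):
            found[path[len(prefix):].upper()] = values.get("@", "")
    return found


def inproc_server(keys: Dict[str, Dict[str, str]], clsid: str) -> Optional[str]:
    """Default value of HKCR\\CLSID\\{clsid}\\InprocServer32, or None if absent from the dump."""
    target = ("HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InprocServer32").upper()
    for path, values in keys.items():
        if path.upper() == target:
            return values.get("@")
    return None


def audit_credential_providers(text: str,
                               exists: Callable[[str], bool] = os.path.exists) -> List[Dict[str, object]]:
    """Cross-check every filter and provider CLSID against its COM registration and DLL.

    `exists` is called with the resolved DLL path: keep the default on the affected
    machine, pass a stub when analysing a dump elsewhere. A missing or unreadable file
    is what ProcMon reported as NAME NOT FOUND in the thread.
    """
    keys = parse_reg_export(text)
    findings: List[Dict[str, object]] = []
    for role, parent in (("filter", FILTERS_KEY), ("provider", PROVIDERS_KEY)):
        for clsid, name in sorted(registered_clsids(keys, parent).items()):
            dll = inproc_server(keys, clsid)
            finding: Dict[str, object] = {"role": role, "clsid": clsid, "name": name, "dll": dll}
            if dll is None:
                finding["status"] = "no InprocServer32 in dump"
            else:
                # A bare file name is loaded from System32, as the ProcMon CreateFile line shows.
                path = dll if "\\" in dll else SYSTEM32 + "\\" + dll
                finding["path"] = path
                finding["status"] = "ok" if exists(path) else "dll missing or unreadable (NAME NOT FOUND)"
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_credential_providers(SAMPLE_REG_EXPORT):
        print(f)
```

Run on the affected machine against a fresh export of the Authentication key plus the CLSID keys, the output lists every registered filter and provider with its DLL path and whether that file is actually openable, which is the same question the ProcMon CreateFile line answered here.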

scriptkiddy666 commented 8 years ago

I solved it. If I try to copy the file with TeraCopy (my default copy program) it tells me that the file is already there (NTFS rights are correct), but I couldn't find it with Explorer nor with the command line. So I copied the file again, this time with the default Windows copy dialog, and there we go: a tiny little logfile right in c:\ after lock and unlock :) Damn....

If I try to connect via iPhone I can't log in, but I think this is because in Windows 8 my username is my Hotmail address, but it is also accessible with my normal name (maybe an alias), so in general it works now.

Edit: I created a second user with the same token and already tried to log in via RDP. The last problem is that I can only type 4 digits, but I need to type 6.

The multiotp.log says this: *(authentication typed by the user is 4 chars long instead of 6 chars)

Ah, do you have any idea how to get the login to work right after booting the machine up?

arcadejust commented 8 years ago

Can you sanitize the c:\multiotplog.txt (remove any credential) and post it here? The log should look like this:

20151127 0804450331: RDP connection on port: 3369
20151127 0804450335: Remote Addr: 88.99.22.153
20151127 0805250312: multiotp.exe username@gmail.com 138984
20151127 0805250618: multiOTP.exe Exit Code: 0

scriptkiddy666 commented 8 years ago

Of course.

multiotplog.txt

arcadejust commented 8 years ago

When you created the user in multiotp, did you choose -no-prefix-pin? I can see your application is generating 4 digits, but to add a user with 4 digits you have to use -no-prefix-pin and later, after the dummy pin, you have to add the parameter "4" and time "30", like this: multiotp -debug -create -no-prefix-pin alan TOTP 3683453456769abc3452 1111 4 30

One final note: if you would like to use my credential provider to log in locally (certainly after the RDP logon is working), remember you can change it easily in the registry (just set MultiOTPRDPOnly=0).

scriptkiddy666 commented 8 years ago

My command was the following: multiotp.exe -debug -create -no-prefix-pin User TOTP 1234 6 30. I tested the user with a generated 6-digit key and the log says everything is OK (multiotp.exe -debug User TOTP-KEY). The error only occurs within remote desktop.

Yea, the MultiOTPRDPOnly key :) I'll use it if the remote part works fine.

arcadejust commented 8 years ago

In the log file it looks like you are sending only 4 digits:

20151127 1151120889: multiotp.exe -debug Anonymous@hotmail.de 5457
20151127 1213590921: multiotp.exe -debug Anonymous@hotmail.de 1354

Can you check that you are typing 6 digits? If that's the case, can you please try typing more than 6 digits and confirm that they are getting logged into the log file?

scriptkiddy666 commented 8 years ago

That's right, because I can't type in more than 4 digits :( But to use TOTP and Google Authenticator I have to set 6 digits and the timeout to 30 seconds.
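The mismatch being chased here is between the OTP length a user was created with (the trailing "6 30" or "4 30" of the -create command: digits and time step) and the length of the code that actually reaches multiotp.exe, which the multiotp.log entries expose as the last token of each line. The following added example, which is not code from this issue, from multiotp or from the credential provider, reimplements RFC 6238 TOTP with a configurable digit count, reproduces a length check worded like the log message quoted earlier in the thread, and scans log lines in the format shown above for invocations whose typed code has the wrong length. The seed, fixed timestamp and log lines are constructed for the example (the hex seed is the placeholder from the earlier -create command; the log lines reuse the anonymised entries quoted in the thread).

```python
import hashlib
import hmac
import re
import struct
import time
from typing import Dict, List, Optional, Tuple

# Placeholder seed taken from the thread's example -create command (not a real credential).
SECRET_HEX = "3683453456769abc3452"

# Constructed log excerpt in the c:\multiotplog.txt format quoted in the thread.
SAMPLE_LOG = [
    "20151127 0804450331: RDP connection on port: 3369",
    "20151127 0805250312: multiotp.exe username@gmail.com 138984",
    "20151127 0805250618: multiOTP.exe Exit Code: 0",
    "20151127 1151120889: multiotp.exe -debug Anonymous@hotmail.de 5457",
    "20151127 1213590921: multiotp.exe -debug Anonymous@hotmail.de 1354",
]


def totp(secret_hex: str, digits: int = 6, period: int = 30, at: Optional[float] = None) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) over a hex-encoded seed, truncated to `digits` digits."""
    counter = int((time.time() if at is None else at) // period)
    mac = hmac.new(bytes.fromhex(secret_hex), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret_hex: str, typed: str, digits: int = 6, period: int = 30,
           window: int = 1, at: Optional[float] = None) -> Tuple[bool, str]:
    """Check a typed code against the configured digit count and time step.

    A code of the wrong length is reported with wording like the line the thread
    quotes from multiotp.log; a code of the right length is accepted if it matches
    the current step or one of the `window` neighbouring steps.
    """
    if len(typed) != digits or not typed.isdigit():
        return False, (f"authentication typed by the user is {len(typed)} chars long "
                       f"instead of {digits} chars")
    now = time.time() if at is None else at
    for step in range(-window, window + 1):
        expected = totp(secret_hex, digits, period, now + step * period)
        if hmac.compare_digest(expected, typed):
            return True, "ok"
    return False, "wrong code"


# One multiotp.exe invocation per line: date, time, optional flags, user, typed code.
LOG_LINE = re.compile(r"^(\d{8}) (\d{10}): multiotp\.exe((?: -\S+)*) (\S+) (\d+)$", re.IGNORECASE)


def audit_log(lines: List[str], digits: int = 6) -> List[Dict[str, object]]:
    """Flag every logged invocation whose typed code is not `digits` long.

    Connection and exit-code lines do not match LOG_LINE and are skipped.
    """
    findings: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        date, clock, _flags, user, code = m.groups()
        findings.append({
            "when": f"{date} {clock[:6]}",
            "user": user,
            "typed_len": len(code),
            "ok": len(code) == digits,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print(finding)
    current = totp(SECRET_HEX)
    print(current, verify(SECRET_HEX, current))
    print(verify(SECRET_HEX, current[:4]))
```

Running the audit over a real multiotplog.txt with the digit count the user was created with separates "the client truncated the input" (every entry short by the same amount) from "wrong code" failures, which is exactly the distinction the log lines above made visible.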

arcadejust commented 8 years ago

That's a new one... I do not check the length of the pin you are trying to input... Is the text box not letting you input more than 4 digits, or is it accepting all digits and then not forwarding them to multiotp?

scriptkiddy666 commented 8 years ago

Maybe this is a Windows 8.1-specific problem, because it's possible to unlock the PC with an only-4-digit pin instead of the normal password. Especially, it's possible to unlock with password or pin, as someone likes to do at the moment. This 4-digit pin isn't activated on my PC, but the opportunity to do so may interfere with your dll?

arcadejust commented 8 years ago

No, it cannot. The pin field type is CPFT_PASSWORD_TEXT (the same as the field above with the user password) and I have code that checks after every value change that every symbol in the field is a digit, and if it's not I set the field content to its previous state. Try to enter a letter in your pin window; it shouldn't let you. Then try to write 1234567890 from the keyboard row above the letters (not the numpad keys). Let me know what the result is. And if all the digits stay, press enter; that should log all the entered digits to a file. If it doesn't (and only logs 4 digits) maybe there is something I can do about it.

By the way, in the Windows logon API there is no field type specific to PIN... and that's a shame, because there should be.

scriptkiddy666 commented 8 years ago

Right, I can only type digits in the pin field. Even with the normal number keys it's impossible for me to write more than 4 digits. After the unsuccessful remote login there are still only the 4 digits in the log, which were allowed to be typed in.

arcadejust commented 8 years ago

So when you are typing, what happens with the 5th digit, does it disappear or replace the last digit? I prepared a new version of the dll that does not check the PIN field for digit-only input. Can you test it and try to put letters in this field to be sure you are not using some crippled build? Does this version also block the 5th sign, no matter whether letter or digit?

scriptkiddy666 commented 8 years ago

I would say it disappeared, because I simply couldn't type it. With your new .dll I'm able to write letters in the normal login screen, but not in the remote login screen. This looks like my Windows does something it shouldn't do. Maybe it doesn't use your version of the .dll for the remote part...

arcadejust commented 8 years ago

Was there a title "MultiOTP Login" and fields "Password text" and "PIN" and the shortcut for "Synchronize MultiOTP", and when you press the latter the password field should be replaced with "PREVIOUS PIN"? Like this: [image: lock_screen]

scriptkiddy666 commented 8 years ago

Yes, all fields are like you said. (Then I try to remote login.) The normal login screen has a MultiOTP-specific user picture and the fields are a little different. But with your new .dll version it is possible to write letters in the pin field there.

The remote login has my account picture and, as mentioned above, the fields like you described, but there I can't type letters or more than 4 digits.

Is it possible that the normal MultiOtp.dll interferes?

arcadejust commented 8 years ago

No, I don't think so; I filter any other credential provider for security reasons. Are you using mstsc (remote desktop client) from another Windows (older Windows) or a different system? If I'm not blocking the input length perhaps the client does. But how does it know it should be 4 letters and not 3 or 8??? I've renamed the control to "One time password" for you, so please check it out. Also I have added more logging to the digit check, so look for the lines "PIN input:" in the log.

scriptkiddy666 commented 8 years ago

So, tested... The result is the following. (Everything is tested with the normal mstsc.) The remote desktop login definitely uses your dll, because the changed text is also there. But the log is quite interesting. If I try to connect from a Windows 7 machine (first entry in the log) then it is different from the log of the connection attempt from a Windows 8.1 machine. It seems like Windows 8.1 does something different, because the log shows at least the attempt at the longer pin input... Just take a look. new Log.txt

Edit: But the log didn't show the letter inputs right after 4 digits, just before, because they are going to be auto-removed...

arcadejust commented 8 years ago

Are 6389 the last digits you entered or the first? Could you try to copy-paste 1234567890 into the pin field? What will be in the log?

scriptkiddy666 commented 8 years ago

These are the last letters I could type in. This means that there is no entry in the log of the attempt to type letters or digits after 4 digits have already been typed in. Copy-paste will be tried this evening. Another interesting thing... In Windows 8.1, when I try to log in with the normal credential provider it is possible to switch the "login options" right from this login field... Photo will be up in the next minutes. And in this login screen I can also type just 4 digits, no letters, and the text is the same new one... Looks like this is the same problem as logging in from remote. [image: login]

arcadejust commented 8 years ago

I think that's because you have mixed up Credential Provider V1 with V2, and maybe the logon GUI knows that one of them is credential-oriented (V1) and the other is user-oriented (V2), so it tries to allow both of those methods. You could try and remove (copy first) the old credential provider registry entry (in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers). By the way: my credential provider shouldn't be active if you have the RDP-only setting in the registry; did you change that? I have a few ideas for the test: try to input the digits first and then the password, or try to delete the previously typed 4 digits and type another set of 4 digits... is this really a length restriction? Try it on the new devel version; it has two new log points, "Field altered, fieldID:" and "Invalid field value, fieldID:". I'm curious to see which field yielded the empty logs previously.

Update: I think I know what's going on. I set the field option CPCFO_NUMBERS_ONLY on the PIN field. Maybe Windows thinks it's its own 4-digit PIN and restricts the field. I have made a new dll version without it (as it never worked in my Win 8.0 anyway).

scriptkiddy666 commented 8 years ago

You got it :) With your latest dll it works like a charm. I could successfully log in via RDP from my iPhone with the One Time Password :) (I removed the V1 for testing, so your V2 alone worked perfectly like it should.) Thank you very much for your quick and friendly support.

arcadejust commented 8 years ago

Once again, shame on Microsoft for the undocumented API (https://msdn.microsoft.com/en-us/library/windows/desktop/hh706885(v=vs.85).aspx). I'm glad we've finally nailed it; you can download a clean dll without so much debug info. Thanks for your patience and testing.

scriptkiddy666 commented 8 years ago

Yea, documentation and Microsoft can never be together... Me too, just downloaded. You're welcome.

scriptkiddy666 commented 8 years ago

Hey arcadejust, sorry to interrupt again. I just had to restore an old backup of my computer and now I'm unable to use your dll for the login. But the debug version works just fine. Is there any other difference besides the logging function between the two dll files?

arcadejust commented 8 years ago

What do you have in mind when you say "I'm unable to use it": is it not loading, you cannot enter a pin, or is there another problem?

scriptkiddy666 commented 8 years ago

Just take a look at the picture, I think it describes best what I mean. With your debug version the green logo is available and with the normal one it isn't. (Local login, not remote.) [image: img_4188]

arcadejust commented 8 years ago

Is that the screen from the debug dll? I'm guessing that the default credential provider filter works differently in 8.1; you should not see any other login option (Anmeldeoptionen should not be there). The main dll might not be working for you if the build is damaged or if the NTFS rights are wrong. I will make another build just to rule out the first cause.

scriptkiddy666 commented 8 years ago

That's right. Looks like it, yeah. The left 2 login options are a 4-digit pin and the normal password. NTFS rights are the same as the rights of the debug version. Okay. Hmm, even with your new version there is no green icon... very strange...

arcadejust commented 8 years ago

Try now, please.

scriptkiddy666 commented 8 years ago

No green icon, neither with the normal nor, now, with the debug dll either.

arcadejust commented 8 years ago

But there is a log file, right?