jakobadam / RDSFactor

Two-factor authentication for Windows Remote Desktop Services (RDS)
http://aarhusworks.com/rdsfactor/
GNU General Public License v3.0

Challenge verification fails if user enters capitals in user name #16

Open oskarb opened 8 years ago

oskarb commented 8 years ago

RDSHandler.vb cleans the incoming username with this routine:

Private Sub CleanUsername()
    ' RD Gateway sends EXAMPLE\username
    ' RD Web sends example\username or - TODO - even example.com\username
    If Not mUsername = Nothing Then
        mUsername = mUsername.ToLower
    End If
End Sub

However, the comment about RD Web sending example\username seems to be wrong - rather, it seems that RD Web sends the domain\username in whatever form the user wrote it.

If the user types EXAMPLE\My.Name, the challenge fails because RDSHandler will encrypt the challenge using the lower case form, while the client will use the form it was entered in.

oskarb commented 8 years ago

It's easy of course to add the ToLower() step also to the client's encryption of the entered sms token.

However, as implemented the logic for sending the OTP is to concatenate it with the username and the configured radius secret, over which an SHA-256 hash is calculated. This value is then submitted to the regular Radius User-Password encryption algorithm, and the resulting value is sent to the server. Since the Radius protocol has its own encryption of this, why bother doing the additional concatenate+hash step? Is that a useful extra step?
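Added example, not RDSFactor's own code: a Python model of the exchange both comments above describe, so the case-sensitivity failure from the first comment and the two-layer encoding from the second can be reproduced offline. The SHA-256 step is modelled as otp || username || radius-secret with the hex digest used as the RADIUS User-Password plaintext; that field order and hex encoding are assumptions, since the issue only says the three values are concatenated and hashed. The User-Password hiding is the real one from RFC 2865 section 5.2 (MD5-keyed XOR chained on the Request Authenticator). The secret, OTP, authenticator and user names are constructed sample values.

```python
"""Model of RDSFactor's OTP encoding as described in the issue (assumed
layout: sha256(otp || username || secret) -> RFC 2865 User-Password hiding).
Not the project's code; values below are constructed for the demonstration."""
import hashlib
import hmac
import os

RADIUS_SECRET = b"constructed-shared-secret"   # constructed, not a real deployment value


def otp_digest(otp: str, username: str, secret: bytes) -> bytes:
    """SHA-256 over otp||username||secret, hex-encoded (64 ASCII bytes).
    Whether RDSFactor hex-encodes or sends raw bytes is not stated in the
    issue; hex keeps the value under the 128-byte User-Password limit."""
    return hashlib.sha256(otp.encode() + username.encode() + secret).hexdigest().encode()


def radius_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: pad with NULs to a multiple of 16,
    then XOR each 16-byte block with MD5(secret + previous block), where the
    'previous block' for the first block is the 16-byte Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += block
        prev = block               # ciphertext chaining, per the RFC
    return bytes(out)


def radius_unhide(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide; the server strips the NUL padding."""
    if len(hidden) % 16 or not hidden:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(block, b))
        prev = block
    return bytes(out).rstrip(b"\x00")


def client_send(entered_username: str, otp: str, secret: bytes,
                authenticator: bytes, normalize: bool = False) -> bytes:
    """Client side. normalize=False is the behaviour the issue reports: the
    name is used exactly as typed. normalize=True is the proposed fix."""
    name = entered_username.lower() if normalize else entered_username
    return radius_hide(otp_digest(otp, name, secret), secret, authenticator)


def server_accepts(entered_username: str, otp: str, hidden_pw: bytes,
                   secret: bytes, authenticator: bytes) -> bool:
    """Server side, mirroring RDSHandler.CleanUsername: the user name is
    lower-cased before the expected digest is computed and compared."""
    recovered = radius_unhide(hidden_pw, secret, authenticator)
    expected = otp_digest(otp, entered_username.lower(), secret)
    return hmac.compare_digest(recovered, expected)


if __name__ == "__main__":
    auth = os.urandom(16)          # Request Authenticator is fresh per request
    otp = "123456"                 # constructed one-time code
    for name, fix in [(r"example\my.name", False), (r"EXAMPLE\My.Name", False),
                      (r"EXAMPLE\My.Name", True)]:
        hidden = client_send(name, otp, RADIUS_SECRET, auth, normalize=fix)
        ok = server_accepts(name, otp, hidden, RADIUS_SECRET, auth)
        print(f"{name:<18} client lowercases={fix!s:<5} -> server accepts: {ok}")
```

Running it shows the reported behaviour: `example\my.name` verifies, `EXAMPLE\My.Name` fails because the two sides digest different byte strings, and lower-casing on the client side as well makes it verify again. Two points worth keeping in mind when applying that fix: the RADIUS hiding is per packet (it keys on the Request Authenticator), so the inner digest is what actually binds the OTP to the user name and the configured secret; and whichever side normalizes, both must do it identically for non-ASCII names, since `ToLower`/`str.lower` are culture-sensitive and a `domain\user` string that differs only in case will otherwise still be treated as two different users.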

jakobadam commented 8 years ago

Hi Oskar. Glad you find this project useful. Sorry, can't remember the details on the hashing part.

I'm not maintaining this project anymore. Feel free to take over.

kind regards, Jakob

oskarb commented 8 years ago

Alright, I'll proceed with updates in my fork. Thanks for your effort so far!