multiOTP / multiOTPCredentialProvider

multiOTP Credential Provider is a V2 Credential Provider for Windows 7/8/8.1/10/2012(R2)/2016 with options like RDP only and UPN name support
Apache License 2.0

RDP window 2FA prompt for user without2fa #69

Closed comet-itmanager closed 1 year ago

comet-itmanager commented 1 year ago

Hi,

Thank you very much for this great software!

I recently deployed the multiOTP appliance and CredentialProvider internally and it is working well. However, I just realized when initiating an RDP connection that CredentialProvider prompts for a code to start the connection even though I'm logged in as a without2fa user on a workstation where multiOTPWithout2FA is enabled.


This occurs on a workstation on which multiOTPWithout2FA is enabled, but not on another workstation where it is disabled. Both have multiOTPCredentialProvider installed pointing to the same multiOTP appliance, with the following settings:

multiOTPCacheEnabled         : 1
multiOTPServerTimeout        : 5
multiOTPTimeout              : 60
multiOTPUPNFormat            : 1
two_step_hide_otp            : 1
two_step_send_password       : 0
two_step_send_empty_password : 0
cpus_logon                   : 0e
cpus_unlock                  : 0e
cpus_credui                  : 0e
multiOTPTimeoutUnlock        : 60
multiOTPDisplayLastUser      : 1
multiOTPWithout2FA           : 1

Is this expected behavior, or am I missing something?

I'm not sure if this is an issue, but I don't recall this behavior during my initial testing and deployment. It seems unnecessary, since a client connecting to a computer with CredentialProvider is challenged by CredentialProvider whether or not it is installed on the client.

Thanks again!

multiOTP commented 1 year ago

Hello, if the account used on the RDP-connected computer is not a "without2fa" account, it will always ask for a 2FA. Regards,

comet-itmanager commented 1 year ago

Hmm, I'm logged into the workstation as a "without2fa" user, and attempting to RDP to a server using the same credentials, but it prompts for a code. The server also has CredentialProvider installed.

If I set cpus_credui = 1e, I can log into the server without being prompted for a code. In this case, I see the CredentialProvider login screen as the RDP connection completes, and I am not prompted for a code there, either. If I try logging into the same server with an account enabled for 2FA, I am prompted at the login screen for the code rather than when RDP prompts for username and password.

multiOTP commented 1 year ago

Could you tell us which version of multiOTP Credential Provider is installed?

You can also give us a full registry export of the key HKEY_CLASSES_ROOT\CLSID\{FCEFDFAB-B0A1-4C4D-8B2B-4FF4E0A3D978}, for both the workstation and the server.

Regards,
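To make the comparison the maintainer asks for reproducible, here is an added PowerShell example (not code from the multiOTP project or from either participant) that reads the setting names listed in the report from the CLSID key named above and tabulates the workstation and server values side by side, so a difference such as cpus_credui being 0e on one host and 1e on the other stands out. It assumes the values sit directly under that CLSID key (the thread names the key but not the exact location of each value); the JSON file names and function names are this example's own choices.

```powershell
# Added example, not part of the multiOTP project. Assumption: the multiOTP
# Credential Provider settings are values directly under the CLSID key the
# maintainer asked to have exported.
$MultiOtpCpKey = 'Registry::HKEY_CLASSES_ROOT\CLSID\{FCEFDFAB-B0A1-4C4D-8B2B-4FF4E0A3D978}'

# Setting names exactly as they appear in the issue report.
$SettingNames = @(
    'multiOTPCacheEnabled', 'multiOTPServerTimeout', 'multiOTPTimeout', 'multiOTPUPNFormat',
    'two_step_hide_otp', 'two_step_send_password', 'two_step_send_empty_password',
    'cpus_logon', 'cpus_unlock', 'cpus_credui',
    'multiOTPTimeoutUnlock', 'multiOTPDisplayLastUser', 'multiOTPWithout2FA'
)

function Get-MultiOtpCpSettings {
    # Read the listed values from the key on the local host. A missing value is
    # recorded as '<absent>' so the later comparison shows the row instead of
    # silently dropping it.
    param([string]$KeyPath = $MultiOtpCpKey)
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction Stop
    $result = [ordered]@{}
    foreach ($name in $SettingNames) {
        $value = $props.$name
        $result[$name] = if ($null -ne $value) { [string]$value } else { '<absent>' }
    }
    return $result
}

function Compare-MultiOtpCpSettings {
    # Accepts either the dictionary returned above or an object loaded back
    # from JSON; $obj.$name works for both shapes.
    param($Workstation, $Server)
    foreach ($name in $SettingNames) {
        $w = [string]$Workstation.$name
        $s = [string]$Server.$name
        [pscustomobject]@{
            Setting     = $name
            Workstation = $w
            Server      = $s
            Differs     = ($w -ne $s)
        }
    }
}

# Usage (hypothetical file names): run the first line on each host, copy the
# two files to one machine, then compare.
#   Get-MultiOtpCpSettings | ConvertTo-Json | Set-Content -Path .\workstation.json
#   Get-MultiOtpCpSettings | ConvertTo-Json | Set-Content -Path .\server.json
#   $ws  = Get-Content .\workstation.json -Raw | ConvertFrom-Json
#   $srv = Get-Content .\server.json -Raw | ConvertFrom-Json
#   Compare-MultiOtpCpSettings -Workstation $ws -Server $srv |
#       Where-Object Differs | Format-Table -AutoSize
#
# The full, unfiltered export the maintainer requested, for each host:
#   reg export "HKCR\CLSID\{FCEFDFAB-B0A1-4C4D-8B2B-4FF4E0A3D978}" .\multiotp-cp.reg /y
```

The filtered table is for your own triage; attach the unfiltered .reg export to the issue as asked, since values outside the list above (or a missing key altogether on one host) may be what actually differs.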

multiOTP commented 1 year ago

We will try to reproduce the issue on our side.

multiOTP commented 1 year ago

Hello, we tried to reproduce the bug on our infrastructure without success. Can you please update to the latest version of the credential provider and try again.

If the problem is still present, can you please send us the file you use for remote desktop (file with extension *.rdp)

Best regards

multiOTP commented 1 year ago

Closed due to inactivity during the last 30 days.