multiOTP / multiOTPCredentialProvider

multiOTP Credential Provider is a V2 Credential Provider for Windows 7/8/8.1/10/2012(R2)/2016 with options like RDP only and UPN name support
Apache License 2.0

MultiOTPCredentialProvider not working on 2nd server #83

Closed JeroenTuinstra closed 1 year ago

JeroenTuinstra commented 1 year ago

Am running the MultiOTP server and have successfully installed the MultiOTPCredentialProvider on 1 server. Works like a charm. Then installed it on a second server. During installation no errors or anything. Same settings as on the 1st server, yet it constantly says: "Wrong one-time password".

At first I thought it was the firewall, but I enabled port 8112 inbound and outbound (didn't have to do that on the 1st server) and it made no difference. On the server side there are no log entries; it looks like the server doesn't even connect to the MultiOTP server.

So now I am locked out of the 2nd server. Through Safe Mode I can uninstall (as I have done before with this server, just to get access again). But re-installing gives the same error. Is there a way to check whether the connection will work before I definitively enable the Credential Provider?

multiOTP commented 1 year ago

Hello,

What did you install exactly, and where?
- Where is the multiOTP open source server installed (name of the machine)?
- Where is the first multiOTP Credential Provider installed (name of the machine)? Is it the same one?
- Where is the second multiOTP Credential Provider installed (name of the machine)?

multiOTP Credential Provider uses an https connection to validate the authentication.
- Is access to the https port of the multiOTP open source server allowed for your second server?
- Can you browse to the web login page of the multiOTP open source server from your second server with multiOTP Credential Provider installed?
- Did you provide the correct URL for the multiOTP open source server during the multiOTP Credential Provider installation?

Please note also that we strongly advise deploying the virtual appliance of multiOTP open source server instead of the Windows version.

If you want to do a working test, please install multiOTP Credential Provider with the option to check the 2FA only for RDP. This way, you can still uninstall it or reconfigure it using direct access.

Regards,

JeroenTuinstra commented 1 year ago

Hi, thank you for the questions:

The multiotp server is installed on a Hyper-V MS Server 2022 (domain joined) as a web service (IP address 192.168.21.8, port 8112), with name mfa.fede.adventist.be. The first server on which we installed the MultiOTP credential provider is also a Hyper-V MS Server 2022 (domain joined), IP address 192.168.21.6, name mdt-wsus.fede.adventist.be. The second server on which we installed the MultiOTP credential provider is a Hyper-V MS Server 2022 (domain joined), IP address 192.168.21.10, name mx2022.fede.adventist.be (our Exchange mailbox server).

From both servers the website: http://192.168.21.8:8112 can be reached and logged into. This is also the address we provided during the setup of Credential Provider. Both Credential Providers were configured in the exact same way.

With the Credential Provider installed we are able to browse to the address of the MultiOTP server too. We have installed it on a third server (dc2.fede.adventist.be), one of our domain controllers, with exactly the same result. It seems to connect to the MultiOTP server but then again gives the result "Wrong One Time Password". So we were only able to install it on one server.

JeroenTuinstra commented 1 year ago

Perhaps this will help from the log of the MultiOTP server. It is just difficult to see which computer it is responding to:

multiotp 5.9.4.0
Your script is running from C:\MultiOTP\windows\
2023-03-07 17:37:51 debug       CredentialProviderRequest   Info: *Value for IsCredentialProviderRequest: 1 0   MFA
2023-03-07 17:37:51 debug       Server-Client   Info: *CheckUserToken server request.   0   MFA
2023-03-07 17:37:51 debug       Server-Client   Info: *Server secret used for command CheckUserToken with error code result 70: ClientServerSecret  0   MFA
========================================
multiotp 5.9.4.0
Your script is running from C:\MultiOTP\windows\
2023-03-07 18:06:52 debug       CredentialProviderRequest   Info: *Value for IsCredentialProviderRequest:   0   MFA
2023-03-07 18:06:52 debug       Server-Client   Info: *CheckUserExists server request for administrator with challenge KQTH*e 9}/tt('p4cDj)$)/>mzvabsg 0   MFA
2023-03-07 18:06:52 debug       Server-Client   Info: *CheckUserExists intermediate error code: 70  0   MFA
2023-03-07 18:06:52 debug       Server-Client   Info: *Server secret used for command CheckUserExists with error code result 70: ClientServerSecret 0   MFA
========================================
multiotp 5.9.4.0
Your script is running from C:\MultiOTP\windows\
2023-03-07 18:06:52 debug       CredentialProviderRequest   Info: *Value for IsCredentialProviderRequest:   0   MFA
2023-03-07 18:06:52 debug       Server-Client   Info: *ReadUserData server request for administrator    0   MFA
2023-03-07 18:06:52 debug       Server-Client   Info: *Server secret used for command ReadUserData with error code result 70: ClientServerSecret    0   MFA
========================================
multiotp 5.9.4.0
Your script is running from C:\MultiOTP\windows\
2023-03-07 18:07:06 debug       CredentialProviderRequest   Info: *Value for IsCredentialProviderRequest:   0   MFA
2023-03-07 18:07:06 debug       Server-Client   Info: *CheckUserExists server request for administrator with challenge KQTH-2*9z% s$t g1h,*{ bk|Wtc8w> 0   MFA
2023-03-07 18:07:06 debug       Server-Client   Info: *CheckUserExists intermediate error code: 70  0   MFA
2023-03-07 18:07:06 debug       Server-Client   Info: *Server secret used for command CheckUserExists with error code result 70: ClientServerSecret 0   MFA
========================================
multiotp 5.9.4.0
Your script is running from C:\MultiOTP\windows\
2023-03-07 18:07:06 debug       CredentialProviderRequest   Info: *Value for IsCredentialProviderRequest:   0   MFA
2023-03-07 18:07:06 debug       Server-Client   Info: *ReadUserData server request for administrator    0   MFA
2023-03-07 18:07:06 debug       Server-Client   Info: *Server secret used for command ReadUserData with error code result 70: ClientServerSecret    0   MFA
========================================
multiotp 5.9.4.0
Your script is running from C:\MultiOTP\windows\
2023-03-07 18:07:19 debug       CredentialProviderRequest   Info: *Value for IsCredentialProviderRequest:   0   MFA
2023-03-07 18:07:19 debug       Server-Client   Info: *CheckUserExists server request for administrator with challenge KQTHx0*1*q' u$r25B<.$x"?Sk $66%e 0   MFA
2023-03-07 18:07:19 debug       Server-Client   Info: *CheckUserExists intermediate error code: 70  0   MFA
2023-03-07 18:07:19 debug       Server-Client   Info: *Server secret used for command CheckUserExists with error code result 70: ClientServerSecret 0   MFA
========================================
multiotp 5.9.4.0
Your script is running from C:\MultiOTP\windows\
2023-03-07 18:07:20 debug       CredentialProviderRequest   Info: *Value for IsCredentialProviderRequest:   0   MFA
2023-03-07 18:07:20 debug       Server-Client   Info: *ReadUserData server request for administrator    0   MFA
2023-03-07 18:07:20 debug       Server-Client   Info: *Server secret used for command ReadUserData with error code result 70: ClientServerSecret    0   MFA
JeroenTuinstra commented 1 year ago

Maybe for your help. This is the log entry for the third server that doesn't work:

========================================
multiotp 5.9.4.0
Your script is running from C:\MultiOTP\windows\
2023-03-07 18:16:04 debug       CredentialProviderRequest   Info: *Value for IsCredentialProviderRequest:   0   MFA
2023-03-07 18:16:04 debug       Server-Client   Info: *CheckUserExists server request for administrator with challenge KQTH*5'or/#Bpsp23AhxF/#&bo{; '>8&0    0   MFA
2023-03-07 18:16:04 debug       Server-Client   Info: *CheckUserExists intermediate error code: 70  0   MFA
2023-03-07 18:16:04 debug       Server-Client   Info: *Server secret used for command CheckUserExists with error code result 70: ClientServerSecret 0   MFA
========================================
multiotp 5.9.4.0
Your script is running from C:\MultiOTP\windows\
2023-03-07 18:16:05 debug       CredentialProviderRequest   Info: *Value for IsCredentialProviderRequest:   0   MFA
2023-03-07 18:16:05 debug       Server-Client   Info: *ReadUserData server request for administrator    0   MFA
2023-03-07 18:16:05 debug       Server-Client   Info: *Server secret used for command ReadUserData with error code result 70: ClientServerSecret    0   MFA

And this is a successful login from the first server:

========================================
multiotp 5.9.4.0
Your script is running from C:\MultiOTP\windows\
2023-03-07 18:27:09 debug       CredentialProviderRequest   Info: *Value for IsCredentialProviderRequest:   0   MFA
2023-03-07 18:27:09 debug       Server-Client   Info: *CheckUserExists server request for administrator with challenge KQTH/8+9x r''##7dA8.z"`1(!?0(c 0   MFA
2023-03-07 18:27:09 debug       Server-Client   Info: *CheckUserExists intermediate error code: 70  0   MFA
2023-03-07 18:27:09 debug       Server-Client   Info: *Server secret used for command CheckUserExists with error code result 70: ClientServerSecret 0   MFA
========================================
multiotp 5.9.4.0
Your script is running from C:\MultiOTP\windows\
2023-03-07 18:27:10 debug       CredentialProviderRequest   Info: *Value for IsCredentialProviderRequest:   0   MFA
2023-03-07 18:27:10 debug       Server-Client   Info: *ReadUserData server request for administrator    0   MFA
2023-03-07 18:27:10 debug       Server-Client   Info: *Server secret used for command ReadUserData with error code result 70: ClientServerSecret    0   MFA
========================================
multiotp 5.9.4.0
Your script is running from C:\MultiOTP\windows\
2023-03-07 18:27:10 debug       CredentialProviderRequest   Info: *Value for IsCredentialProviderRequest:   0   MFA
2023-03-07 18:27:10 debug       Server-Client   Info: *ReadUserData server request for administrator    0   MFA
2023-03-07 18:27:10 debug       Server-Client   Info: *Server secret used for command ReadUserData with error code result 70: ClientServerSecret    0   MFA
========================================
multiotp 5.9.4.0
Your script is running from C:\MultiOTP\windows\
2023-03-07 18:27:10 debug       CredentialProviderRequest   Info: *Value for IsCredentialProviderRequest: 1 0   MFA
2023-03-07 18:27:10 debug       Server-Client   Info: *CheckUserToken server request.   0   MFA
2023-03-07 18:27:10 debug       Server-Client   Info: *Server secret used for command CheckUserToken with error code result 70: ClientServerSecret  0   MFA
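The logs above are hard to read by eye because the server does not record which client each entry belongs to. The following is an added example, not code from the multiOTP project or from anyone in this thread: it parses multiOTP server debug-log lines of the shape shown above, groups them into request bursts by time (the only separator available, since the log carries no client address) and reports which client/server commands each burst contained. The one assumption it encodes is read off the logs in this thread rather than from multiOTP documentation: the successful login from the first server ends with a CheckUserToken request, while the failing attempts stop after CheckUserExists/ReadUserData. The sample input is copied from the two log excerpts above with the challenge strings shortened.

```powershell
# Added example (not multiOTP project code): parse multiOTP server debug-log lines,
# group them into bursts of entries less than $GapSeconds apart, and show the
# sequence of client/server commands and result codes seen in each burst.

function ConvertFrom-MultiOtpLog {
    param([Parameter(Mandatory)][string[]]$Lines)

    # Only the timestamped lines carry data; the version banner lines are skipped.
    $pattern = '^(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\w+\s+(?<cat>\S+)\s+Info:\s+\*(?<msg>.*)$'
    foreach ($line in $Lines) {
        if (-not ($line -match $pattern)) { continue }
        $time     = [datetime]::ParseExact($Matches['ts'], 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
        $category = $Matches['cat']
        $msg      = $Matches['msg']

        # The command name is either at the start of the message or after the word 'command'.
        $command = 'Other'
        if     ($msg -match '^(CheckUserExists|ReadUserData|CheckUserToken)\b') { $command = $Matches[1] }
        elseif ($msg -match 'command (\w+) with')                                { $command = $Matches[1] }

        # 'intermediate error code: 70' and 'error code result 70' both carry a result code.
        $code = $null
        if ($msg -match 'error code(?: result)?:?\s*(\d+)') { $code = [int]$Matches[1] }

        [pscustomobject]@{ Time = $time; Category = $category; Command = $command; Code = $code; Message = $msg }
    }
}

function Group-MultiOtpBursts {
    param([Parameter(Mandatory)][object[]]$Entries, [int]$GapSeconds = 2)

    $bursts  = New-Object System.Collections.Generic.List[object]
    $current = $null
    foreach ($e in ($Entries | Sort-Object Time)) {
        # Start a new burst when the gap to the previous entry exceeds the threshold.
        if ($null -eq $current -or ($e.Time - $current.End).TotalSeconds -gt $GapSeconds) {
            $current = [pscustomobject]@{ Start = $e.Time; End = $e.Time; Commands = @(); Codes = @() }
            $bursts.Add($current)
        }
        $current.End = $e.Time
        if ($e.Command -ne 'Other' -and $current.Commands -notcontains $e.Command) { $current.Commands += $e.Command }
        if ($null -ne $e.Code -and $current.Codes -notcontains $e.Code)            { $current.Codes    += $e.Code }
    }
    foreach ($b in $bursts) {
        [pscustomobject]@{
            Start        = $b.Start
            End          = $b.End
            Sequence     = ($b.Commands -join ' > ')
            ResultCodes  = ($b.Codes -join ',')
            ReachedToken = ($b.Commands -contains 'CheckUserToken')
        }
    }
}

# Sample input: the failing third-server attempt and the successful first-server
# login posted in this thread, with the challenge strings shortened.
$SampleLog = @'
multiotp 5.9.4.0
Your script is running from C:\MultiOTP\windows\
2023-03-07 18:16:04 debug       CredentialProviderRequest   Info: *Value for IsCredentialProviderRequest:   0   MFA
2023-03-07 18:16:04 debug       Server-Client   Info: *CheckUserExists server request for administrator with challenge KQTH...   0   MFA
2023-03-07 18:16:04 debug       Server-Client   Info: *CheckUserExists intermediate error code: 70  0   MFA
2023-03-07 18:16:04 debug       Server-Client   Info: *Server secret used for command CheckUserExists with error code result 70: ClientServerSecret 0   MFA
2023-03-07 18:16:05 debug       Server-Client   Info: *ReadUserData server request for administrator    0   MFA
2023-03-07 18:16:05 debug       Server-Client   Info: *Server secret used for command ReadUserData with error code result 70: ClientServerSecret    0   MFA
2023-03-07 18:27:09 debug       Server-Client   Info: *CheckUserExists server request for administrator with challenge KQTH...   0   MFA
2023-03-07 18:27:09 debug       Server-Client   Info: *CheckUserExists intermediate error code: 70  0   MFA
2023-03-07 18:27:10 debug       Server-Client   Info: *ReadUserData server request for administrator    0   MFA
2023-03-07 18:27:10 debug       Server-Client   Info: *Server secret used for command ReadUserData with error code result 70: ClientServerSecret    0   MFA
2023-03-07 18:27:10 debug       CredentialProviderRequest   Info: *Value for IsCredentialProviderRequest: 1 0   MFA
2023-03-07 18:27:10 debug       Server-Client   Info: *CheckUserToken server request.   0   MFA
2023-03-07 18:27:10 debug       Server-Client   Info: *Server secret used for command CheckUserToken with error code result 70: ClientServerSecret  0   MFA
'@

$entries = ConvertFrom-MultiOtpLog -Lines ($SampleLog -split "`r?`n")
Group-MultiOtpBursts -Entries $entries | Format-Table -AutoSize
```

On this sample the first burst (18:16:04 to 18:16:05) has the Sequence "CheckUserExists > ReadUserData" with ReachedToken False, and the second burst (18:27:09 to 18:27:10) continues to CheckUserToken with ReachedToken True. To use it on a live server, feed the multiOTP log file to ConvertFrom-MultiOtpLog with Get-Content and make one logon attempt per client at a time, so that each burst can be attributed to a known machine.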
JeroenTuinstra commented 1 year ago

Okay, discovered the mistake. So we had set a Server-Secret, and somehow this got changed. The first server, despite having the old secret, could still authenticate (probably from the cache??), but the two new servers could not. So when we ran the following command on the multiotp server:

multiotp -config server-secret=OurCorrectSecret

It all started to work.

JeroenTuinstra commented 1 year ago

Sorry, thought it all worked, but unfortunately not. It works now on dc2.fede.adventist.be, but on mx2022.fede.adventist.be it is still not working.

JeroenTuinstra commented 1 year ago

So this is the registry entry of the server that works:

[HKEY_CLASSES_ROOT\CLSID\{FCEFDFAB-B0A1-4C4D-8B2B-4FF4E0A3D978}]
@="multiOTPCredentialProvider"
"login_text"="multiOTP Login"
"multiOTPCacheEnabled"=dword:00000001
"multiOTPDisplaySmsLink"=dword:00000000
"multiOTPDisplayEmailLink"=dword:00000000
"multiOTPFlatDomain"="ADVENTIST"
"multiOTPPath"="C:\\Program Files (x86)\\multiOTP\\"
"multiOTPServers"="http://192.168.21.8:8112"
"multiOTPServerTimeout"=dword:00000005
"multiOTPSharedSecret"="xxxxxxxxxxxxx"
"multiOTPTimeout"=dword:0000003c
"multiOTPUPNFormat"=dword:00000000
"two_step_hide_otp"="1"
"two_step_send_password"="0"
"two_step_send_empty_password"="0"
"otp_text"="One-time password"
"otp_hint_text"="One-time password"
"otp_fail_text"="Wrong one-time password"
"v1_bitmap_path"=""
"excluded_account"=""
"multiOTPDefaultPrefix"=""
"currentOfflineUser"=""
"lastUserAuthenticated"=""
"cpus_logon"="1e"
"cpus_unlock"="3d"
"cpus_credui"="3d"
"multiOTPTimeoutUnlock"=dword:00000000
"multiOTPDisplayLastUser"=dword:00000000
"multiOTPWithout2FA"=dword:00000000
"numlockOn"=dword:00000000

And this is the registry entry of the one that doesn't work:

[HKEY_CLASSES_ROOT\CLSID\{FCEFDFAB-B0A1-4C4D-8B2B-4FF4E0A3D978}]
@="multiOTPCredentialProvider"
"login_text"="multiOTP Login"
"multiOTPCacheEnabled"=dword:00000001
"multiOTPDisplaySmsLink"=dword:00000000
"multiOTPDisplayEmailLink"=dword:00000000
"multiOTPFlatDomain"="ADVENTIST"
"multiOTPPath"="C:\\Program Files (x86)\\multiOTP\\"
"multiOTPServers"="http://192.168.21.8:8112"
"multiOTPServerTimeout"=dword:00000005
"multiOTPSharedSecret"="xxxxxxxxxxxxxx"
"multiOTPTimeout"=dword:0000003c
"multiOTPUPNFormat"=dword:00000000
"two_step_hide_otp"="1"
"two_step_send_password"="0"
"two_step_send_empty_password"="0"
"otp_text"="One-time password"
"otp_hint_text"="One-time password"
"otp_fail_text"="Wrong one-time password"
"v1_bitmap_path"=""
"excluded_account"=""
"multiOTPDefaultPrefix"=""
"currentOfflineUser"=""
"lastUserAuthenticated"=""
"cpus_logon"="1e"
"cpus_unlock"="3d"
"cpus_credui"="3d"
"multiOTPTimeoutUnlock"=dword:00000000
"multiOTPDisplayLastUser"=dword:00000000
"multiOTPWithout2FA"=dword:00000000
"numlockOn"=dword:00000000

Exactly the same as far as I can see, and yet one works and the other doesn't.

JeroenTuinstra commented 1 year ago

Okay, found the issue now. It turns out these two files had to be installed on mx2022.fede.adventist.be:

https://aka.ms/vs/16/release/vc_redist.x64.exe
https://aka.ms/vs/16/release/vc_redist.x86.exe

Even though the installer never asked for these during installation. It did ask for them on the other 2 machines but not on mx2022.fede.adventist.be. After installing these two files on mx2022 it all worked.
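The thread turned on three things that can all be checked before the Credential Provider is enabled for console logon, which is what the original question asked for: whether the configured server URL actually answers from the client (the maintainer's questions), whether the client-side configuration and shared secret are in place (the server-secret mismatch), and whether the Visual C++ x64 and x86 runtimes are installed (the final fix on mx2022). The script below is an added example and is not part of multiOTP or its Credential Provider installer. The CLSID and the value names it reads are the ones in the registry exports posted above; Test-NetConnection and Invoke-WebRequest are standard Windows cmdlets; the registry locations used to detect the VC++ 2015-2022 runtimes are assumed from Microsoft's redistributable packages, not taken from multiOTP documentation.

```powershell
# Added example (not multiOTP project code): pre-flight check to run on a server
# before the multiOTP Credential Provider is enabled for console logon.

function Test-MultiOtpClientPrereqs {
    [CmdletBinding()]
    param(
        # Registry key written by the Credential Provider installer (see the exports in this thread).
        [string]$ClsidKey = 'Registry::HKEY_CLASSES_ROOT\CLSID\{FCEFDFAB-B0A1-4C4D-8B2B-4FF4E0A3D978}',
        [int]$TimeoutSeconds = 5
    )
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # 1. Client-side configuration.
    $cfg = Get-ItemProperty -Path $ClsidKey -ErrorAction SilentlyContinue
    if (-not $cfg) {
        Add-Result 'CP registry key' $false "not found: $ClsidKey (Credential Provider not installed?)"
        return $results
    }
    $url = [string]$cfg.multiOTPServers
    if ([string]::IsNullOrWhiteSpace($url)) {
        Add-Result 'multiOTPServers set' $false 'empty'
        return $results
    }
    $uri = [uri]$url
    Add-Result 'multiOTPServers set' $true $url
    # The maintainer's reply above says validation goes over https; plain http is flagged for review.
    Add-Result 'server URL is https' ($uri.Scheme -eq 'https') "scheme in use: $($uri.Scheme)"
    # Must match the value set on the server with: multiotp -config server-secret=...
    Add-Result 'multiOTPSharedSecret set' (-not [string]::IsNullOrWhiteSpace($cfg.multiOTPSharedSecret)) 'value not shown'

    # 2. Network path from this host to the OTP server: TCP first, then an HTTP GET of the login page.
    $tcp = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
    Add-Result "TCP $($uri.Host):$($uri.Port)" ([bool]$tcp.TcpTestSucceeded) "resolved to $($tcp.RemoteAddress)"
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec $TimeoutSeconds
        Add-Result 'HTTP GET server URL' ($resp.StatusCode -eq 200) "HTTP $($resp.StatusCode)"
    } catch {
        Add-Result 'HTTP GET server URL' $false $_.Exception.Message
    }

    # 3. Visual C++ 2015-2022 runtimes. The Credential Provider is installed under
    #    "Program Files (x86)", and both the x86 and the x64 package were needed above.
    #    Registry locations are an assumption based on Microsoft's redistributable installers.
    $vcChecks = @(
        @{ Name = 'VC++ runtime x64'; Paths = @('HKLM:\SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\x64') }
        @{ Name = 'VC++ runtime x86'; Paths = @('HKLM:\SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\x86',
                                                'HKLM:\SOFTWARE\WOW6432Node\Microsoft\VisualStudio\14.0\VC\Runtimes\x86') }
    )
    foreach ($c in $vcChecks) {
        $rt = $c.Paths |
            ForEach-Object { Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue } |
            Where-Object { $_.Installed -eq 1 } |
            Select-Object -First 1
        $detail = if ($rt) { "version $($rt.Version)" } else { 'missing; install vc_redist.x64.exe / vc_redist.x86.exe' }
        Add-Result $c.Name ([bool]$rt) $detail
    }
    return $results
}

$report = Test-MultiOtpClientPrereqs
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Pass }) {
    Write-Warning 'Fix the failed checks first, or install with the RDP-only option so console logon stays available.'
}
```

Run it from an elevated PowerShell session on the client server after installing the Credential Provider with the RDP-only option the maintainer suggested, so that a failed check never locks you out of the console. A passing report does not prove the shared secret is correct (the value cannot be compared from the client side), so the first real logon should still be made over RDP while a console session stays open.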