multiOTP / multiotp

multiOTP open source strong two factor authentication PHP library, OATH certified, with TOTP, HOTP, Mobile-OTP, YubiKey, SMS, QRcode provisioning, etc.
http://www.multiOTP.net/
GNU Lesser General Public License v3.0

Windows Server 2016 AD #55

Closed CollegeNoob closed 5 years ago

CollegeNoob commented 5 years ago

Hello,

I am having a hard time configuring my config file to sync with my AD. I am using a Windows 2016 server with one user as a test. Server name: capstone19.local. Server account: Administrator. Password: **

multiotp -config default-request-prefix-pin=0
multiotp -config default-request-ldap-pwd=1
multiotp -config ldap-server-type=1
multiotp -config ldap-cn-identifier=sAMAccountName
multiotp -config ldap-group-cn-identifier=sAMAccountName
multiotp -config ldap-group-attribute=memberOf
multiotp -config ldap-ssl=0
multiotp -config ldap-port=389
multiotp -config ldap-domain-controllers=my.srv.com,ldaps://172.17.222.3:389
multiotp -config ldap-base-dn=DC=capstone19,DC=local
multiotp -config ldap-bind-dn=CN=Users,DC=capstone19,DC=local
multiotp -config ldap-server-password=*****
multiotp -config ldap-in-group=students
multiotp -config ldap-network-timeout=10
multiotp -config ldap-time-limit=30
multiotp -config ldap-activated=1
multiotp -debug -display-log -ldap-users-sync

Error: "15 warning LDAP Error: FATAL: AD bind failed. Check the login credentials (-1: Can't contact LDAP server). 99 *ERROR: Authentication failed (and other possible unknown errors)"

So my questions are: Am I required to use LDAP? Do I need anything else besides having my AD set up with a domain and DHCP?

Note: this did not pull anything: "dsquery user -name sync"

After failing many times, I decided to add LDAP and use the same info as above. Still the same issue; I configured it under a different port because it stated the port was in use, and changed the config script to the correct port.

Please help!

multiOTP commented 5 years ago

Hello, please note that LDAPS is usually on port 636.

These three lines are not correct:

multiotp -config ldap-ssl=0
multiotp -config ldap-port=389
multiotp -config ldap-domain-controllers=my.srv.com,ldaps://172.17.222.3:389

That means:

I suggest trying the following config line for the domain controllers:

multiotp -config ldap-domain-controllers=ldaps://172.17.222.3:636

This defines the domain controller to be 172.17.222.3, in LDAPS, on port 636.

Regards,

Andre

CollegeNoob commented 5 years ago

Hello, and thank you for responding. I got the same error.

Any help or suggestions are appreciated. Just to make sure: LDAP needs to be set up for this to work, correct? RADIUS is not required, correct?

multiOTP commented 5 years ago

Hello,

On the domain controller, LDAP is available by default, because Active Directory is based on LDAP. You don't need to install RADIUS on the domain controller. You can also check your LDAP connectivity using the free LDAP Browser from Softerra.

Regards,

CollegeNoob commented 5 years ago

Hello,

Thank you, I tested the LDAP and was able to access it. Still getting the authentication error:

[image]

multiotp -config default-request-prefix-pin=0
multiotp -config default-request-ldap-pwd=1
multiotp -config ldap-server-type=1
multiotp -config ldap-cn-identifier=sAMAccountName
multiotp -config ldap-group-cn-identifier=sAMAccountName
multiotp -config ldap-group-attribute=memberOf
multiotp -config ldap-ssl=1
multiotp -config ldap-port=389
multiotp -config ldap-domain-controllers=my.srv.com,ldaps://172.17.222.3:389
multiotp -config ldap-base-dn=DC=capstone19,DC=local
multiotp -config ldap-bind-dn=OU=Students,DC=capstone19,DC=local
multiotp -config ldap-server-password=****
multiotp -config ldap-in-group=students
multiotp -config ldap-network-timeout=10
multiotp -config ldap-time-limit=30
multiotp -config ldap-activated=1
multiotp -debug -display-log -ldap-users-sync

multiOTP commented 5 years ago

Hello,

OK, I see from your test that you have made an LDAP (and not LDAPS) connection. Change your configuration file like this:

multiotp -config default-request-prefix-pin=0
multiotp -config default-request-ldap-pwd=1
multiotp -config ldap-server-type=1
multiotp -config ldap-cn-identifier=sAMAccountName
multiotp -config ldap-group-cn-identifier=sAMAccountName
multiotp -config ldap-group-attribute=memberOf
multiotp -config ldap-ssl=0
multiotp -config ldap-port=389
multiotp -config ldap-domain-controllers=ldap://capstone19.capstone19.local:389
multiotp -config ldap-base-dn=DC=capstone19,DC=local
multiotp -config ldap-bind-dn=OU=Students,DC=capstone19,DC=local
multiotp -config ldap-server-password=****
multiotp -config ldap-in-group=students
multiotp -config ldap-network-timeout=10
multiotp -config ldap-time-limit=30
multiotp -config ldap-activated=1
multiotp -debug -display-log -ldap-users-sync

Thanks for keeping us in touch.

Regards,

CollegeNoob commented 5 years ago

Hello,

I tried this method, and I got this: "(49: Invalid credentials). (80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839) 99 *ERROR: Authentication failed (and other possible unknown errors)". Just to verify, "multiotp -config ldap-server-password=****" is the password it validates, correct? And that would be my server password, correct?

CollegeNoob commented 5 years ago

Bump

multiOTP commented 5 years ago

Yes, "multiotp -config ldap-server-password=****" is the password of your bind user "multiotp -config ldap-bind-dn=OU=Students,DC=capstone19,DC=local".

Regards,
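The two failure modes in this thread (the maintainer's earlier point that ldap-ssl, ldap-port and the scheme/port in ldap-domain-controllers must agree, and the later "(49: Invalid credentials) ... data 52e" reply, which is the domain controller rejecting the bind DN and password rather than a connectivity problem) can be checked before running -ldap-users-sync. The script below is an added example, not multiOTP's own code: its option names are the ones posted in this issue, the consistency rules are this example's reading of the maintainer's answers rather than multiOTP's real parser, and the sample configs and error strings are constructed from the thread. The AcceptSecurityContext sub-code table is the standard one Active Directory returns on LDAP result 49.

```python
"""Added example (not multiOTP's own code): pre-flight checks for the LDAP
settings argued over in this thread.  Option names are those posted in the
issue; the rules are this example's reading of the maintainer's answers."""
import re
from urllib.parse import urlsplit

# AcceptSecurityContext sub-codes that Active Directory appends to LDAP result 49.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials: wrong password, or the bind DN is not a user object",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}
# Objects directly under the domain root that are containers, not accounts.
DEFAULT_CONTAINERS = ("CN=USERS", "CN=COMPUTERS", "CN=BUILTIN")


def parse_config(text):
    """Collect key=value pairs from a pasted run of 'multiotp -config key=value'."""
    return dict(re.findall(r"-config\s+([\w-]+)=(\S*)", text))


def lint_multiotp_ldap_config(text):
    """Return findings as 'ERROR ...' / 'WARN ...' strings; [] means consistent."""
    cfg, out = parse_config(text), []
    ssl, port = cfg.get("ldap-ssl", "0"), cfg.get("ldap-port", "389")
    if ssl == "1" and port == "389":
        out.append("ERROR ldap-ssl=1 with ldap-port=389: LDAPS normally listens on 636")
    if ssl == "0":
        out.append("WARN ldap-ssl=0: the simple bind sends ldap-server-password in cleartext")
    for dc in filter(None, cfg.get("ldap-domain-controllers", "").split(",")):
        url = urlsplit(dc if "://" in dc else "ldap://" + dc)  # bare host means ldap://
        dc_port = str(url.port or (636 if url.scheme == "ldaps" else 389))
        if url.scheme == "ldaps" and ssl != "1":
            out.append(f"ERROR {dc}: ldaps:// URL but ldap-ssl={ssl}")
        if url.scheme == "ldap" and ssl == "1":
            out.append(f"ERROR {dc}: plain ldap:// URL but ldap-ssl=1")
        if url.scheme == "ldaps" and dc_port == "389":
            out.append(f"ERROR {dc}: LDAPS on port 389 talks TLS to the plaintext listener; use 636")
        if dc_port != port:
            out.append(f"ERROR {dc}: URL port {dc_port} differs from ldap-port={port}")
    # The bind DN must name an account: an OU or a default container cannot bind.
    rdns = [r.strip().upper() for r in cfg.get("ldap-bind-dn", "").split(",") if r.strip()]
    non_dc = [r for r in rdns if not r.startswith("DC=")]
    if rdns and not non_dc:
        out.append("ERROR ldap-bind-dn is the domain root, not a user")
    elif non_dc and non_dc[0].startswith("OU="):
        out.append("ERROR ldap-bind-dn names an OU; only a user object can bind")
    elif len(non_dc) == 1 and non_dc[0] in DEFAULT_CONTAINERS:
        out.append("ERROR ldap-bind-dn is a default container, not a user (e.g. CN=Administrator,CN=Users,DC=...)")
    # Identifier options hold attribute names, not account or group values.
    for key in ("ldap-cn-identifier", "ldap-group-cn-identifier"):
        val = cfg.get(key, "")
        if "@" in val or "=" in val:
            out.append(f"ERROR {key}={val}: expects an attribute name such as sAMAccountName, not an account")
    if cfg.get("ldap-group-attribute") and cfg["ldap-group-attribute"] == cfg.get("ldap-in-group"):
        out.append("ERROR ldap-group-attribute repeats the group name; it holds an attribute name, not a group")
    return out


def decode_ad_bind_error(message):
    """Explain a multiOTP LDAP error line: result code, plus the AD sub-code on result 49."""
    m = re.search(r"\(\s*(-?\d+):\s*([^)]*?)\s*\)", message)
    info = {"code": int(m.group(1)) if m else None, "text": m.group(2) if m else "", "data": None}
    sub = re.search(r"\bdata\s+([0-9a-f]+)", message, re.IGNORECASE)
    if info["code"] == -1:
        info["meaning"] = "no connection to the server (host, port or scheme); credentials were never checked"
    elif info["code"] == 49 and sub:
        info["data"] = sub.group(1).lower()
        info["meaning"] = AD_BIND_SUBCODES.get(info["data"], "unknown AcceptSecurityContext sub-code")
    elif info["code"] == 49:
        info["meaning"] = "bind rejected; AD gave no sub-code"
    else:
        info["meaning"] = "not a bind error"
    return info


# Constructed inputs: the first config posted in this issue, and the corrected one.
FIRST_ATTEMPT = (
    "multiotp -config ldap-ssl=0 multiotp -config ldap-port=389 "
    "multiotp -config ldap-domain-controllers=my.srv.com,ldaps://172.17.222.3:389 "
    "multiotp -config ldap-bind-dn=CN=Users,DC=capstone19,DC=local "
    "multiotp -config ldap-cn-identifier=sAMAccountName "
    "multiotp -config ldap-group-attribute=memberOf multiotp -config ldap-in-group=students"
)
CORRECTED = (
    "multiotp -config ldap-ssl=0 multiotp -config ldap-port=389 "
    "multiotp -config ldap-domain-controllers=ldap://capstone19.capstone19.local:389 "
    "multiotp -config ldap-bind-dn=CN=Administrator,CN=Users,DC=capstone19,DC=local "
    "multiotp -config ldap-cn-identifier=sAMAccountName "
    "multiotp -config ldap-group-attribute=memberOf multiotp -config ldap-in-group=students"
)
ERR_NO_CONTACT = "LDAP Error: FATAL: AD bind failed. Check the login credentials (-1: Can't contact LDAP server)."
ERR_52E = ("(49: Invalid credentials). (80090308: LdapErr: DSID-0C09042A, "
           "comment: AcceptSecurityContext error, data 52e, v3839)")

if __name__ == "__main__":
    for label, cfg in (("first attempt", FIRST_ATTEMPT), ("corrected", CORRECTED)):
        print(label, lint_multiotp_ldap_config(cfg), sep=": ")
    for err in (ERR_NO_CONTACT, ERR_52E):
        print(decode_ad_bind_error(err)["meaning"])
```

The corrected config still produces the cleartext warning: with ldap-ssl=0 the bind password for the Administrator account crosses the network unencrypted on every sync, so once the plain LDAP setup works, moving to ldaps://host:636 with ldap-ssl=1 (and a bind account with less privilege than Administrator) is the follow-up a practitioner would make.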

CollegeNoob commented 5 years ago

Any ideas what I should try next?

Thanks for all the help, by the way!

CollegeNoob commented 5 years ago

I am now running into an issue where it's not syncing my group, "students", which I guess was my goal. Also, once I have it synced, this will prompt for a one-time code, correct? Sorry, this is my first time doing this and it's a bit hard to follow the guide. It is syncing, but says that 0 users are synced.

multiotp -config default-request-prefix-pin=0
multiotp -config default-request-ldap-pwd=1
multiotp -config ldap-server-type=1
multiotp -config ldap-cn-identifier=administrator@capstone19.capstone19.local
multiotp -config ldap-group-cn-identifier=administrator
multiotp -config ldap-group-attribute=students
multiotp -config ldap-ssl=0
multiotp -config ldap-port=389
multiotp -config ldap-domain-controllers=ldap://capstone19.capstone19.local:389
multiotp -config ldap-base-dn=DC=capstone19,DC=local
multiotp -config ldap-bind-dn=CN=Administrator,CN=Users,DC=capstone19,DC=local
multiotp -config ldap-server-password=***
multiotp -config ldap-in-group=students
multiotp -config ldap-network-timeout=10
multiotp -config ldap-time-limit=30
multiotp -config ldap-activated=1
multiotp -debug -display-log -ldap-users-sync

CollegeNoob commented 5 years ago

Another question: will I be able to configure it just on my Active Directory? Or must I use LDAP?

multiOTP commented 5 years ago

Hello,

Once again, Active Directory is LDAP branded by Microsoft. If you are using multiOTP with a Microsoft server, you are working with Active Directory.

Your last configuration file is not correct in order to configure groups; please put these:

multiotp -config ldap-group-cn-identifier=sAMAccountName (this is the name of the Active Directory attribute that contains the group name)
multiotp -config ldap-group-attribute=memberOf (this is the name of the RADIUS attribute that will be sent to the device during authentication)

Regards,

Andre

CollegeNoob commented 5 years ago

multiotp -config default-request-prefix-pin=0
multiotp -config default-request-ldap-pwd=1
multiotp -config ldap-server-type=1
multiotp -config ldap-cn-identifier=sAMAccountName
multiotp -config ldap-group-cn-identifier=sAMAccountName
multiotp -config ldap-group-attribute=memberOf
multiotp -config ldap-ssl=0
multiotp -config ldap-port=389
multiotp -config ldap-domain-controllers=ldap://capstone19.capstone19.local:389
multiotp -config ldap-base-dn=DC=capstone19,DC=local
multiotp -config ldap-bind-dn=CN=Administrator,CN=Users,DC=capstone19,DC=local
multiotp -config ldap-server-password=****
multiotp -config ldap-in-group=students
multiotp -config ldap-network-timeout=10
multiotp -config ldap-time-limit=30
multiotp -config ldap-activated=1
multiotp -debug -display-log -ldap-users-sync

This did sync my group correctly, thank you! But the 2-step authentication is not coming up when I am using my workstation. Do I need to set anything else up for it to prompt for the authentication? I am going to be using Google Authentication.

multiOTP commented 5 years ago

Hello,

From here, we don't know your Active Directory tree, so we cannot say if it's correct or not. We notice that this line is not well written: multiotp -config ldap-group-attribute=memberOf

Try first without any group (leave the ldap-in-group line empty), which should synchronize all users of the AD (starting at the DC=capstone19,DC=local as specified in the ldap-base-dn parameter):

multiotp -config ldap-in-group=

Regards,

multiOTP commented 5 years ago

Hello,

If you want to do 2FA on the Windows login page, you will have to install multiOTPCredentialProvider on every computer (github.com/multiOTP/multiOTPCredentialProvider).

Regards,

multiOTP commented 5 years ago

Where is your school located in the world?

CollegeNoob commented 5 years ago

Awesome, thanks for the help! I now have all my users synced. I will make a video about this later once I have everything perfected and set up! Thank you.

CollegeNoob commented 5 years ago

I am now having troubles with the authentication process; here is what I have so far:

[image]

I was able to ping the server just fine and tested the user with Google Authentication. Wondering if I am missing anything?

[image]

Any ideas on what I am doing wrong?

multiOTP commented 5 years ago

Hello,

On which server is multiOTP installed? As all workstations will have to connect to this multiOTP server, you have to give your local network IP address, not 127.0.0.1 (which is only the loopback).

What is written in the log file on the computer where multiOTP Credential Provider is installed?

What is written in the log file of the multiOTP server?

Is test1 a user that exists in the CAPSTONE190 domain?

Regards,

Andre

CollegeNoob commented 5 years ago

Yes, test1 does exist. I realize that the address is a loopback address, but that is how I pull the multiOTP file up; I am not sure where I can change the address of the web GUI. The server address is a .3 in my network, the same address I was using above in my script.

multiOTP commented 5 years ago

The multiOTP server is installed somewhere on this IP: IP.address.multiOTP.server

multiOTP Credential Provider must be installed on each workstation. When installing multiOTP Credential Provider, you must give the multiOTP server URL: http://IP.address.multiOTP.server:8112

Regards,

CollegeNoob commented 5 years ago

Okay, I believe I resolved that issue, and I was able to time out my user from the test and verify it is communicating with the multiOTP server. However, I am getting an error when putting my OTP in the credential provider: "Wrong token length, check if a prefix is required". The token is from Google Authenticator and I was able to test it in the "check user" on the multiOTP GUI. I also pulled the log:

172.17.222.7 - - [27/Mar/2019:05:42:26 -0700] "POST / HTTP/1.0" 200 1673 "-" "multiOTP"
172.17.222.7 - - [27/Mar/2019:05:42:26 -0700] "POST / HTTP/1.0" 200 1673 "-" "multiOTP"
172.17.222.7 - - [27/Mar/2019:05:42:26 -0700] "POST / HTTP/1.0" 200 358 "-" "multiOTP"

The IP address in the log is the workstation I was testing this from. Thank you!

multiOTP commented 5 years ago

Hello,

Check the parameters at the beginning of the installation of the multiOTP Credential Provider. The options must match what you have configured on the multiOTP server. One option will enable or disable the automatic concatenation of the Windows password with the token.

Regards,

CollegeNoob commented 5 years ago

Alright, awesome. I got it to work! I will do some testing with it. Thanks for all the help!