
privacyidea-credential-provider's Introduction

About the privacyIDEA Credential Provider

This is the privacyIDEA Credential Provider, which adds a second factor of authentication at Windows Desktop or Server login. Authentication is performed against the privacyIDEA Authentication System.

The Credential Provider communicates with the privacyIDEA authentication system via REST API.

privacyIDEA is an open-source two-factor authentication system.

https://github.com/privacyidea/privacyidea

https://privacyidea.org

Test Version

If you just want to test the software, an MSI is available in the release section as well as a test subscription.

For Enterprise Support or an extended Subscription please check https://netknights.it/en/produkte/privacyidea-credential-provider/

Documentation

The documentation can be found in /doc.

Build

The solution is built with platform toolset v143 (Visual Studio 2022).

Dependencies

This project requires json.hpp from https://github.com/nlohmann/json; put it in CppClient/nlohmann/json.hpp. It also requires libfido2 for Windows v1.14 (https://developers.yubico.com/libfido2/Releases/) to be in the SolutionDir (or adjust the include settings). To build the installer, the VC143 merge modules must be in lib/merge.

privacyidea-credential-provider's People

Contributors

cornelinux, laclaro, nilsbehlen, pablo-knight, plettich


privacyidea-credential-provider's Issues

Log In Failed: Error code 88809007 Service could not handle the request.

Hi, please help me.

I have enrolled my user token but when I try to use the credential provider on a Windows 10 x64 client it does not work. Error code in title. I have compiled & installed the x64 debug version. The log file says:

"result:" {"status": false, "error":{"message":"SubscriptionError('No subscription for your client.', application=privacyidea-cp,"code": -500)"}} .. at line 648 'endpoint.cpp'

The user is from an ldap resolver and testing the OTP on the web UI works. Thank you for your time.

Error LNK2019

Hello,
I installed VS2019 and Wix v3.11.02.
I copied the json-develop\json-develop\single_include\json.hpp to privacyidea-credential-provider-master\CppClientCore\nlohmann

However, when I tried to build the solution in VS2019, I get this error:
LNK2019 unresolved external symbol _main referenced in function "int __cdecl invoke_main(void)" (?invoke_main@@YAHXZ) CppClientCore C:\Data\privacyidea-credential-provider-master\privacyidea-credential-provider-master\CppClientCore\CppClientCore\MSVCRTD.lib(exe_main.obj) 1

Can you please help me resolve it ?

Thanks a lot for your help

Support for email/sms token

To use email/sms tokens, the transaction id has to be added to the POST request.
Also, the message received when triggering the challenge should be displayed to the user.

Write all registry entries on installation

Let the installer insert all possible config entries in the registry, even though they are not directly configurable in the installer.
This will prevent misunderstandings / wrong spelling.

Allow prefilling username

Read the last logged-in user from the registry and prefill the username field. This should be enabled optionally via registry.

Linker error 2019

Hello,

When I build the source code, I am getting this Linker error:

3>CppClientCore.lib(Logger.obj) : error LNK2019: unresolved external symbol __imp__fgetc referenced in function "bool __cdecl std::_Fgetc(char &,struct _iobuf *)" (??$_Fgetc@D@std@@YA_NAADPAU_iobuf@@@Z)

And 14 other issues similar to this one. I believe that I am missing some libraries that my linker cannot find. What libraries are being used to compile the program?

Also, can you confirm the compiler Configuration settings for the projects:

CPPClientCore -> Static library (Should this be a DLL?)
CredentialProvider -> DLL
CredentialProviderFilter -> DLL
Shared -> Utility

German translation has a typo

"Bitte geben Sie ihren zweiten Faktor ein!"
please write "ihren" with a capital Letter "Ihren".
->
"Bitte geben Sie Ihren zweiten Faktor ein!"

excludedAccount not working in 1 scenario

If the CP is set up to be 2step with the 1st step doing nothing, PrivacyIDEA::validateCheck is never called and the user input is never compared to the excludedAccount which results in the user still getting prompted to enter an OTP.

Move the excludedAccount logic into the plugin (CCredential::Connect).

Duplicate entry in offline file

If the offline values are empty and the offline refill fails (because the system is offline), the next offline refill try while being online creates another JSON object in the offline file, resulting in the following:

  "offline": [
    {
      "count": "20",
      "refilltoken": "old refill token",
      "response": null,
      "serial": "serial",
      "user": "",
      "username": "username"
    },
    {
      "count": "20",
      "refilltoken": "new refill token",
      "response": { ...,
        ....
      },
      "serial": "serial",
      "user": "",
      "username": "username"
    }
  ]
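The sequence from the report above, as an added example that is not part of the issue or of the project's code: the offline file is modelled as an in-memory vector of entries, and the refill handler locates an entry by token serial plus Windows user before writing, so a refill that failed offline leaves a stub that the next successful refill updates instead of duplicating. The struct fields mirror the JSON keys above; the function names, the "count" type and the merge behaviour of stored OTP values are assumptions.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// One object of the "offline" array in the offline file.
struct OfflineEntry {
    std::string serial;
    std::string username;
    std::string refilltoken;
    int count = 0;                                  // OTP values requested per refill
    std::map<std::string, std::string> response;    // counter -> stored value; empty when no refill succeeded
};

// An entry is identified by token serial and Windows user, not by its position in the file.
static OfflineEntry* FindEntry(std::vector<OfflineEntry>& entries,
                               const std::string& serial, const std::string& username) {
    const auto it = std::find_if(entries.begin(), entries.end(),
        [&](const OfflineEntry& e) { return e.serial == serial && e.username == username; });
    return it == entries.end() ? nullptr : &*it;
}

// Store the outcome of a refill. Returns true when an existing entry was updated,
// false when a new one was created. Invariant: no two entries share serial and
// username, so a failed attempt can never leave a sibling object behind.
bool ApplyRefill(std::vector<OfflineEntry>& entries, const std::string& serial,
                 const std::string& username, const std::string& newRefillToken,
                 int count, const std::map<std::string, std::string>& newValues) {
    if (OfflineEntry* existing = FindEntry(entries, serial, username)) {
        existing->refilltoken = newRefillToken;   // the old token is superseded; do not keep a stale copy on disk
        existing->count = count;
        // Assumption: values already stored and not yet consumed stay valid, so the new
        // ones are added to them. Whether stale values must be dropped instead depends on
        // the server's refill semantics, which this example does not model.
        existing->response.insert(newValues.begin(), newValues.end());
        return true;
    }
    OfflineEntry e;
    e.serial = serial;
    e.username = username;
    e.refilltoken = newRefillToken;
    e.count = count;
    e.response = newValues;
    entries.push_back(e);
    return false;
}

// Replays the sequence from the report: the first refill fails offline (no values come
// back), the retry while online must update the stub rather than append a second object.
std::size_t EntriesAfterRetry() {
    std::vector<OfflineEntry> file;
    ApplyRefill(file, "serial", "username", "old refill token", 20, {});
    ApplyRefill(file, "serial", "username", "new refill token", 20,
                {{"1", "value1"}, {"2", "value2"}});   // constructed sample values
    return file.size();
}

int main() {
    std::printf("entries after offline failure + online retry: %zu (expected 1)\n",
                EntriesAfterRetry());
    return 0;
}
```

The point is the lookup key: as long as the handler appends whenever the last refill produced no values, the file grows one stub per failed attempt, and the refill token the server issued most recently is no longer the only one on disk.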

compilation errors

Trying to compile with VS2019. I have installed wix toolset v3.11.02 and its VS2019 extension, and have added nlohmann/json.hpp in CppClientCore.

How can I solve the following compile failures?
1>------ Build started: Project: CppClientCore, Configuration: Debug Win32 ------
2>------ Build started: Project: CredentialProviderFilter, Configuration: Debug Win32 ------
1>Challenge.cpp
2>Dll.cpp
2>CCredentialProviderFilter.cpp
2>C:\Users\username\source\repos\privacyidea-credential-provider\CredentialProviderFilter\CCredentialProviderFilter.h(25,10): fatal error C1083: Cannot open include file: 'helpers.h': No such file or directory
2>guid.cpp
2>Generating Code...
2>Done building project "CredentialProviderFilter.vcxproj" -- FAILED.
1>Endpoint.cpp
1>Logger.cpp
1>OfflineData.cpp
1>OfflineHandler.cpp
1>PrivacyIDEA.cpp
1>RegistryReader.cpp
1>Generating Code...
1>MSVCRTD.lib(exe_main.obj) : error LNK2019: unresolved external symbol _main referenced in function "int __cdecl invoke_main(void)" (?invoke_main@@YAHXZ)
1>C:\Users\username\source\repos\privacyidea-credential-provider\Debug\CppClientCore.exe : fatal error LNK1120: 1 unresolved externals
1>Done building project "CppClientCore.vcxproj" -- FAILED.
3>------ Build started: Project: CredentialProvider, Configuration: Debug Win32 ------
3>Configuration.cpp
3>C:\Users\username\source\repos\privacyidea-credential-provider\CredentialProvider\Configuration.h(21,10): fatal error C1083: Cannot open include file: 'PIConf.h': No such file or directory
3>CCredential.cpp
3>C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\windows.h(167,10): fatal error C1083: Cannot open include file: 'excpt.h': No such file or directory
3>CProvider.cpp
3>C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\windows.h(167,10): fatal error C1083: Cannot open include file: 'excpt.h': No such file or directory
3>Dll.cpp
3>C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\windows.h(167,10): fatal error C1083: Cannot open include file: 'excpt.h': No such file or directory
3>guid.cpp
3>C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\ucrt\corecrt.h(10,10): fatal error C1083: Cannot open include file: 'vcruntime.h': No such file or directory
3>helpers.cpp
3>C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\windows.h(167,10): fatal error C1083: Cannot open include file: 'excpt.h': No such file or directory
3>Utilities.cpp
3>C:\Users\username\source\repos\privacyidea-credential-provider\CredentialProvider\Configuration.h(21,10): fatal error C1083: Cannot open include file: 'PIConf.h': No such file or directory
3>Generating Code...
3>Done building project "CredentialProvider.vcxproj" -- FAILED.
4>------ Build started: Project: WiXSetup, Configuration: Debug x86 ------
4> C:\Program Files (x86)\WiX Toolset v3.11\bin\candle.exe -dDebug -d"DevEnvDir=C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\" -dSolutionDir=C:\Users\username\source\repos\privacyidea-credential-provider\ -dSolutionExt=.sln -dSolutionFileName=PrivacyIDEA-CredentialProvider.sln -dSolutionName=PrivacyIDEA-CredentialProvider -dSolutionPath=C:\Users\username\source\repos\privacyidea-credential-provider\PrivacyIDEA-CredentialProvider.sln -dConfiguration=Debug -dOutDir=bin\x86\Debug\ -dPlatform=x86 -dProjectDir=C:\Users\username\source\repos\privacyidea-credential-provider\WiXSetup\ -dProjectExt=.wixproj -dProjectFileName=WiXSetup.wixproj -dProjectName=WiXSetup -dProjectPath=C:\Users\username\source\repos\privacyidea-credential-provider\WiXSetup\WiXSetup.wixproj -dTargetDir=C:\Users\username\source\repos\privacyidea-credential-provider\WiXSetup\bin\x86\Debug\ -dTargetExt=.msi -dTargetFileName=privacyIDEACredentialProviderSetup.msi -dTargetName=privacyIDEACredentialProviderSetup -dTargetPath=C:\Users\username\source\repos\privacyidea-credential-provider\WiXSetup\bin\x86\Debug\privacyIDEACredentialProviderSetup.msi -dCredentialProviderFilter.Configuration=Debug -d"CredentialProviderFilter.FullConfiguration=Debug|Win32" -dCredentialProviderFilter.Platform=Win32 -dCredentialProviderFilter.ProjectDir=C:\Users\username\source\repos\privacyidea-credential-provider\CredentialProviderFilter\ -dCredentialProviderFilter.ProjectExt=.vcxproj -dCredentialProviderFilter.ProjectFileName=CredentialProviderFilter.vcxproj -dCredentialProviderFilter.ProjectName=CredentialProviderFilter -dCredentialProviderFilter.ProjectPath=C:\Users\username\source\repos\privacyidea-credential-provider\CredentialProviderFilter\CredentialProviderFilter.vcxproj -dCredentialProviderFilter.TargetDir=C:\Users\username\source\repos\privacyidea-credential-provider\CredentialProviderFilter\bin\Win32\Debug\ -dCredentialProviderFilter.TargetExt=.dll 
-dCredentialProviderFilter.TargetFileName=CredentialProviderFilter.dll -dCredentialProviderFilter.TargetName=CredentialProviderFilter -dCredentialProviderFilter.TargetPath=C:\Users\username\source\repos\privacyidea-credential-provider\CredentialProviderFilter\bin\Win32\Debug\CredentialProviderFilter.dll -dCredentialProvider.Configuration=Debug -d"CredentialProvider.FullConfiguration=Debug|Win32" -dCredentialProvider.Platform=Win32 -dCredentialProvider.ProjectDir=C:\Users\username\source\repos\privacyidea-credential-provider\CredentialProvider\ -dCredentialProvider.ProjectExt=.vcxproj -dCredentialProvider.ProjectFileName=CredentialProvider.vcxproj -dCredentialProvider.ProjectName=CredentialProvider -dCredentialProvider.ProjectPath=C:\Users\username\source\repos\privacyidea-credential-provider\CredentialProvider\CredentialProvider.vcxproj -dCredentialProvider.TargetDir=C:\Users\username\source\repos\privacyidea-credential-provider\CredentialProvider\bin\Win32\Debug\ -dCredentialProvider.TargetExt=.dll -dCredentialProvider.TargetFileName=CredentialProvider.dll -dCredentialProvider.TargetName=CredentialProvider -dCredentialProvider.TargetPath=C:\Users\username\source\repos\privacyidea-credential-provider\CredentialProvider\bin\Win32\Debug\CredentialProvider.dll -out obj\Debug\ -arch x86 -ext "C:\Program Files (x86)\WiX Toolset v3.11\bin\WixUIExtension.dll" ConfigurationDlgs.wxs Product.wxs
4> C:\Program Files (x86)\WiX Toolset v3.11\bin\Light.exe -out C:\Users\username\source\repos\privacyidea-credential-provider\WiXSetup\bin\x86\Debug\en-us\privacyIDEACredentialProviderSetup.msi -pdbout C:\Users\username\source\repos\privacyidea-credential-provider\WiXSetup\bin\x86\Debug\en-us\privacyIDEACredentialProviderSetup.wixpdb -cultures:en-us -ext "C:\Program Files (x86)\WiX Toolset v3.11\bin\WixUIExtension.dll" -loc ConfigurationDlgsLocales.wxl -sice:ICE09 -contentsfile obj\Debug\WiXSetup.wixproj.BindContentsFileListen-us.txt -outputsfile obj\Debug\WiXSetup.wixproj.BindOutputsFileListen-us.txt -builtoutputsfile obj\Debug\WiXSetup.wixproj.BindBuiltOutputsFileListen-us.txt -wixprojectfile C:\Users\username\source\repos\privacyidea-credential-provider\WiXSetup\WiXSetup.wixproj obj\Debug\ConfigurationDlgs.wixobj obj\Debug\Product.wixobj
4>C:\Users\username\source\repos\privacyidea-credential-provider\WiXSetup\Product.wxs(195,0): error LGHT0103: The system cannot find the file 'C:\Users\username\source\repos\privacyidea-credential-provider\CredentialProvider\bin\Win32\Debug\CredentialProvider.dll'.
4>C:\Users\username\source\repos\privacyidea-credential-provider\WiXSetup\Product.wxs(249,0): error LGHT0103: The system cannot find the file 'C:\Users\username\source\repos\privacyidea-credential-provider\CredentialProviderFilter\bin\Win32\Debug\CredentialProviderFilter.dll'.
4>C:\Users\username\source\repos\privacyidea-credential-provider\WiXSetup\Product.wxs(152,0): error LGHT0103: The system cannot find the file 'C:\Users\username\source\repos\privacyidea-credential-provider\lib\merge\Microsoft_VC142_DebugCRT_x86.msm'.
4>Done building project "WiXSetup.wixproj" -- FAILED.
4>
========== Build: 0 succeeded, 4 failed, 0 up-to-date, 0 skipped ==========

A local search revealed that I have three excpt.h and vcruntime.h files in the following directories:

C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.16.27023\include
C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.25.28610\include
C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\include

PIConf.h is there too (in CppClientCore)

rebuild password change scenario

  • Remove the spawned dialog, instead use credential provider fields.
  • Add password new1+2 fields, which are usually hidden
  • Support password change for CPUS_UNLOCK_WORKSTATION and CPUS_LOGON
  • CPUS_CHANGE_PASSWORD is not required, because you have to be logged in already to trigger it

MSI package

Hello,
The documentation in the GitHub repository (privacyidea-credential-provider/doc/installation.rst) states that "The privacyIDEA Credential Provider comes as a 32bit and 64bit MSI package."

But I found no MSI package in this repository. Maybe someone can guide me where I can find it?

Bitmap path broken

the path is loaded properly from the registry but assumes an undefined value in CCredential::GetBitmapValue.

Need Help

Hi,
I am getting the following error when I compile the project using Visual Studio 2017

Severity Code Description Project File Line Suppression State
Error The extension '..\CredentialProviderFilter\bin\x64\Debug\CredentialProviderFilter.dll' could not be loaded because of the following reason: Could not load file or assembly 'file:///D:\privacyidea-credential-provider-master\CredentialProviderFilter\bin\x64\Debug\CredentialProviderFilter.dll' or one of its dependencies. The module was expected to contain an assembly manifest. WiXSetup candle.exe 0

Regards
Subramaniyam.KMV

Non admin users can change the config

Non-admin users can change the config in the software explorer.
Check if the user is an admin with a custom action in WiX.
Checking for privilege is not sufficient since it is also elevated when changing software from the software explorer as a non-admin user

Windows 10 Support?

Does the available source code support Windows 10? I've compiled the code and ran the installer on Windows 10 1709 and Windows 10 1809, but it doesn't give the option to log in with PrivacyIDEA. I've also reinstalled and made it the default authentication provider but it still doesn't work.

I see the registry entries under HKLM\SOFTWARE\WOW6432Node\Netknights GmbH\PrivacyIDEA-CP, but not the entries under CLSID.

I compiled the installer using Visual Studio 2017 and retargeted the project to SDK 10.0.17763.0 and Platform Toolset v141. Using the most recent version of rapidjson and Wix 3.11

ExcludedAccount feature

Add a registry key where an account (+domain) can be specified, which will be excluded from doing 2FA.
This can be useful if something has to be fixed (e.g. privacyIDEA URL changed).
Restrict this to one account only, as this is an "emergency" feature.

WinHttpOpen access type compatibility

WinHttpOpen uses the flag WINHTTP_ACCESS_TYPE_AUTOMATIC_PROXY which does not work on Windows Versions prior to 6.3 => Windows 8.1 / Server2012R2.

Check the Windows version and set the flag according to that.

Configure in which scenarios the cp is enabled

Define a registry entry that allows to configure in which scenarios the cp should be enabled.
Having a remote session should be considered as well.

Currently the scenarios LOGON, UNLOCK and CREDUI (two step turned off automatically) are enabled by default.
CHANGE_PASSWORD seems unnecessary because it only covers the password change that is triggered by the user AFTER logon/unlock. If the password has to be changed because it is expired etc., the scenario is still UNLOCK or LOGON, which is already covered.

The config entry could be:

  • 0 - Both non-remote and remote.
  • 1 - Non-remote only.
  • 2 - Remote only.
  • 3 - Disabled.

Where every scenario has a separate entry and if there is none, the default - enabled for both - is assumed.

Evaluation should be in CProvider::SetUsageScenario.

How to Compile?

Hi I have been trying a while to compile using Microsoft VS 2017.

I have installed Wix and its extensions for VS 2017 but I currently run into a lot of errors.
Usually based upon files it cannot find or dependencies that are not able to be found such as vcdruntime.h cannot be included, Cannot open include file: 'rapidjson/documents.h'

Please help, I am relatively new to c++ compiling.

Support Realms

The credential provider should support privacyidea realms.

We could define a mapping of windows domains to privacyidea realms like

domainA = realmX

So that if a user@domainA logs in to the CP, the data user=user and realm=realmX will be sent to privacyIDEA.

The mapping could be saved in a key subfolder
HKLM\Software\NetKnights GmbH\privacyiDEA-CP\realm-mapping\ with the domain name being the key:

HKLM\Software\NetKnights GmbH\privacyiDEA-CP\realm-mapping\domainA = realmX

If there is no matching mapping (or the windows user is no domain member) we can have a default realm with a key realm:

HKLM\Software\NetKnights GmbH\privacyiDEA-CP\realm = realmDefault
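The three proposals above that act on the typed logon name, the "excludedAccount not working in 1 scenario" and "ExcludedAccount feature" issues and the realm mapping in this one, all need the same first step: split "DOMAIN\user" or "user@domain" into its parts and compare them the way Windows does. The added example below (not the project's code, and not part of any issue) does that once and then applies the single-account bypass and the domain-to-realm lookup with its default. Registry access is replaced by in-memory values so it runs anywhere; the struct and function names are assumptions, and the example deliberately matches the excluded account strictly, because a bypass that also matched on user name alone would be wider than the "one emergency account" the proposal asks for.

```cpp
#include <cctype>
#include <cstdio>
#include <initializer_list>
#include <map>
#include <string>

struct LogonName {
    std::string user;
    std::string domain;   // empty for a local account typed without a domain
};

// Result of the pre-authentication decision for one logon attempt.
struct AuthDecision {
    bool skipSecondFactor = false;   // true only for the single excluded account
    std::string user;                // value for the "user" parameter sent to privacyIDEA
    std::string realm;               // value for "realm"; empty means "send none"
};

static std::string ToLower(std::string s) {
    for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Accepts "DOMAIN\user", "user@domain" or plain "user". Only the last '@' is treated
// as a separator so a UPN such as "first.last@corp.local" keeps its whole user part.
LogonName SplitLogonName(const std::string& input) {
    const auto backslash = input.find('\\');
    if (backslash != std::string::npos)
        return { input.substr(backslash + 1), input.substr(0, backslash) };
    const auto at = input.rfind('@');
    if (at != std::string::npos)
        return { input.substr(0, at), input.substr(at + 1) };
    return { input, "" };
}

// The exclusion is an emergency bypass, so it is matched strictly: user AND domain must
// match (case-insensitively, as Windows treats account names), and an excluded entry
// without a domain only matches logons typed without one.
bool IsExcludedAccount(const LogonName& name, const std::string& excludedAccount) {
    if (excludedAccount.empty()) return false;
    const LogonName ex = SplitLogonName(excludedAccount);
    return ToLower(name.user) == ToLower(ex.user) && ToLower(name.domain) == ToLower(ex.domain);
}

// Domain -> realm lookup with a default. Domains are compared case-insensitively because
// "CORP" and "corp" name the same Windows domain.
std::string RealmForDomain(const LogonName& name,
                           const std::map<std::string, std::string>& realmMapping,
                           const std::string& defaultRealm) {
    const std::string wanted = ToLower(name.domain);
    for (const auto& kv : realmMapping)
        if (ToLower(kv.first) == wanted) return kv.second;
    return defaultRealm;
}

// Combined check in the order the issues propose: the bypass is evaluated on the typed
// name before any request is built, then the realm to send is chosen.
AuthDecision Decide(const std::string& typedName,
                    const std::string& excludedAccount,
                    const std::map<std::string, std::string>& realmMapping,
                    const std::string& defaultRealm) {
    const LogonName name = SplitLogonName(typedName);
    AuthDecision d;
    d.user = name.user;
    d.skipSecondFactor = IsExcludedAccount(name, excludedAccount);
    d.realm = d.skipSecondFactor ? "" : RealmForDomain(name, realmMapping, defaultRealm);
    return d;
}

int main() {
    // Constructed configuration mirroring the registry proposal above.
    const std::map<std::string, std::string> mapping = { {"domainA", "realmX"} };
    for (const char* typed : { "user@domainA", "DOMAINA\\user", "localuser", "CORP\\breakglass" }) {
        const AuthDecision d = Decide(typed, "breakglass@corp", mapping, "realmDefault");
        std::printf("%-18s -> user=%s realm=%s skip2fa=%d\n",
                    typed, d.user.c_str(), d.realm.c_str(), d.skipSecondFactor ? 1 : 0);
    }
    return 0;
}
```

Running the bypass check on the typed name, rather than inside the validate/check call, is what the "excludedAccount not working in 1 scenario" issue asks for: in the two-step mode where the first step sends nothing to privacyIDEA, a check that lives in the request path is never reached.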

Deadlock is possible

in the following scenario:

  • Using the filter
  • Using 2 step

If the user is not found in any realm, it is not possible to go back to the first step to change the username; instead it stays in the second step.

LDAPPasswordIsMandatoryError when no One-Time password is supplied

I'm testing out the credential provider, and so far I'm pretty happy with it.
But I'm having an issue with users that don't have any token enrolled (it's desired for us that some users are allowed to log in without a token).

Whenever I just enter the username and password and leave the One-Time Password field blank in the credential provider, I get the following error:

An error occurred, Error Code: 88809008 You could not be authenticated. Wrong username or password?

And in privacyidea.log:

[WARNING][privacyidea.lib.resolvers.LDAPIdResolver:259] failed to check password for u'cn=user1,o=org'/u'cn=user1,o=org': LDAPPasswordIsMandatoryError('password is mandatory in simple bind',)
[INFO][privacyidea.lib.user:359] user User(login=u'user1', realm=u'realm1', resolver=u'ldapresolver1') failed to authenticate.

Whenever I enter the password not only in the Password field but also in the One-Time Password field, it successfully logs in the user.

I have a policy set with the following setting:
{ "passthru": "userstore" }

How can I make sure the credential provider also works when leaving the OTP field blank? It is confusing to have to enter the password twice.
Is this possible, should I configure some setting in the credential provider or the privacyIDEA backend to support this scenario? Or is this currently not supported?

this tool is not secure!

I am able to circumvent this tool with a 100% success rate.

If you use mRemoteNG or similar tools which can save the Windows-creds, you can just readjust the window size after it asks for the OTP -> after the reconnect it won't ask and you get full access to the desktop.

Hide the domain name in lock screen

The following thing should be configurable:

When the desktop is locked, the domain name of the user should be hidden.
I.e. the user user@domain locks the desktop.

Usually user@domain is displayed on the lock screen.
We can now however hide the complete user name.

It would be good to be able to only display user without the domain.

Why is that?

Users are domain users and login with only the username user. They are not aware of domain.
So this is simply a convenience function, so that the users see their username but are not puzzled by the domain name.

Make OfflineHandler optional in ClientCore

Make the usage of the client handler optional, i.e. by constructing the object outside of the PrivacyIDEA object and passing it.
This will be useful if the projects are split and the client core is used in another project that does not have offline capabilities.

Winhttp default timeouts are too low

The default timeouts in the configuration are way too low (probably by mistaking the time unit they should be in)
They should be multiplied by 1000.
