
Comments (13)

nilsbehlen commented on June 12, 2024

Hi,
which authentication? Windows or privacyIDEA?

from privacyidea-credential-provider.

nilsbehlen commented on June 12, 2024

Ideally, post a log.


mdelazza commented on June 12, 2024

You're right, I didn't put it into context. I configured the credential provider with two_step_hide_otp, so initially I authenticate to Windows without any problem, using both notations [email protected] and domain\user. The problem arises when using UPN notation, when the credential provider asks for the OTP, because it does not strip the domain @domain.local from the username, so the provider searches for user@[email protected] in the privacyIDEA realm.

Using UPN notation:
[23-11-2023 13:30:13] [PrivacyIDEA.cpp:97] PrivacyIDEA::ValidateCheck
[23-11-2023 13:30:13] [Endpoint.cpp:165] Endpoint::SendRequest to /validate/check
[23-11-2023 13:30:13] [Endpoint.cpp:72] Request parameters:
[23-11-2023 13:30:13] [Endpoint.cpp:80] pass=****
[23-11-2023 13:30:13] [Endpoint.cpp:80] user=user%40domain.local
[23-11-2023 13:30:13] [Endpoint.cpp:368] {
"detail": null,
"id": 1,
"jsonrpc": "2.0",
"result": {
"error": {
"code": 904,
"message": "ERR904: The user can not be found in any resolver in this realm!"
},
"status": false
},
"signature": "rsa_sha256_pss:...",
"time": 1700742614.0799088,
"version": "privacyIDEA 3.6.2"
}

Using down-level notation:
[23-11-2023 13:41:39] [PrivacyIDEA.cpp:97] PrivacyIDEA::ValidateCheck
[23-11-2023 13:41:39] [Endpoint.cpp:165] Endpoint::SendRequest to /validate/check
[23-11-2023 13:41:39] [Endpoint.cpp:72] Request parameters:
[23-11-2023 13:41:39] [Endpoint.cpp:80] pass=****
[23-11-2023 13:41:39] [Endpoint.cpp:80] user=user
[23-11-2023 13:41:41] [Endpoint.cpp:368] {
"detail": {
"message": "wrong otp value",
"otplen": 44,
"serial": "UBAM00097003",
"threadid": 140672146937664,
"type": "yubikey"
},
"id": 1,
"jsonrpc": "2.0",
"result": {
"status": true,
"value": false
},
"signature": "rsa_sha256_pss:...",
"time": 1700743301.4352405,
"version": "privacyIDEA 3.6.2",
"versionnumber": "3.6.2"
}

Thank you.


nilsbehlen commented on June 12, 2024

Your username+password is not validated directly after you enter it; you are just asked for it first. The validation happens after the OTP, because if the CP submits user+pw(+domain) to Windows and it's correct, the authentication is ended. But that's not the problem here.
Did you enable send_upn in the CP?
You can also see how the inputs are processed further up in the log.


mdelazza commented on June 12, 2024

Hi, with send_upn the problem remains the same. The logs I copied were taken before the OTP submission. The log says that there is no username [email protected] in the realm (correct), because in the realm only the username user exists. Following is a complete log before OTP insertion, using [email protected] as the username:

[24-11-2023 09:26:54] [CCredentialProviderFilter.cpp:40] CSample_CreateInstance - FILTER START
[24-11-2023 09:26:54] [CCredentialProviderFilter.cpp:141] CCredentialProviderFilter::CCredentialProviderFilter
[24-11-2023 09:26:54] [CCredentialProviderFilter.cpp:155] CCredentialProviderFilter::UpdateRemoteCredential
[24-11-2023 09:26:54] [CCredentialProviderFilter.cpp:62] CCredentialProviderFilter::Filter CPUS_UNLOCK_WORKSTATION
[24-11-2023 09:26:54] [Shared.cpp:30] Shared::IsRequiredForScenario
[24-11-2023 09:26:54] [Shared.cpp:138] Session is remote
[24-11-2023 09:26:54] [Shared.cpp:66] Checking for Filter, CPUS_UNLOCK_WORKSTATION, remote, entry=0e
[24-11-2023 09:26:54] [CProvider.cpp:82] CProvider::SetUsageScenario: CPUS_UNLOCK_WORKSTATION - AUTHENTICATION START
[24-11-2023 09:26:54] [Configuration.cpp:144] -----------------------------
[24-11-2023 09:26:54] [Configuration.cpp:145] CP Version: 3.4.0
[24-11-2023 09:26:54] [Configuration.cpp:147] Windows Version: 10.0.19045
[24-11-2023 09:26:54] [Configuration.cpp:148] ------- Configuration -------
[24-11-2023 09:26:54] [Configuration.cpp:149] Hostname: pi.domain.local
[24-11-2023 09:26:54] [Configuration.cpp:138] Login text: privacyIDEA Login
[24-11-2023 09:26:54] [Configuration.cpp:138] OTP failure text: Wrong One-Time Password!
[24-11-2023 09:26:54] [Configuration.cpp:162] Hide domain/full name: false/false
[24-11-2023 09:26:54] [Configuration.cpp:163] SSL ignore unknown CA/invalid CN: true/true
[24-11-2023 09:26:54] [Configuration.cpp:166] 2step enabled/send empty/domain password: true/false/true
[24-11-2023 09:26:54] [Configuration.cpp:167] Debug Log: true
[24-11-2023 09:26:54] [Configuration.cpp:168] Log sensitive data: false
[24-11-2023 09:26:54] [Configuration.cpp:169] No default: false
[24-11-2023 09:26:54] [Configuration.cpp:170] Show domain hint: false
[24-11-2023 09:26:54] [Configuration.cpp:125] Send UPN: 1
[24-11-2023 09:26:54] [Configuration.cpp:125] Offline refill threshold: 0
[24-11-2023 09:26:54] [Configuration.cpp:189] -----------------------------
[24-11-2023 09:26:54] [Shared.cpp:30] Shared::IsRequiredForScenario
[24-11-2023 09:26:54] [Shared.cpp:138] Session is remote
[24-11-2023 09:26:54] [Shared.cpp:66] Checking for Provider, CPUS_UNLOCK_WORKSTATION, remote, entry=0e
[24-11-2023 09:26:54] [CProvider.cpp:120] SetUsageScenario result: 0x0
[24-11-2023 09:26:54] [CProvider.cpp:142] CProvider::SetSerialization
[24-11-2023 09:26:54] [CProvider.cpp:178] Serialization found from remote
[24-11-2023 09:26:54] [CProvider.cpp:214] SetSerialization result: 0x0
[24-11-2023 09:26:54] [CProvider.cpp:226] CProvider::Advise
[24-11-2023 09:26:54] [CProvider.cpp:345] CProvider::GetCredentialCount
[24-11-2023 09:26:54] [Shared.cpp:138] Session is remote
[24-11-2023 09:26:54] [CProvider.cpp:370] Setting AutoLogon to true
[24-11-2023 09:26:54] [CProvider.cpp:385] CProvider::GetCredentialAt
[24-11-2023 09:26:54] [CProvider.cpp:392] Checking if already serialized credentials are present
[24-11-2023 09:26:54] [CProvider.cpp:529] CProvider::_GetSerializedCredentials
[24-11-2023 09:26:54] [CProvider.cpp:450] Initializing CCredential
[24-11-2023 09:26:54] [CCredential.cpp:75] CCredential::Initialize
[24-11-2023 09:26:54] [CCredential.cpp:109] Username from provider: [email protected]
[24-11-2023 09:26:54] [CCredential.cpp:110] Domain from provider: DOMAIN.LOCAL
[24-11-2023 09:26:54] [CCredential.cpp:148] Init result: 0x0
[24-11-2023 09:26:54] [CProvider.cpp:476] Returning interface to credential
[24-11-2023 09:26:54] [CProvider.cpp:499] GetCredentialAt result 0x0
[24-11-2023 09:26:54] [CProvider.cpp:267] CProvider::GetFieldDescriptorCount
[24-11-2023 09:26:54] [CCredential.cpp:333] CCredential::GetBitmapValue
[24-11-2023 09:26:54] [CCredential.cpp:380] (long) 0
[24-11-2023 09:26:54] [CCredential.cpp:394] CCredential::GetSubmitButtonValue
[24-11-2023 09:26:54] [CCredential.cpp:780] CCredential::Connect: CREDENTIAL SUBMITTED - step 1
[24-11-2023 09:26:54] [Utilities.cpp:641] Utilities::CopyInputsToConfig
[24-11-2023 09:26:54] [Utilities.cpp:733] Loading password from GUI, value:
[24-11-2023 09:26:54] [Utilities.cpp:746] [Hidden] has value
[24-11-2023 09:26:54] [Utilities.cpp:757] Loading OTP from GUI, from '' to ''
[24-11-2023 09:26:54] [CCredential.cpp:805] Matching user with excluded account: DOMAIN.LOCAL\administrator
[24-11-2023 09:26:54] [CCredential.cpp:843] 1st step: Sending windows pass
[24-11-2023 09:26:54] [PrivacyIDEA.cpp:97] PrivacyIDEA::ValidateCheck
[24-11-2023 09:26:54] [Endpoint.cpp:165] Endpoint::SendRequest to /validate/check
[24-11-2023 09:26:54] [Endpoint.cpp:72] Request parameters:
[24-11-2023 09:26:54] [Endpoint.cpp:84] pass parameter is not logged
[24-11-2023 09:26:54] [Endpoint.cpp:80] user=user%40domain.local
[24-11-2023 09:26:55] [Endpoint.cpp:368] {
"detail": null,
"id": 1,
"jsonrpc": "2.0",
"result": {
"error": {
"code": 904,
"message": "ERR904: The user can not be found in any resolver in this realm!"
},
"status": false
},
"signature": "rsa_sha256_pss:...",
"time": 1700814415.112776,
"version": "privacyIDEA 3.6.2"
}
[24-11-2023 09:26:55] [JsonParser.cpp:225] JsonParser::ParseResponseForOfflineData
[24-11-2023 09:26:55] [JsonParser.cpp:53] JsonParser::ParsePIResponse
[24-11-2023 09:26:55] [JsonParser.cpp:31] value was expected to be bool, but was not.
[24-11-2023 09:26:55] [JsonParser.cpp:17] message was expected to be string, but was not.
[24-11-2023 09:26:55] [CCredential.cpp:957] Authentication complete: false
[24-11-2023 09:26:55] [CCredential.cpp:958] Connect - END
[24-11-2023 09:26:55] [CCredential.cpp:606] CCredential::GetSerialization
[24-11-2023 09:26:55] [Utilities.cpp:330] SetScenario: SECOND_STEP
[24-11-2023 09:26:55] [Utilities.cpp:494] Utilities::SetFieldStatePairBatch
[24-11-2023 09:26:55] [CCredential.cpp:744] CPGSR_NO_CREDENTIAL_NOT_FINISHED
[24-11-2023 09:26:55] [CCredential.cpp:750] CCredential::GetSerialization - END

In my opinion the CP has to strip @domain.local from the entered username, as it does when the username is in down-level notation (domain\user).
In fact, in the OTP request screen the CP asks for the OTP for user@[email protected].

Thank you.


nilsbehlen commented on June 12, 2024

It should do that if send_upn is disabled. I will look into it.


mdelazza commented on June 12, 2024

Thank you.


nilsbehlen commented on June 12, 2024

I could reproduce the situation but not the problem; my privacyIDEA can resolve the user@domain.
However, the behavior of the CP in this situation is not correct. You started the RDP connection with user@domain+password, right?
That is why we get
[24-11-2023 09:26:54] [CCredential.cpp:109] Username from provider: [email protected]
[24-11-2023 09:26:54] [CCredential.cpp:110] Domain from provider: DOMAIN.LOCAL
If you start the RDP connection with domain.local\user, it will work correctly. I'm not sure if this is Windows not splitting the @ when transmitting the credentials to the target machine, or if our filter is expected to do that. Anyway, it will be fixed, but it will take some time before a new release of the CP is ready, because we will also implement #109 for the next version.

You can try to make it work in the meantime by setting a realm (or even a mapping) in the CP config. Also, in privacyIDEA, check that System -> Config (-> System Config on the right) -> 1st entry: "Use @ to split user and realm" is set. This way privacyIDEA will split the user input and then overwrite the realm from the split with the realm that was sent as a parameter of the request (I think that is how it works).


mdelazza commented on June 12, 2024

Yes, I'm using user@domain+password. I'll try what you suggest. Thank you for your support.


nilsbehlen commented on June 12, 2024

Sure, let me know how it goes.


mdelazza commented on June 12, 2024

Unfortunately we are already using "Use @ to split user and realm", and using a default realm or a mapping realm in the CP configuration makes no difference. I always get the same result.
Thank you very much and have a nice weekend.


nilsbehlen commented on June 12, 2024

Fixed in 3.5.0 by checking if the username from the provider is in UPN form and, if so, splitting it and using that.

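To illustrate the username handling discussed in this thread (the stripping mdelazza asks for, and the UPN check the maintainer describes for 3.5.0), the following is an added example written for this page; it is not the credential provider's own source. The names LoginName, IsUpn, NormalizeLoginName and UserParameter are hypothetical, and the inputs in main() are constructed to mirror the "Username from provider" / "Domain from provider" log lines above.

```cpp
#include <iostream>
#include <string>

// Hypothetical helpers (not the project's code): split what the Windows
// credential provider hands over into the user and domain parts that go into
// the /validate/check request, regardless of which notation the user typed.
struct LoginName {
    std::string user;    // bare account name sent to privacyIDEA
    std::string domain;  // domain / realm part, may be empty
};

// A UPN has exactly one '@' with non-empty text on both sides. A value with
// two '@' signs (like the "user@domain.local@domain.local" shown on the OTP
// screen in this thread) is not a UPN and must not be split further.
bool IsUpn(const std::string& name) {
    const auto at = name.find('@');
    return at != std::string::npos && at > 0 && at + 1 < name.size() &&
           name.find('@', at + 1) == std::string::npos;
}

// Derive user and domain from the provider's username and domain fields.
// Down-level notation (DOMAIN\user) is handled first, then a UPN is split at
// its '@'; otherwise the separate domain field is used as-is.
LoginName NormalizeLoginName(const std::string& providerUser,
                             const std::string& providerDomain) {
    const auto bs = providerUser.find('\\');
    if (bs != std::string::npos) {
        return {providerUser.substr(bs + 1), providerUser.substr(0, bs)};
    }
    if (IsUpn(providerUser)) {
        const auto at = providerUser.find('@');
        return {providerUser.substr(0, at), providerUser.substr(at + 1)};
    }
    return {providerUser, providerDomain};
}

// Value of the `user` request parameter. With send_upn enabled the user is sent
// as user@domain; without it only the bare user part goes out, which is what a
// realm that knows only "user" needs in order to resolve the account.
std::string UserParameter(const LoginName& n, bool sendUpn) {
    if (sendUpn && !n.domain.empty()) {
        return n.user + "@" + n.domain;
    }
    return n.user;
}

int main() {
    // Constructed inputs, modelled on the two notations in the thread.
    const LoginName upn = NormalizeLoginName("user@domain.local", "DOMAIN.LOCAL");
    const LoginName downLevel = NormalizeLoginName("DOMAIN\\user", "");
    std::cout << "UPN input     -> user=" << UserParameter(upn, false)
              << " domain=" << upn.domain << '\n';
    std::cout << "down-level    -> user=" << UserParameter(downLevel, false)
              << " domain=" << downLevel.domain << '\n';
    std::cout << "send_upn=true -> user=" << UserParameter(upn, true) << '\n';
    return 0;
}
```

Without the IsUpn branch the UPN input would reach privacyIDEA as user@domain.local, which is exactly the user=user%40domain.local request and the ERR904 response in the logs above. The server-side "Use @ to split user and realm" setting the maintainer mentions is a separate mechanism and is not modelled here.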

mdelazza commented on June 12, 2024

Thank you very much.

