Comments (13)
hi,
which authentication? windows or privacyidea?
from privacyidea-credential-provider.
ideally post a log
You're right, I didn't put it into context. I configured the credential provider with two_step_hide_otp, so initially I authenticate to Windows without any problem, using both notations user@domain.local and domain\user. The problem arises when using UPN notation: when the credential provider asks for the OTP, it does not strip the domain @domain.local from the username, so the provider searches for user@[email protected] in the privacyIDEA realm.
using upn notation:
[23-11-2023 13:30:13] [PrivacyIDEA.cpp:97] PrivacyIDEA::ValidateCheck
[23-11-2023 13:30:13] [Endpoint.cpp:165] Endpoint::SendRequest to /validate/check
[23-11-2023 13:30:13] [Endpoint.cpp:72] Request parameters:
[23-11-2023 13:30:13] [Endpoint.cpp:80] pass=****
[23-11-2023 13:30:13] [Endpoint.cpp:80] user=user%40domain.local
[23-11-2023 13:30:13] [Endpoint.cpp:368] {
"detail": null,
"id": 1,
"jsonrpc": "2.0",
"result": {
"error": {
"code": 904,
"message": "ERR904: The user can not be found in any resolver in this realm!"
},
"status": false
},
"signature": "rsa_sha256_pss:...",
"time": 1700742614.0799088,
"version": "privacyIDEA 3.6.2"
}
using Down-Level notation
[23-11-2023 13:41:39] [PrivacyIDEA.cpp:97] PrivacyIDEA::ValidateCheck
[23-11-2023 13:41:39] [Endpoint.cpp:165] Endpoint::SendRequest to /validate/check
[23-11-2023 13:41:39] [Endpoint.cpp:72] Request parameters:
[23-11-2023 13:41:39] [Endpoint.cpp:80] pass=****
[23-11-2023 13:41:39] [Endpoint.cpp:80] user=user
[23-11-2023 13:41:41] [Endpoint.cpp:368] {
"detail": {
"message": "wrong otp value",
"otplen": 44,
"serial": "UBAM00097003",
"threadid": 140672146937664,
"type": "yubikey"
},
"id": 1,
"jsonrpc": "2.0",
"result": {
"status": true,
"value": false
},
"signature": "rsa_sha256_pss:...",
"time": 1700743301.4352405,
"version": "privacyIDEA 3.6.2",
"versionnumber": "3.6.2"
}
thank you
Your username+password is not validated directly after you enter it; you are just asked for it first. The validation happens after the OTP, because if the CP submits user+pw(+domain) to Windows and it's correct, the authentication is ended. But that's not the problem here.
Did you enable send_upn in the CP?
You can also see how the inputs are processed further up in the log.
Hi, with send_upn the problem remains the same. The logs I copied were taken before the OTP submission. The log says that there is no username user@domain.local in the realm (correct), because only the username user exists in the realm. Following is a complete log before OTP insertion, using user@domain.local as the username:
[24-11-2023 09:26:54] [CCredentialProviderFilter.cpp:40] CSample_CreateInstance - FILTER START
[24-11-2023 09:26:54] [CCredentialProviderFilter.cpp:141] CCredentialProviderFilter::CCredentialProviderFilter
[24-11-2023 09:26:54] [CCredentialProviderFilter.cpp:155] CCredentialProviderFilter::UpdateRemoteCredential
[24-11-2023 09:26:54] [CCredentialProviderFilter.cpp:62] CCredentialProviderFilter::Filter CPUS_UNLOCK_WORKSTATION
[24-11-2023 09:26:54] [Shared.cpp:30] Shared::IsRequiredForScenario
[24-11-2023 09:26:54] [Shared.cpp:138] Session is remote
[24-11-2023 09:26:54] [Shared.cpp:66] Checking for Filter, CPUS_UNLOCK_WORKSTATION, remote, entry=0e
[24-11-2023 09:26:54] [CProvider.cpp:82] CProvider::SetUsageScenario: CPUS_UNLOCK_WORKSTATION - AUTHENTICATION START
[24-11-2023 09:26:54] [Configuration.cpp:144] -----------------------------
[24-11-2023 09:26:54] [Configuration.cpp:145] CP Version: 3.4.0
[24-11-2023 09:26:54] [Configuration.cpp:147] Windows Version: 10.0.19045
[24-11-2023 09:26:54] [Configuration.cpp:148] ------- Configuration -------
[24-11-2023 09:26:54] [Configuration.cpp:149] Hostname: pi.domain.local
[24-11-2023 09:26:54] [Configuration.cpp:138] Login text: privacyIDEA Login
[24-11-2023 09:26:54] [Configuration.cpp:138] OTP failure text: Wrong One-Time Password!
[24-11-2023 09:26:54] [Configuration.cpp:162] Hide domain/full name: false/false
[24-11-2023 09:26:54] [Configuration.cpp:163] SSL ignore unknown CA/invalid CN: true/true
[24-11-2023 09:26:54] [Configuration.cpp:166] 2step enabled/send empty/domain password: true/false/true
[24-11-2023 09:26:54] [Configuration.cpp:167] Debug Log: true
[24-11-2023 09:26:54] [Configuration.cpp:168] Log sensitive data: false
[24-11-2023 09:26:54] [Configuration.cpp:169] No default: false
[24-11-2023 09:26:54] [Configuration.cpp:170] Show domain hint: false
[24-11-2023 09:26:54] [Configuration.cpp:125] Send UPN: 1
[24-11-2023 09:26:54] [Configuration.cpp:125] Offline refill threshold: 0
[24-11-2023 09:26:54] [Configuration.cpp:189] -----------------------------
[24-11-2023 09:26:54] [Shared.cpp:30] Shared::IsRequiredForScenario
[24-11-2023 09:26:54] [Shared.cpp:138] Session is remote
[24-11-2023 09:26:54] [Shared.cpp:66] Checking for Provider, CPUS_UNLOCK_WORKSTATION, remote, entry=0e
[24-11-2023 09:26:54] [CProvider.cpp:120] SetUsageScenario result: 0x0
[24-11-2023 09:26:54] [CProvider.cpp:142] CProvider::SetSerialization
[24-11-2023 09:26:54] [CProvider.cpp:178] Serialization found from remote
[24-11-2023 09:26:54] [CProvider.cpp:214] SetSerialization result: 0x0
[24-11-2023 09:26:54] [CProvider.cpp:226] CProvider::Advise
[24-11-2023 09:26:54] [CProvider.cpp:345] CProvider::GetCredentialCount
[24-11-2023 09:26:54] [Shared.cpp:138] Session is remote
[24-11-2023 09:26:54] [CProvider.cpp:370] Setting AutoLogon to true
[24-11-2023 09:26:54] [CProvider.cpp:385] CProvider::GetCredentialAt
[24-11-2023 09:26:54] [CProvider.cpp:392] Checking if already serialized credentials are present
[24-11-2023 09:26:54] [CProvider.cpp:529] CProvider::_GetSerializedCredentials
[24-11-2023 09:26:54] [CProvider.cpp:450] Initializing CCredential
[24-11-2023 09:26:54] [CCredential.cpp:75] CCredential::Initialize
[24-11-2023 09:26:54] [CCredential.cpp:109] Username from provider: user@domain.local
[24-11-2023 09:26:54] [CCredential.cpp:110] Domain from provider: DOMAIN.LOCAL
[24-11-2023 09:26:54] [CCredential.cpp:148] Init result: 0x0
[24-11-2023 09:26:54] [CProvider.cpp:476] Returning interface to credential
[24-11-2023 09:26:54] [CProvider.cpp:499] GetCredentialAt result 0x0
[24-11-2023 09:26:54] [CProvider.cpp:267] CProvider::GetFieldDescriptorCount
[24-11-2023 09:26:54] [CCredential.cpp:333] CCredential::GetBitmapValue
[24-11-2023 09:26:54] [CCredential.cpp:380] (long) 0
[24-11-2023 09:26:54] [CCredential.cpp:394] CCredential::GetSubmitButtonValue
[24-11-2023 09:26:54] [CCredential.cpp:780] CCredential::Connect: CREDENTIAL SUBMITTED - step 1
[24-11-2023 09:26:54] [Utilities.cpp:641] Utilities::CopyInputsToConfig
[24-11-2023 09:26:54] [Utilities.cpp:733] Loading password from GUI, value:
[24-11-2023 09:26:54] [Utilities.cpp:746] [Hidden] has value
[24-11-2023 09:26:54] [Utilities.cpp:757] Loading OTP from GUI, from '' to ''
[24-11-2023 09:26:54] [CCredential.cpp:805] Matching user with excluded account: DOMAIN.LOCAL\administrator
[24-11-2023 09:26:54] [CCredential.cpp:843] 1st step: Sending windows pass
[24-11-2023 09:26:54] [PrivacyIDEA.cpp:97] PrivacyIDEA::ValidateCheck
[24-11-2023 09:26:54] [Endpoint.cpp:165] Endpoint::SendRequest to /validate/check
[24-11-2023 09:26:54] [Endpoint.cpp:72] Request parameters:
[24-11-2023 09:26:54] [Endpoint.cpp:84] pass parameter is not logged
[24-11-2023 09:26:54] [Endpoint.cpp:80] user=user%40domain.local
[24-11-2023 09:26:55] [Endpoint.cpp:368] {
"detail": null,
"id": 1,
"jsonrpc": "2.0",
"result": {
"error": {
"code": 904,
"message": "ERR904: The user can not be found in any resolver in this realm!"
},
"status": false
},
"signature": "rsa_sha256_pss:...",
"time": 1700814415.112776,
"version": "privacyIDEA 3.6.2"
}
[24-11-2023 09:26:55] [JsonParser.cpp:225] JsonParser::ParseResponseForOfflineData
[24-11-2023 09:26:55] [JsonParser.cpp:53] JsonParser::ParsePIResponse
[24-11-2023 09:26:55] [JsonParser.cpp:31] value was expected to be bool, but was not.
[24-11-2023 09:26:55] [JsonParser.cpp:17] message was expected to be string, but was not.
[24-11-2023 09:26:55] [CCredential.cpp:957] Authentication complete: false
[24-11-2023 09:26:55] [CCredential.cpp:958] Connect - END
[24-11-2023 09:26:55] [CCredential.cpp:606] CCredential::GetSerialization
[24-11-2023 09:26:55] [Utilities.cpp:330] SetScenario: SECOND_STEP
[24-11-2023 09:26:55] [Utilities.cpp:494] Utilities::SetFieldStatePairBatch
[24-11-2023 09:26:55] [CCredential.cpp:744] CPGSR_NO_CREDENTIAL_NOT_FINISHED
[24-11-2023 09:26:55] [CCredential.cpp:750] CCredential::GetSerialization - END
In my opinion the CP has to strip @domain.local from the inserted username, as it does when the username is in down-level notation (domain\user).
In fact, in the OTP request screen, the CP asks for the OTP for user@[email protected].
Thank you
It should do that if send_upn is disabled. I will look into it.
thank you
I could reproduce the situation but not the problem; my privacyIDEA can resolve the user@domain.
However, the behavior of the CP in this situation is not correct. You started the RDP connection with user@domain+password, right?
That is why we get
[24-11-2023 09:26:54] [CCredential.cpp:109] Username from provider: user@domain.local
[24-11-2023 09:26:54] [CCredential.cpp:110] Domain from provider: DOMAIN.LOCAL
If you start the RDP connection with domain.local\user, it will work correctly. I'm not sure if this is Windows not splitting the @ when transmitting the credentials to the target machine, or if our filter is expected to do that. Anyway, it will be fixed, but it will take some time before a new release of the CP is ready, because we will also implement #109 for the next version.
You can try to make it work in the meantime by setting a realm (or even a mapping) in the CP config. Also, in privacyIDEA, check that system->config(->system config on the right)-> 1st entry: "Use @ to split user and realm" is set. This way privacyIDEA will split the user input and then overwrite the realm from the split with the realm that was sent as a parameter of the request (I think that is how it works).
Yes, I'm using user@domain+password. I'll try what you suggest. Thank you for your support.
Sure, let me know how it goes.
Unfortunately we are already using "Use @ to split user and realm", and using a default realm or a mapping realm in the CP configuration makes no difference. I always get the same result.
Thank you very much and have a nice weekend
Fixed in 3.5.0 by checking if the username from the provider is in UPN format and, if so, splitting it and using that.
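The fix described above (detect a UPN-form username coming from the provider, split it, and send only the user part to /validate/check) can be illustrated with the following C++ snippet. This is an added example written for this thread, not code from the privacyidea-credential-provider project; the function and struct names are invented, and it handles the two forms that appear in the logs (user@domain.local and DOMAIN.LOCAL\user) plus a bare username.

```cpp
#include <iostream>
#include <string>

// Constructed illustration of the UPN / down-level normalisation the fix describes.
// Not the credential provider's own code; names are hypothetical.
struct SplitName {
    std::string user;
    std::string domain;   // empty when the input carried no domain part
};

// True when the name looks like a UPN (user@domain): exactly one '@', no backslash,
// and a non-empty part on each side. "user@domain.local@domain.local" is rejected.
bool isUpn(const std::string& name) {
    if (name.find('\\') != std::string::npos) return false;
    const auto at = name.find('@');
    if (at == std::string::npos || at == 0 || at + 1 >= name.size()) return false;
    return name.find('@', at + 1) == std::string::npos;
}

// Splits "user@domain" or "DOMAIN\user" into its parts; a bare username is
// returned unchanged with an empty domain.
SplitName splitUserName(const std::string& name) {
    if (isUpn(name)) {
        const auto at = name.find('@');
        return {name.substr(0, at), name.substr(at + 1)};
    }
    const auto bs = name.find('\\');
    if (bs != std::string::npos) {
        return {name.substr(bs + 1), name.substr(0, bs)};
    }
    return {name, ""};
}

// Value for the "user" request parameter: the bare user part, regardless of which
// notation the provider handed over. This is the behaviour the thread asks for, so
// that "user" is looked up in the realm instead of "user@domain.local".
std::string userParameter(const std::string& providerName) {
    return splitUserName(providerName).user;
}

int main() {
    // Constructed inputs mirroring the two notations from the logs above.
    for (const std::string n : {"user@domain.local", "DOMAIN.LOCAL\\user", "user"}) {
        const SplitName s = splitUserName(n);
        std::cout << n << " -> user=" << s.user << " domain=" << s.domain
                  << " request user=" << userParameter(n) << '\n';
    }
    return 0;
}
```

The check for a second '@' is what keeps an already-mangled name such as user@domain.local@domain.local from being treated as a valid UPN; in that case the function falls back to using the input as-is rather than guessing which part is the user.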
thank you very much