
multiOTP sync users from AD

edited May 19 in General
Hello All,

The task is to check whether it is possible to use multiOTP for additional authorization in a forest consisting of dozens of domains: for authorization on RDS servers, and for additional authorization on a PC of users who have domain admin rights.

My first step is simply to configure MultiOTP in the test domain on the server with AD DS role and the client PC for the Test User from the AD.

My test environment:
1) Windows Server 2012R2 with all updates; has the AD DS role and DNS role (Primary Domain Controller)
AV-VDC1.test.com ip 10.0.0.11

2) Windows 10 with all updates, joined to the domain test.com
AV-PC.test.com ip 10.0.0.12

3) On the server I created about 11 domain users in OU=@otp and in the built-in Users container. I also created the user MFA with domain admin rights.

On the server 10.0.0.11, I run webservice_install.bat as administrator and get the GUI on http://localhost:8112; it works fine.

Step 1:
Downloaded multiotp_5.0.3.7.zip and extracted it to c:\multiotp on both machines.

On the server 10.0.0.11 I run the following commands for configuration:

multiotp -config default-request-prefix-pin=1
multiotp -config default-request-ldap-pwd=1
multiotp -config ldap-server-type=1
multiotp -config ldap-cn-identifier="sAMAccountName"
multiotp -config ldap-group-cn-identifier="sAMAccountName"
multiotp -config ldap-group-attribute="memberOf"
multiotp -config ldap-ssl=0
multiotp -config ldap-port=389
multiotp -config ldap-domain-controllers=test.com,ldaps://10.0.0.11:389
multiotp -config ldap-base-dn="DC=test,DC=com"
multiotp -config ldap-bind-dn="CN=mfa,OU=@otp,DC=test,DC=com"
multiotp -config ldap-server-password="PWD"
multiotp -config ldap-in-group="@otp,users"
multiotp -config ldap-network-timeout=10
multiotp -config ldap-time-limit=30
multiotp -config ldap-activated=1

Then I run:
multiotp -debug -display-log -ldap-users-sync
Requested operation successfully done
11 users were added.

In the Web GUI I got the list of users (11 users)...
Then I clicked print on a user and scanned the QR code printed below; the user was added to Google Authenticator.
Then I tried Check a user
and got: Test result: failed (99 ERROR: Authentication failed (and other possible unknown errors))
I could not find any further information on what to check next!

Comments

  • Hello Evgenyte,
    What did you type as the password for this user?
    Based on your configuration (default-request-prefix-pin=1 and default-request-ldap-pwd=1), the password of the user should be: [AD password] + [token displayed on Google Authenticator]
    Thanks in advance for your feedback,
    Best regards,
    Andre
  • edited May 19
    Hi, AndreL

    Yes, I type my domain password + the Google Authenticator token, for example: PWD123456

    Debug:
    multiotp.exe -debug -display-log -log MyUser PWD123456

    LOG 2017-05-19 15:08:22 debug System Debug: *LDAP cache folder value: C:\Users\MyUser\AppData\Local\Temp\.ldap_cache/

    LOG 2017-05-19 15:08:22 warning (user MyUser) User Error: authentication failed for user MyUser

    LOG 2017-05-19 15:08:22 warning (user MyUser) User Info: *(authentication typed by the user: 123456)

    99 *ERROR: Authentication failed (and other possible unknown errors)

    Can you advise how to change the configuration for the simplest possible test?

  • Hello Evgenyte,
    We have done a test with the same server: Windows Server 2012R2 with All Updates, Has AD DS role, DNS role. (Primary Domain Controller).
    Could you please check with the version 5.0.4.8 which is available for download on http://download.multiotp.net/ ? (the 5.0.4.8 version is released with an embedded PHP 7.x)
    If it still does not work, check the users\MyUser.db file (with a text editor), and check to be sure that both request_ldap_pwd=1 and request_prefix_pin=1.
    Regards,
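The last reply asks for a manual check of the per-user .db file for request_ldap_pwd=1 and request_prefix_pin=1, and the first reply states how the login string is built ([AD password] + [token]). The following script is an added example written for this thread; it is not part of multiOTP and not code from the forum participants. It assumes the user .db file is a plain text file with one key=value setting per line (the sample below is constructed, not a real export), that the token length is given by a number_of_digits setting defaulting to 6, and that the token is the trailing part of what the user types. It reports which of the two flags are missing or wrong and shows how a typed credential such as PWD123456 is expected to split into the AD password and the OTP.

```python
"""Check a multiOTP user .db file for the two flags named in the thread
and show how the typed credential splits into [AD password] + [token].

Added example for this thread. Assumptions (not confirmed by the page):
  * the user .db file holds one `key=value` per line, `;` starts a comment;
  * the OTP length comes from `number_of_digits` (default 6);
  * with request_ldap_pwd=1 and request_prefix_pin=1 the token is the
    trailing `number_of_digits` characters of what the user types.
"""
from pathlib import Path

# Constructed sample modelled on a key=value user file. It deliberately has
# request_prefix_pin=0 so the check below has something to report.
SAMPLE_USER_DB = """multiotp-database-format-v3
; constructed sample user file, not a real multiOTP export
user=MyUser
algorithm=totp
number_of_digits=6
request_ldap_pwd=1
request_prefix_pin=0
"""

# The two settings Andre asks the poster to verify, with the expected value.
REQUIRED_FLAGS = {"request_ldap_pwd": "1", "request_prefix_pin": "1"}


def parse_user_db(text):
    """Parse key=value lines into a dict; blank, comment and header lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def check_flags(settings, required=REQUIRED_FLAGS):
    """Return {flag: (expected, actual)} for every required flag that is absent or wrong.

    An empty dict means the file already matches what the reply asks for.
    """
    problems = {}
    for key, expected in required.items():
        actual = settings.get(key)
        if actual != expected:
            problems[key] = (expected, actual)
    return problems


def split_credential(typed, settings=None):
    """Split a typed credential into (ad_password, otp) per the thread's rule.

    Assumption: the token is the last `number_of_digits` characters (default 6).
    Returns None when the input is too short to contain a password plus a token,
    which is the case a user hits when typing only the 6-digit token.
    """
    digits = int((settings or {}).get("number_of_digits", "6"))
    if len(typed) <= digits or not typed[-digits:].isdigit():
        return None
    return typed[:-digits], typed[-digits:]


def check_user_file(path):
    """Read a user .db file from disk and return its flag problems."""
    return check_flags(parse_user_db(Path(path).read_text(encoding="utf-8")))


if __name__ == "__main__":
    cfg = parse_user_db(SAMPLE_USER_DB)
    for flag, (want, got) in check_flags(cfg).items():
        print(f"{flag}: expected {want}, found {got}")
    print("PWD123456 splits into", split_credential("PWD123456", cfg))
    print("123456 alone splits into", split_credential("123456", cfg))
```

Run it against a real file with check_user_file(r"c:\multiotp\users\MyUser.db") (path as used in the thread) to see which flag, if any, needs to be set before retrying the check; a credential that split_credential rejects is one that cannot satisfy the [AD password] + [token] rule regardless of the flags.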