General — multiOTP open source forum

MSCHAP & MSCHAPv2 Always Error 99

Dustin — Thu, 16 Apr 2026 15:39:18 +0000

I am trying to use multiOTP for VPN authentication for macOS via FreeRADIUS in the multiOTP Docker image. Apparently macOS requires MSCHAPv2 and will NAK and cause FreeRADIUS to treat it as misbehaving unless MSCHAPv2 is configured as the default in the eap addon, but even if I change the config to default to MSCHAPv2, I still always get an error regardless of authentication configuration (LDAP Password + TOTP [presumably expected to fail], PIN + TOTP, TOTP Only), and the errors also lead to account lockout, implying that authentication was actually attempted. I am able to successfully authenticate using PAP and CHAP with the default eap addon configuration using diagnostic commands from a fortigate firewall, but MSCHAP and MSCHAPv2 both get rejected (error 99) from there as well. As such, I suspect this is the best point to troubleshoot from (keep macOS out of the equation initially). I might be confused because I don't remember following the instructions under https://github.com/multiOTP/multiotp/wiki/#configuring-multiotp-with-freeradius-3x-under-linux to make the changes, but when I step through the instructions, most of the changes seem to already be in place. Since they might be in place by default in newer versions, I am hesitant to make changes based on that section or the page it links to in case they could be incorrect/outdated. I also notice that the top of that section says "NT_KEY generation is also supported using the -request-nt-key option (like for ntlm_auth --request-nt-key option), which is needed in order to enable VPN (PPTP + MPPE) with MS-CHAP/MS-CHAPv2." But then step 3 proceeds to say -nt-key-only (it isn't obvious if I might need both and/or if they are interchangeable). Here is some lightly sanitized example output from the fortigate for reference: fortigate # diag test authserver radius multiOTP pap testuser 123456900680 authenticate 'testuser' against 'pap' succeeded, server=primary assigned_rad_session_id=74659676487683 session_timeout=0 secs idle_timeout=0 secs! fortigate # diag test authserver radius multiOTP chap testuser 123456398830 authenticate 'testuser' against 'chap' succeeded, server=primary assigned_rad_session_id=74659676487684 session_timeout=0 secs idle_timeout=0 secs! fortigate # diag test authserver radius multiOTP mschap testuser 123456898101 authenticate 'testuser' against 'mschap' failed, assigned_rad_session_id=74659676487685 session_timeout=0 secs idle_timeout=0 secs! fortigate # diag test authserver radius multiOTP mschap2 testuser 123456819895 authenticate 'testuser' against 'mschap2' failed, assigned_rad_session_id=74659676487686 session_timeout=0 secs idle_timeout=0 secs! Here are the lightly sanitized logs for those tests: notice testuser User OK: User testuser successfully logged in with TOTP token 0 26d5455e1eb9 172.24.0.1 notice testuser User Info: User testuser successfully logged in using an external server from [] for 0.0.0.0 0 26d5455e1eb9 notice testuser User OK: User testuser successfully logged in with TOTP token 0 26d5455e1eb9 172.24.0.1 notice testuser User Info: User testuser successfully logged in using an external server from [] for 0.0.0.0 0 26d5455e1eb9 warning testuser User Error: authentication failed for user testuser 0 26d5455e1eb9 172.24.0.1 warning testuser User Error: authentication failed for user testuser (same token replayed) 0 26d5455e1eb9 172.24.0.1 When I debug, I see this for MSCHAP: multiotp 5.10.2.2 Your script is running from /usr/local/bin/multiotp/ debug CredentialProviderRequest Info: *Value for IsCredentialProviderRequest: 0 26d5455e1eb9 172.24.0.1 debug Server-Client Info: *CheckUserExists server request for testuser with challenge MOSH93eb750295d8479422eb88d3985ab89c 0 26d5455e1eb9 172.24.0.1 debug Server-Client Info: *CheckUserExists intermediate error code: 22 0 26d5455e1eb9 172.24.0.1 ======================================== multiotp 5.10.2.2 Your script is running from /usr/local/bin/multiotp/ debug CredentialProviderRequest Info: *Value for IsCredentialProviderRequest: 0 26d5455e1eb9 172.24.0.1 debug Server-Client Info: *ReadUserData server request for testuser 0 26d5455e1eb9 172.24.0.1 info Debug Debug: *CheckToken intermediate result (totp) 19578, push_trial: -1 result: 99 0 26d5455e1eb9 172.24.0.1 warning testuser User Error: authentication failed for user testuser 0 26d5455e1eb9 172.24.0.1 warning testuser Debug Debug: *authentication typed by the user is CHAP encrypted 0 26d5455e1eb9 172.24.0.1 info Debug Debug: *CheckToken intermediate result 19880, result: 99 0 26d5455e1eb9 172.24.0.1 However, I see this for MSCHAPv2 (even though I do not submit the token more than once): multiotp 5.10.2.2 Your script is running from /usr/local/bin/multiotp/ debug CredentialProviderRequest Info: *Value for IsCredentialProviderRequest: 0 26d5455e1eb9 172.24.0.1 debug Server-Client Info: *CheckUserExists server request for testuser with challenge MOSHb541faaea333a29de711d14ab4167525 0 26d5455e1eb9 172.24.0.1 debug Server-Client Info: *CheckUserExists intermediate error code: 22 0 26d5455e1eb9 172.24.0.1 ======================================== multiotp 5.10.2.2 Your script is running from /usr/local/bin/multiotp/ debug CredentialProviderRequest Info: *Value for IsCredentialProviderRequest: 0 26d5455e1eb9 172.24.0.1 debug Server-Client Info: *ReadUserData server request for testuser 0 26d5455e1eb9 172.24.0.1 info Debug Debug: *CheckToken intermediate result (totp) 19578, push_trial: -1 result: 99 0 26d5455e1eb9 172.24.0.1 warning testuser User Error: authentication failed for user testuser (same token replayed) 0 26d5455e1eb9 172.24.0.1 warning testuser Debug Debug: *authentication typed by the user is CHAP encrypted 0 26d5455e1eb9 172.24.0.1 info Debug Debug: *CheckToken intermediate result 19880, result: 99 0 26d5455e1eb9 172.24.0.1 Both also have this matching (lightly sanitized) bit following the bits above: multiotp 5.10.2.2 Your script is running from /usr/local/bin/multiotp/ info Debug Debug: *CheckToken intermediate result 19891, result: 99 from [] for 0.0.0.0 0 26d5455e1eb9 debug Debug Debug: *99 ERROR: Authentication failed (and other possible unknown errors) from [] for 0.0.0.0 0 26d5455e1eb9 debug Debug Debug: *Attributes sent to the RADIUS server: Reply-Message := "ERROR: Authentication failed (and other possible unknown errors)" from [] for 0.0.0.0 0 26d5455e1eb9 A bit more testing shows that the replayed error was caused by changing -nt-key-only to -request-nt-key in /etc/freeradius/3.0/mods-available/multiotpmschap and reverting that causes MSCHAPv2 to behave the same way as MSCHAPv1. Also, in case it could be relevant, after getting the error with MSCHAPv2, I can go to the webUI and successfully use the same token that didn't work with MSCHAPv2. I'm not sure how to proceed from here.

How to upgrade Docker multiOTP Open Source

Physalis — Thu, 02 Apr 2026 08:19:36 +0000

Hello everyone, I'm posting on the forum to ask for an explanation, or a step-by-step guide, if anyone has successfully updated their Docker version. It's currently at version 5.10.1.5, and an update is available as a zip file for 5.10.2.1. I tried copying the files from the Docker image to /usr/local/bin/multiotp, but nothing updates. I also tried copying the files to the /var/lib/docker/rootfs/overlayfs/bb315dd65a05af7a78c15b39df281342b696f292dd3f44cef904d3944b94837f/usr/local/bin/multiotp/ directory, but again, nothing happens. The web interface remains constantly on 5.10.1.5. As soon as Docker is restarted, everything disappears and it reverts to the base 5.10.1.5 image. What steps should I take, or should I wait for the Docker image to be updated to 5.10.2.1? Thank you in advance for any information you can provide. Eric

Error starting Docker container: /boot/newvm.sh not found

spacefly2020 — Thu, 28 Aug 2025 08:52:12 +0000

Hello! Error starting Docker container: /bin/sh: 1: /boot/newvm.sh: not found Tried on Linux distributions Debian-12 and Centos-8. I installed docker according to the documentation: https://docs.docker.com/engine/install/debian/ https://docs.docker.com/engine/install/centos/ Multiotp version 5.9.9.1 (similar error in versions 5.9.8.3 and 5.9.7.1) I build the image from the Dockerfile: docker build -t multiotp/multiotp-open-source:latest . The docker-image was build without errors. Check status image: #docker images REPOSITORY TAG IMAGE ID CREATED SIZE multiotp/multiotp-open-source latest d3c7e416572e 2 hours ago 982MB I created a shell script named ~/multiotp_docker.sh (see below): #!/bin/bash volume="/docker/multiotp" mkdir -p $volume docker run --name multiotp \ -v $volume/data:/etc/multiotp \ -v $volume/freeradius/config:/etc/freeradius \ -v $volume/multiotp/log:/var/log/multiotp \ -v $volume/freeradius/log:/var/log/freeradius \ -p 8080:80 \ -p 8443:443 \ -p 1812:1812/udp \ -p 1813:1813/udp \ -d multiotp/multiotp-open-source OK. Now run (from "root" account) this bash-script: chmod +x ~/multiotp_docker.sh && ~/multiotp_docker.sh Check status container: # docker ps -a CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 3d1db2e0684b multiotp/multiotp-open-source "/bin/sh -c '/boot/n…" 42 hours ago Exited (127) 42 hours ago multiotp Check log status of container: #docker logs multiotp /bin/sh: 1: /boot/newvm.sh: not found Thank you for your help. Best regards, Serge

Using multiOTP CredentialProvider with existing Radius

steins — Mon, 18 Aug 2025 07:19:10 +0000

I would like to integrate the multiOTP CredentialProvider with my existing OTP system. In my current environment, I utilize PricvacyIdea for two-factor authentication on other systems. Is it possible to connect the multiOTP CredentialProvider with this existing authorization source?

Install and use

Alex — Wed, 23 Apr 2025 14:59:36 +0000

Hi. My question is I can't find a multitop installation on Linux. I use Debian. And the second question is it possible to use multitop for VPN. VPN(L2TP)+Freeradius+multiotp+LDAP(AD). Sending the password from the client via mschapv2

AD users of child domains are not synchronized

Andrew — Tue, 11 Feb 2025 12:28:54 +0000

Good day.

The service is deployed on the MS hypervisor image multiOTP-open-source-hyperv-5.9.0.3. Updated to version 5.9.9.1 .

Synchronization is configured with the AD main domain zao-agrokomplex.ru. Everything works fine. Clients are synchronized. Users log in to RDP and locally with 2FA. Everything works fine.

But the problem is that there are subdomains RTL.zao-agrokomplex.ru and BRCH.zao-agrokomplex.ru. And users are not synchronized from these child domains.

I tried adding them to one common universal security group of the parent domain. There are no new users during synchronization. I also tried specifying security groups of child domains. The problem with synchronization is still there are no new users.

I specified child DN addresses in "ldap_users_dn". Also to no avail. The logs only show this:

info LDAP Info: No update for the 19 LDAP synced users, based on 22 LDAP entries (processed in 00:00:32)

Please tell me how to correctly configure multiOTP in a Multi-Domain environment?

Here is the multitop.ini setting

 ./multiotp.php -config multiple-groups=1
encryption_hash= XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
log=1
actual_version=5.9.9.1
admin_password_hash:=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
anonymous_stat=1
anonymous_stat_last_update=1739180575
anonymous_stat_random_id=bf1a00eccdad7abc033240359cda6ba160263447
attributes_to_encrypt=
auto_resync=1
backend_encoding=UTF-8
backend_type=files
backend_type_validated=0
cache_data=0
cache_ldap_hash=1
case_sensitive_users=0
challenge_response_enabled=0
clear_otp_attribute=
console_authentication=0
create_host=multiotp
create_time=1739180574
debug=0
default_algorithm=totp
default _dialin_ip_mask=
default_user_group=
default_request_ldap_pwd=0
default_request_prefix_pin=0
demo_mode=0
developer_mode=0
display_log=0
domain_name=
email_admin_address=
email_code_allowed=0
email_code_timeout=600
email_digits=6
encode_file_id=0
encryption_key_full_path=
failure_delayed_time=300
group_attribute=Filter-Id
hash_salt_full_path=
issuer=multiOTP
language=en
last_failed_white_delay=60
last_sync_update=0
las t_sync_update_host=
last_update=1739257821
last_update_host=multiotp
ldap_expired_password_valid=1
ldap_account_suffix=@zao-agrokomplex.ru
ldap_activated=1
ldap_base_dn=DC=zao-agrokomplex,DC=ru
ldap_bind_dn=2FA-srv-motp
ldap_cache_folder=
ldap_cache_on=1
ldap_cn_identifier=sAMAccountName
ldap_default_algorithm=totp
ldap_domain_controllers=srv-dc01.zao-agrokomplex.ru,ldaps://10.10.10.10:636
ldap_group_attribute=memberO f
ldap_group_cn_identifier=sAMAccountName
ldap_users_dn=DC=zao-agrokomplex,DC=ru;DC=RTL,DC=zao-agrokomplex,DC=ru;DC=BRCH,DC=zao-agrokomplex,DC=ru
ldap_hash_cache_time=604800
ldap_in_group=gr-agr-2FA-mOTP,RETAIL-2FA-mOTP
ldap_language_attribute=preferredLanguage
ldap_network_timeout=60
ldap_port=636
ldap_recursive_cache_only=0
ldap_recursive_groups=3
ldap_server_password:=xxxxxxxxxxxxxxxxxxxxxxxxxxxx
ldap_server_type=1
ldap_ssl=1
ldap_synced_user_attribute=
ldap_time_limit=600
ldaptls_reqcert=
ldaptls_cipher_suite=
max_block_failures=6
max_delayed_failures=3
max_event_resync_window=10000
max_event_window=100
max_time_resync_window=90000
max_time_window=600
multiple_groups=0
ntp_server=10.0.200.80
overwrite_request_ldap_pwd=1
radius_error_reply_message=1
radius_reply_attributor= +=
radius_reply_separator_hex=2c
radius_tag_prefix=
scratch_passwords_digits=6
scratch_passwords_amount=10
self_registration=1
server_cache_level=1
server_cache_lifetime=15552000
server_secret:=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
server_timeout=10
server_type=
server_url=
sms_api_id:=
sms_basic_auth=0
sms_code_allowed=1
sms_content_encoding=
sms_content_success=
sms_digits= 6
sms_encoding=
sms_header=
sms_international_format=0
sms_ip=
sms_message_prefix=
sms_method=
sms_no_double_zero=0
sms_originator=multiOTP
sms_password:=
sms_port=
sms_provider=
sms_send_template=
sms_status_success=
sms_timeout=180
sms_url=
sms_userkey:=
smtp_auth=0
smtp_password:=
smtp_port=25
smtp_sender=
smtp_sender_name=
smtp_server=
smtp_ssl=0
smtp_username=
sql_ser ver=
sql_username=
sql_password:=
sql_database=
sql_schema=
sql_config_table=multiotp_config
sql_cache_table=multiotp_cache
sql_ddns_table=multiotp_ddns
sql_devices_table=multiotp_devices
sql_groups_table=multiotp_groups
sql_log_table=multiotp_log
sql_stat_table=multiotp_stat
sql_tokens_table=multiotp_tokens
sql_users_table=multiotp_users
sync_delete_retention_days=30
sysl og_facility=7
syslog_level=5
syslog_port=514
syslog_server=
tel_default_country_code=
timezone=Europe/Zurich
token_serial_number_length=12
token_otp_list_of_length=6
verbose_log_prefix=
sms_challenge_enabled=0
text_sms_challenge=
text_token_challenge=
default_2fa_digits=6
default_pin_digits=4
ignore_no_prefix_cp=0
ldap_filter=
ldap_without2fa_in_group=
log_forced_in_file=0

MultiOTP Credential Provider - Stuck at Other User

abdulaleem — Tue, 07 Jan 2025 16:14:36 +0000

I have implemented multiotp credential provider (5.9.8.0) on windows server 2016 for RDP login. Normally, Its working OK but when a user is set to change password, then credential provider brings the password change prompt and the password is changed successfully but after that instead of initiating login processes, login screen gets stuck displaying "Other User" and nothing happens.

.ova and NIC types

adb100 — Wed, 21 Aug 2024 11:43:18 +0000

I've just replaced a couple of older ova-built VMs that I've been meaning to for a while as Stretch is EoL and I didn't have any success changing the repo on the VM. Anyway, that's all now complete and I've built two new VMs from the 5.9.0.1 .ova, upgraded to the current 5.9.7.1 release and restored all the configuration and OS customisations and scripts. One thing I typically do with most VMs built from .ova's is if they have E1000 vNICs, is to replace them with VMXNET3 vNICs. What are the implications of this with the .ova built VMs?

Join this forum

adminf — Tue, 20 Aug 2024 15:40:55 +0000

If you want to subscribe to this forum, send us an email to forum - at - multiotp - dot - net and we will send you back an invitation.

QR code generation

Armaggedon — Mon, 12 Aug 2024 09:54:38 +0000

Hello,
How can users can get their token provisioning QR code without admin intervention? So far I've only been able to reach it by login on the web as admin and clicking "Print" for each of them.
Many thanks!

Web

barfly — Mon, 22 Jul 2024 06:28:40 +0000

Hello. MultiOTP is installed on windows 10 system. In the morning, when a large number of employees log in, the service stops working; I only find out about this when checking the WEB interface or when employees contact me. Multiotp services continue to work. How to fix the situation with the service crash?

Authentication failed (wrong token length)

dozza — Thu, 23 May 2024 15:33:00 +0000

I have the multiOTP HyperV appliance v5.9.0.3 and multiOTPCredentialProvider v5.9.7.1. Using this to prompt for 6 digit MFA code when a person connects via Remote Desktop to a Windows Server. The multiOTP appliance pulls members of the "2FAUsers" AD user group to create the user accounts and QR codes. This works well for a few weeks, then suddenly stops working. This is my third start-over attempt and each time the problem reoccurs. The user supplies their username, then password, then 6 digit OTP at RDP logon, then after a pause the error "Wrong One Time PIN" is returned. If I run "multiotp -display-log -debug auser", I see the error "authentication typed by the user is 13 chars long instead of 6 chars" and "Authentication failed (wrong token length)". I am only typing in a 6 digit code when prompted, so I am puzzled where the additional 7 characters are coming from. Any ideas to steer me towards a resolution?

Hardware token

dreamscape — Thu, 02 May 2024 09:20:41 +0000

Sorry quick question, if most of my AD sync'ed users are using MS Authenticator for TOTP, can i have one users which uses a hardware token, i.e. Feitian c200 for example?

connecting with RDS2022

fishtail — Mon, 25 Mar 2024 14:59:48 +0000

Hi, a newbie here. I have multiOTP running on docker. The credential provider is installed on the RD Host. When I tried to use it on RDS, it failed with "wrong one-time password" I can't find documentation (apologize if overlooked) regarding to 'ddns' folder. Here's what the log showed: 2024-03-18 03:00:59 warning System Error: Unable to create the missing devices folder /etc/multiotp/ddns/ 0 842c98edad03 2024-03-18 03:01:18 warning System Error: Unable to create the missing devices folder /etc/multiotp/ddns/ 0 842c98edad03 2024-03-18 03:01:18 notice XXX User OK: User XXX successfully logged in with TOTP token 0 842c98edad03 I have removed myself from the designated Windows AD group and tried RDP again, it still asks for 2FA code. I powered off the docker container, it still asks for 2FA code. I finally uninstalled Credential Provider from RD Host in order for me to get back in to my remote desktop Everything is on-prem. Any thoughts/suggestoins is greatly appreciated.

Auhtenticator app is picking up Description of the user from AD

os_jonsson — Tue, 02 Jan 2024 07:39:51 +0000

Hi! In the authenticator app it displays the description of the user from the AD. I would like it to display the username instead but haven't found anything regarding this in the documentation. Is it possible to change? //Oscar

5.9.7.1 issue

dreamscape — Mon, 04 Dec 2023 09:00:24 +0000

Morning All, I've upgraded to 5.9.7.1 to test the new pin functionally (thanks for adding this btw) but unfortunately it no longer works for me? I cannot auth and it doesn't generate a log? If i revert back to 5.9.7.0 it starts working again....

MsChap2 Debug in log

dreamscape — Fri, 01 Dec 2023 09:14:30 +0000

Hi all, How do i turn off this debug in the log, its showing the users pin? 1522 2023-12-01 08:59:56 info Debug Debug: *CalculateMsChap2Response(user, 1522112582) for totp: 0101d3222aa706d9fd0fe0cd8cf4be27ee920000000000000000af6427f4ee9b0781414e1855b25f0690203a7bee6ed340f1 from 192.168.1.* 0 MACHINE Thanks Nick

Pin length

dreamscape — Fri, 01 Dec 2023 09:17:56 +0000

How do i change the length of the prefix pin, its currently 4, would like to make it bigger?

Windows Azure AD setting default domain

MariusS — Fri, 10 Nov 2023 15:06:50 +0000

Hi, I am trying out multiOTP Credential Provider v5.9.5.6 on a single machine which is a member of our Azure AD. The machine has two active user accounts, both Azure domain members, and both of which are used by multiple people. The login process must therefore be as simple and intuitive as possible. Manually entering AzureAD\[username] into the login dialog, followed by domain password and OTP works correctly, but if I tried add "AzureAD" (without the quotes) as the value of the "multiOTPDefaultPrefix" registry key nothing is populated into the login dialog, and authentication fails unless I manually prefix the user name. Can anyone help resolve?

roadmap

burghy — Tue, 31 May 2022 08:50:07 +0000

I really wanted to thank the multiotp developers, they are doing a great job. I wanted to understand if there is a roadmap of the things that will be done on multiotp community. from what I understood: the sending of the qrcode via e-mail to the created users will be implemented/ automatic synchronization with ad will remain on commercial product/ Email account recovery/ Multiple hardware tokens support for one account/ VueJS frontend/ Radius gateway support/ YubiCloud support/ FIDO support (SOAP service)/ Doxygen documentation format/ Users CSV impor/ could I propose to have the web page of the configuration file? the file are simple parameters, having a screen to manage them via the web would be great. same thing to have on the browser the log file / radius log to check what happens under the hood.

update ova image

burghy — Thu, 17 Feb 2022 10:43:26 +0000

Please update multiotp upload image. it little old. is a version 2019 multiotp-open-source-vm-009-5.6.1.5.ova

docker image error

burghy — Thu, 17 Feb 2022 09:05:35 +0000

hello.i trying to install multiotp on docker installed on a synology. there are various problems. What we discovered it's that, first of all, the docker image it's a little bit old so would be great to have a new one. port 80 is not working. Also, the first start/install didn't place the certificates under /etc/multiotp folder mapped on the docker host. So also the SSL contection was not working. The I tried to install the credential provider on a Windows 10 PC and test it. User unknown A little more documentation and logs would be great to understand where is the problem. and not a standard documentation would need the docker documentation. or someone who has managed to install it successfully

raspberry image

burghy — Thu, 17 Feb 2022 10:36:20 +0000

i read in the change log: WHAT'S NEW IN THE RELEASES ========================== # What's new in 5.8 releases - Raspberry Pi 4B support HOW TO BUILD A RASPBERRY PI STRONG AUTHENTICATION SERVER ? ========================================================== 0) If you want to download a multiOTP Raspberry Pi image ready to use, follow this URL: https://download.multiOTP.net/raspberry/ but in a link: https://download.multiotp.net/raspberry/ i don't find anythink

multiotp as Auithenticator for nginx

mth9977 — Wed, 09 Feb 2022 09:47:01 +0000

Hi there, i'm really a newbie on multiotp and nginx. therefor my question might be a little dumb. i'd like to have a reverse proxy which pre-authenticates users using mfa (with multiotp as source) in my current plan i need nginx as reverse-proxy, mutliotp for mfa and an apache as interface for authentication between the reverse-Proxy (nginx) and multiotp (because nginx does not speak radius) Is there a way to omit apache and have multiotp to do its work? Or will there be an easier way to solve this? Kind regards, mth9977

RD Gateway

idoch — Wed, 26 Aug 2020 18:58:37 +0000

We have tried to implement MultiOTP with the RD Gateway, but with MultiOTP protecting just the RDP part you get a second "logon" screen. Is there any way to make this process smoother? Perhaps just a screen that asks for the 2FA code (not username, password (again) and the code? Maybe a way to pre-fill the username and password with the info already submitted? Maybe better RD Gateway integration?

LDAP sync with eDirectory

dkenny — Fri, 20 Mar 2020 14:41:31 +0000

Hi there. I hoping someone can help with this sync problem I'm having. I'm connecting to eDirectory, which originally started with Novell, but is now with Micro Focus. We use several ldap clients which interact ok, but I'm having an error with multiotp when I try to do a users-sync or users-list. In looking at a wireshark trace, I can see a successful bind, but then an error "invalidDNSyntax". Multiotp reports the error as: warning LDAP Error: FATAL: AD/LDAP bind failed. The BaseDN is not accepted I'm using here since I need to start the search from the very top of the tree. I've also tried more specific values, like ou=accounting,o=alberta. Regardless of what I tried, I got the same error. Looking further at the wireshark trace, I see that there's a dn value of 'test-connection' that is being sent. I wonder if that is what may be causing this error since that object does not exist in the directory. Has anybody seen this kind of problem before or maybe some thoughts on where I should focus my efforts? Thanks!!

LDAP (AD) Sync and PINs?

adb100 — Thu, 18 Mar 2021 19:53:53 +0000

I have setup LDAP sync and a daily cron task to sync the users. I have been using this for a while and PINs are not required. I just checked the configuration file and I think it is set to request the LDAP Password & a prefix PIN by default: default_request_ldap_pwd=1 default_request_prefix_pin=1 However none of the users have this set in their configuration files: request_ldap_pwd=1 request_prefix_pin=0 This is a fairly vanilla setup, built from the 5.0.4.7 .OVA file and upgraded to the latest 5.8.1.1 release. Just wondering why my users don't have PINs? Andy

Upgraded to 5.8.1 and authentication now fails for all users?

adb100 — Mon, 15 Mar 2021 20:11:33 +0000

Upgraded to 5.8.1 on the VM version by copying the new files over the original and its stopped working... All users are failing authentication. If I test locally from the GUI I get 'failed (99 ERROR: Authentication failed (and other possible unknown errors)). Not sure how to debug it?

Setting to make LOCAL COMPUTER default rather than DOMAIN on RDP login screen

idoch — Thu, 12 Sep 2019 19:09:51 +0000

We are using an RD Gateway and we have some machines that we would like to default to the LOCAL computer for authentication (even though they may or may not have a domain available). It seems to default to the domain on the login screen. Example for a computer named PC: PC\Username <-- this is what we WANT and we can login to the local PC is we type this Domain\Username <-- this appears to be the default for all domain joined computers It appears that (if you are using a RD Gateway) the domain setting is not passed to the RDP login screen nor is it passed if you specify the username with the PC\Username format (PC\Username WILL be used to authenticate to the RD Gateway though). With the default Credential provider you CAN pass the domain from the RDP file as domain:s:DOMAIN or with the username username:s:PC\Username We tried to set the MOTP config option: domain_name=PC but that didn't seem to do anything We set the computer's default domain via GPO -- but that did not seem to change anything We tried to set: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName\PC and HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AltDefaultDomainName\PC The MOTP Credential Provider seems to be grabbing the domain name for the logon screen from: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain Does anyone have any ideas as to how to set MOTP to default to the local PC name 9such as %computername%) rather than the domain? I see that there is a plugin for pGina called the pGina Local Machine Plugin, but I'm not sure how that might relate to this situation. Anybody have any guidance? The default behavior (without MOTP) passes the parameters for domain (or domain\username) to the RD Gateway AND the RDP login. Is there a way to accomplish this? If not, is there a way to set the logon screen to use the local PC as default (rather than the domain)? Edit: Sorry about the formatting. I don't seem to have any formatting controls available. It looks better before I post.

Time changed on OTP server

elnino54 — Wed, 17 Jun 2020 02:16:53 +0000

Hi all, We had a time skew issue on our OTP server - Somehow it was still working with ~10 min skew but we had some minor issues with users logging in to windows offline with Credential provider that lead me to the issue of the time being out on the OTP server. I fixed the time skew issue but now I am having to resync users. Is there some way to just automatically resync all users?