Recent Discussions — multiOTP open source forum

MSCHAP & MSCHAPv2 Always Error 99

Dustin — Thu, 16 Apr 2026 15:39:18 +0000

I am trying to use multiOTP for VPN authentication for macOS via FreeRADIUS in the multiOTP Docker image. Apparently macOS requires MSCHAPv2 and will NAK and cause FreeRADIUS to treat it as misbehaving unless MSCHAPv2 is configured as the default in the eap addon, but even if I change the config to default to MSCHAPv2, I still always get an error regardless of authentication configuration (LDAP Password + TOTP [presumably expected to fail], PIN + TOTP, TOTP Only), and the errors also lead to account lockout, implying that authentication was actually attempted. I am able to successfully authenticate using PAP and CHAP with the default eap addon configuration using diagnostic commands from a fortigate firewall, but MSCHAP and MSCHAPv2 both get rejected (error 99) from there as well. As such, I suspect this is the best point to troubleshoot from (keep macOS out of the equation initially). I might be confused because I don't remember following the instructions under https://github.com/multiOTP/multiotp/wiki/#configuring-multiotp-with-freeradius-3x-under-linux to make the changes, but when I step through the instructions, most of the changes seem to already be in place. Since they might be in place by default in newer versions, I am hesitant to make changes based on that section or the page it links to in case they could be incorrect/outdated. I also notice that the top of that section says "NT_KEY generation is also supported using the -request-nt-key option (like for ntlm_auth --request-nt-key option), which is needed in order to enable VPN (PPTP + MPPE) with MS-CHAP/MS-CHAPv2." But then step 3 proceeds to say -nt-key-only (it isn't obvious if I might need both and/or if they are interchangeable). Here is some lightly sanitized example output from the fortigate for reference: fortigate # diag test authserver radius multiOTP pap testuser 123456900680 authenticate 'testuser' against 'pap' succeeded, server=primary assigned_rad_session_id=74659676487683 session_timeout=0 secs idle_timeout=0 secs! fortigate # diag test authserver radius multiOTP chap testuser 123456398830 authenticate 'testuser' against 'chap' succeeded, server=primary assigned_rad_session_id=74659676487684 session_timeout=0 secs idle_timeout=0 secs! fortigate # diag test authserver radius multiOTP mschap testuser 123456898101 authenticate 'testuser' against 'mschap' failed, assigned_rad_session_id=74659676487685 session_timeout=0 secs idle_timeout=0 secs! fortigate # diag test authserver radius multiOTP mschap2 testuser 123456819895 authenticate 'testuser' against 'mschap2' failed, assigned_rad_session_id=74659676487686 session_timeout=0 secs idle_timeout=0 secs! Here are the lightly sanitized logs for those tests: notice testuser User OK: User testuser successfully logged in with TOTP token 0 26d5455e1eb9 172.24.0.1 notice testuser User Info: User testuser successfully logged in using an external server from [] for 0.0.0.0 0 26d5455e1eb9 notice testuser User OK: User testuser successfully logged in with TOTP token 0 26d5455e1eb9 172.24.0.1 notice testuser User Info: User testuser successfully logged in using an external server from [] for 0.0.0.0 0 26d5455e1eb9 warning testuser User Error: authentication failed for user testuser 0 26d5455e1eb9 172.24.0.1 warning testuser User Error: authentication failed for user testuser (same token replayed) 0 26d5455e1eb9 172.24.0.1 When I debug, I see this for MSCHAP: multiotp 5.10.2.2 Your script is running from /usr/local/bin/multiotp/ debug CredentialProviderRequest Info: *Value for IsCredentialProviderRequest: 0 26d5455e1eb9 172.24.0.1 debug Server-Client Info: *CheckUserExists server request for testuser with challenge MOSH93eb750295d8479422eb88d3985ab89c 0 26d5455e1eb9 172.24.0.1 debug Server-Client Info: *CheckUserExists intermediate error code: 22 0 26d5455e1eb9 172.24.0.1 ======================================== multiotp 5.10.2.2 Your script is running from /usr/local/bin/multiotp/ debug CredentialProviderRequest Info: *Value for IsCredentialProviderRequest: 0 26d5455e1eb9 172.24.0.1 debug Server-Client Info: *ReadUserData server request for testuser 0 26d5455e1eb9 172.24.0.1 info Debug Debug: *CheckToken intermediate result (totp) 19578, push_trial: -1 result: 99 0 26d5455e1eb9 172.24.0.1 warning testuser User Error: authentication failed for user testuser 0 26d5455e1eb9 172.24.0.1 warning testuser Debug Debug: *authentication typed by the user is CHAP encrypted 0 26d5455e1eb9 172.24.0.1 info Debug Debug: *CheckToken intermediate result 19880, result: 99 0 26d5455e1eb9 172.24.0.1 However, I see this for MSCHAPv2 (even though I do not submit the token more than once): multiotp 5.10.2.2 Your script is running from /usr/local/bin/multiotp/ debug CredentialProviderRequest Info: *Value for IsCredentialProviderRequest: 0 26d5455e1eb9 172.24.0.1 debug Server-Client Info: *CheckUserExists server request for testuser with challenge MOSHb541faaea333a29de711d14ab4167525 0 26d5455e1eb9 172.24.0.1 debug Server-Client Info: *CheckUserExists intermediate error code: 22 0 26d5455e1eb9 172.24.0.1 ======================================== multiotp 5.10.2.2 Your script is running from /usr/local/bin/multiotp/ debug CredentialProviderRequest Info: *Value for IsCredentialProviderRequest: 0 26d5455e1eb9 172.24.0.1 debug Server-Client Info: *ReadUserData server request for testuser 0 26d5455e1eb9 172.24.0.1 info Debug Debug: *CheckToken intermediate result (totp) 19578, push_trial: -1 result: 99 0 26d5455e1eb9 172.24.0.1 warning testuser User Error: authentication failed for user testuser (same token replayed) 0 26d5455e1eb9 172.24.0.1 warning testuser Debug Debug: *authentication typed by the user is CHAP encrypted 0 26d5455e1eb9 172.24.0.1 info Debug Debug: *CheckToken intermediate result 19880, result: 99 0 26d5455e1eb9 172.24.0.1 Both also have this matching (lightly sanitized) bit following the bits above: multiotp 5.10.2.2 Your script is running from /usr/local/bin/multiotp/ info Debug Debug: *CheckToken intermediate result 19891, result: 99 from [] for 0.0.0.0 0 26d5455e1eb9 debug Debug Debug: *99 ERROR: Authentication failed (and other possible unknown errors) from [] for 0.0.0.0 0 26d5455e1eb9 debug Debug Debug: *Attributes sent to the RADIUS server: Reply-Message := "ERROR: Authentication failed (and other possible unknown errors)" from [] for 0.0.0.0 0 26d5455e1eb9 A bit more testing shows that the replayed error was caused by changing -nt-key-only to -request-nt-key in /etc/freeradius/3.0/mods-available/multiotpmschap and reverting that causes MSCHAPv2 to behave the same way as MSCHAPv1. Also, in case it could be relevant, after getting the error with MSCHAPv2, I can go to the webUI and successfully use the same token that didn't work with MSCHAPv2. I'm not sure how to proceed from here.

How to upgrade Docker multiOTP Open Source

Physalis — Thu, 02 Apr 2026 08:19:36 +0000

Hello everyone, I'm posting on the forum to ask for an explanation, or a step-by-step guide, if anyone has successfully updated their Docker version. It's currently at version 5.10.1.5, and an update is available as a zip file for 5.10.2.1. I tried copying the files from the Docker image to /usr/local/bin/multiotp, but nothing updates. I also tried copying the files to the /var/lib/docker/rootfs/overlayfs/bb315dd65a05af7a78c15b39df281342b696f292dd3f44cef904d3944b94837f/usr/local/bin/multiotp/ directory, but again, nothing happens. The web interface remains constantly on 5.10.1.5. As soon as Docker is restarted, everything disappears and it reverts to the base 5.10.1.5 image. What steps should I take, or should I wait for the Docker image to be updated to 5.10.2.1? Thank you in advance for any information you can provide. Eric

Error starting Docker container: /boot/newvm.sh not found

spacefly2020 — Thu, 28 Aug 2025 08:52:12 +0000

Hello! Error starting Docker container: /bin/sh: 1: /boot/newvm.sh: not found Tried on Linux distributions Debian-12 and Centos-8. I installed docker according to the documentation: https://docs.docker.com/engine/install/debian/ https://docs.docker.com/engine/install/centos/ Multiotp version 5.9.9.1 (similar error in versions 5.9.8.3 and 5.9.7.1) I build the image from the Dockerfile: docker build -t multiotp/multiotp-open-source:latest . The docker-image was build without errors. Check status image: #docker images REPOSITORY TAG IMAGE ID CREATED SIZE multiotp/multiotp-open-source latest d3c7e416572e 2 hours ago 982MB I created a shell script named ~/multiotp_docker.sh (see below): #!/bin/bash volume="/docker/multiotp" mkdir -p $volume docker run --name multiotp \ -v $volume/data:/etc/multiotp \ -v $volume/freeradius/config:/etc/freeradius \ -v $volume/multiotp/log:/var/log/multiotp \ -v $volume/freeradius/log:/var/log/freeradius \ -p 8080:80 \ -p 8443:443 \ -p 1812:1812/udp \ -p 1813:1813/udp \ -d multiotp/multiotp-open-source OK. Now run (from "root" account) this bash-script: chmod +x ~/multiotp_docker.sh && ~/multiotp_docker.sh Check status container: # docker ps -a CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 3d1db2e0684b multiotp/multiotp-open-source "/bin/sh -c '/boot/n…" 42 hours ago Exited (127) 42 hours ago multiotp Check log status of container: #docker logs multiotp /bin/sh: 1: /boot/newvm.sh: not found Thank you for your help. Best regards, Serge

502 Bad Gateway on WebGUI

CJRhines — Thu, 16 Oct 2025 13:48:00 +0000

I just installed MultiOTP on a Windows 2012R2 server, and I get a 502 Bad Gateway page when I open the webGUI at 127.0.0.1:8112. Looking at the error.log file in C:\MultiOTP\windows\webservice\logs, I see the following error: 2025/10/16 09:26:40 [error] 1384#1380: *18 connect() failed (10061: No connection could be made because the target machine actively refused it) while connecting to upstream, client: 127.0.0.1, server: localhost, request: "GET / HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "127.0.0.1:8112" 2025/10/16 09:26:41 [error] 1384#1380: *18 connect() failed (10061: No connection could be made because the target machine actively refused it) while connecting to upstream, client: 127.0.0.1, server: localhost, request: "GET /favicon.ico HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "127.0.0.1:8112", referrer: "http://127.0.0.1:8112/" Any idea what could be causing this?

Using multiOTP CredentialProvider with existing Radius

steins — Mon, 18 Aug 2025 07:19:10 +0000

I would like to integrate the multiOTP CredentialProvider with my existing OTP system. In my current environment, I utilize PricvacyIdea for two-factor authentication on other systems. Is it possible to connect the multiOTP CredentialProvider with this existing authorization source?

Emergency login in case of lost access

aratoken — Mon, 28 Jul 2025 16:15:25 +0000

Hi! i am currently using multiOTP successfully in a testing environment but there is one question that i have not yet found a clear answer to. Is there a way to restore access in case if i lose my ability to log into for example the Administrator account (For example lost phone)? Can i create backup codes or similar to temporarely disable multiOTP? If not what would be the usual approach? Thank you!

How to apply local only version for Windows 11 ?

datlv — Mon, 23 Jun 2025 04:53:00 +0000

I have one Windows 11 PC, I want to apply OTP during the remote desktop, so I tried to installed local only version but I dont know how to create user with QR code (or secret key). Please share me the correct way to do it. Thanks for the support.

enable and disable 2fa for users

aratoken — Thu, 12 Jun 2025 08:13:05 +0000

Hi! i am recently using the windows version to secure rdp logins on my server, so far its working fine. However i am a bit confused regarding the "iswithout2fa" option through the command line: I tried to set this option for two users for testing purposes, setting it for my Administrator (using the Administrator) worked fine but configuring it for another testuser did not seem to work. If i log in with said user and set it, it works without issues but in return i cannot set the option for other users (for example the Administrator). Is there a restriction as to how/where to set the without2fa option that i'm missing? In both cases (working and not) i got no output on my cli after using the command at all. Also: am i assuming correctly that the "iswithout2fa" can only be removed with a restart of the whole system? I couldn't find any option for it in the help output and i noticed that after restarting the server because of updates that 2FA was re-enabled for a user i previously disabled it using that option. Thank you and best regards!

OTP in the login field

Alex — Fri, 25 Apr 2025 09:30:15 +0000

Is it possible to do with multiotp and MS-CHAPv2? MS-CHAPv2 is for a password. Username: username:OTP Password: password Example for username = john, password = myBigPassword, OTP = 123456 Username: john:123456 Password: myBigPassword

Install and use

Alex — Wed, 23 Apr 2025 14:59:36 +0000

Hi. My question is I can't find a multitop installation on Linux. I use Debian. And the second question is it possible to use multitop for VPN. VPN(L2TP)+Freeradius+multiotp+LDAP(AD). Sending the password from the client via mschapv2

Check Active Directory Group Membership for TunnelGroupName

boycej — Mon, 21 Apr 2025 19:31:18 +0000

i am currently using the Virtual Machine version of Multiotp that has been upgraded. Current configuration below: multiOTP 5.9.9.1 2025-01-20 Web service is ready 2025-04-21 21:15:11, nginx/1.22.1, PHP/8.2.28 Is there any way to use a script within FreeRADIUS to check the Group Membership that multiotop has in the database/files? Such as this script below: elsif (ASA-TunnelGroupName == "Tech_CCS_AnyConnect" && LDAP-Group == "CCS_TECHS") { reject } I am currently using this with LDAP on another FreeRADIUS server without multiotop. Or is there another place I can make sure that the ASA-TunnelGroupName matches with the AD Group membership such as the multiotip.php or the multiotp.pl? Thanks for help.

AD users of child domains are not synchronized

Andrew — Tue, 11 Feb 2025 12:28:54 +0000

Good day.

The service is deployed on the MS hypervisor image multiOTP-open-source-hyperv-5.9.0.3. Updated to version 5.9.9.1 .

Synchronization is configured with the AD main domain zao-agrokomplex.ru. Everything works fine. Clients are synchronized. Users log in to RDP and locally with 2FA. Everything works fine.

But the problem is that there are subdomains RTL.zao-agrokomplex.ru and BRCH.zao-agrokomplex.ru. And users are not synchronized from these child domains.

I tried adding them to one common universal security group of the parent domain. There are no new users during synchronization. I also tried specifying security groups of child domains. The problem with synchronization is still there are no new users.

I specified child DN addresses in "ldap_users_dn". Also to no avail. The logs only show this:

info LDAP Info: No update for the 19 LDAP synced users, based on 22 LDAP entries (processed in 00:00:32)

Please tell me how to correctly configure multiOTP in a Multi-Domain environment?

Here is the multitop.ini setting

 ./multiotp.php -config multiple-groups=1
encryption_hash= XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
log=1
actual_version=5.9.9.1
admin_password_hash:=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
anonymous_stat=1
anonymous_stat_last_update=1739180575
anonymous_stat_random_id=bf1a00eccdad7abc033240359cda6ba160263447
attributes_to_encrypt=
auto_resync=1
backend_encoding=UTF-8
backend_type=files
backend_type_validated=0
cache_data=0
cache_ldap_hash=1
case_sensitive_users=0
challenge_response_enabled=0
clear_otp_attribute=
console_authentication=0
create_host=multiotp
create_time=1739180574
debug=0
default_algorithm=totp
default _dialin_ip_mask=
default_user_group=
default_request_ldap_pwd=0
default_request_prefix_pin=0
demo_mode=0
developer_mode=0
display_log=0
domain_name=
email_admin_address=
email_code_allowed=0
email_code_timeout=600
email_digits=6
encode_file_id=0
encryption_key_full_path=
failure_delayed_time=300
group_attribute=Filter-Id
hash_salt_full_path=
issuer=multiOTP
language=en
last_failed_white_delay=60
last_sync_update=0
las t_sync_update_host=
last_update=1739257821
last_update_host=multiotp
ldap_expired_password_valid=1
ldap_account_suffix=@zao-agrokomplex.ru
ldap_activated=1
ldap_base_dn=DC=zao-agrokomplex,DC=ru
ldap_bind_dn=2FA-srv-motp
ldap_cache_folder=
ldap_cache_on=1
ldap_cn_identifier=sAMAccountName
ldap_default_algorithm=totp
ldap_domain_controllers=srv-dc01.zao-agrokomplex.ru,ldaps://10.10.10.10:636
ldap_group_attribute=memberO f
ldap_group_cn_identifier=sAMAccountName
ldap_users_dn=DC=zao-agrokomplex,DC=ru;DC=RTL,DC=zao-agrokomplex,DC=ru;DC=BRCH,DC=zao-agrokomplex,DC=ru
ldap_hash_cache_time=604800
ldap_in_group=gr-agr-2FA-mOTP,RETAIL-2FA-mOTP
ldap_language_attribute=preferredLanguage
ldap_network_timeout=60
ldap_port=636
ldap_recursive_cache_only=0
ldap_recursive_groups=3
ldap_server_password:=xxxxxxxxxxxxxxxxxxxxxxxxxxxx
ldap_server_type=1
ldap_ssl=1
ldap_synced_user_attribute=
ldap_time_limit=600
ldaptls_reqcert=
ldaptls_cipher_suite=
max_block_failures=6
max_delayed_failures=3
max_event_resync_window=10000
max_event_window=100
max_time_resync_window=90000
max_time_window=600
multiple_groups=0
ntp_server=10.0.200.80
overwrite_request_ldap_pwd=1
radius_error_reply_message=1
radius_reply_attributor= +=
radius_reply_separator_hex=2c
radius_tag_prefix=
scratch_passwords_digits=6
scratch_passwords_amount=10
self_registration=1
server_cache_level=1
server_cache_lifetime=15552000
server_secret:=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
server_timeout=10
server_type=
server_url=
sms_api_id:=
sms_basic_auth=0
sms_code_allowed=1
sms_content_encoding=
sms_content_success=
sms_digits= 6
sms_encoding=
sms_header=
sms_international_format=0
sms_ip=
sms_message_prefix=
sms_method=
sms_no_double_zero=0
sms_originator=multiOTP
sms_password:=
sms_port=
sms_provider=
sms_send_template=
sms_status_success=
sms_timeout=180
sms_url=
sms_userkey:=
smtp_auth=0
smtp_password:=
smtp_port=25
smtp_sender=
smtp_sender_name=
smtp_server=
smtp_ssl=0
smtp_username=
sql_ser ver=
sql_username=
sql_password:=
sql_database=
sql_schema=
sql_config_table=multiotp_config
sql_cache_table=multiotp_cache
sql_ddns_table=multiotp_ddns
sql_devices_table=multiotp_devices
sql_groups_table=multiotp_groups
sql_log_table=multiotp_log
sql_stat_table=multiotp_stat
sql_tokens_table=multiotp_tokens
sql_users_table=multiotp_users
sync_delete_retention_days=30
sysl og_facility=7
syslog_level=5
syslog_port=514
syslog_server=
tel_default_country_code=
timezone=Europe/Zurich
token_serial_number_length=12
token_otp_list_of_length=6
verbose_log_prefix=
sms_challenge_enabled=0
text_sms_challenge=
text_token_challenge=
default_2fa_digits=6
default_pin_digits=4
ignore_no_prefix_cp=0
ldap_filter=
ldap_without2fa_in_group=
log_forced_in_file=0

AD sync not working now?

dreamscape — Wed, 26 Mar 2025 15:42:13 +0000

I have hardened my AD and now get the error below when trying to do a sync: LOG 2025-03-26 15:36:14 warning LDAP Error: FATAL: AD bind failed. Check the login credentials (8: Strong(er) authentication required). (00002028: LdapErr: DSID-0C090330, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v4f7c) 99 *ERROR: Authentication failed (and other possible unknown errors) Any ideas how i fix this?

MultiOTP Credential Provider - Stuck at Other User

abdulaleem — Tue, 07 Jan 2025 16:14:36 +0000

I have implemented multiotp credential provider (5.9.8.0) on windows server 2016 for RDP login. Normally, Its working OK but when a user is set to change password, then credential provider brings the password change prompt and the password is changed successfully but after that instead of initiating login processes, login screen gets stuck displaying "Other User" and nothing happens.

Log file when using database

Armaggedon — Fri, 23 Aug 2024 14:55:40 +0000

Hi there!
When using multiOTP with a database, log entries are also written on the database. Is there any way to change this behavior, so I can also/instead write logs to a file on the server?
I'd like to send them to an aggregator like ElasticSearch, be able to logrotate, clean up old logs for GDPR compliance... Which is way easier with files.
Thanks!

Free text on Windows login screen

Armaggedon — Wed, 21 Aug 2024 13:11:13 +0000

It would be nice to have a configurable free text field on the Windows login screen. Admins could, for example, set here an email address for support, a link to instructions...

Alternatively, and perhaps easier to implement since the logic is already there to get the token, a "send me instructions" link so admins could customize an email template.

Currently we could only modify the "otp_hint_text" value on the registry key, which is an OK workaround, but a dedicated field might be better.

.ova and NIC types

adb100 — Wed, 21 Aug 2024 11:43:18 +0000

I've just replaced a couple of older ova-built VMs that I've been meaning to for a while as Stretch is EoL and I didn't have any success changing the repo on the VM. Anyway, that's all now complete and I've built two new VMs from the 5.9.0.1 .ova, upgraded to the current 5.9.7.1 release and restored all the configuration and OS customisations and scripts. One thing I typically do with most VMs built from .ova's is if they have E1000 vNICs, is to replace them with VMXNET3 vNICs. What are the implications of this with the .ova built VMs?

Join this forum

adminf — Tue, 20 Aug 2024 15:40:55 +0000

If you want to subscribe to this forum, send us an email to forum - at - multiotp - dot - net and we will send you back an invitation.

QR code generation

Armaggedon — Mon, 12 Aug 2024 09:54:38 +0000

Hello,
How can users can get their token provisioning QR code without admin intervention? So far I've only been able to reach it by login on the web as admin and clicking "Print" for each of them.
Many thanks!

Web

barfly — Mon, 22 Jul 2024 06:28:40 +0000

Hello. MultiOTP is installed on windows 10 system. In the morning, when a large number of employees log in, the service stops working; I only find out about this when checking the WEB interface or when employees contact me. Multiotp services continue to work. How to fix the situation with the service crash?

Cannot get user/group downloading working from AD - how can I enable more logging?

IanMurphy — Thu, 06 Jun 2024 09:54:07 +0000

sorry for the lack of formatting. I can't work out how to post anything than a block of text. I'm playing around with MultiOTP on a windows server attempting to set up a 2FA system. Everything went smoothly up to the point of actually downloading the group/users when the system always indicates no updates: ``` C:\MultiOTP\Windows>multiotp -debug -display-log -ldap-users-sync LOG 2024-06-06 09:31:54 debug LDAP Debug: *AD/LDAP synchronization started at 09:31:54 / Memory used: 14.5MB / Peak: 27.1MB LOG 2024-06-06 09:31:54 info LDAP Info: AD/LDAP synchronization started LOG 2024-06-06 09:31:54 debug System Debug: *LDAP cache folder value: C:\Users\ADMIN-~1\AppData\Local\Temp\.ldap_cache/ LOG 2024-06-06 09:31:54 info LDAP Info: No update for the 0 LDAP synced users, based on 1 LDAP entries (processed in 00:00:00) 19 *INFO: Requested operation successfully done ``` As far as I can tell my LDAP connection is correctly configured. I have a single group with a single test user in the group. I've tried adding a new user to the group to see if that provoked any changed but it always indicates 0 ldap synced users If I connect to ldap using an ldap client tool, it works and allows me to see the contents of the group and can browse around the AD objects without any problems. So the account I'm using works fine - its a specially created account. Is there a way to enable verbose logging which will log the tcp open, each message, etc.? I've been over the documentation but can't find anything which will enable detailed debug logging. If I execute multiotp -ldap-check -debug it reports nothing at all, no errors, no warnings.

Authentication failed (wrong token length)

dozza — Thu, 23 May 2024 15:33:00 +0000

I have the multiOTP HyperV appliance v5.9.0.3 and multiOTPCredentialProvider v5.9.7.1. Using this to prompt for 6 digit MFA code when a person connects via Remote Desktop to a Windows Server. The multiOTP appliance pulls members of the "2FAUsers" AD user group to create the user accounts and QR codes. This works well for a few weeks, then suddenly stops working. This is my third start-over attempt and each time the problem reoccurs. The user supplies their username, then password, then 6 digit OTP at RDP logon, then after a pause the error "Wrong One Time PIN" is returned. If I run "multiotp -display-log -debug auser", I see the error "authentication typed by the user is 13 chars long instead of 6 chars" and "Authentication failed (wrong token length)". I am only typing in a 6 digit code when prompted, so I am puzzled where the additional 7 characters are coming from. Any ideas to steer me towards a resolution?

Hardware token

dreamscape — Thu, 02 May 2024 09:20:41 +0000

Sorry quick question, if most of my AD sync'ed users are using MS Authenticator for TOTP, can i have one users which uses a hardware token, i.e. Feitian c200 for example?

connecting with RDS2022

fishtail — Mon, 25 Mar 2024 14:59:48 +0000

Hi, a newbie here. I have multiOTP running on docker. The credential provider is installed on the RD Host. When I tried to use it on RDS, it failed with "wrong one-time password" I can't find documentation (apologize if overlooked) regarding to 'ddns' folder. Here's what the log showed: 2024-03-18 03:00:59 warning System Error: Unable to create the missing devices folder /etc/multiotp/ddns/ 0 842c98edad03 2024-03-18 03:01:18 warning System Error: Unable to create the missing devices folder /etc/multiotp/ddns/ 0 842c98edad03 2024-03-18 03:01:18 notice XXX User OK: User XXX successfully logged in with TOTP token 0 842c98edad03 I have removed myself from the designated Windows AD group and tried RDP again, it still asks for 2FA code. I powered off the docker container, it still asks for 2FA code. I finally uninstalled Credential Provider from RD Host in order for me to get back in to my remote desktop Everything is on-prem. Any thoughts/suggestoins is greatly appreciated.

Auhtenticator app is picking up Description of the user from AD

os_jonsson — Tue, 02 Jan 2024 07:39:51 +0000

Hi! In the authenticator app it displays the description of the user from the AD. I would like it to display the username instead but haven't found anything regarding this in the documentation. Is it possible to change? //Oscar

5.9.7.1 issue

dreamscape — Mon, 04 Dec 2023 09:00:24 +0000

Morning All, I've upgraded to 5.9.7.1 to test the new pin functionally (thanks for adding this btw) but unfortunately it no longer works for me? I cannot auth and it doesn't generate a log? If i revert back to 5.9.7.0 it starts working again....

MsChap2 Debug in log

dreamscape — Fri, 01 Dec 2023 09:14:30 +0000

Hi all, How do i turn off this debug in the log, its showing the users pin? 1522 2023-12-01 08:59:56 info Debug Debug: *CalculateMsChap2Response(user, 1522112582) for totp: 0101d3222aa706d9fd0fe0cd8cf4be27ee920000000000000000af6427f4ee9b0781414e1855b25f0690203a7bee6ed340f1 from 192.168.1.* 0 MACHINE Thanks Nick

Pin length

dreamscape — Fri, 01 Dec 2023 09:17:56 +0000

How do i change the length of the prefix pin, its currently 4, would like to make it bigger?

Problem with QR and Google Authenticator

jcasadom — Mon, 20 Nov 2023 07:16:13 +0000

I'm trying to read the QR code generated by the GUI, but I always get the message "Cannot interpret QR code" in Google Authenticator. I have no problem writing the secret seed en Base 32 in Google Authenticator. I have no problem with the QR with FreeOTP or Microsoft Autenthicator

Windows Azure AD setting default domain

MariusS — Fri, 10 Nov 2023 15:06:50 +0000

Hi, I am trying out multiOTP Credential Provider v5.9.5.6 on a single machine which is a member of our Azure AD. The machine has two active user accounts, both Azure domain members, and both of which are used by multiple people. The login process must therefore be as simple and intuitive as possible. Manually entering AzureAD\[username] into the login dialog, followed by domain password and OTP works correctly, but if I tried add "AzureAD" (without the quotes) as the value of the "multiOTPDefaultPrefix" registry key nothing is populated into the login dialog, and authentication fails unless I manually prefix the user name. Can anyone help resolve?