General — multiOTP open source forum

Error starting Docker container: /boot/newvm.sh not found

spacefly2020 — Thu, 28 Aug 2025 08:52:12 +0000

Hello! Error starting Docker container: /bin/sh: 1: /boot/newvm.sh: not found Tried on Linux distributions Debian-12 and Centos-8. I installed docker according to the documentation: https://docs.docker.com/engine/install/debian/ https://docs.docker.com/engine/install/centos/ Multiotp version 5.9.9.1 (similar error in versions 5.9.8.3 and 5.9.7.1) I build the image from the Dockerfile: docker build -t multiotp/multiotp-open-source:latest . The docker-image was build without errors. Check status image: #docker images REPOSITORY TAG IMAGE ID CREATED SIZE multiotp/multiotp-open-source latest d3c7e416572e 2 hours ago 982MB I created a shell script named ~/multiotp_docker.sh (see below): #!/bin/bash volume="/docker/multiotp" mkdir -p $volume docker run --name multiotp \ -v $volume/data:/etc/multiotp \ -v $volume/freeradius/config:/etc/freeradius \ -v $volume/multiotp/log:/var/log/multiotp \ -v $volume/freeradius/log:/var/log/freeradius \ -p 8080:80 \ -p 8443:443 \ -p 1812:1812/udp \ -p 1813:1813/udp \ -d multiotp/multiotp-open-source OK. Now run (from "root" account) this bash-script: chmod +x ~/multiotp_docker.sh && ~/multiotp_docker.sh Check status container: # docker ps -a CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 3d1db2e0684b multiotp/multiotp-open-source "/bin/sh -c '/boot/n…" 42 hours ago Exited (127) 42 hours ago multiotp Check log status of container: #docker logs multiotp /bin/sh: 1: /boot/newvm.sh: not found Thank you for your help. Best regards, Serge

Using multiOTP CredentialProvider with existing Radius

steins — Mon, 18 Aug 2025 07:19:10 +0000

I would like to integrate the multiOTP CredentialProvider with my existing OTP system. In my current environment, I utilize PricvacyIdea for two-factor authentication on other systems. Is it possible to connect the multiOTP CredentialProvider with this existing authorization source?

Install and use

Alex — Wed, 23 Apr 2025 14:59:36 +0000

Hi. My question is I can't find a multitop installation on Linux. I use Debian. And the second question is it possible to use multitop for VPN. VPN(L2TP)+Freeradius+multiotp+LDAP(AD). Sending the password from the client via mschapv2

AD users of child domains are not synchronized

Andrew — Tue, 11 Feb 2025 12:28:54 +0000

Good day.

The service is deployed on the MS hypervisor image multiOTP-open-source-hyperv-5.9.0.3. Updated to version 5.9.9.1 .

Synchronization is configured with the AD main domain zao-agrokomplex.ru. Everything works fine. Clients are synchronized. Users log in to RDP and locally with 2FA. Everything works fine.

But the problem is that there are subdomains RTL.zao-agrokomplex.ru and BRCH.zao-agrokomplex.ru. And users are not synchronized from these child domains.

I tried adding them to one common universal security group of the parent domain. There are no new users during synchronization. I also tried specifying security groups of child domains. The problem with synchronization is still there are no new users.

I specified child DN addresses in "ldap_users_dn". Also to no avail. The logs only show this:

info LDAP Info: No update for the 19 LDAP synced users, based on 22 LDAP entries (processed in 00:00:32)

Please tell me how to correctly configure multiOTP in a Multi-Domain environment?

Here is the multitop.ini setting

 ./multiotp.php -config multiple-groups=1
encryption_hash= XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
log=1
actual_version=5.9.9.1
admin_password_hash:=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
anonymous_stat=1
anonymous_stat_last_update=1739180575
anonymous_stat_random_id=bf1a00eccdad7abc033240359cda6ba160263447
attributes_to_encrypt=
auto_resync=1
backend_encoding=UTF-8
backend_type=files
backend_type_validated=0
cache_data=0
cache_ldap_hash=1
case_sensitive_users=0
challenge_response_enabled=0
clear_otp_attribute=
console_authentication=0
create_host=multiotp
create_time=1739180574
debug=0
default_algorithm=totp
default _dialin_ip_mask=
default_user_group=
default_request_ldap_pwd=0
default_request_prefix_pin=0
demo_mode=0
developer_mode=0
display_log=0
domain_name=
email_admin_address=
email_code_allowed=0
email_code_timeout=600
email_digits=6
encode_file_id=0
encryption_key_full_path=
failure_delayed_time=300
group_attribute=Filter-Id
hash_salt_full_path=
issuer=multiOTP
language=en
last_failed_white_delay=60
last_sync_update=0
las t_sync_update_host=
last_update=1739257821
last_update_host=multiotp
ldap_expired_password_valid=1
ldap_account_suffix=@zao-agrokomplex.ru
ldap_activated=1
ldap_base_dn=DC=zao-agrokomplex,DC=ru
ldap_bind_dn=2FA-srv-motp
ldap_cache_folder=
ldap_cache_on=1
ldap_cn_identifier=sAMAccountName
ldap_default_algorithm=totp
ldap_domain_controllers=srv-dc01.zao-agrokomplex.ru,ldaps://10.10.10.10:636
ldap_group_attribute=memberO f
ldap_group_cn_identifier=sAMAccountName
ldap_users_dn=DC=zao-agrokomplex,DC=ru;DC=RTL,DC=zao-agrokomplex,DC=ru;DC=BRCH,DC=zao-agrokomplex,DC=ru
ldap_hash_cache_time=604800
ldap_in_group=gr-agr-2FA-mOTP,RETAIL-2FA-mOTP
ldap_language_attribute=preferredLanguage
ldap_network_timeout=60
ldap_port=636
ldap_recursive_cache_only=0
ldap_recursive_groups=3
ldap_server_password:=xxxxxxxxxxxxxxxxxxxxxxxxxxxx
ldap_server_type=1
ldap_ssl=1
ldap_synced_user_attribute=
ldap_time_limit=600
ldaptls_reqcert=
ldaptls_cipher_suite=
max_block_failures=6
max_delayed_failures=3
max_event_resync_window=10000
max_event_window=100
max_time_resync_window=90000
max_time_window=600
multiple_groups=0
ntp_server=10.0.200.80
overwrite_request_ldap_pwd=1
radius_error_reply_message=1
radius_reply_attributor= +=
radius_reply_separator_hex=2c
radius_tag_prefix=
scratch_passwords_digits=6
scratch_passwords_amount=10
self_registration=1
server_cache_level=1
server_cache_lifetime=15552000
server_secret:=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
server_timeout=10
server_type=
server_url=
sms_api_id:=
sms_basic_auth=0
sms_code_allowed=1
sms_content_encoding=
sms_content_success=
sms_digits= 6
sms_encoding=
sms_header=
sms_international_format=0
sms_ip=
sms_message_prefix=
sms_method=
sms_no_double_zero=0
sms_originator=multiOTP
sms_password:=
sms_port=
sms_provider=
sms_send_template=
sms_status_success=
sms_timeout=180
sms_url=
sms_userkey:=
smtp_auth=0
smtp_password:=
smtp_port=25
smtp_sender=
smtp_sender_name=
smtp_server=
smtp_ssl=0
smtp_username=
sql_ser ver=
sql_username=
sql_password:=
sql_database=
sql_schema=
sql_config_table=multiotp_config
sql_cache_table=multiotp_cache
sql_ddns_table=multiotp_ddns
sql_devices_table=multiotp_devices
sql_groups_table=multiotp_groups
sql_log_table=multiotp_log
sql_stat_table=multiotp_stat
sql_tokens_table=multiotp_tokens
sql_users_table=multiotp_users
sync_delete_retention_days=30
sysl og_facility=7
syslog_level=5
syslog_port=514
syslog_server=
tel_default_country_code=
timezone=Europe/Zurich
token_serial_number_length=12
token_otp_list_of_length=6
verbose_log_prefix=
sms_challenge_enabled=0
text_sms_challenge=
text_token_challenge=
default_2fa_digits=6
default_pin_digits=4
ignore_no_prefix_cp=0
ldap_filter=
ldap_without2fa_in_group=
log_forced_in_file=0

MultiOTP Credential Provider - Stuck at Other User

abdulaleem — Tue, 07 Jan 2025 16:14:36 +0000

I have implemented multiotp credential provider (5.9.8.0) on windows server 2016 for RDP login. Normally, Its working OK but when a user is set to change password, then credential provider brings the password change prompt and the password is changed successfully but after that instead of initiating login processes, login screen gets stuck displaying "Other User" and nothing happens.

.ova and NIC types

adb100 — Wed, 21 Aug 2024 11:43:18 +0000

I've just replaced a couple of older ova-built VMs that I've been meaning to for a while as Stretch is EoL and I didn't have any success changing the repo on the VM. Anyway, that's all now complete and I've built two new VMs from the 5.9.0.1 .ova, upgraded to the current 5.9.7.1 release and restored all the configuration and OS customisations and scripts. One thing I typically do with most VMs built from .ova's is if they have E1000 vNICs, is to replace them with VMXNET3 vNICs. What are the implications of this with the .ova built VMs?

Join this forum

adminf — Tue, 20 Aug 2024 15:40:55 +0000

If you want to subscribe to this forum, send us an email to forum - at - multiotp - dot - net and we will send you back an invitation.

QR code generation

Armaggedon — Mon, 12 Aug 2024 09:54:38 +0000

Hello,
How can users can get their token provisioning QR code without admin intervention? So far I've only been able to reach it by login on the web as admin and clicking "Print" for each of them.
Many thanks!

Web

barfly — Mon, 22 Jul 2024 06:28:40 +0000

Hello. MultiOTP is installed on windows 10 system. In the morning, when a large number of employees log in, the service stops working; I only find out about this when checking the WEB interface or when employees contact me. Multiotp services continue to work. How to fix the situation with the service crash?

Authentication failed (wrong token length)

dozza — Thu, 23 May 2024 15:33:00 +0000

I have the multiOTP HyperV appliance v5.9.0.3 and multiOTPCredentialProvider v5.9.7.1. Using this to prompt for 6 digit MFA code when a person connects via Remote Desktop to a Windows Server. The multiOTP appliance pulls members of the "2FAUsers" AD user group to create the user accounts and QR codes. This works well for a few weeks, then suddenly stops working. This is my third start-over attempt and each time the problem reoccurs. The user supplies their username, then password, then 6 digit OTP at RDP logon, then after a pause the error "Wrong One Time PIN" is returned. If I run "multiotp -display-log -debug auser", I see the error "authentication typed by the user is 13 chars long instead of 6 chars" and "Authentication failed (wrong token length)". I am only typing in a 6 digit code when prompted, so I am puzzled where the additional 7 characters are coming from. Any ideas to steer me towards a resolution?

Hardware token

dreamscape — Thu, 02 May 2024 09:20:41 +0000

Sorry quick question, if most of my AD sync'ed users are using MS Authenticator for TOTP, can i have one users which uses a hardware token, i.e. Feitian c200 for example?

connecting with RDS2022

fishtail — Mon, 25 Mar 2024 14:59:48 +0000

Hi, a newbie here. I have multiOTP running on docker. The credential provider is installed on the RD Host. When I tried to use it on RDS, it failed with "wrong one-time password" I can't find documentation (apologize if overlooked) regarding to 'ddns' folder. Here's what the log showed: 2024-03-18 03:00:59 warning System Error: Unable to create the missing devices folder /etc/multiotp/ddns/ 0 842c98edad03 2024-03-18 03:01:18 warning System Error: Unable to create the missing devices folder /etc/multiotp/ddns/ 0 842c98edad03 2024-03-18 03:01:18 notice XXX User OK: User XXX successfully logged in with TOTP token 0 842c98edad03 I have removed myself from the designated Windows AD group and tried RDP again, it still asks for 2FA code. I powered off the docker container, it still asks for 2FA code. I finally uninstalled Credential Provider from RD Host in order for me to get back in to my remote desktop Everything is on-prem. Any thoughts/suggestoins is greatly appreciated.

Auhtenticator app is picking up Description of the user from AD

os_jonsson — Tue, 02 Jan 2024 07:39:51 +0000

Hi! In the authenticator app it displays the description of the user from the AD. I would like it to display the username instead but haven't found anything regarding this in the documentation. Is it possible to change? //Oscar

5.9.7.1 issue

dreamscape — Mon, 04 Dec 2023 09:00:24 +0000

Morning All, I've upgraded to 5.9.7.1 to test the new pin functionally (thanks for adding this btw) but unfortunately it no longer works for me? I cannot auth and it doesn't generate a log? If i revert back to 5.9.7.0 it starts working again....

MsChap2 Debug in log

dreamscape — Fri, 01 Dec 2023 09:14:30 +0000

Hi all, How do i turn off this debug in the log, its showing the users pin? 1522 2023-12-01 08:59:56 info Debug Debug: *CalculateMsChap2Response(user, 1522112582) for totp: 0101d3222aa706d9fd0fe0cd8cf4be27ee920000000000000000af6427f4ee9b0781414e1855b25f0690203a7bee6ed340f1 from 192.168.1.* 0 MACHINE Thanks Nick

Pin length

dreamscape — Fri, 01 Dec 2023 09:17:56 +0000

How do i change the length of the prefix pin, its currently 4, would like to make it bigger?

Windows Azure AD setting default domain

MariusS — Fri, 10 Nov 2023 15:06:50 +0000

Hi, I am trying out multiOTP Credential Provider v5.9.5.6 on a single machine which is a member of our Azure AD. The machine has two active user accounts, both Azure domain members, and both of which are used by multiple people. The login process must therefore be as simple and intuitive as possible. Manually entering AzureAD\[username] into the login dialog, followed by domain password and OTP works correctly, but if I tried add "AzureAD" (without the quotes) as the value of the "multiOTPDefaultPrefix" registry key nothing is populated into the login dialog, and authentication fails unless I manually prefix the user name. Can anyone help resolve?

roadmap

burghy — Tue, 31 May 2022 08:50:07 +0000

I really wanted to thank the multiotp developers, they are doing a great job. I wanted to understand if there is a roadmap of the things that will be done on multiotp community. from what I understood: the sending of the qrcode via e-mail to the created users will be implemented/ automatic synchronization with ad will remain on commercial product/ Email account recovery/ Multiple hardware tokens support for one account/ VueJS frontend/ Radius gateway support/ YubiCloud support/ FIDO support (SOAP service)/ Doxygen documentation format/ Users CSV impor/ could I propose to have the web page of the configuration file? the file are simple parameters, having a screen to manage them via the web would be great. same thing to have on the browser the log file / radius log to check what happens under the hood.

update ova image

burghy — Thu, 17 Feb 2022 10:43:26 +0000

Please update multiotp upload image. it little old. is a version 2019 multiotp-open-source-vm-009-5.6.1.5.ova

docker image error

burghy — Thu, 17 Feb 2022 09:05:35 +0000

hello.i trying to install multiotp on docker installed on a synology. there are various problems. What we discovered it's that, first of all, the docker image it's a little bit old so would be great to have a new one. port 80 is not working. Also, the first start/install didn't place the certificates under /etc/multiotp folder mapped on the docker host. So also the SSL contection was not working. The I tried to install the credential provider on a Windows 10 PC and test it. User unknown A little more documentation and logs would be great to understand where is the problem. and not a standard documentation would need the docker documentation. or someone who has managed to install it successfully

raspberry image

burghy — Thu, 17 Feb 2022 10:36:20 +0000

i read in the change log: WHAT'S NEW IN THE RELEASES ========================== # What's new in 5.8 releases - Raspberry Pi 4B support HOW TO BUILD A RASPBERRY PI STRONG AUTHENTICATION SERVER ? ========================================================== 0) If you want to download a multiOTP Raspberry Pi image ready to use, follow this URL: https://download.multiOTP.net/raspberry/ but in a link: https://download.multiotp.net/raspberry/ i don't find anythink

multiotp as Auithenticator for nginx

mth9977 — Wed, 09 Feb 2022 09:47:01 +0000

Hi there, i'm really a newbie on multiotp and nginx. therefor my question might be a little dumb. i'd like to have a reverse proxy which pre-authenticates users using mfa (with multiotp as source) in my current plan i need nginx as reverse-proxy, mutliotp for mfa and an apache as interface for authentication between the reverse-Proxy (nginx) and multiotp (because nginx does not speak radius) Is there a way to omit apache and have multiotp to do its work? Or will there be an easier way to solve this? Kind regards, mth9977

RD Gateway

idoch — Wed, 26 Aug 2020 18:58:37 +0000

We have tried to implement MultiOTP with the RD Gateway, but with MultiOTP protecting just the RDP part you get a second "logon" screen. Is there any way to make this process smoother? Perhaps just a screen that asks for the 2FA code (not username, password (again) and the code? Maybe a way to pre-fill the username and password with the info already submitted? Maybe better RD Gateway integration?

LDAP sync with eDirectory

dkenny — Fri, 20 Mar 2020 14:41:31 +0000

Hi there. I hoping someone can help with this sync problem I'm having. I'm connecting to eDirectory, which originally started with Novell, but is now with Micro Focus. We use several ldap clients which interact ok, but I'm having an error with multiotp when I try to do a users-sync or users-list. In looking at a wireshark trace, I can see a successful bind, but then an error "invalidDNSyntax". Multiotp reports the error as: warning LDAP Error: FATAL: AD/LDAP bind failed. The BaseDN is not accepted I'm using here since I need to start the search from the very top of the tree. I've also tried more specific values, like ou=accounting,o=alberta. Regardless of what I tried, I got the same error. Looking further at the wireshark trace, I see that there's a dn value of 'test-connection' that is being sent. I wonder if that is what may be causing this error since that object does not exist in the directory. Has anybody seen this kind of problem before or maybe some thoughts on where I should focus my efforts? Thanks!!

LDAP (AD) Sync and PINs?

adb100 — Thu, 18 Mar 2021 19:53:53 +0000

I have setup LDAP sync and a daily cron task to sync the users. I have been using this for a while and PINs are not required. I just checked the configuration file and I think it is set to request the LDAP Password & a prefix PIN by default: default_request_ldap_pwd=1 default_request_prefix_pin=1 However none of the users have this set in their configuration files: request_ldap_pwd=1 request_prefix_pin=0 This is a fairly vanilla setup, built from the 5.0.4.7 .OVA file and upgraded to the latest 5.8.1.1 release. Just wondering why my users don't have PINs? Andy

Upgraded to 5.8.1 and authentication now fails for all users?

adb100 — Mon, 15 Mar 2021 20:11:33 +0000

Upgraded to 5.8.1 on the VM version by copying the new files over the original and its stopped working... All users are failing authentication. If I test locally from the GUI I get 'failed (99 ERROR: Authentication failed (and other possible unknown errors)). Not sure how to debug it?

Setting to make LOCAL COMPUTER default rather than DOMAIN on RDP login screen

idoch — Thu, 12 Sep 2019 19:09:51 +0000

We are using an RD Gateway and we have some machines that we would like to default to the LOCAL computer for authentication (even though they may or may not have a domain available). It seems to default to the domain on the login screen. Example for a computer named PC: PC\Username <-- this is what we WANT and we can login to the local PC is we type this Domain\Username <-- this appears to be the default for all domain joined computers It appears that (if you are using a RD Gateway) the domain setting is not passed to the RDP login screen nor is it passed if you specify the username with the PC\Username format (PC\Username WILL be used to authenticate to the RD Gateway though). With the default Credential provider you CAN pass the domain from the RDP file as domain:s:DOMAIN or with the username username:s:PC\Username We tried to set the MOTP config option: domain_name=PC but that didn't seem to do anything We set the computer's default domain via GPO -- but that did not seem to change anything We tried to set: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName\PC and HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AltDefaultDomainName\PC The MOTP Credential Provider seems to be grabbing the domain name for the logon screen from: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain Does anyone have any ideas as to how to set MOTP to default to the local PC name 9such as %computername%) rather than the domain? I see that there is a plugin for pGina called the pGina Local Machine Plugin, but I'm not sure how that might relate to this situation. Anybody have any guidance? The default behavior (without MOTP) passes the parameters for domain (or domain\username) to the RD Gateway AND the RDP login. Is there a way to accomplish this? If not, is there a way to set the logon screen to use the local PC as default (rather than the domain)? Edit: Sorry about the formatting. I don't seem to have any formatting controls available. It looks better before I post.

Time changed on OTP server

elnino54 — Wed, 17 Jun 2020 02:16:53 +0000

Hi all, We had a time skew issue on our OTP server - Somehow it was still working with ~10 min skew but we had some minor issues with users logging in to windows offline with Credential provider that lead me to the issue of the time being out on the OTP server. I fixed the time skew issue but now I am having to resync users. Is there some way to just automatically resync all users?

SMS exec script

glassen — Mon, 10 Feb 2020 13:28:19 +0000

Good day, I'm trying to use the exec feature of sms with a non numerical identifier by setting the following

multiotp -config sms-provider=exec multiotp -config sms-api-id='/opt/multiotp/sms.sh %from %to %msg'

I have also created a user with the following commands

multiotp -fastcreate username multiotp -set username sms='nonNumericalIdentifier'

the sms.sh script is currently only for testing and contains the following:

#!/bin/bash echo $1 >> /etc/multiotp/smstext.log echo $2 >> /etc/multiotp/smstext.log echo $3 >> /etc/multiotp/smstext.log

But when i try to request a SMS by multiotp.php -debug -display-log -requiresms username it throws an error:

PHP Notice: Undefined variable: real_user in /opt/multiotp/multiotp.php on line 16209 PHP Notice: Undefined variable: real_user in /opt/multiotp/multiotp.php on line 16209 LOG 2020-02-10 11:08:15 warning SMS Error: no information on where to send SMS code for 60 *ERROR: No information on where to send SMS code LOG 2020-02-10 11:08:15 debug Debug Debug: *Attributes sent to the RADIUS server: Reply-Message := "ERROR: No information on where to send SMS code" Reply-Message := "ERROR: No information on where to send SMS code"

This is all worked around by removing the references to the CleanPhoneNumber() function in a few places.

My question is how the "special all-in-one-file multiotp.exe executable created using Enigma Virtual Box" is configured?
Since my ultimate goal is to use the Credential Provider with my currently modified multiphp.php to send the OTP via the exec function with a non numerical SMS "number".

Resilient MultiOTP devices?

adb100 — Wed, 09 Oct 2019 09:32:35 +0000

I have a single MultiOTP VM that is synchronising users from AD LDAP via a CRON job. Its all working OK, however I am looking to have a 2nd MultiOTP VM with the same configuration in 2nd location. Is it possible to just backup and restore the configuration to a 2nd VM replicating all the users?