Authentication failed (wrong token length)

I have the multiOTP HyperV appliance v5.9.0.3 and multiOTPCredentialProvider v5.9.7.1. I am using this to prompt for a 6-digit MFA code when a person connects via Remote Desktop to a Windows Server. The multiOTP appliance pulls members of the "2FAUsers" AD user group to create the user accounts and QR codes. This works well for a few weeks, then suddenly stops working. This is my third start-over attempt, and each time the problem reoccurs. The user supplies their username, then password, then 6-digit OTP at RDP logon, then after a pause the error "Wrong One Time PIN" is returned. If I run "multiotp -display-log -debug auser", I see the error "authentication typed by the user is 13 chars long instead of 6 chars" and "Authentication failed (wrong token length)". I am only typing in a 6-digit code when prompted, so I am puzzled where the additional 7 characters are coming from. Any ideas to steer me towards a resolution?

Comments

  • Hello Dozza,
    What is written in the log of the multiOTP HyperV appliance when you try to log on using the multiOTPCredentialProvider?
    Where did you run "multiotp -display-log -debug auser xxxx"? On the Windows Server (where multiOTPCredentialProvider is installed) or on the multiOTP HyperV appliance?
    Regards,
  • Hello AndreL, could you advise as to the location/path of the log on the multiOTP HyperV appliance? I am running "multiotp -display-log -debug auser" on the multiOTP HyperV appliance. I ran that command thinking that was how the log on the appliance was viewed.
  • Let me see if this log provides any clues: /var/log/multiotp/multiotp.log
  • Odd, it's working now after weeks of not working. I recently changed the "LAN Manager authentication level" on our Windows domain from "Refuse LM & NTLM" to just "Refuse LM". Does multiOTP rely on NTLM? (Not talking about NTLMv2 here.) Secondly, does the configuration in "C:\Program Files\multiOTP\config\multiotp.ini" on the Windows server need to be the same as "/etc/multiotp/config/multiotp.ini" on the multiOTP applianc
  • The error "(authentication typed by the user is 13 chars long instead of 6 chars)" shows in /var/log/multiotp/multiotp.log, but it is working now. Will reach out if the problem re-occurs.