Hello, I’m attempting to configure the Windows credential provider to pass authentication if the server isn’t available.
What I’ve done so far: created a policy within the server to allow pass on no token and pass on no user. This allows users to authenticate without the token, as long as the server is online.
I’m attempting to set the Windows 11 client to allow Windows username/password as the only credential in the event the server is offline. I’ve read that adding the registry string PassOnNoServer=1 will allow this. However, I’ve not had any success.
Any suggestions on how to accomplish this? Thank you!
Interesting. Where did you read PassonNoServer?
This would be the best security flaw I ever heard.
The passOnNoServer registry key is not officially documented in PrivacyIDEA’s primary documentation, but it is implemented in the PrivacyIDEA Credential Provider’s source code and has been referenced by PrivacyIDEA developers in support discussions and GitHub issues.
Primary Source: Credential Provider Source Code
The key source is the official repository:
GitHub - privacyidea/privacyidea-credential-provider: Credential Provider to enchance the Windows login with a second factor
Within the codebase, you’ll find passOnNoServer implemented as a registry-based flag.
Relevant source references:
Inside this function:
```cpp
ReadDwordFromRegistry(L"passOnNoServer", &_passOnNoServer);
```
And used later in the logic that determines if the credential provider should allow login when the server is unavailable.
Of course it was ChatGPT that ran me down this path… So what options would there be to log in, if the server wasn’t available?
Hi, you can specify an excluded account as stated in the documentation.
That doesn’t resolve the question asked.
Well, I think it does. There is obviously no blanket solution for all users, because why even do multifactor authentication then? So you can use the excluded account and fix your problems, or use an advanced network to increase availability so this situation does not occur.
“passOnNoServer” does not exist in the credential provider, only the excluded account setting.