Credential Provider fails with wrong username or password message

My lab with credential provider was working in July.

PrivacyIdea server container has never been stopped.

Windows client is up-to-date with Microsoft monthly updates

my test user is still able to authenticate with push app when login to PrivacyIdea server web page

But I have an error with Credential provider with the usual scenario

  1. I enter Windows username and password
  2. I validate the push request on my smartphone
  3. I receive an error in Credential provider about wrong username or password

I update Credential Provider but still have the same error

The debug on server side is too verbose for an easy troubleshooting

the CP debug log file looks more useful.

How can I fix this issue?

Thanks for your support

[17-10-2022 14:54:30] [Endpoint.cpp:353] WinHttp Result error: 12152
[17-10-2022 15:06:11] [CCredentialProviderFilter.cpp:39] CSample_CreateInstance - FILTER START
[17-10-2022 15:06:11] [CCredentialProviderFilter.cpp:108] CCredentialProviderFilter::CCredentialProviderFilter
[17-10-2022 15:06:11] [CCredentialProviderFilter.cpp:61] CCredentialProviderFilter::Filter CPUS_LOGON
[17-10-2022 15:06:11] [CCredentialProviderFilter.cpp:68] Filter disabled by registry setting!
[17-10-2022 15:06:11] [CProvider.cpp:82] CProvider::SetUsageScenario: CPUS_LOGON - AUTHENTICATION START
[17-10-2022 15:06:11] [Configuration.cpp:144] -----------------------------
[17-10-2022 15:06:11] [Configuration.cpp:145] CP Version: 3.2.1
[17-10-2022 15:06:11] [Configuration.cpp:147] Windows Version: 10.0.22000
[17-10-2022 15:06:11] [Configuration.cpp:148] ------- Configuration -------
[17-10-2022 15:06:11] [Configuration.cpp:149] Hostname: privacyideaferge-test.e-serv.ch
[17-10-2022 15:06:11] [Configuration.cpp:138] Login text: privacyIDEA Login
[17-10-2022 15:06:11] [Configuration.cpp:138] OTP failure text: Wrong One-Time Password!
[17-10-2022 15:06:11] [Configuration.cpp:162] Hide domain/full name: false/false
[17-10-2022 15:06:11] [Configuration.cpp:163] SSL ignore unknown CA/invalid CN: true/true
[17-10-2022 15:06:11] [Configuration.cpp:166] 2step enabled/send empty/domain password: true/false/true
[17-10-2022 15:06:11] [Configuration.cpp:167] Debug Log: true
[17-10-2022 15:06:11] [Configuration.cpp:168] Log sensitive data: true
[17-10-2022 15:06:11] [Configuration.cpp:169] No default: false
[17-10-2022 15:06:11] [Configuration.cpp:170] Show domain hint: false
[17-10-2022 15:06:11] [Configuration.cpp:125] Offline refill threshold: 0
[17-10-2022 15:06:11] [Configuration.cpp:189] -----------------------------
[17-10-2022 15:06:11] [Shared.cpp:30] Shared::IsRequiredForScenario
[17-10-2022 15:06:11] [Shared.cpp:138] Session is local
[17-10-2022 15:06:11] [Shared.cpp:66] Checking for Provider, CPUS_LOGON, local, entry=0e
[17-10-2022 15:06:11] [CProvider.cpp:120] SetUsageScenario result: 0x0
[17-10-2022 15:06:11] [CCredentialProviderFilter.cpp:39] CSample_CreateInstance - FILTER START
[17-10-2022 15:06:11] [CCredentialProviderFilter.cpp:108] CCredentialProviderFilter::CCredentialProviderFilter
[17-10-2022 15:06:11] [CCredentialProviderFilter.cpp:61] CCredentialProviderFilter::Filter CPUS_PLAP
[17-10-2022 15:06:11] [CCredentialProviderFilter.cpp:68] Filter disabled by registry setting!
[17-10-2022 15:06:11] [CProvider.cpp:226] CProvider::Advise
[17-10-2022 15:06:11] [CProvider.cpp:345] CProvider::GetCredentialCount
[17-10-2022 15:06:11] [CProvider.cpp:385] CProvider::GetCredentialAt
[17-10-2022 15:06:11] [CProvider.cpp:392] Checking if already serialized credentials are present
[17-10-2022 15:06:11] [CProvider.cpp:529] CProvider::_GetSerializedCredentials
[17-10-2022 15:06:11] [CProvider.cpp:435] Looking-up missing domain name from computer
[17-10-2022 15:06:11] [CProvider.cpp:446] Found domain:WORKGROUP
[17-10-2022 15:06:11] [CProvider.cpp:450] Initializing CCredential
[17-10-2022 15:06:11] [CCredential.cpp:73] CCredential::Initialize
[17-10-2022 15:06:11] [CCredential.cpp:107] Username from provider: empty
[17-10-2022 15:06:11] [CCredential.cpp:108] Domain from provider: WORKGROUP
[17-10-2022 15:06:11] [CCredential.cpp:111] Password from provider: empty
[17-10-2022 15:06:11] [CCredential.cpp:146] Init result: 0x0
[17-10-2022 15:06:11] [CProvider.cpp:476] Returning interface to credential
[17-10-2022 15:06:11] [CProvider.cpp:499] GetCredentialAt result 0x0
[17-10-2022 15:06:11] [CProvider.cpp:267] CProvider::GetFieldDescriptorCount
[17-10-2022 15:06:11] [CCredential.cpp:324] CCredential::GetBitmapValue
[17-10-2022 15:06:11] [CCredential.cpp:371] (long) 0
[17-10-2022 15:06:11] [CCredential.cpp:385] CCredential::GetSubmitButtonValue
[17-10-2022 15:06:11] [CCredential.cpp:189] CCredential::SetSelected
[17-10-2022 15:06:12] [CCredential.cpp:189] CCredential::SetSelected
[17-10-2022 15:06:24] [CCredential.cpp:755] CCredential::Connect: CREDENTIAL SUBMITTED - step 1
[17-10-2022 15:06:24] [Utilities.cpp:629] Utilities::CopyInputsToConfig
[17-10-2022 15:06:24] [Utilities.cpp:670] Loading user and domain from GUI: 'jdoe@corp'
[17-10-2022 15:06:24] [Utilities.cpp:678] Changing user from '' to 'jdoe'
[17-10-2022 15:06:24] [Utilities.cpp:693] Changing domain from 'WORKGROUP' to 'corp'
[17-10-2022 15:06:24] [Utilities.cpp:716] Loading password from GUI, value:
[17-10-2022 15:06:24] [Utilities.cpp:719] xxxxxxxxx
[17-10-2022 15:06:24] [Utilities.cpp:740] Loading OTP from GUI, from '' to ''
[17-10-2022 15:06:24] [CCredential.cpp:810] 1st step: Sending windows pass
[17-10-2022 15:06:24] [PrivacyIDEA.cpp:96] PrivacyIDEA::ValidateCheck
[17-10-2022 15:06:24] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/check
[17-10-2022 15:06:24] [Endpoint.cpp:72] Request parameters:
[17-10-2022 15:06:24] [Endpoint.cpp:79] pass=xxxxxxxxx
[17-10-2022 15:06:24] [Endpoint.cpp:79] user=jdoe
[17-10-2022 15:06:25] [Endpoint.cpp:367] {
    "detail": {
        "attributes": {
            "hideResponseInput": true
        },
        "client_mode": "poll",
        "message": "Please confirm the authentication on your mobile device!",
        "messages": [
            "Please confirm the authentication on your mobile device!"
        ],
        "multi_challenge": [
            {
                "attributes": {
                    "hideResponseInput": true
                },
                "client_mode": "poll",
                "message": "Please confirm the authentication on your mobile device!",
                "serial": "PIPU00005383",
                "transaction_id": "18335783138859868666",
                "type": "push"
            }
        ],
        "serial": "PIPU00005383",
        "threadid": 140173293106944,
        "transaction_id": "18335783138859868666",
        "transaction_ids": [
            "18335783138859868666"
        ],
        "type": "push"
    },
    "id": 2,
    "jsonrpc": "2.0",
    "result": {
        "authentication": "CHALLENGE",
        "status": true,
        "value": false
    },
    "signature": "rsa_sha256_pss:4efda2409ac2bc3c893ba5b3853fcb3425c96105810a0e6c5e11f7db808db93b195ea0fd5cbfadbd0a0b956af8c33b269bc22052559a562d7d59d390a5a4e896a10af0786e9d62187b24d1e15f885b01154f187dcdbf3f28541892813125fdf5741424928688cb6f788d67a178532fb2835310cc1274c4807697a208f00cf431fbddc777277994cc24a5a330fb7618d199ed9586ca86dd819ed10f9ed5e8899857ddc9a46b22e7d4d273559afd7362c9c58cfff10e00a0e26036e79ace8a2dcee41740806d3cf92e5e91768bd7b6ad9e653319e4a75b1ae6e7efdbee32de12208384ac3ad255dc404978a1f90f434fa43d4b1acf355aeb25ba9b8afc4b2e2a61",
    "time": 1666011985.8190806,
    "version": "privacyIDEA 3.7.1",
    "versionnumber": "3.7.1"
}
[17-10-2022 15:06:25] [JsonParser.cpp:224] JsonParser::ParseResponseForOfflineData
[17-10-2022 15:06:25] [JsonParser.cpp:53] JsonParser::ParsePIResponse
[17-10-2022 15:06:25] [CCredential.cpp:873] Challenges have been triggered
[17-10-2022 15:06:25] [PrivacyIDEA.cpp:59] Starting poll thread...
[17-10-2022 15:06:25] [CCredential.cpp:888] Authentication complete: false
[17-10-2022 15:06:25] [CCredential.cpp:889] Connect - END
[17-10-2022 15:06:25] [CCredential.cpp:589] CCredential::GetSerialization
[17-10-2022 15:06:25] [Utilities.cpp:330] SetScenario: SECOND_STEP
[17-10-2022 15:06:25] [Utilities.cpp:482] Utilities::SetFieldStatePairBatch
[17-10-2022 15:06:25] [CCredential.cpp:719] CPGSR_NO_CREDENTIAL_NOT_FINISHED
[17-10-2022 15:06:25] [CCredential.cpp:725] CCredential::GetSerialization - END
[17-10-2022 15:06:26] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/polltransaction
[17-10-2022 15:06:26] [Endpoint.cpp:72] Request parameters:
[17-10-2022 15:06:26] [Endpoint.cpp:79] transaction_id=18335783138859868666
[17-10-2022 15:06:26] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/polltransaction
[17-10-2022 15:06:26] [Endpoint.cpp:72] Request parameters:
[17-10-2022 15:06:26] [Endpoint.cpp:79] transaction_id=18335783138859868666
[17-10-2022 15:06:27] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/polltransaction
[17-10-2022 15:06:27] [Endpoint.cpp:72] Request parameters:
[17-10-2022 15:06:27] [Endpoint.cpp:79] transaction_id=18335783138859868666
[17-10-2022 15:06:28] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/polltransaction
[17-10-2022 15:06:28] [Endpoint.cpp:72] Request parameters:
[17-10-2022 15:06:28] [Endpoint.cpp:79] transaction_id=18335783138859868666
[17-10-2022 15:06:28] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/polltransaction
[17-10-2022 15:06:28] [Endpoint.cpp:72] Request parameters:
[17-10-2022 15:06:28] [Endpoint.cpp:79] transaction_id=18335783138859868666
[17-10-2022 15:06:29] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/polltransaction
[17-10-2022 15:06:29] [Endpoint.cpp:72] Request parameters:
[17-10-2022 15:06:29] [Endpoint.cpp:79] transaction_id=18335783138859868666
[17-10-2022 15:06:29] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/polltransaction
[17-10-2022 15:06:29] [Endpoint.cpp:72] Request parameters:
[17-10-2022 15:06:29] [Endpoint.cpp:79] transaction_id=18335783138859868666
[17-10-2022 15:06:30] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/polltransaction
[17-10-2022 15:06:30] [Endpoint.cpp:72] Request parameters:
[17-10-2022 15:06:30] [Endpoint.cpp:79] transaction_id=18335783138859868666
[17-10-2022 15:06:31] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/polltransaction
[17-10-2022 15:06:31] [Endpoint.cpp:72] Request parameters:
[17-10-2022 15:06:31] [Endpoint.cpp:79] transaction_id=18335783138859868666
[17-10-2022 15:06:31] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/polltransaction
[17-10-2022 15:06:31] [Endpoint.cpp:72] Request parameters:
[17-10-2022 15:06:31] [Endpoint.cpp:79] transaction_id=18335783138859868666
[17-10-2022 15:06:32] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/polltransaction
[17-10-2022 15:06:32] [Endpoint.cpp:72] Request parameters:
[17-10-2022 15:06:32] [Endpoint.cpp:79] transaction_id=18335783138859868666
[17-10-2022 15:06:33] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/polltransaction
[17-10-2022 15:06:33] [Endpoint.cpp:72] Request parameters:
[17-10-2022 15:06:33] [Endpoint.cpp:79] transaction_id=18335783138859868666
[17-10-2022 15:06:33] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/polltransaction
[17-10-2022 15:06:33] [Endpoint.cpp:72] Request parameters:
[17-10-2022 15:06:33] [Endpoint.cpp:79] transaction_id=18335783138859868666
[17-10-2022 15:06:35] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/polltransaction
[17-10-2022 15:06:35] [Endpoint.cpp:72] Request parameters:
[17-10-2022 15:06:35] [Endpoint.cpp:79] transaction_id=18335783138859868666
[17-10-2022 15:06:35] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/polltransaction
[17-10-2022 15:06:35] [Endpoint.cpp:72] Request parameters:
[17-10-2022 15:06:35] [Endpoint.cpp:79] transaction_id=18335783138859868666
[17-10-2022 15:06:36] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/polltransaction
[17-10-2022 15:06:36] [Endpoint.cpp:72] Request parameters:
[17-10-2022 15:06:36] [Endpoint.cpp:79] transaction_id=18335783138859868666
[17-10-2022 15:06:37] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/polltransaction
[17-10-2022 15:06:37] [Endpoint.cpp:72] Request parameters:
[17-10-2022 15:06:37] [Endpoint.cpp:79] transaction_id=18335783138859868666
[17-10-2022 15:06:38] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/polltransaction
[17-10-2022 15:06:38] [Endpoint.cpp:72] Request parameters:
[17-10-2022 15:06:38] [Endpoint.cpp:79] transaction_id=18335783138859868666
[17-10-2022 15:06:38] [PrivacyIDEA.cpp:74] Polling stopped
[17-10-2022 15:06:38] [PrivacyIDEA.cpp:78] Finalizing transaction...
[17-10-2022 15:06:38] [PrivacyIDEA.cpp:96] PrivacyIDEA::ValidateCheck
[17-10-2022 15:06:38] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/check
[17-10-2022 15:06:38] [Endpoint.cpp:72] Request parameters:
[17-10-2022 15:06:38] [Endpoint.cpp:79] pass=
[17-10-2022 15:06:38] [Endpoint.cpp:79] transaction_id=18335783138859868666
[17-10-2022 15:06:38] [Endpoint.cpp:79] user=jdoe
[17-10-2022 15:06:39] [Endpoint.cpp:367] {
    "detail": {
        "message": "Found matching challenge",
        "serial": "PIPU00005383",
        "threadid": 140173293106944
    },
    "id": 2,
    "jsonrpc": "2.0",
    "result": {
        "authentication": "ACCEPT",
        "status": true,
        "value": true
    },
    "signature": "rsa_sha256_pss:92ec4e3bf445e6b2a93b8afbee4434a03c5a895f6cff00ecfb7acdc89c8e20238e7be6d30ea1d321238672a8f148668e37d5e925c96cf28a9db7d41190b94297c1ad90764e387e07720b051280d1578f1a353e775df0cb24f80a7a8168xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxcfe202d1e18887eafecf6642bf63fb1d3050a7902b4a26bed94df7507aefc8172a795a4ad42c8fe7396c9c38e8bda3eeb9b641d2bc407e651f60d6ae949bed78afe8d4cf2eecd3f48ae71b3853dd75b4e41cc119f5d2a58efdbb92fb5c110c94877b3f6ba00be9fa528ddf1e073c1ca9bbbf2ce7cd5d87883b6d62928975d4d1c6785a4e86fac8",
    "time": 1666011999.1162498,
    "version": "privacyIDEA 3.7.1",
    "versionnumber": "3.7.1"
}
[17-10-2022 15:06:39] [JsonParser.cpp:224] JsonParser::ParseResponseForOfflineData
[17-10-2022 15:06:39] [JsonParser.cpp:53] JsonParser::ParsePIResponse
[17-10-2022 15:06:39] [CCredential.cpp:741] CCredential::PushAuthenticationCallback
[17-10-2022 15:06:39] [CProvider.cpp:345] CProvider::GetCredentialCount
[17-10-2022 15:06:39] [CProvider.cpp:385] CProvider::GetCredentialAt
[17-10-2022 15:06:39] [CProvider.cpp:476] Returning interface to credential
[17-10-2022 15:06:39] [CProvider.cpp:499] GetCredentialAt result 0x0
[17-10-2022 15:06:39] [CProvider.cpp:267] CProvider::GetFieldDescriptorCount
[17-10-2022 15:06:39] [CCredential.cpp:324] CCredential::GetBitmapValue
[17-10-2022 15:06:39] [CCredential.cpp:371] (long) 0
[17-10-2022 15:06:39] [CCredential.cpp:385] CCredential::GetSubmitButtonValue
[17-10-2022 15:06:39] [CCredential.cpp:189] CCredential::SetSelected
[17-10-2022 15:06:39] [CCredential.cpp:196] AUTOLOGON ENABLED!
[17-10-2022 15:06:39] [CCredential.cpp:755] CCredential::Connect: CREDENTIAL SUBMITTED - step 2
[17-10-2022 15:06:39] [Utilities.cpp:629] Utilities::CopyInputsToConfig
[17-10-2022 15:06:39] [Utilities.cpp:670] Loading user and domain from GUI: 'jdoe@corp'
[17-10-2022 15:06:39] [Utilities.cpp:678] Changing user from 'jdoe' to 'jdoe'
[17-10-2022 15:06:39] [Utilities.cpp:693] Changing domain from 'corp' to 'corp'
[17-10-2022 15:06:39] [Utilities.cpp:716] Loading password from GUI, value:
[17-10-2022 15:06:39] [Utilities.cpp:719] xxxxxxxxx
[17-10-2022 15:06:39] [Utilities.cpp:740] Loading OTP from GUI, from '' to ''
[17-10-2022 15:06:39] [CCredential.cpp:784] Bypassing privacyIDEA...
[17-10-2022 15:06:39] [CCredential.cpp:589] CCredential::GetSerialization
[17-10-2022 15:06:39] [PrivacyIDEA.cpp:194] Stopping poll thread...
[17-10-2022 15:06:39] [Utilities.cpp:47] Utilities::KerberosLogon - Packing Credential with: 
[17-10-2022 15:06:39] [Utilities.cpp:57] Username: jdoe
[17-10-2022 15:06:39] [Utilities.cpp:59] Password: xxxxxxxxx
[17-10-2022 15:06:39] [Utilities.cpp:60] Domain: corp
[17-10-2022 15:06:39] [Utilities.cpp:438] Utilities::Clear
[17-10-2022 15:06:39] [CCredential.cpp:720] CPGSR_RETURN_CREDENTIAL_FINISHED
[17-10-2022 15:06:39] [CCredential.cpp:725] CCredential::GetSerialization - END
[17-10-2022 15:06:39] [CCredential.cpp:909] CCredential::ReportResult
[17-10-2022 15:06:39] [CCredential.cpp:911] ntsStatus: 0xc000006d, ntsSubstatus: 0x0
[17-10-2022 15:06:39] [CCredential.cpp:920] Complete reset!
[17-10-2022 15:06:39] [Utilities.cpp:764] Utilities::ResetScenario
[17-10-2022 15:06:39] [Utilities.cpp:346] SetScenario: LOGON_TWO_STEP
[17-10-2022 15:06:39] [Utilities.cpp:482] Utilities::SetFieldStatePairBatch
[17-10-2022 15:06:40] [CCredential.cpp:189] CCredential::SetSelected
[17-10-2022 15:06:41] [CCredential.cpp:247] CCredential::SetDeselected
[17-10-2022 15:06:41] [Utilities.cpp:438] Utilities::Clear
[17-10-2022 15:06:41] [Utilities.cpp:764] Utilities::ResetScenario
[17-10-2022 15:06:41] [Utilities.cpp:346] SetScenario: LOGON_TWO_STEP
[17-10-2022 15:06:41] [Utilities.cpp:482] Utilities::SetFieldStatePairBatch
[17-10-2022 15:06:47] [CProvider.cpp:244] CProvider::UnAdvise - AUTHENTICATION END
[17-10-2022 15:06:47] [Utilities.cpp:438] Utilities::Clear

This is because you entered your credentials wrong.

Hi Nils,

unfortunately, username and passwords are the right ones as

  • they are present in the log with the right value
  • I can use them to LDAP authentication against AD
  • I can use them to open a Windows session without PrivacyIdea Credential Provider

Password expired? Reset Policy?

(/me putting back his magic glass ball)

I am able to connect with the provided credentials on a Windows desktop with no Credential Provider, on Privacy Idea web pages and with direct ldapsearch as well

If these credentials are correct:

And you get

[17-10-2022 15:06:39] [CCredential.cpp:911] ntsStatus: 0xc000006d, ntsSubstatus: 0x0

I don’t see what we could do (or could do wrong), because there is nothing we do inbetween those things.
The login will be attempted with corp\jdoe and the password.
It is the result reported by Windows that the credentials are wrong.

@cornelinux Those errors would produce differently values für ntsStatus and ntsSubstatus.

I do confirm: credentials are rights !

How many special characters do you have in your password? Does it happen with other passwords?