Credential Provider fails with wrong username or password message

My lab with Credential Provider was working in July.

The PrivacyIdea server container has never been stopped.

The Windows client is up to date with Microsoft monthly updates.

My test user is still able to authenticate with the push app when logging in to the PrivacyIdea server web page.

But I have an error with Credential Provider with the usual scenario:

  1. I enter Windows username and password
  2. I validate the push request on my smartphone
  3. I receive an error in Credential provider about wrong username or password

I updated Credential Provider but still have the same error.

The debug on the server side is too verbose for easy troubleshooting.

The CP debug log file looks more useful.

How can I fix this issue?

Thanks for your support

[17-10-2022 14:54:30] [Endpoint.cpp:353] WinHttp Result error: 12152
[17-10-2022 15:06:11] [CCredentialProviderFilter.cpp:39] CSample_CreateInstance - FILTER START
[17-10-2022 15:06:11] [CCredentialProviderFilter.cpp:108] CCredentialProviderFilter::CCredentialProviderFilter
[17-10-2022 15:06:11] [CCredentialProviderFilter.cpp:61] CCredentialProviderFilter::Filter CPUS_LOGON
[17-10-2022 15:06:11] [CCredentialProviderFilter.cpp:68] Filter disabled by registry setting!
[17-10-2022 15:06:11] [CProvider.cpp:82] CProvider::SetUsageScenario: CPUS_LOGON - AUTHENTICATION START
[17-10-2022 15:06:11] [Configuration.cpp:144] -----------------------------
[17-10-2022 15:06:11] [Configuration.cpp:145] CP Version: 3.2.1
[17-10-2022 15:06:11] [Configuration.cpp:147] Windows Version: 10.0.22000
[17-10-2022 15:06:11] [Configuration.cpp:148] ------- Configuration -------
[17-10-2022 15:06:11] [Configuration.cpp:149] Hostname: privacyideaferge-test.e-serv.ch
[17-10-2022 15:06:11] [Configuration.cpp:138] Login text: privacyIDEA Login
[17-10-2022 15:06:11] [Configuration.cpp:138] OTP failure text: Wrong One-Time Password!
[17-10-2022 15:06:11] [Configuration.cpp:162] Hide domain/full name: false/false
[17-10-2022 15:06:11] [Configuration.cpp:163] SSL ignore unknown CA/invalid CN: true/true
[17-10-2022 15:06:11] [Configuration.cpp:166] 2step enabled/send empty/domain password: true/false/true
[17-10-2022 15:06:11] [Configuration.cpp:167] Debug Log: true
[17-10-2022 15:06:11] [Configuration.cpp:168] Log sensitive data: true
[17-10-2022 15:06:11] [Configuration.cpp:169] No default: false
[17-10-2022 15:06:11] [Configuration.cpp:170] Show domain hint: false
[17-10-2022 15:06:11] [Configuration.cpp:125] Offline refill threshold: 0
[17-10-2022 15:06:11] [Configuration.cpp:189] -----------------------------
[17-10-2022 15:06:11] [Shared.cpp:30] Shared::IsRequiredForScenario
[17-10-2022 15:06:11] [Shared.cpp:138] Session is local
[17-10-2022 15:06:11] [Shared.cpp:66] Checking for Provider, CPUS_LOGON, local, entry=0e
[17-10-2022 15:06:11] [CProvider.cpp:120] SetUsageScenario result: 0x0
[17-10-2022 15:06:11] [CCredentialProviderFilter.cpp:39] CSample_CreateInstance - FILTER START
[17-10-2022 15:06:11] [CCredentialProviderFilter.cpp:108] CCredentialProviderFilter::CCredentialProviderFilter
[17-10-2022 15:06:11] [CCredentialProviderFilter.cpp:61] CCredentialProviderFilter::Filter CPUS_PLAP
[17-10-2022 15:06:11] [CCredentialProviderFilter.cpp:68] Filter disabled by registry setting!
[17-10-2022 15:06:11] [CProvider.cpp:226] CProvider::Advise
[17-10-2022 15:06:11] [CProvider.cpp:345] CProvider::GetCredentialCount
[17-10-2022 15:06:11] [CProvider.cpp:385] CProvider::GetCredentialAt
[17-10-2022 15:06:11] [CProvider.cpp:392] Checking if already serialized credentials are present
[17-10-2022 15:06:11] [CProvider.cpp:529] CProvider::_GetSerializedCredentials
[17-10-2022 15:06:11] [CProvider.cpp:435] Looking-up missing domain name from computer
[17-10-2022 15:06:11] [CProvider.cpp:446] Found domain:WORKGROUP
[17-10-2022 15:06:11] [CProvider.cpp:450] Initializing CCredential
[17-10-2022 15:06:11] [CCredential.cpp:73] CCredential::Initialize
[17-10-2022 15:06:11] [CCredential.cpp:107] Username from provider: empty
[17-10-2022 15:06:11] [CCredential.cpp:108] Domain from provider: WORKGROUP
[17-10-2022 15:06:11] [CCredential.cpp:111] Password from provider: empty
[17-10-2022 15:06:11] [CCredential.cpp:146] Init result: 0x0
[17-10-2022 15:06:11] [CProvider.cpp:476] Returning interface to credential
[17-10-2022 15:06:11] [CProvider.cpp:499] GetCredentialAt result 0x0
[17-10-2022 15:06:11] [CProvider.cpp:267] CProvider::GetFieldDescriptorCount
[17-10-2022 15:06:11] [CCredential.cpp:324] CCredential::GetBitmapValue
[17-10-2022 15:06:11] [CCredential.cpp:371] (long) 0
[17-10-2022 15:06:11] [CCredential.cpp:385] CCredential::GetSubmitButtonValue
[17-10-2022 15:06:11] [CCredential.cpp:189] CCredential::SetSelected
[17-10-2022 15:06:12] [CCredential.cpp:189] CCredential::SetSelected
[17-10-2022 15:06:24] [CCredential.cpp:755] CCredential::Connect: CREDENTIAL SUBMITTED - step 1
[17-10-2022 15:06:24] [Utilities.cpp:629] Utilities::CopyInputsToConfig
[17-10-2022 15:06:24] [Utilities.cpp:670] Loading user and domain from GUI: 'jdoe@corp'
[17-10-2022 15:06:24] [Utilities.cpp:678] Changing user from '' to 'jdoe'
[17-10-2022 15:06:24] [Utilities.cpp:693] Changing domain from 'WORKGROUP' to 'corp'
[17-10-2022 15:06:24] [Utilities.cpp:716] Loading password from GUI, value:
[17-10-2022 15:06:24] [Utilities.cpp:719] xxxxxxxxx
[17-10-2022 15:06:24] [Utilities.cpp:740] Loading OTP from GUI, from '' to ''
[17-10-2022 15:06:24] [CCredential.cpp:810] 1st step: Sending windows pass
[17-10-2022 15:06:24] [PrivacyIDEA.cpp:96] PrivacyIDEA::ValidateCheck
[17-10-2022 15:06:24] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/check
[17-10-2022 15:06:24] [Endpoint.cpp:72] Request parameters:
[17-10-2022 15:06:24] [Endpoint.cpp:79] pass=xxxxxxxxx
[17-10-2022 15:06:24] [Endpoint.cpp:79] user=jdoe
[17-10-2022 15:06:25] [Endpoint.cpp:367] {
    "detail": {
        "attributes": {
            "hideResponseInput": true
        },
        "client_mode": "poll",
        "message": "Please confirm the authentication on your mobile device!",
        "messages": [
            "Please confirm the authentication on your mobile device!"
        ],
        "multi_challenge": [
            {
                "attributes": {
                    "hideResponseInput": true
                },
                "client_mode": "poll",
                "message": "Please confirm the authentication on your mobile device!",
                "serial": "PIPU00005383",
                "transaction_id": "18335783138859868666",
                "type": "push"
            }
        ],
        "serial": "PIPU00005383",
        "threadid": 140173293106944,
        "transaction_id": "18335783138859868666",
        "transaction_ids": [
            "18335783138859868666"
        ],
        "type": "push"
    },
    "id": 2,
    "jsonrpc": "2.0",
    "result": {
        "authentication": "CHALLENGE",
        "status": true,
        "value": false
    },
    "signature": "rsa_sha256_pss:[removed]",
    "time": 1666011985.8190806,
    "version": "privacyIDEA 3.7.1",
    "versionnumber": "3.7.1"
}
[17-10-2022 15:06:25] [JsonParser.cpp:224] JsonParser::ParseResponseForOfflineData
[17-10-2022 15:06:25] [JsonParser.cpp:53] JsonParser::ParsePIResponse
[17-10-2022 15:06:25] [CCredential.cpp:873] Challenges have been triggered
[17-10-2022 15:06:25] [PrivacyIDEA.cpp:59] Starting poll thread...
[17-10-2022 15:06:25] [CCredential.cpp:888] Authentication complete: false
[17-10-2022 15:06:25] [CCredential.cpp:889] Connect - END
[17-10-2022 15:06:25] [CCredential.cpp:589] CCredential::GetSerialization
[17-10-2022 15:06:25] [Utilities.cpp:330] SetScenario: SECOND_STEP
[17-10-2022 15:06:25] [Utilities.cpp:482] Utilities::SetFieldStatePairBatch
[17-10-2022 15:06:25] [CCredential.cpp:719] CPGSR_NO_CREDENTIAL_NOT_FINISHED
[17-10-2022 15:06:25] [CCredential.cpp:725] CCredential::GetSerialization - END
[17-10-2022 15:06:26] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/polltransaction
[17-10-2022 15:06:26] [Endpoint.cpp:72] Request parameters:
[17-10-2022 15:06:26] [Endpoint.cpp:79] transaction_id=18335783138859868666
[17-10-2022 15:06:26] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/polltransaction
[17-10-2022 15:06:26] [Endpoint.cpp:72] Request parameters:
[17-10-2022 15:06:26] [Endpoint.cpp:79] transaction_id=18335783138859868666
[17-10-2022 15:06:27] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/polltransaction
[17-10-2022 15:06:27] [Endpoint.cpp:72] Request parameters:
[17-10-2022 15:06:27] [Endpoint.cpp:79] transaction_id=18335783138859868666
[17-10-2022 15:06:28] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/polltransaction
[17-10-2022 15:06:28] [Endpoint.cpp:72] Request parameters:
[17-10-2022 15:06:28] [Endpoint.cpp:79] transaction_id=18335783138859868666
[17-10-2022 15:06:28] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/polltransaction
[17-10-2022 15:06:28] [Endpoint.cpp:72] Request parameters:
[17-10-2022 15:06:28] [Endpoint.cpp:79] transaction_id=18335783138859868666
[17-10-2022 15:06:29] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/polltransaction
[17-10-2022 15:06:29] [Endpoint.cpp:72] Request parameters:
[17-10-2022 15:06:29] [Endpoint.cpp:79] transaction_id=18335783138859868666
[17-10-2022 15:06:29] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/polltransaction
[17-10-2022 15:06:29] [Endpoint.cpp:72] Request parameters:
[17-10-2022 15:06:29] [Endpoint.cpp:79] transaction_id=18335783138859868666
[17-10-2022 15:06:30] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/polltransaction
[17-10-2022 15:06:30] [Endpoint.cpp:72] Request parameters:
[17-10-2022 15:06:30] [Endpoint.cpp:79] transaction_id=18335783138859868666
[17-10-2022 15:06:31] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/polltransaction
[17-10-2022 15:06:31] [Endpoint.cpp:72] Request parameters:
[17-10-2022 15:06:31] [Endpoint.cpp:79] transaction_id=18335783138859868666
[17-10-2022 15:06:31] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/polltransaction
[17-10-2022 15:06:31] [Endpoint.cpp:72] Request parameters:
[17-10-2022 15:06:31] [Endpoint.cpp:79] transaction_id=18335783138859868666
[17-10-2022 15:06:32] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/polltransaction
[17-10-2022 15:06:32] [Endpoint.cpp:72] Request parameters:
[17-10-2022 15:06:32] [Endpoint.cpp:79] transaction_id=18335783138859868666
[17-10-2022 15:06:33] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/polltransaction
[17-10-2022 15:06:33] [Endpoint.cpp:72] Request parameters:
[17-10-2022 15:06:33] [Endpoint.cpp:79] transaction_id=18335783138859868666
[17-10-2022 15:06:33] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/polltransaction
[17-10-2022 15:06:33] [Endpoint.cpp:72] Request parameters:
[17-10-2022 15:06:33] [Endpoint.cpp:79] transaction_id=18335783138859868666
[17-10-2022 15:06:35] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/polltransaction
[17-10-2022 15:06:35] [Endpoint.cpp:72] Request parameters:
[17-10-2022 15:06:35] [Endpoint.cpp:79] transaction_id=18335783138859868666
[17-10-2022 15:06:35] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/polltransaction
[17-10-2022 15:06:35] [Endpoint.cpp:72] Request parameters:
[17-10-2022 15:06:35] [Endpoint.cpp:79] transaction_id=18335783138859868666
[17-10-2022 15:06:36] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/polltransaction
[17-10-2022 15:06:36] [Endpoint.cpp:72] Request parameters:
[17-10-2022 15:06:36] [Endpoint.cpp:79] transaction_id=18335783138859868666
[17-10-2022 15:06:37] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/polltransaction
[17-10-2022 15:06:37] [Endpoint.cpp:72] Request parameters:
[17-10-2022 15:06:37] [Endpoint.cpp:79] transaction_id=18335783138859868666
[17-10-2022 15:06:38] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/polltransaction
[17-10-2022 15:06:38] [Endpoint.cpp:72] Request parameters:
[17-10-2022 15:06:38] [Endpoint.cpp:79] transaction_id=18335783138859868666
[17-10-2022 15:06:38] [PrivacyIDEA.cpp:74] Polling stopped
[17-10-2022 15:06:38] [PrivacyIDEA.cpp:78] Finalizing transaction...
[17-10-2022 15:06:38] [PrivacyIDEA.cpp:96] PrivacyIDEA::ValidateCheck
[17-10-2022 15:06:38] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/check
[17-10-2022 15:06:38] [Endpoint.cpp:72] Request parameters:
[17-10-2022 15:06:38] [Endpoint.cpp:79] pass=
[17-10-2022 15:06:38] [Endpoint.cpp:79] transaction_id=18335783138859868666
[17-10-2022 15:06:38] [Endpoint.cpp:79] user=jdoe
[17-10-2022 15:06:39] [Endpoint.cpp:367] {
    "detail": {
        "message": "Found matching challenge",
        "serial": "PIPU00005383",
        "threadid": 140173293106944
    },
    "id": 2,
    "jsonrpc": "2.0",
    "result": {
        "authentication": "ACCEPT",
        "status": true,
        "value": true
    },
    "signature": "rsa_sha256_pss:[removed]",
    "time": 1666011999.1162498,
    "version": "privacyIDEA 3.7.1",
    "versionnumber": "3.7.1"
}
[17-10-2022 15:06:39] [JsonParser.cpp:224] JsonParser::ParseResponseForOfflineData
[17-10-2022 15:06:39] [JsonParser.cpp:53] JsonParser::ParsePIResponse
[17-10-2022 15:06:39] [CCredential.cpp:741] CCredential::PushAuthenticationCallback
[17-10-2022 15:06:39] [CProvider.cpp:345] CProvider::GetCredentialCount
[17-10-2022 15:06:39] [CProvider.cpp:385] CProvider::GetCredentialAt
[17-10-2022 15:06:39] [CProvider.cpp:476] Returning interface to credential
[17-10-2022 15:06:39] [CProvider.cpp:499] GetCredentialAt result 0x0
[17-10-2022 15:06:39] [CProvider.cpp:267] CProvider::GetFieldDescriptorCount
[17-10-2022 15:06:39] [CCredential.cpp:324] CCredential::GetBitmapValue
[17-10-2022 15:06:39] [CCredential.cpp:371] (long) 0
[17-10-2022 15:06:39] [CCredential.cpp:385] CCredential::GetSubmitButtonValue
[17-10-2022 15:06:39] [CCredential.cpp:189] CCredential::SetSelected
[17-10-2022 15:06:39] [CCredential.cpp:196] AUTOLOGON ENABLED!
[17-10-2022 15:06:39] [CCredential.cpp:755] CCredential::Connect: CREDENTIAL SUBMITTED - step 2
[17-10-2022 15:06:39] [Utilities.cpp:629] Utilities::CopyInputsToConfig
[17-10-2022 15:06:39] [Utilities.cpp:670] Loading user and domain from GUI: 'jdoe@corp'
[17-10-2022 15:06:39] [Utilities.cpp:678] Changing user from 'jdoe' to 'jdoe'
[17-10-2022 15:06:39] [Utilities.cpp:693] Changing domain from 'corp' to 'corp'
[17-10-2022 15:06:39] [Utilities.cpp:716] Loading password from GUI, value:
[17-10-2022 15:06:39] [Utilities.cpp:719] xxxxxxxxx
[17-10-2022 15:06:39] [Utilities.cpp:740] Loading OTP from GUI, from '' to ''
[17-10-2022 15:06:39] [CCredential.cpp:784] Bypassing privacyIDEA...
[17-10-2022 15:06:39] [CCredential.cpp:589] CCredential::GetSerialization
[17-10-2022 15:06:39] [PrivacyIDEA.cpp:194] Stopping poll thread...
[17-10-2022 15:06:39] [Utilities.cpp:47] Utilities::KerberosLogon - Packing Credential with: 
[17-10-2022 15:06:39] [Utilities.cpp:57] Username: jdoe
[17-10-2022 15:06:39] [Utilities.cpp:59] Password: xxxxxxxxx
[17-10-2022 15:06:39] [Utilities.cpp:60] Domain: corp
[17-10-2022 15:06:39] [Utilities.cpp:438] Utilities::Clear
[17-10-2022 15:06:39] [CCredential.cpp:720] CPGSR_RETURN_CREDENTIAL_FINISHED
[17-10-2022 15:06:39] [CCredential.cpp:725] CCredential::GetSerialization - END
[17-10-2022 15:06:39] [CCredential.cpp:909] CCredential::ReportResult
[17-10-2022 15:06:39] [CCredential.cpp:911] ntsStatus: 0xc000006d, ntsSubstatus: 0x0
[17-10-2022 15:06:39] [CCredential.cpp:920] Complete reset!
[17-10-2022 15:06:39] [Utilities.cpp:764] Utilities::ResetScenario
[17-10-2022 15:06:39] [Utilities.cpp:346] SetScenario: LOGON_TWO_STEP
[17-10-2022 15:06:39] [Utilities.cpp:482] Utilities::SetFieldStatePairBatch
[17-10-2022 15:06:40] [CCredential.cpp:189] CCredential::SetSelected
[17-10-2022 15:06:41] [CCredential.cpp:247] CCredential::SetDeselected
[17-10-2022 15:06:41] [Utilities.cpp:438] Utilities::Clear
[17-10-2022 15:06:41] [Utilities.cpp:764] Utilities::ResetScenario
[17-10-2022 15:06:41] [Utilities.cpp:346] SetScenario: LOGON_TWO_STEP
[17-10-2022 15:06:41] [Utilities.cpp:482] Utilities::SetFieldStatePairBatch
[17-10-2022 15:06:47] [CProvider.cpp:244] CProvider::UnAdvise - AUTHENTICATION END
[17-10-2022 15:06:47] [Utilities.cpp:438] Utilities::Clear

This is because you entered your credentials wrong.

Hi Nils,

Unfortunately, the username and password are the right ones, as

  • they are present in the log with the right value
  • I can use them for LDAP authentication against AD
  • I can use them to open a Windows session without PrivacyIdea Credential Provider

Password expired? Reset Policy?

(/me putting back his magic glass ball)

I am able to connect with the provided credentials on a Windows desktop with no Credential Provider, on PrivacyIdea web pages, and with direct ldapsearch as well.

If these credentials are correct:

And you get

[17-10-2022 15:06:39] [CCredential.cpp:911] ntsStatus: 0xc000006d, ntsSubstatus: 0x0

I don’t see what we could do (or could do wrong), because there is nothing we do in between those things.
The login will be attempted with corp\jdoe and the password.
It is the result reported by Windows that the credentials are wrong.

@cornelinux Those errors would produce different values for ntsStatus and ntsSubstatus.

I do confirm: credentials are right!

How many special characters do you have in your password? Does it happen with other passwords?

Hey, I was wondering if you have been able to fix the issue in the last months?
I ran into the same problem even though my AD-Account is activated and PrivacyIDEA is able to find a matching Token for the authenticating user and states that the authentication was ‘successful’.

What does your log look like? Enable debug_log and log_sensitive to get all information logged.
As I said before, if Windows reports the password is wrong and the auth package was packed with the correct password (see logs), I do not see how we could act on anything or cause an issue.

[19-06-2023 14:26:51] [CCredentialProviderFilter.cpp:40] CSample_CreateInstance - FILTER START
[19-06-2023 14:26:51] [CCredentialProviderFilter.cpp:141] CCredentialProviderFilter::CCredentialProviderFilter
[19-06-2023 14:26:51] [CCredentialProviderFilter.cpp:62] CCredentialProviderFilter::Filter CPUS_LOGON
[19-06-2023 14:26:51] [CCredentialProviderFilter.cpp:69] Filter disabled by registry setting!
[19-06-2023 14:26:51] [CProvider.cpp:82] CProvider::SetUsageScenario: CPUS_LOGON - AUTHENTICATION START
[19-06-2023 14:26:51] [Configuration.cpp:144] -----------------------------
[19-06-2023 14:26:51] [Configuration.cpp:145] CP Version: 3.3.0
[19-06-2023 14:26:51] [Configuration.cpp:147] Windows Version: 10.0.17763
[19-06-2023 14:26:51] [Configuration.cpp:148] ------- Configuration -------
[19-06-2023 14:26:51] [Configuration.cpp:149] Hostname: myPIserver.newDomain.com
[19-06-2023 14:26:51] [Configuration.cpp:138] Login text: privacyIDEA Login
[19-06-2023 14:26:51] [Configuration.cpp:138] OTP failure text: Wrong One-Time Password!
[19-06-2023 14:26:51] [Configuration.cpp:162] Hide domain/full name: false/false
[19-06-2023 14:26:51] [Configuration.cpp:163] SSL ignore unknown CA/invalid CN: true/true
[19-06-2023 14:26:51] [Configuration.cpp:166] 2step enabled/send empty/domain password: true/false/true
[19-06-2023 14:26:51] [Configuration.cpp:167] Debug Log: true
[19-06-2023 14:26:51] [Configuration.cpp:168] Log sensitive data: true
[19-06-2023 14:26:51] [Configuration.cpp:169] No default: false
[19-06-2023 14:26:51] [Configuration.cpp:170] Show domain hint: false
[19-06-2023 14:26:51] [Configuration.cpp:125] Offline refill threshold: 0
[19-06-2023 14:26:51] [Configuration.cpp:189] -----------------------------
[19-06-2023 14:26:51] [Shared.cpp:30] Shared::IsRequiredForScenario
[19-06-2023 14:26:51] [Shared.cpp:138] Session is local
[19-06-2023 14:26:51] [Shared.cpp:66] Checking for Provider, CPUS_LOGON, local, entry=0e
[19-06-2023 14:26:51] [CProvider.cpp:120] SetUsageScenario result: 0x0
[19-06-2023 14:26:51] [CCredentialProviderFilter.cpp:40] CSample_CreateInstance - FILTER START
[19-06-2023 14:26:51] [CCredentialProviderFilter.cpp:141] CCredentialProviderFilter::CCredentialProviderFilter
[19-06-2023 14:26:51] [CCredentialProviderFilter.cpp:62] CCredentialProviderFilter::Filter CPUS_PLAP
[19-06-2023 14:26:51] [CCredentialProviderFilter.cpp:69] Filter disabled by registry setting!
[19-06-2023 14:26:51] [CProvider.cpp:226] CProvider::Advise
[19-06-2023 14:26:51] [CProvider.cpp:345] CProvider::GetCredentialCount
[19-06-2023 14:26:51] [CProvider.cpp:385] CProvider::GetCredentialAt
[19-06-2023 14:26:51] [CProvider.cpp:392] Checking if already serialized credentials are present
[19-06-2023 14:26:51] [CProvider.cpp:529] CProvider::_GetSerializedCredentials
[19-06-2023 14:26:51] [CProvider.cpp:435] Looking-up missing domain name from computer
[19-06-2023 14:26:51] [CProvider.cpp:446] Found domain:oldDomain
[19-06-2023 14:26:51] [CProvider.cpp:450] Initializing CCredential
[19-06-2023 14:26:51] [CCredential.cpp:75] CCredential::Initialize
[19-06-2023 14:26:51] [CCredential.cpp:109] Username from provider: empty
[19-06-2023 14:26:51] [CCredential.cpp:110] Domain from provider: oldDomain
[19-06-2023 14:26:51] [CCredential.cpp:113] Password from provider: empty
[19-06-2023 14:26:51] [CCredential.cpp:148] Init result: 0x0
[19-06-2023 14:26:51] [CProvider.cpp:476] Returning interface to credential
[19-06-2023 14:26:51] [CProvider.cpp:499] GetCredentialAt result 0x0
[19-06-2023 14:26:51] [CProvider.cpp:267] CProvider::GetFieldDescriptorCount
[19-06-2023 14:26:51] [CCredential.cpp:334] CCredential::GetBitmapValue
[19-06-2023 14:26:51] [CCredential.cpp:381] (long) 0
[19-06-2023 14:26:51] [CCredential.cpp:395] CCredential::GetSubmitButtonValue
[19-06-2023 14:26:51] [CCredential.cpp:191] CCredential::SetSelected
[19-06-2023 14:27:09] [CCredential.cpp:782] CCredential::Connect: CREDENTIAL SUBMITTED - step 1
[19-06-2023 14:27:09] [Utilities.cpp:636] Utilities::CopyInputsToConfig
[19-06-2023 14:27:09] [Utilities.cpp:682] Loading user and domain from GUI: 'newDomain\jonw'
[19-06-2023 14:27:09] [Utilities.cpp:690] Changing user from '' to 'jonw'
[19-06-2023 14:27:09] [Utilities.cpp:700] Changing domain from 'oldDomain' to 'newDomain' 
[19-06-2023 14:27:09] [Utilities.cpp:723] Loading password from GUI, value:
[19-06-2023 14:27:09] [Utilities.cpp:726] MyCorrectPassword341228
[19-06-2023 14:27:09] [Utilities.cpp:747] Loading OTP from GUI, from '' to ''
[19-06-2023 14:27:09] [CCredential.cpp:843] 1st step: Sending windows pass
[19-06-2023 14:27:09] [PrivacyIDEA.cpp:96] PrivacyIDEA::ValidateCheck
[19-06-2023 14:27:09] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/check
[19-06-2023 14:27:09] [Endpoint.cpp:72] Request parameters:
[19-06-2023 14:27:09] [Endpoint.cpp:79] pass=MyCorrectPassword341228
[19-06-2023 14:27:09] [Endpoint.cpp:79] user=jonw
    "detail": {
        "message": "matching 1 tokens",
        "otplen": 6,
        "serial": "TOTP00020037",
        "threadid": 140011323590208,
        "type": "totp"
    },
    "id": 2,
    "jsonrpc": "2.0",
    "result": {
        "authentication": "ACCEPT",
        "status": true,
        "value": true
    },
    "signature": "rsa_sha256_pss:[removed]",
    "time": 1687177673.7343698,
    "version": "privacyIDEA 3.8.1",
    "versionnumber": "3.8.1"
}
[19-06-2023 14:27:25] [JsonParser.cpp:225] JsonParser::ParseResponseForOfflineData
[19-06-2023 14:27:25] [JsonParser.cpp:53] JsonParser::ParsePIResponse
[19-06-2023 14:27:25] [CCredential.cpp:957] Authentication complete: true
[19-06-2023 14:27:25] [CCredential.cpp:958] Connect - END
[19-06-2023 14:27:25] [CCredential.cpp:608] CCredential::GetSerialization
[19-06-2023 14:27:25] [PrivacyIDEA.cpp:186] Stopping poll thread...
[19-06-2023 14:27:25] [Utilities.cpp:47] Utilities::KerberosLogon - Packing Credential with: 
[19-06-2023 14:27:25] [Utilities.cpp:57] Username: jonw
[19-06-2023 14:27:25] [Utilities.cpp:59] Password: MyCorrectPassword341228
[19-06-2023 14:27:25] [Utilities.cpp:60] Domain: newDomain
[19-06-2023 14:27:25] [Utilities.cpp:445] Utilities::Clear
[19-06-2023 14:27:25] [CCredential.cpp:747] CPGSR_RETURN_CREDENTIAL_FINISHED
[19-06-2023 14:27:25] [CCredential.cpp:752] CCredential::GetSerialization - END
[19-06-2023 14:27:25] [CCredential.cpp:1012] CCredential::ReportResult
[19-06-2023 14:27:25] [CCredential.cpp:1014] ntsStatus: 0xc000006d, ntsSubstatus: 0x0
[19-06-2023 14:27:25] [CCredential.cpp:1023] Complete reset!
[19-06-2023 14:27:25] [Utilities.cpp:771] Utilities::ResetScenario
[19-06-2023 14:27:25] [Utilities.cpp:346] SetScenario: LOGON_TWO_STEP
[19-06-2023 14:27:25] [Utilities.cpp:489] Utilities::SetFieldStatePairBatch
[19-06-2023 14:27:28] [CCredential.cpp:191] CCredential::SetSelected
[19-06-2023 14:27:29] [CCredential.cpp:257] CCredential::SetDeselected
[19-06-2023 14:27:29] [Utilities.cpp:445] Utilities::Clear
[19-06-2023 14:27:29] [Utilities.cpp:771] Utilities::ResetScenario
[19-06-2023 14:27:29] [Utilities.cpp:346] SetScenario: LOGON_TWO_STEP
[19-06-2023 14:27:29] [Utilities.cpp:489] Utilities::SetFieldStatePairBatch
[19-06-2023 14:27:34] [CProvider.cpp:244] CProvider::UnAdvise - AUTHENTICATION END
[19-06-2023 14:27:34] [Utilities.cpp:445] Utilities::Clear

Thanks for your reply! This is what my log looks like. I just anonymized my private values (to ‘oldDomain’, ‘NewDomain’, ‘MyCorrectPassword’ and ‘jonw’). My password is transmitted correctly with the TOTP value. I think it’s strange that it logs Loading OTP from GUI, from '' to '' but the privacyIDEA audit seems to be happy with the provided credentials…
I also tried setting otppin=none as suggested here: PI credential provider and AD authentication failure, but it didn’t work for me.

I was able to solve my problem. It was a typical layer 8 problem… I wasn’t aware that the client PC/server has to be a domain member. After I joined the domain, the Credential Provider worked perfectly!

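The triage done by eye on the logs in this thread, as an added example that is not part of any post or of the privacyIDEA project's code: it reads a Credential Provider debug log, reports whether privacyIDEA accepted while Windows rejected the logon, compares the machine's domain with the logon domain, flags the risky settings visible in the configuration dump, and masks passwords before a log is shared. The sample log, the finding names and the `triage`/`redact` helpers are constructed for illustration; the message formats are the ones quoted above.

```python
import re

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<src>[\w.]+):(?P<ln>\d+)\] (?P<msg>.*)$")
SECRET = re.compile(r"^(pass=|Password: )(.+)$")
NTSTATUS = {  # documented Windows NTSTATUS logon codes
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006E: "STATUS_ACCOUNT_RESTRICTION",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000224: "STATUS_PASSWORD_MUST_CHANGE",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Constructed sample in the debug-log format quoted in this thread.
SAMPLE_LOG = """\
[19-06-2023 14:26:51] [Configuration.cpp:163] SSL ignore unknown CA/invalid CN: true/true
[19-06-2023 14:26:51] [Configuration.cpp:168] Log sensitive data: true
[19-06-2023 14:26:51] [CProvider.cpp:446] Found domain:oldDomain
[19-06-2023 14:27:09] [Utilities.cpp:723] Loading password from GUI, value:
[19-06-2023 14:27:09] [Utilities.cpp:726] ExamplePass123
[19-06-2023 14:27:09] [Endpoint.cpp:79] pass=ExamplePass123
[19-06-2023 14:27:25] [CCredential.cpp:957] Authentication complete: true
[19-06-2023 14:27:25] [Utilities.cpp:59] Password: ExamplePass123
[19-06-2023 14:27:25] [Utilities.cpp:60] Domain: newDomain
[19-06-2023 14:27:25] [CCredential.cpp:1014] ntsStatus: 0xc000006d, ntsSubstatus: 0x0
"""


def redact(log_text):
    """Mask password values so the log can be posted or archived."""
    out, mask_next = [], False
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if m:
            prefix, msg = raw[: m.start("msg")], m.group("msg")
            if mask_next:  # line after "Loading password from GUI, value:"
                msg, mask_next = "<redacted>", False
            else:
                msg = SECRET.sub(lambda s: s.group(1) + "<redacted>", msg)
                mask_next = msg.startswith("Loading password from GUI")
            raw = prefix + msg
        out.append(raw)
    return "\n".join(out)


def triage(log_text):
    """Summarise the last logon attempt in the log; later lines overwrite earlier ones."""
    st = {"machine_domain": None, "logon_domain": None,
          "pi_accept": False, "ntstatus": None, "findings": []}

    def flag(code):
        if code not in st["findings"]:
            st["findings"].append(code)

    for raw in log_text.splitlines():
        if '"authentication": "ACCEPT"' in raw:  # JSON body of /validate/check
            st["pi_accept"] = True
        m = LINE.match(raw)
        if not m:
            continue
        msg = m.group("msg").strip()
        if msg.startswith("Found domain:"):
            st["machine_domain"] = msg.split(":", 1)[1].strip()
        elif msg.startswith("Domain: "):  # value packed for the Windows logon
            st["logon_domain"] = msg[len("Domain: "):]
        elif msg == "Authentication complete: true":
            st["pi_accept"] = True
        elif msg.startswith("SSL ignore unknown CA/invalid CN:") and "true" in msg:
            flag("TLS_VALIDATION_DISABLED")
        elif msg == "Log sensitive data: true":
            flag("SENSITIVE_LOGGING_ENABLED")
        elif (n := re.match(r"ntsStatus: (0x[0-9a-fA-F]+)", msg)):
            st["ntstatus"] = int(n.group(1), 16)

    nt = st["ntstatus"]
    st["ntstatus_name"] = None if nt is None else NTSTATUS.get(nt, "unknown")
    if st["pi_accept"] and nt not in (None, 0):  # 0 is STATUS_SUCCESS
        flag("MFA_ACCEPTED_WINDOWS_REJECTED")
        md, ld = st["machine_domain"], st["logon_domain"]
        if md and ld and md.lower() != ld.lower():
            flag("MACHINE_DOMAIN_DIFFERS_FROM_LOGON_DOMAIN")
    return st
```

A `MACHINE_DOMAIN_DIFFERS_FROM_LOGON_DOMAIN` finding next to `STATUS_LOGON_FAILURE` points at the machine's domain membership, which is what resolved the second case in this thread.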