I have been testing PrivacyIDEA together with the Credential Provider in order to secure RDP with MFA.
The setup works as expected, but I have noticed that login is only successful when users sign in using the format: contoso.td\username
If the user instead tries to log in with the format: username@contoso.td the login does not work.
My question is therefore:
Is there a configuration option or a workaround that would allow logins using the username@contoso.td format as well?
Hint: You may check within the privacyIDEA Server which username and realm appear in the Audit log.
The user types something in the login field. The Credential Provider and the privacyIDEA Server are involved in interpreting this as a username and a realm.
Thus this might result in unknown realms or unknown usernames.
You will see the explicit error message in the audit log.
Look there!
I just checked the audit log in the web portal. It is not clear here what the error is.
The username and realm are correct in the audit logs, e.g. username and contoso.td.
So if a user signs in with username@contoso.td over RDP, the first sign-in is ok. The user has to input the TOTP. It says the TOTP is incorrect and then it prompts the user for the password again.
If a user signs in with contoso.td\username over RDP, the sign-in is ok. It prompts the user for the TOTP and the TOTP works the first time.
I will look in the logs for Credential Provider to investigate further.
So my local domain is contoso.local and my user UPN is username@contoso.com
I want users to authenticate over RDP with username@contoso.com instead of contoso\username
So the CP is trying to authenticate with contoso.com\username but the real domain is contoso.local.
In the PrivacyIdea server my realm name is contoso.com and the LDAP resolver resolves to the local domain contoso.local.
I tried to do mappings with the Credential Provider in the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Netknights GmbH\PrivacyIDEA-CP]
"default_realm"="contoso.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Netknights GmbH\PrivacyIDEA-CP\realm-mapping]
"contoso"="contoso.com"
"contoso.local"="contoso.com"
Here is a snippet of the log.
[03-09-2025 10:16:11] [CCredential.cpp:464] (long) 0
[03-09-2025 10:16:11] [CCredential.cpp:478] CCredential::GetSubmitButtonValue
[03-09-2025 10:16:11] [CCredential.cpp:190] CCredential::Advise
[03-09-2025 10:16:11] [CCredential.cpp:659] SetMode: New Mode=USERNAME, old Mode=NO_CHANGE, passkey = 0, offlineFIDO = 0
[03-09-2025 10:16:11] [Utilities.cpp:355] Utilities::SetFieldStatePairBatch
[03-09-2025 10:16:11] [CCredential.cpp:879] Enabling fido online link to offer passkey in first step
[03-09-2025 10:16:11] [CCredential.cpp:2108] CCredential::Connect Mode=USERNAME
[03-09-2025 10:16:11] [Utilities.cpp:504] Utilities::CopyInputFields
[03-09-2025 10:16:11] [Utilities.cpp:548] Copying user and domain from GUI: ‘username’
[03-09-2025 10:16:11] [Utilities.cpp:561] Changing user from ‘cghaadm’ to ‘username’
[03-09-2025 10:16:11] [Utilities.cpp:576] Domain is empty, keeping old value: ‘contoso .com’
[03-09-2025 10:16:11] [Utilities.cpp:594] Copying password from GUI, value:
[03-09-2025 10:16:11] [Utilities.cpp:607] [Hidden] has value
[03-09-2025 10:16:11] [Utilities.cpp:617] Loading OTP from GUI, from ‘’ to ‘’
[03-09-2025 10:16:11] [Utilities.cpp:628] New PIN empty, keeping old value
[03-09-2025 10:16:11] [CCredential.cpp:1543] CCredential::CheckExcludedAccount
[03-09-2025 10:16:11] [CCredential.cpp:1615] NetUserGetLocalGroups failed for user ‘contoso .com\username’ with error: 1355
[03-09-2025 10:16:11] [CCredential.cpp:1627] User username is not in excluded group: sg_mfabypass
[03-09-2025 10:16:11] [CCredential.cpp:2165] 1st step: Sending empty pass
[03-09-2025 10:16:11] [PrivacyIDEA.cpp:146] PrivacyIDEA::ValidateCheck
[03-09-2025 10:16:11] [Endpoint.cpp:180] Endpoint::SendRequest to /validate/check
[03-09-2025 10:16:11] [Endpoint.cpp:73] Request parameters:
[03-09-2025 10:16:11] [Endpoint.cpp:97] pass parameter is not logged
[03-09-2025 10:16:11] [Endpoint.cpp:93] user=username
Is it possible to achieve that the actual domain is contoso.local and the UPN is username@contoso.com and authenticate?
I am not sure if I understand correctly where the problem lies: Does the authentication with privacyIDEA work, and is it just about replacing "contoso.com" with "contoso.local" in the credential provider for the login?
The problem is that if users connect with RDP and use contoso.local\username, the authentication and logon are working perfectly.
But I would like to use UPN notation as well. So I want users to login with username@contoso.com but keep in mind that the actual domain is contoso.local and not contoso.com
I tried to test a lot of stuff yesterday and tried to use mangle in authentication. But no matter what, it seems like the Credential Provider is detecting UPN syntax and is splitting username @ domain from the UPN.
So no matter what, I cannot get the UPN to work with contoso.local
Yeah, I think something needs to be done in the credential provider, because the logon will be attempted with "contoso.com" as split from the input. There is currently no step to "resolve" this to "contoso.local".
Yeah, and as I said, it seems like the CP is always doing its thing with splitting and using that exact domain from the UPN when a UPN is detected. Guess I will try to look into your code
That sounds very promising and thank you
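A constructed model of the split-and-map logic discussed in this thread, added here as an example and not the Credential Provider's own code: the default_realm and realm-mapping values come from the registry snippet above, while KNOWN_DOMAINS and the UPN_SUFFIX_TO_DOMAIN resolution step are assumptions that illustrate the missing step. It shows that realm-mapping only changes the privacyIDEA realm, so a UPN suffix that is not a real Windows domain still fails the Windows logon (error 1355 is ERROR_NO_SUCH_DOMAIN).

```python
"""Model of how an RDP login string is split into a Windows domain and a
privacyIDEA realm. Constructed for this thread; not the privacyIDEA
Credential Provider's code. Registry values are taken from the thread,
KNOWN_DOMAINS and UPN_SUFFIX_TO_DOMAIN are assumptions."""
from dataclasses import dataclass

# From the thread's registry snippet (HKLM\...\PrivacyIDEA-CP).
DEFAULT_REALM = "contoso.com"
REALM_MAPPING = {"contoso": "contoso.com", "contoso.local": "contoso.com"}
# Domains Windows can actually log on to in this environment (constructed).
KNOWN_DOMAINS = {"contoso", "contoso.local"}
# Hypothetical resolution step the thread says is missing: UPN suffix -> domain.
UPN_SUFFIX_TO_DOMAIN = {"contoso.com": "contoso.local"}


@dataclass
class Login:
    user: str
    windows_domain: str  # what would be handed to the Windows logon
    realm: str           # what would be sent to privacyIDEA /validate/check
    logon_ok: bool       # does Windows know this domain at all?


def split_input(text: str):
    """Down-level 'DOMAIN\\user' or UPN 'user@suffix'; otherwise bare user."""
    if "\\" in text:
        dom, user = text.split("\\", 1)
        return user, dom
    if "@" in text:
        user, dom = text.rsplit("@", 1)
        return user, dom
    return text, ""


def interpret(text: str, resolve_upn: bool = False) -> Login:
    """Apply the (hypothetical) UPN resolution, then the realm-mapping."""
    user, dom = split_input(text)
    if resolve_upn and "@" in text:
        # The step the thread identifies as missing: map suffix to real domain.
        dom = UPN_SUFFIX_TO_DOMAIN.get(dom.lower(), dom)
    # realm-mapping keys are Windows domains; anything unmapped gets default_realm.
    realm = REALM_MAPPING.get(dom.lower(), DEFAULT_REALM)
    return Login(user, dom, realm, dom.lower() in KNOWN_DOMAINS)
```

Note that both the down-level and the UPN input end up with the correct privacyIDEA realm, which is why the audit log looks fine while the Windows side still fails.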