PI credential provider and AD authentication failure

marcinl · March 28, 2022, 10:44am

Hello,
I am newbie to privacyIDEA and struggling with PI credential provider due to a user authentication failure against AD. No problems noticed with OWA and 2FA with the same UserIdResolver (AD), user and TOTP token.

My setup:

Serwer: PI 3.6.3 on CentOS, ldapsresolveruser - > AD (Win Server 2016), authentication policy: otpin → userstore, TOTP token for a user.
Client: privacyidea-cp 3.1.2 on Win10, registry settings two_step_hide_otp, two_step_send_password, debug_log, log_sensitives are on

When a user tries to log on to win10 and PI server sends his credential to AD controller, the following entries are shown in /var/log/privacyidea/privacyidea.log

[INFO][privacyidea.lib.user:238] userid resolved to 'e811c0be-466c-4ecd-84ba-fecf5e1cb289'
[INFO][privacyidea.lib.user:404] User 'testuser@testdomain.net' from realm 'realm1' tries to authenticate
[WARNING][privacyidea.lib.resolvers.LDAPIdResolver:370] failed to check password for 'e811c0be-466c-4ecd-84ba-fecf5e1cb289'/'CN=testuser,OU=Domain-Users,DC=testdomain,DC=net': Exception('Wrong credentials',)

Simultaneously, AD controller shows under security logs audit failure entries with ID 4776 (Error Code: 0xC000006A) and ID 4625 (Status: 0xC000006D Sub Status: 0xC000006A), which means unknown user name or bad password
The password is correct according to PICredentialProviderLog.txt on Win10 machine with log_sensitives setting enabled.

I’ve installed another PI server from pacakges on Ubuntu 20.04 LTS. Unfortunately the same error occurs when ‘testuser’ tries to authenticate using privacyidea-cp.

Could you please provide me with hints on how to solve that problem?

cornelinux · March 28, 2022, 7:44pm

Welcome to privacyIDEA!

There is no need to send the password by the CP.

Use otppin=none as the policy, if you have TOTP tokens.
You are problably authenticating via RDP? These is an issue that this would mangle the windows password and thus a wrong password is verified by privacyIDEA due to otppin=userstore.

marcinl · March 29, 2022, 1:53pm

Hi,
Many thanks for the quick reply!

I don’t connect via RDP but directly to Win10 console (locally).
You’re right, your solution works when otpin=none.

I followed your video guide and PDF doc when setting up my PI server and CP. These are clear and consistent for me while authentication policy is set to otpin=userstore, rather than otpin=none.

According to your PI documentation otpin=false means “The user does not have to pass any fixed password. Authentication is only done via the OTP value”. In fact, a user have to provide both: proper AD password and OTP value to authenticate.

I would be grateful if you could explain in a few words the mechanism of action for this setting.
Thank you in advance.

cornelinux · March 29, 2022, 7:29pm

The user always ever has to provide the windows password independent of the privacyIDEA server.
Only after that, the privacyidea server is involved. Thus the privacyIDEA server should only check the OTP.
See Introduction — privacyIDEA Credential Provider 2.2 documentation