Problem with windows authentication provider and RDP

Hi, We have a problem with windows authentication provider.using Microsoft Remote Desktop. It seems that the provider does not recognize correctly the username passed throught the client. Instead when we try to authenticate directly from inside the remote desktop window, all goes fine! Can anyone help us?


Welcome to privacyIDEA.

You need to provide more information.

Reread your post as if you do not know, what you have done!

you are right. my apologizes.
I’m trying to connect from a windows 10 machine (machine A) to another windows 10 machine (B), where privacy idea credential provider is installed successfully (I can authenticate from the console). If i want to connect from A to B, using microsoft remote desktop application, i have to type username, domain and password before click the connect button. When i click connect, the credential provider on B ask for second factor, but authentication fails everytime. After the first failed attempt, the provider ask for username, password and second factor, directly in the remote session. In this manner authetication works. It seems that rdp application from A does not provide the correct informations (username or password) to credential provider on B. When i give data directly to credential provider all goes fine.
I hope i explained it well this time.
Thank you very much

After intalling credential provider debug version and enable log_sensitive we saw in the log that the password is encrypted when we connect via rdp session.

I fix password decryption based on this:

You can find a fork version of patched credential provider

OK, you are using NLA when connecting to the remote machine B.

Note the following:

  1. You need to isntall the CP on machine B, not A.
  2. On machine B configure the CP correctly:
    • 2step authentication
    • do NOT check "send (windows) password. (I guess you have enabled this!!!)
    • I assume you are using a token like TOTP
  3. When you get the 2FA login and you are rejected! CHECK THE PRIVCAYIDEA AUDIT LOG!!! The server will give you more information, what goes wrong here.

You should not do that!

Could you further explain what you mean?
Thank you in advance.

Of course you can fork the project and do what you want to. Cool, that you managed to do so.

But there are two possibilities, which I recommend to look at first:

a) you “misconfigured” you CP. After all, this is a common scenario which works at a lot of installations. As already stated: the might be a setting like “send …password” or no “2step”, which would lead to problems with NLA.

b) there is a bug in the privacyIDEA CP - then it would be great, if you actually would open an issue and create a pull request. In the long run this makes more sense, than create a fork that works for you.

But no problem - from a legal or license standpoint you can of course do that! :wink:

Hi, do you have 2step enabled?

Finally we figured out what we were wrong: following your tutorial video ( you configured a policy with otppin userstore value and 2step enabled with send windows password. This cause to have encrypted password in NLA context and so the misconfiguration. In fact we were wondering why it didn’t work.
Now all works fine, we have modified the authentication policy without otppin flagged and reinstalled CP with 2step enabled and no other flag checked as you said.
Thank you very much.

1 Like