Windows auth fail with pass + totp

Hello!
I'm trying to test the integration of PI with AD.

When entering the TOTP, CP does not combine the password with the OTP in the POST request, as you can see from the log.
I set the parameters:

two_step_hide_otp = 1
two_step_send_password = 1
policy otppin=userstore

I tried different versions of CP; the result is the same.
If I set the policy otppin=none, authorization passes.
What also confuses me is the "408 Request Time-out" in the log.

[28-04-2023 16:18:02] [CCredentialProviderFilter.cpp:39] CSample_CreateInstance - FILTER START
[28-04-2023 16:18:02] [CCredentialProviderFilter.cpp:108] CCredentialProviderFilter::CCredentialProviderFilter
[28-04-2023 16:18:02] [CCredentialProviderFilter.cpp:122] CCredentialProviderFilter::UpdateRemoteCredential
[28-04-2023 16:18:02] [CCredentialProviderFilter.cpp:61] CCredentialProviderFilter::Filter CPUS_UNLOCK_WORKSTATION
[28-04-2023 16:18:02] [CCredentialProviderFilter.cpp:68] Filter disabled by registry setting!
[28-04-2023 16:18:02] [CProvider.cpp:82] CProvider::SetUsageScenario: CPUS_UNLOCK_WORKSTATION - AUTHENTICATION START
[28-04-2023 16:18:02] [Configuration.cpp:144] -----------------------------
[28-04-2023 16:18:02] [Configuration.cpp:145] CP Version: 3.2.0
[28-04-2023 16:18:02] [Configuration.cpp:147] Windows Version: 10.0.17763
[28-04-2023 16:18:02] [Configuration.cpp:148] ------- Configuration -------
[28-04-2023 16:18:02] [Configuration.cpp:149] Hostname: mfa.local
[28-04-2023 16:18:02] [Configuration.cpp:125] Resolve timeout: 60
[28-04-2023 16:18:02] [Configuration.cpp:125] Connect timeout: 60
[28-04-2023 16:18:02] [Configuration.cpp:125] Send timeout: 60
[28-04-2023 16:18:02] [Configuration.cpp:125] Receive timeout: 60
[28-04-2023 16:18:02] [Configuration.cpp:138] Login text: privacyIDEA Login
[28-04-2023 16:18:02] [Configuration.cpp:138] OTP failure text: Wrong One-Time Password!
[28-04-2023 16:18:02] [Configuration.cpp:162] Hide domain/full name: false/false
[28-04-2023 16:18:02] [Configuration.cpp:163] SSL ignore unknown CA/invalid CN: true/true
[28-04-2023 16:18:02] [Configuration.cpp:166] 2step enabled/send empty/domain password: true/false/true
[28-04-2023 16:18:02] [Configuration.cpp:167] Debug Log: true
[28-04-2023 16:18:02] [Configuration.cpp:168] Log sensitive data: true
[28-04-2023 16:18:02] [Configuration.cpp:169] No default: false
[28-04-2023 16:18:02] [Configuration.cpp:170] Show domain hint: false
[28-04-2023 16:18:02] [Configuration.cpp:125] Offline refill threshold: 0
[28-04-2023 16:18:02] [Configuration.cpp:138] Default realm: ib.dit
[28-04-2023 16:18:02] [Configuration.cpp:189] -----------------------------
[28-04-2023 16:18:02] [Shared.cpp:30] Shared::IsRequiredForScenario
[28-04-2023 16:18:02] [Shared.cpp:138] Session is remote
[28-04-2023 16:18:02] [Shared.cpp:66] Checking for Provider, CPUS_UNLOCK_WORKSTATION, remote, entry=0e
[28-04-2023 16:18:02] [CProvider.cpp:120] SetUsageScenario result: 0x0
[28-04-2023 16:18:02] [CProvider.cpp:142] CProvider::SetSerialization
[28-04-2023 16:18:02] [CProvider.cpp:178] Serialization found from remote
[28-04-2023 16:18:02] [CProvider.cpp:214] SetSerialization result: 0x0
[28-04-2023 16:18:02] [CProvider.cpp:226] CProvider::Advise
[28-04-2023 16:18:02] [CProvider.cpp:345] CProvider::GetCredentialCount
[28-04-2023 16:18:02] [Shared.cpp:138] Session is remote
[28-04-2023 16:18:02] [CProvider.cpp:370] Setting AutoLogon to true
[28-04-2023 16:18:02] [CProvider.cpp:385] CProvider::GetCredentialAt
[28-04-2023 16:18:02] [CProvider.cpp:392] Checking if already serialized credentials are present
[28-04-2023 16:18:02] [CProvider.cpp:529] CProvider::_GetSerializedCredentials
[28-04-2023 16:18:02] [CProvider.cpp:450] Initializing CCredential
[28-04-2023 16:18:02] [CCredential.cpp:73] CCredential::Initialize
[28-04-2023 16:18:02] [CCredential.cpp:107] Username from provider: myuser
[28-04-2023 16:18:02] [CCredential.cpp:108] Domain from provider: SOME.DOMAIN
[28-04-2023 16:18:02] [CCredential.cpp:111] Password from provider: xun1BMQpyqToIK
[28-04-2023 16:18:02] [CCredential.cpp:146] Init result: 0x0
[28-04-2023 16:18:02] [CProvider.cpp:476] Returning interface to credential
[28-04-2023 16:18:02] [CProvider.cpp:499] GetCredentialAt result 0x0
[28-04-2023 16:18:02] [CProvider.cpp:267] CProvider::GetFieldDescriptorCount
[28-04-2023 16:18:02] [CCredential.cpp:323] CCredential::GetBitmapValue
[28-04-2023 16:18:02] [CCredential.cpp:370] (long) 0
[28-04-2023 16:18:02] [CCredential.cpp:384] CCredential::GetSubmitButtonValue
[28-04-2023 16:18:02] [CCredential.cpp:749] CCredential::Connect: CREDENTIAL SUBMITTED - step 1
[28-04-2023 16:18:02] [Utilities.cpp:627] Utilities::CopyInputsToConfig
[28-04-2023 16:18:02] [Utilities.cpp:714] Loading password from GUI, value:
[28-04-2023 16:18:02] [Utilities.cpp:717] xun1BMQpyqToIK
[28-04-2023 16:18:02] [Utilities.cpp:738] Loading OTP from GUI, from '' to ''
[28-04-2023 16:18:02] [CCredential.cpp:804] 1st step: Sending windows pass
[28-04-2023 16:18:02] [PrivacyIDEA.cpp:96] PrivacyIDEA::ValidateCheck
[28-04-2023 16:18:02] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/check
[28-04-2023 16:18:02] [Endpoint.cpp:72] Request parameters:
[28-04-2023 16:18:02] [Endpoint.cpp:79] pass=xun1BMQpyqToIK
[28-04-2023 16:18:02] [Endpoint.cpp:79] realm=SOME.DOMAIN
[28-04-2023 16:18:02] [Endpoint.cpp:79] user=myuser
[28-04-2023 16:18:17] [JsonParser.cpp:120] [json.exception.parse_error.101] parse error at line 1, column 1: syntax error while parsing value - invalid literal; last read: '<'
[28-04-2023 16:18:17] [Endpoint.cpp:367] <html><body><h1>408 Request Time-out</h1>
Your browser didn't send a complete request in time.
</body></html>

[28-04-2023 16:18:17] [JsonParser.cpp:224] JsonParser::ParseResponseForOfflineData
[28-04-2023 16:18:17] [JsonParser.cpp:45] [json.exception.parse_error.101] parse error at line 1, column 1: syntax error while parsing value - invalid literal; last read: '<'
[28-04-2023 16:18:17] [JsonParser.cpp:53] JsonParser::ParsePIResponse
[28-04-2023 16:18:17] [JsonParser.cpp:61] [json.exception.parse_error.101] parse error at line 1, column 1: syntax error while parsing value - invalid literal; last read: '<'
[28-04-2023 16:18:17] [CCredential.cpp:878] Authentication complete: false
[28-04-2023 16:18:17] [CCredential.cpp:879] Connect - END
[28-04-2023 16:18:17] [CCredential.cpp:588] CCredential::GetSerialization
[28-04-2023 16:18:17] [Utilities.cpp:329] SetScenario: SECOND_STEP
[28-04-2023 16:18:17] [Utilities.cpp:480] Utilities::SetFieldStatePairBatch
[28-04-2023 16:18:17] [CCredential.cpp:713] CPGSR_NO_CREDENTIAL_NOT_FINISHED
[28-04-2023 16:18:17] [CCredential.cpp:719] CCredential::GetSerialization - END
[28-04-2023 16:18:30] [CCredential.cpp:749] CCredential::Connect: CREDENTIAL SUBMITTED - step 2
[28-04-2023 16:18:30] [Utilities.cpp:627] Utilities::CopyInputsToConfig
[28-04-2023 16:18:30] [Utilities.cpp:714] Loading password from GUI, value:
[28-04-2023 16:18:30] [Utilities.cpp:717] xun1BMQpyqToIK
[28-04-2023 16:18:30] [Utilities.cpp:738] Loading OTP from GUI, from '' to '398903'
[28-04-2023 16:18:30] [CCredential.cpp:814] Sending OTP
[28-04-2023 16:18:30] [PrivacyIDEA.cpp:141] PrivacyIDEA::OfflineCheck
[28-04-2023 16:18:30] [PrivacyIDEA.cpp:96] PrivacyIDEA::ValidateCheck
[28-04-2023 16:18:30] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/check
[28-04-2023 16:18:30] [Endpoint.cpp:72] Request parameters:
[28-04-2023 16:18:30] [Endpoint.cpp:79] pass=398903
[28-04-2023 16:18:30] [Endpoint.cpp:79] realm=some.domain
[28-04-2023 16:18:30] [Endpoint.cpp:79] user=myuser
[28-04-2023 16:18:30] [Endpoint.cpp:367] {
    "detail": {
        "message": "wrong otp pin",
        "threadid": 140414543017472
    },
    "id": 2,
    "jsonrpc": "2.0",
    "result": {
        "authentication": "REJECT",
        "status": true,
        "value": false
    },
    "signature": "rsa_sha256_pss: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",
    "time": 1682687910.9009624,
    "version": "privacyIDEA 3.7.3",
    "versionnumber": "3.7.3"
}
[28-04-2023 16:18:30] [JsonParser.cpp:224] JsonParser::ParseResponseForOfflineData
[28-04-2023 16:18:30] [JsonParser.cpp:53] JsonParser::ParsePIResponse
[28-04-2023 16:18:30] [CCredential.cpp:878] Authentication complete: false
[28-04-2023 16:18:30] [CCredential.cpp:879] Connect - END
[28-04-2023 16:18:30] [CCredential.cpp:588] CCredential::GetSerialization
[28-04-2023 16:18:30] [Utilities.cpp:762] Utilities::ResetScenario
[28-04-2023 16:18:30] [Utilities.cpp:329] SetScenario: SECOND_STEP
[28-04-2023 16:18:30] [Utilities.cpp:480] Utilities::SetFieldStatePairBatch
[28-04-2023 16:18:30] [Utilities.cpp:436] Utilities::Clear
[28-04-2023 16:18:30] [CCredential.cpp:713] CPGSR_NO_CREDENTIAL_NOT_FINISHED
[28-04-2023 16:18:30] [CCredential.cpp:719] CCredential::GetSerialization - END
[28-04-2023 16:18:36] [CCredential.cpp:246] CCredential::SetDeselected
[28-04-2023 16:18:36] [Utilities.cpp:436] Utilities::Clear
[28-04-2023 16:18:36] [Utilities.cpp:762] Utilities::ResetScenario
[28-04-2023 16:18:36] [Utilities.cpp:329] SetScenario: SECOND_STEP
[28-04-2023 16:18:36] [Utilities.cpp:480] Utilities::SetFieldStatePairBatch
[28-04-2023 16:18:49] [CProvider.cpp:244] CProvider::UnAdvise - AUTHENTICATION END
[28-04-2023 16:18:49] [Utilities.cpp:436] Utilities::Clear

Hello,
using two_step_send_password = 1 is for triggering token before the user is asked for the OTP. It does NOT mean they are concatenated. By default, TOTP is not a challenge-response token, so to use it that way, you have to create a policy in privacyidea to make it work like challenge-response. Then, two_step_send_password = 1 will trigger the token with the first request (only password) and the user can respond to the challenge by entering the OTP.

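The reply above separates two things that are easy to conflate: `two_step_send_password = 1` makes the CP send the Windows password on its own first (to trigger a challenge), while `otppin=userstore` without a challenge-response policy expects one `pass` value of the form password+OTP. The model below is an added example, not code from privacyIDEA or from the credential provider: a toy `/validate/check` handler with a TOTP token (RFC 6238, SHA-1, using the RFC's published test seed) and a client that sends the same two requests the CP debug log shows. The `transaction_id` / `"CHALLENGE"` fields are modelled on privacyIDEA's challenge-response responses but are assumptions here, as are the user name and the constructed password.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Dict, List, Optional

# Constructed test seed (RFC 6238 Appendix B reference value), not a real token.
SECRET = b"12345678901234567890"


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a fixed timestamp, so results are reproducible."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def _reply(value: bool, auth: str, detail: Dict) -> Dict:
    # Same shape as the JSON-RPC body in the thread's log: result + detail.
    return {"result": {"status": True, "value": value, "authentication": auth},
            "detail": detail}


class ToyPI:
    """Minimal stand-in for a privacyIDEA /validate/check handler (assumed logic).

    otppin=userstore semantics: the token PIN *is* the user's directory password,
    so a single-step request must carry pass=<password><OTP>. With
    challenge_response=True, a request carrying only the password opens a
    challenge (transaction_id) that a second request answers with the OTP.
    """

    def __init__(self, user: str, pin: str, secret: bytes, challenge_response: bool):
        self.user, self.pin, self.secret = user, pin, secret
        self.challenge_response = challenge_response
        self.open_challenges: Dict[str, str] = {}   # transaction_id -> user

    def validate_check(self, user: str, passwd: str, now: int,
                       transaction_id: Optional[str] = None) -> Dict:
        expected = totp(self.secret, now)
        if transaction_id is not None:
            # Second step of challenge-response: pass holds only the OTP.
            ok = (self.open_challenges.pop(transaction_id, None) == user
                  and hmac.compare_digest(passwd, expected))
            return _reply(ok, "ACCEPT" if ok else "REJECT",
                          {"message": "matching 1 tokens" if ok else "wrong otp value"})
        if user != self.user or not passwd.startswith(self.pin):
            # The branch the thread's step 2 hits: pass=<OTP only> can never
            # match a PIN that is the userstore password.
            return _reply(False, "REJECT", {"message": "wrong otp pin"})
        otp_part = passwd[len(self.pin):]
        if otp_part and hmac.compare_digest(otp_part, expected):
            return _reply(True, "ACCEPT", {"message": "matching 1 tokens"})
        if not otp_part and self.challenge_response:
            tid = secrets.token_hex(8)
            self.open_challenges[tid] = user
            return _reply(False, "CHALLENGE",
                          {"message": "please enter otp", "transaction_id": tid})
        return _reply(False, "REJECT", {"message": "wrong otp value"})


def cp_two_step(server: ToyPI, user: str, password: str, otp_entered: str, now: int) -> List:
    """Mimic the CP with two_step_send_password=1: password first, OTP second.

    Returns (request parameters, response) pairs, like the 'Request parameters'
    and response blocks in the CP debug log.
    """
    exchange = []
    step1 = {"user": user, "pass": password}
    resp1 = server.validate_check(user, password, now)
    exchange.append((step1, resp1))
    if resp1["result"]["value"]:
        return exchange
    step2 = {"user": user, "pass": otp_entered}
    tid = resp1["detail"].get("transaction_id")
    if tid:
        step2["transaction_id"] = tid            # answering the challenge
    resp2 = server.validate_check(user, otp_entered, now, transaction_id=tid)
    exchange.append((step2, resp2))
    return exchange


if __name__ == "__main__":
    NOW = 59  # fixed timestamp from the RFC 6238 vectors; TOTP is 287082
    for cr in (False, True):
        srv = ToyPI("myuser", "constructed-password", SECRET, challenge_response=cr)
        for params, resp in cp_two_step(srv, "myuser", "constructed-password",
                                        totp(SECRET, NOW), NOW):
            print(f"challenge_response={cr} params={params} -> {resp['detail']['message']}")
```

Without the challenge-response policy the second request ends in `wrong otp pin`, exactly as in the log, because the server is comparing the bare OTP against a PIN that is the whole directory password; with the policy enabled the first request returns a challenge and the second request, carrying the OTP plus `transaction_id`, is accepted.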

Hello,
You are right, this works correctly now. I see that PI is waiting for a response with the OTP from the API. When I log on in Windows I don't understand why my first request gets a 408 time-out, and it happens every time I try to log on. The first request gets a 408 time-out, the second is correct.

Hello,
I understood what was wrong. The CP needed the hostname in its configuration set to where the RADIUS server works, and now everything works great. Thanks.
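The last reply traces the 408 to the Hostname entry in the CP configuration, and the debug log posted above already contained the evidence: the first response body begins with `<` (an HTML "408 Request Time-out" page) rather than with privacyIDEA's JSON, which is why `JsonParser` fails on `'<'`, and it arrives 15 seconds after the request. The same log also shows `Log sensitive data: true`, under which the Windows password is written to the log file in plaintext. The script below is an added triage example, not part of the thread or of the privacyIDEA credential provider: it parses CP-style debug log lines (constructed sample below, modelled on the posted log with a placeholder hostname and password), pairs each `/validate/check` request with its response, and reports non-JSON responses and credential material in the log.

```python
import json
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample, modelled on the CP debug log in the thread; hostname,
# password and OTP are placeholders, not values from a real deployment.
SAMPLE_LOG = """\
[28-04-2023 16:18:02] [Configuration.cpp:149] Hostname: pi.example.invalid
[28-04-2023 16:18:02] [Configuration.cpp:168] Log sensitive data: true
[28-04-2023 16:18:02] [CCredential.cpp:804] 1st step: Sending windows pass
[28-04-2023 16:18:02] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/check
[28-04-2023 16:18:02] [Endpoint.cpp:72] Request parameters:
[28-04-2023 16:18:02] [Endpoint.cpp:79] pass=constructed-password
[28-04-2023 16:18:02] [Endpoint.cpp:79] realm=SOME.DOMAIN
[28-04-2023 16:18:02] [Endpoint.cpp:79] user=myuser
[28-04-2023 16:18:17] [JsonParser.cpp:120] [json.exception.parse_error.101] parse error at line 1, column 1: syntax error while parsing value - invalid literal; last read: '<'
[28-04-2023 16:18:17] [Endpoint.cpp:367] <html><body><h1>408 Request Time-out</h1>
Your browser didn't send a complete request in time.
</body></html>

[28-04-2023 16:18:17] [CCredential.cpp:878] Authentication complete: false
[28-04-2023 16:18:30] [CCredential.cpp:814] Sending OTP
[28-04-2023 16:18:30] [Endpoint.cpp:164] Endpoint::SendRequest to /validate/check
[28-04-2023 16:18:30] [Endpoint.cpp:72] Request parameters:
[28-04-2023 16:18:30] [Endpoint.cpp:79] pass=123456
[28-04-2023 16:18:30] [Endpoint.cpp:79] realm=some.domain
[28-04-2023 16:18:30] [Endpoint.cpp:79] user=myuser
[28-04-2023 16:18:30] [Endpoint.cpp:367] {
    "detail": {"message": "wrong otp pin"},
    "result": {"authentication": "REJECT", "status": true, "value": false}
}
[28-04-2023 16:18:30] [CCredential.cpp:878] Authentication complete: false
"""

LINE_RE = re.compile(r"^\[(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})\] \[(\w+\.cpp):(\d+)\] ?(.*)$")
PARAM_RE = re.compile(r"^([a-z_]+)=(.*)$")
TS_FMT = "%d-%m-%Y %H:%M:%S"


def parse_records(text: str) -> List[Dict]:
    """One record per timestamped line; untimestamped lines continue the previous message."""
    records: List[Dict] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append({"ts": datetime.strptime(m.group(1), TS_FMT),
                            "src": m.group(2), "msg": m.group(4)})
        elif records:
            records[-1]["msg"] += "\n" + line   # multi-line response body
    return records


def triage(text: str) -> Dict:
    """Pair each SendRequest with its parameters and response body; report problems."""
    config: Dict[str, object] = {}
    requests: List[Dict] = []
    cur: Optional[Dict] = None
    for r in parse_records(text):
        msg, src = r["msg"], r["src"]
        if msg.startswith("Hostname: "):
            config["hostname"] = msg.split(": ", 1)[1]
        elif msg.startswith("Log sensitive data: "):
            config["log_sensitive"] = msg.endswith("true")
        elif msg.startswith("Endpoint::SendRequest to "):
            cur = {"ts": r["ts"], "path": msg.rsplit(" ", 1)[1], "params": {}, "body": None}
            requests.append(cur)
        elif cur is not None and src == "Endpoint.cpp" and cur["body"] is None:
            pm = PARAM_RE.match(msg)
            if pm:
                cur["params"][pm.group(1)] = pm.group(2)
            elif not msg.startswith("Request parameters"):
                # First non-parameter Endpoint line after the request is the response body.
                cur["body"] = msg
                cur["latency_s"] = int((r["ts"] - cur["ts"]).total_seconds())
                try:
                    json.loads(msg)
                    cur["json"] = True
                except json.JSONDecodeError:
                    cur["json"] = False
    findings: List[str] = []
    for i, req in enumerate(requests, 1):
        if req.get("body") is None:
            findings.append(f"request {i}: no response body logged")
        elif not req["json"]:
            first = req["body"].splitlines()[0]
            findings.append(f"request {i} to {config.get('hostname')}{req['path']}: "
                            f"non-JSON response after {req['latency_s']} s: {first!r}")
        if "pass" in req["params"] and config.get("log_sensitive"):
            findings.append(f"request {i}: 'pass' value written to the log (Log sensitive data: true)")
    return {"hostname": config.get("hostname"), "requests": requests, "findings": findings}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG)["findings"]:
        print(f)
```

A JSON-RPC reply from privacyIDEA always parses as JSON, so a body that does not parse is a strong signal that the configured hostname is answered by some other HTTP listener; the latency column helps separate that case from a genuine privacyIDEA slowdown. The `Log sensitive data` finding is the reason to turn that option back off once debugging is done and to scrub the file before posting it.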