Overview
This tutorial will guide you through configuring WebADM/OpenOTP servers and the OpenOTP Credential Provider for Windows to authenticate local users using two-factor authentication (2FA). We'll cover both scenarios: authenticating local users within a domain and authenticating users with OpenOTP and the OpenOTP Credential Provider for Windows on a non-domain computer.
Note that both scenarios require an LDAP server to store user metadata. Even for local account authentication, token metadata must be stored in a user account within WebADM.
For both scenarios, the OpenOTP Credential Provider for Windows is essential. This component integrates RCDevs OpenOTP one-time password authentication into the Windows login process. The RCDevs OpenOTP Authentication Server is a web application closely linked to the RCDevs WebADM application server.
General Prerequisites
Before proceeding, ensure that WebADM and OpenOTP are installed and configured. Please refer to the appropriate documentation for guidance on these steps, as token registration is not covered in this guide.
Prerequisites for Local Users Authentication
In this scenario, user credentials (username and password) will be verified locally on the Windows machine based on the Remote LDAP password Check option. Second-factor authentication (2FA) will be checked remotely on the OpenOTP server. To validate 2FA, OpenOTP needs to identify the user attempting to authenticate to verify token metadata in the user's account. Therefore, a correspondence between the local user and the LDAP user is required, typically established using username information.
A properly functioning WebADM instance necessitates an LDAP datastore configured with WebADM. This scenario demonstrates how to authenticate Windows local users using a WebADM/OpenOTP instance already configured with an LDAP server.
We can identify 3 scenarios:
- User account exists on both the Windows machine (local account) and in WebADM: You can configure the Remote LDAP password check setting to No to keep password validation and policies on Windows only. If set to Yes, the local password will be sent to OpenOTP for verification against WebADM policies, potentially treating it as an LDAP password for the corresponding WebADM account.
- User account exists on the Windows machine but not in WebADM: Create a WebADM account for the user. Consider creating a separate Organizational Unit for local users to distinguish them from LDAP users.
- User account exists in WebADM but not on Windows: Enable the Auto Create Local Account setting during Credential Provider installation. If OpenOTP successfully authenticates a user, and the account doesn't exist on Windows, the Credential Provider will automatically create it using the username and password provided during authentication. The user password validated by OpenOTP will override the local user password on Windows at each login, eliminating the need for manual password maintenance. The Credential Provider can also automatically populate selected local groups.
Note that for local user accounts, the password is not necessarily the same on both sides, as the user password will be checked locally by the Windows machine and not by OpenOTP.
In some cases, authentication might succeed on one side but fail on the other, preventing login. Exercise caution when configuring the Credential Provider and policies to avoid such issues.
Authenticate a Windows Local User
OpenOTP Credential Provider Configuration
Refer to the Credential Provider documentation for detailed installation and configuration instructions. Follow the steps up to the Configuration 3/4 screenshot. At this configuration step, locate the setting named Remote LDAP password Check and set it to 'No'.
This means that the LDAP password will not be sent to OpenOTP and will only be verified locally by the Windows machine. The registry key associated with this setting is check_ldap. Setting this key to 0 disables LDAP password checking by OpenOTP. A value of 1 indicates that the user password provided during authentication will be sent to OpenOTP for verification.
Click Next, Install, and Finish to complete the installation. You can now proceed with the WebADM configuration.
WebADM Configuration
Windows Machine in a Domain
If the Windows machine where the OpenOTP Credential Provider is installed is in a Windows domain, no changes are typically required to the WebADM configuration. Your default settings should suffice. If authentication fails, check the WebADM logs for errors. A common error is 'Domain not found.' If you encounter this error, refer to the next section and add the domain listed in the WebADM logs to the domain aliases field in your local domain configuration.
Windows Machine out of Domain
If the Windows machine where the OpenOTP Credential Provider is installed is NOT in a Windows domain, you'll need to make some changes in the WebADM GUI. By default, the authentication request sent to OpenOTP includes the domain name or workgroup name. If the machine is not in either a domain or workgroup, the computer name is used. In this scenario, the workgroup or computer name will be passed in the authentication request.
To make these changes, log in to the WebADM GUI as super_admin, click on the 'Admin' tab, and then select 'Local Domains.' You have two options:
Scenario 1:
- Create a new WebADM domain, name it like your workgroup name, and configure the user search base of your "local user" OU.
To perform this, click on the Add Domain button.
I named my new domain like my workgroup (by default it is WORKGROUP), and I clicked on Proceed and Create Object.
You are now on the local domain configuration page.
The only settings of interest here are the User Search Base and the Domain Name Aliases.
As previously configured, your local user accounts are located in a dedicated Organizational Unit (OU) on your LDAP server: OU=localuser,DC=yorcdevs,DC=com.
In the Domain Name Aliases field, add all the Windows workgroup names of your machines. For example, if a Windows machine is in the workgroup named WORKGROUP4, you must include WORKGROUP4 in the Domain Name Aliases field to avoid the 'domain not found' error in WebADM logs.
This approach represents the correct way to integrate local users in this scenario.
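The following PowerShell script is an added example and not part of RCDevs' documentation or software. It applies the rule described above (domain name if the machine is domain-joined, otherwise the workgroup name, otherwise the computer name) to report what name this machine will send in the authentication request, and checks that name against a constructed table of WebADM local domains and their Domain Name Aliases so you can see in advance whether WebADM would log 'Domain not found'. The case-insensitive comparison, the hashtable representation of local domains, and the registry path used for check_ldap (the tutorial names the value but not its location) are assumptions; replace the placeholder path with the one from your own Credential Provider installation.

```powershell
# Added example (not RCDevs' code): preview what this Windows machine will send to
# OpenOTP and whether a WebADM local domain or alias would accept it.

function Get-OpenOtpRequestDomain {
    # Mirrors the rule in the tutorial: domain if domain-joined, otherwise the
    # workgroup name, otherwise the computer name.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($cs.PartOfDomain) {
        [pscustomobject]@{ Source = 'Domain';    Name = $cs.Domain }
    } elseif ($cs.Workgroup) {
        [pscustomobject]@{ Source = 'Workgroup'; Name = $cs.Workgroup }
    } else {
        [pscustomobject]@{ Source = 'Computer';  Name = $cs.Name }
    }
}

function Test-WebAdmDomainAlias {
    param(
        [Parameter(Mandatory)] [string] $RequestDomain,
        # Assumed representation of your WebADM local domains:
        # domain name -> array of Domain Name Aliases.
        [Parameter(Mandatory)] [hashtable] $LocalDomains
    )
    foreach ($entry in $LocalDomains.GetEnumerator()) {
        $candidates = @($entry.Key) + @($entry.Value)
        # -contains compares case-insensitively; assumed to match how Windows
        # treats domain and workgroup names.
        if ($candidates -contains $RequestDomain) {
            return "Request domain '$RequestDomain' is accepted by WebADM domain '$($entry.Key)'."
        }
    }
    return "Request domain '$RequestDomain' matches no domain or alias: expect 'Domain not found' in the WebADM logs."
}

function Get-CheckLdapSetting {
    param(
        # PLACEHOLDER: the tutorial gives the value name (check_ldap) but not its
        # registry path. Replace with the path from your Credential Provider install.
        [string] $RegistryPath = 'HKLM:\SOFTWARE\<placeholder-path-to-OpenOTP-CP>'
    )
    $value = (Get-ItemProperty -Path $RegistryPath -Name 'check_ldap' -ErrorAction Stop).check_ldap
    switch ($value) {
        0       { "check_ldap=0: password verified locally by Windows only (Remote LDAP password Check = No)." }
        1       { "check_ldap=1: password sent to OpenOTP for verification (Remote LDAP password Check = Yes)." }
        default { "check_ldap=$value: unexpected value, review the Credential Provider configuration." }
    }
}

# Usage with a constructed sample of local domains (not a real WebADM export):
# a 'WORKGROUP' domain with two aliases, plus the default domain with none.
$sampleDomains = @{
    'Default'   = @()
    'WORKGROUP' = @('WORKGROUP4', 'LABWG')
}
$req = Get-OpenOtpRequestDomain
"This machine will send '$($req.Name)' (taken from its $($req.Source))."
Test-WebAdmDomainAlias -RequestDomain $req.Name -LocalDomains $sampleDomains
```

Run it on the workstation before enabling the Credential Provider: if the last line reports no match, add the printed name to the Domain Name Aliases field of the local domain whose User Search Base covers your local-user OU. Call Get-CheckLdapSetting with the real registry path once you know it to confirm that the installer wrote the value you selected on the Configuration 3/4 screen.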
Scenario 2:
The other way is simply to add every workgroup name to the default domain configuration. Be careful with the User Search Base: it must still cover the OU that holds your local user accounts.
Auto Create Local Account
The OpenOTP Credential Provider for Windows can automatically create a local account when a user logs in.
When this setting is set to 'Yes', the Credential Provider will automatically create the corresponding local account if it doesn't already exist, provided remote authentication is successful. Additionally, you can select specific local groups to be populated with these auto-created local accounts. The local password will also be transparently reset at each login using the provided password. For this reason, this setting is only available when the Remote LDAP Password Check option is enabled.