Product Documentation

This document is an installation guide specifically for the OpenOTP Credential Provider for Windows. Therefore, the installation or configuration of WebADM, including token registration, is not covered here. For detailed installation and usage guides for WebADM, please refer to the RCDevs WebADM Installation Guide and the RCDevs WebADM Administrator Guide, available through the RCDevs documentation.

Product Overview

The OpenOTP Credential Provider for Windows integrates RCDevs OpenOTP authentication into the Windows login process.
To proceed with this setup, ensure that WebADM/OpenOTP is installed and configured. Refer to the WebADM Installation Guide and Manuals for detailed instructions.

System Requirements

The OpenOTP Credential Provider runs on any x86/x64 Windows platforms starting with Windows Vista and Windows Server 2008 versions.

Your environment should meet the following requirements:

  • x86/x64 Windows 2008 Server/Vista or later.
  • Computer joined to an AD domain or in a Workgroup. For computers out of an AD domain, please refer to the dedicated documentation for configuration details.
  • Network access.
  • An instance of WebADM and OpenOTP running in your network.
  • Connection to OpenOTP web service.

The OpenOTP Credential Provider operates on Server editions with Desktop Experience or Core edition. All features of OpenOTP-CP are supported with Desktop Experience, unlike Core editions.

The Core version supports the following local and Remote Desktop login scenarios:

  • The RunAs scenario functions if the App Compatibility feature on demand has been installed. In this scenario, you can browse a program through explorer.exe, then right-click on it, and select "RunAs OtherUser".

The following scenarios are not supported with Core editions:

  • Offline login support.
  • RunAs scenarios from PowerShell or CMD.

Preliminary Information

Administrative/elevated permissions are necessary on any computer to correctly set up and/or change the OpenOTP Credential Provider’s configuration.

To set up the provider correctly, please gather the following information which will be required during the installation process:

  • The URI(s) of the OpenOTP web-service(s) (mandatory):
    These URIs are mandatory because the client needs to know where the OpenOTP SOAP network API can be reached. They should be entered as a comma-separated list. At least one URI is necessary.

  • Your local domain (optional):
    This is needed to specify a domain that is not the default on the OpenOTP side.

  • Custom login text or tile caption (optional):
    Text displayed on the Windows login pane.

  • Client ID (optional):
    An identifier to distinguish a particular client on the server-side.

  • Certificate Authority (CA) file (optional)

  • Certificate file (optional)

  • Certificate’s password (optional)

  • SOAP timeout delay (optional)

The login mode LDAP+OTP must be configured on the server-side in WebADM, as the Windows Domain Controller (DC) requires the complete credentials (including LDAP password) to issue a Kerberos ticket.

Installation and Configuration

The setup and configuration of the Credential Provider can be completed in approximately 5 minutes using the installer, which handles both setup and configuration. The provider can also be automatically deployed to your clients, a process covered later.

Administrative/elevated permissions are required on any workstation to correctly set up and modify the OpenOTP Credential Provider’s configuration. To proceed, please run Windows PowerShell or Command Prompt as Administrator. Right-click on Windows PowerShell and select "Run as Administrator".

Local Installation

First, you need to download the OpenOTP Credential Provider for Windows for either x86 or x64 architecture.

After downloading, extract the files from the archive onto your Windows machine(s). Locate and run the MSI file, then click on Next to proceed with the installation.

cp

Accept the End-User License Agreement and click on Next.

cp

Now, you need to select which features to install. The Core Components are mandatory. Additionally, you can choose to install the Credential Provider as either default login or Smartcard login. Please note that Smartcard login is supported starting from Windows 8 or Windows Server 2012 and requires a 64-bit system.

You may also adjust the default installation directory as desired. Once you have made your selections, click Next to proceed.

Installing the provider as default disables all other credential providers on the target system. Only Credential Providers provided by RCDevs will be available for login. In case of any issues, you can still log in using other providers using Windows failsafe boot. It is also possible to configure OTP login in failsafe mode, which will be discussed later.

To log in to a Windows Server via RDP client with a One-Time Password, the OpenOTP Credential Provider must be installed by default on the remote host to enable OTP login.

During testing, do not install OpenOTP Credential Provider as the default provider initially. Perform a login test before choosing OpenOTP Credential Provider as the default provider.

cp

On the first configuration page, you need to configure the following elements:

cp
  • WebADM URL settings:

    • If you select Auto, fill the WebADM URL with at least one of your WebADM server URLs (e.g., https://your-webadm-ip-address-or-dns-name). Click on Configure, which will automatically populate the Server URL, additional Server URL, and Certificate Authority file fields. Note: If your WebADM URL is defined as https://your_webadm_server, it will attempt to access https://your_webadm_server:443/srvurl/openotp. If defined as https://your_webadm_server:8443, it will try https://your_webadm_server:8443/srvurl/openotp.
  • Server URL (Manual mode):

    • If you select Manual, configure at least the Server URL setting with one of your OpenOTP SOAP URLs. Example: https://your_webadm_server:8443/openotp.
  • Loading Text (optional):

    • This text is displayed during a connection attempt to WebADM. It can be useful for prompting the user, especially when using push login. For example, you could remind the user to check their mobile phone.
  • Login Text (optional):

    • Optionally, define a login text that will be displayed to the user during authentication.
  • Client ID (optional): you can also define a Client ID referring to a client policy in WebADM.

Click on Next

cp

On the second configuration page, you can configure the following elements:

  • Certificate Authority File: This must contains the CA file of your WebADM servers. The file will be automatically copied into the installation folder of OpenOTP Windows Credential Provider.

  • API Key(optional): if you configured OpenOTP to require an API Key, you can set it with these settings.

  • Certificate File Certificate Password and Confirm Passwordoptional): if you configured OpenOTP to require a client certificate, you can set it with these settings.

One of these two client authentication methods must be configured if you intend to publish and use the OpenOTP Web Service through WAProxy or your reverse proxy.

OpenOTP Credential Provider will automatically download the CA certificate on the default WebADM server port if you are using the automatic configuration. You can also obtain it manually with https://mywebadmserver/cacert.

Click on Next

cp

On the third configuration page, you can configure the following elements:

  • SOAP Timeout (Default to 30) : this is the timeout for connection to the Server URL.
  • Server Selection Policy (Default to Ordered) : If you have more than one webadm server, this is the way the Windows OpenOTP Credential Provider will contact them.
    • Ordered : the first server is always preferred
    • Balanced : the server is chosen randomly for each request
    • Consistent : the server selection depends on the user ID

Click on Next.

cp

On the fourth configuration page, you can configure the following elements:

  • Authentication form (Default to Simple). You have 2 choices:
    • Simple: On the Windows login page, you will have 2 fields in the first step (Username and Password LDAP), after pressing login, you will have a second screen with the OTP field.
    • Normal: With this option, you will have 3 fields on the login page, one for the Username, one for the LDAP password and the last one for the OTP.
  • Login Tile Image (optional) : the path of the image on the filesystem displayed on the login page (must be a 128x128px 24 bit bitmap file)
  • Http Proxy Host and Port (optional) : this config is for HTTP proxy. If you are running OpenOTP behind an HTTP proxy you need to set the host and the port of the proxy.
  • Remote LDAP Password Check (Default to Yes) : enable this option if your OpenOTP server does not use your AD or if this host is not connected to the Windows Domain.
  • Auto Create Local Accounts (optional): this can be enabled when the host is not connected to a Windows domain, and you want the Credential Provider to create user accounts at first login. You can also select local groups to be populated by these auto-created local accounts.

Click on Next.

cp

On the fifth configuration page, you can configure the following elements:

  • RDP Client ID (optional). RDP client ID can be used if you want to match a different client policy for RDP sessions.
  • Local Alias (optional): when attempting a local login, the domain part of the username will be automatically replaced by the local alias before sending the OpenOTP request.
  • Offline Mode Support (Default to Yes): enable this option if you want to use the offline mode of Windows Credential Provider. This will permit you to authenticate to your machine even if webadm is not reachable.
  • Max hours to bypass MFA (Default to Disabled): this setting can be used to define for how much time the OpenOTP Windows Credential Provider will not ask for a MFA since the last login.
  • Whitelist (optional): List of user SID separated by ; that won’t be asked for 2FA/MFA to login, skipping any OpenOTP calls.
  • Protected Principals (optional): List of security principals SID (users and groups) separated by ; which for the OpenOTP call will be enforced. This is basically the opposite of the above whitelist setting, and is only useful if you have whitelisted groups.
    Tip : You can get a user SID using this command from a cmd prompt :
wmic useraccount where (name='Username' and domain='Domain') get sid

Click on Next.

cp

If you selected the Credential Provider Filter feature, you will be presented a sixth page.

  • Credential Providers Filter Whitelist (optional): If you are installing OpenOTP Credential Provider as default, no other providers will be available during login. Use this setting to override this behavior and allow specific credential providers to be used.
    Please keep in mind that the login process will only be as secure as the least secure of the available credential providers!
    This is a list of the allowed Credential Providers CLSID separated by ";", a CLSID is of the form {60b78e88-ead8-445c-9cfd-0b87f74ea6cd}.
    All the CLSID of the registered Credential Providers on your machine can be found in the following registry location :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\

This will change depending on your Windows version and if you have installed other third party Credential Providers.

  • Use the Credential Provider Filter in CREDUI (optional): this option is to force or bypass the MFA check using RDP from the machine when the OpenOTP Windows Credential Provider is installed as the default credential provider. That means when this setting is disabled, you are able to select the default Windows credential provider during an RDP authentication.

The setting Credential Provider Filter in CREDUI includes all other scenarios different from the local login.
For example RunAsDifferentUser or RunAsAdministrator on a program or on an installer will trigger the RDP scenario.
If that setting is enabled, and you use Windows Remote Desktop tool to log in on a remote machine, then the OpenOTP Credential Provider will be triggered locally during the login process. If the OpenOTP-CP is also installed on the remote host as default provider, then it will also be triggered on the remote host during the login purpose. So in that scenario, the OpenOTP call will happens twice and 2 authentications will be performed with OpenOTP.

In RDP login scenario, the domain value is not automatically passed to Windows like for local logins scenario. Windows will then refuse the login if no domain value is passed in RDP scenario. This behavior is the expected behavior. If the domain value was automatically retrieved then we would encountered issues to login on a remote host which is not in the same domain.
In that scenario, you must use DOMAIN\username in username field to perform the login and target the correct domain according to where your are trying to login.

Click on Next

If you selected the Smartcard login feature, you will be presented a seventh page.

  • Enable additional MFA for smartcard login (Default to false). Specify whether you want an additional second factor authentication after a successful smartcard login
cp

Click on Next

cp

Configuration is done, you can click on Install and Finish after the installation.

cp

Configuration for Smartcard logins

Requirements :

  • Windows 8 and later for workstations or Windows Server 2012 and later
  • 64 bits architecture

To achieve smartcard login with maximum compatibility, the OpenOTP Credential Provider is actually wrapping the builtin Microsoft Smartcard Credential Provider. Therefore, you should check first you are able to log in with the builtin smartcard CP before using the OpenOTP CP Smartcard Login feature.

With Microsoft PKI

You can use certificates generated by Windows, to configure all the Windows PKI infrastructure please refer to the following Microsoft documentation.
Before continuing, make sure you are able to log with the Microsoft Smartcard Credential Provider.

In order to use the OpenOTP Credential Provider with smartcard you will need some additional configuration :

If you look into your user object, you should notice WebADM automatically detected your certificate, but the CA is not trusted.

cp

To resolve this, first you will have to export your CA certificate into a base64 encoded X509 certificate.
This can be done via certlm, Right click > All Tasks > Export. Select the second format option.

cp

Once done, in your WebADM Admin tab, click on Trusted CA Certificates

cp

Click Import CA Certificate.

cp

On the next screen, select your file and import it. You can also paste its content with the method 2:

cp

The CA is imported, you should see in your trusted CA list:

cp

The CA is now trusted and your user object should reflect this

cp

You should now be able to log in with the OpenOTP Credential Provider and a smartcard.

With WebADM PKI

You can also generate user certificates directly with WebADM and then transfer them on your smartcard. The generated certificate meet by default all the requirements to be used with the Microsoft smartcard logon workflow, so you should not have to override them in a GPO.

On your user object, click on Create certificate, select User usage and fill the information then click Create Cert.

cp

Click on Create cert button.

cp
cp

You will then be prompted to download the certificate, do it. Note the password, you will need it to store the private key.
You will now have to store this certificate with its private key on your smartcard. The method to do so depends of your smartcard manufacturer so please consult their technical documentation.

You should now be able to see your newly generated certificate on your user object.

cp

You will now need your WebADM CA certificate. It can be retrieved in your Admin tab, with the Download WebADM CA certificate link or in the Trusted CA Certificates section.

Lastly you will need some additional configuration on Windows side. Please follow those Microsoft configuration instructions, at this point you should only have to do steps 2 and 3.

In summary the WebADM CA certificate should be in the Trusted Root Certification Authorities store of all workstations (this can be automated via a Group Policy) and in the NTAuth store of Active Directory.
This documentation provides additional information for the latter.

If everything is correctly configured you should now be able to log in with a smartcard with the builtin Microsoft Smartcard Credential Provider. Please make sure this is the case and then you can install the OpenOTP Credential Provider with the smartcard login feature.

Modifying the Configuration

If you are under Testing

To configure the OpenOTP Credential Provider, navigate to the “Windows Control Panel” and select “Programs and Features”. Search for “RCDevs OpenOTP-CP Credential Provider for Windows” and click “Change”. Now the installer shows up. Select “Change” and modify the provider’s configuration as you need.

If OpenOTP Credential Provider is running in Production

To configure the OpenOTP Credential Provider, you must get the MSI installer file, for the example on your Desktop. Run command line as administrator:

  1. Click Start, click All Programs, and then click Accessories.
  2. Right-click Command prompt, and then click Run as administrator.
  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

Run the installer, and click “Change” to update settings.

Automatic Deployment / Quiet Installation

The MSI installer package is prepared to take all configuration parameters that can be set during local installation for auto-deployment in quiet mode. Hence, you can deploy the setup to any clients and automatically install the Credential Provider without user interaction.

Example of quiet installation with PowerShell:

msiexec /qb /i OpenOTP_CredentialProvider.msi SERVER_URL=https://webadm1.rcdevsdocs.com:8443/openotp/ CA_FILE=c:\ca.crt OFFLINE_MODE=1 CLIENT_ID=windows

The parameters are as follows:

Parameter Value
SERVER_URL URL pointing to one OpenOTP web‐service.Example: https://webadm1.rcdevsdocs.com:8443/openotp/ Mandatory.
SERVER_URL_2 URL pointing to the second node of your OpenOTP cluster. Optional.
USER_IDENTIFIER_TYPE This option defines what the Credential Provider sends as the username to OpenOTP. 1: UPN: Combination of username and domain (username@domain.com) is sent. This must correspond to the users userPrincipalName attribute. 2: Username (Default): Username is sent separately and should correspond to users samAccountName attribute. Note : Depreciated. Prefer using the 'UPN Mode' WebADM setting
LOADING_TEXT The text to display during a connection attempt to Webadm. If you are using push login, it could be useful to remind the user here to check his mobile phone.
LOGIN_TEXT A text that is displayed on the Windows login page.
CLIENT_ID Client ID which is sent to OpenOTP in the login requests. This client ID will appear in the WebADM audit database. Optional.
CA_FILE The file-system path to a Certificate Authority (CA) file. Mandatory. e.g: c:\ca.crt
CERT_FILE The file-system path to a user certificate. Optional.
CERT_PASSWORD The user certificate’s password. Optional.
API_KEY Allow to provide an API Key value issued from WebADM when client authentication is required in your policies. Optional.
SOAP_TIMEOUT Request timeout when connecting to OpenOTP Authentication Server URL. The default is 30 seconds (If empty it will be the 30s). Optional.
LOGIN_METHOD There are two login methods available:
  • 0: simple (Default): Only username and password inputs are displayed during login, and if needed a Challenge appears on a next step.
  • 1: Normal: Username, password and OTP inputs are displayed during login.
  • Simple mode uses the OpenOTP SimpleLogin method where the semantic of the password input is handled by the OpenOTP server and based on the user login policy. Optional.
    V1_BITMAP_PATH The path of the image on the filesystem displayed on the login page.
    Valid for versions 2.x
    Optional.
    V2_BITMAP_PATH The path of the image on the filesystem displayed on the login page.
    Valid for versions 3.x
    Optional.
    CHECK_LDAP Enable this option if your OpenOTP server does not use your AD or if this host is not connected to the Windows Domain.
    By default, the LDAP password is checked by OpenOTP first and checked by the credential provider at session start. When disabled, the LDAP check is performed locally only.
    • 0: disabled
    • 1: enabled (Default)
    AUTO_CREATE You can enable this option when this host is not connected to the Windows Domain and you want the Credential Provider to create users accounts at first login. The local LDAP password is transparently reset at each login.
    • 0: disabled (Default)
    • 1: enabled
    Note: This option is only available if the Remote LDAP Password Check Option is enabled.
    LOCAL_ALIAS You can enable this option when the host is not part of the Windows Domain and you want that the OpenOTP Credential Provider send a static value (WORKGROUP name) in order to match a WebADM domain. Sometime, the Windows API is returning the hostname which is sent as Domain value in the OpenOTP call. Configure that setting will prevent that behavior.
    POLICY Routing Policy. If two server URLs are defined in server URL, you can configure a request routing policy (ie. the server selection policy).
    There are three policies available:
    • 1: Ordered (Default): The first server is always preferred. When it does not respond, the second server is used.
    • 2: Balanced: The server is chosen randomly for each request. When it does not respond, the other is used.
    • 3: Consistent: The server selection depends on the user ID. A request for one specific user is also always routed to the same server. If it does not respond, the other server is used.
    PROXY_HOST
    PROXY_PORT
    This config is for HTTP proxy. If you are running OpenOTP behind an HTTP proxy you need to set the host and the port of the proxy.
    OFFLINE_MODE According to this option OpenOTP will permit users to log in when server/network is not reachable, using the OpenOTP Token mobile Application.
    • 0: disabled (Default)
    • 1: enabled
    PS: this mode requires at least one online login using push service to fetch its offline information.
    DEBUG_MODE This setting enables or not the debug logs of the OpenOTP Credential Provider for Windows, and how verbose it should be
    • 0: disabled (Default)
    • 1: Error
    • 2: Warning
    • 3: Infos
    • 4: Debug
    F2A_BYPASS_TIMER This setting can be used to define for how much time in seconds the OpenOTP Windows Credential Provider will not ask for MFA since the last login, Max : 86400 (24h).
    • Set a positive integer in seconds (e.g. 3600, 7200)
    • 0: disabled (Default)
    RDP_CLIENT_ID RDP client ID can be used if you want to match a different client policy for RDP sessions.
    RDP_DEFAULT_ENABLED This option is to force or bypass the MFA check using RDP from the machine when the OpenOTP Windows Credential Provider is installed as the default credential provider. That means when this setting is disabled, you are able to select the default Windows credential provider during an RDP authentication.
    • 0: disabled (Default)
    • 1: enabled
    WHITELIST (optional) : List of user SID separated by ; that won’t be asked for 2FA/MFA to login, skipping any OpenOTP calls.
    PROTECTED_PRINCIPALS : List of security principals SID (users and groups) separated by ; which for the OpenOTP call will be enforced. This is basically the opposite of the above whitelist setting, and is only useful if you have whitelisted groups
    CP_FILTER_WHITELIST (optional) : Only relevant if you have selected the InstallAsDefault feature. List of the credential providers CLSID separated by ';' that should still be enabled, overriding the filter. All the CLSID of the registered Credential Providers on your machine can be found in the following registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers
    SMARTCARD_MFA : Only present if you have installed the SmartcardLogin feature. If enabled, an additional authentication factor will be required after a successful smartcard login.

    In order to set the OpenOTP Windows Credential Provider as the default credential provider in case of silent or remote deployment, the option ADDLOCAL=InstallAsDefault must be added to the msiexec command line:

    msiexec /qb /i OpenOTP_CredentialProvider.msi SERVER_URL=https://webadm1.rcdevsdocs.com:8443/openotp/ ADDLOCAL=InstallAsDefault CA_FILE=c:\ca.crt OFFLINE_MODE=1 CLIENT_ID=windows
    

    You can also specify the SmartcardLogin feature, e.g. ADDLOCAL=SmartcardLogin or ADDLOCAL=InstallAsDefault,SmartcardLogin.

    Windows FailSafe Mode

    In order to force the use of the OpenOTP Credential Provider even in Windows failsafe mode, some registry changes need to be made.

    In case of failure during the provider configuration or unreachable network, even failsafe mode will not help you to log in to a workstation that is set-up to force the use of the Credential Provider.

    To register the Credential Provider enforcement, copy the following text to a new text file, name it register.reg and execute it.

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers]
    "ProhibitFallbacks"=dword:1
    

    To disable and unregister the failsafe enforcement copy the following text.

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers]
    "ProhibitFallbacks"=-
    

    Online Authentication Test

    With OTPs/Push

    You are now able to log in your Windows machine using MFA with OpenOTP. Please log out and enter your LDAP Credentials on the first screen.

    cp

    You should have a WebADM account activated and an OTP Token enrolled on your account. Follow this documentation to User Activation & Token enrollment documentation

    On the next screen, your OTP is asked to finish the authentication.
    Enter your OTP and you are logged in.

    cp

    With Smartcards

    Insert your smartcard. If it is detected and the stored certificate can be used for logon, you will now have a new credential tile for smartcard logon.
    Select it and enter your PIN code.

    If you have enabled the additional MFA authentication during installation, you will then be prompted for the configured additional factor (OTP/Push/FIDO etc). Enter what is required.

    You are now logged in.

    cp

    With Fido

    The client policy must be configured for FIDO authentication in order to use your FIDO key. Enter your LDAP credentials and you will be invited to touch your FIDO device:

    cp

    Once you successfully respond to the FIDO challenge, you will be authenticated, and your session will be opened.

    Offline Authentication Test

    Important information for offline logins

    One online login with OTP or FIDO is required to enable offline login mode! This is specific to the user and computer where the login is made, which means, if computers are shared in the company, all users needs to perform an online login on a specific machine to enable the offline logins for their accounts on this computer.
    Procedure must be repeated on all machines they want to enable the offline login mode.
    Compatible token must be registered first on the user account in order to be able to use that feature (OpenOTP Token application or FIDO key).
    Push login infrastructure is mandatory to use the offline mode with OpenOTP Token application.

    If both kind of tokens (OTP with OpenOTP Token app and FIDO keys) are registered on the user account before the online login, OpenOTP will send back offline information to the OpenOTP Credential Provider for the 2 types of devices and after one online login you will be able to login offline with all compatible devices registered on the user account.

    With OpenOTP token application and Tokens registered in Push mode, only the first push token (generally registered on slot 1 on the user account) is usable in offline mode!

    With FIDO keys, all registered FIDO keys will work in offline mode but only one key must be plugged to the Windows machine during the authentication process.

    In Offline mode, the user password is verified during the process by Windows, so in case of a Domain joined machine, please ensure that the GPO setting Interactive logon: Number of previous logons to cache (in case domain controller is not available) is configured to allow caching of credentials.

    If you activated the options KeyUpdate or Token Expiration Time in the OpenOTP configuration, the offline mode won't work anymore once the token key has been rotated by the server.
    To resolve this issue you need to perform an online login in order to renew the Offline state on the concerned machines and for all concerned users.

    With OTPs/QRCode

    Offline authentication is available for Windows and macOS login, and requires at least the following versions: WebADM 1.6, OpenOTP 1.3.6, OpenOTP Token 1.4 and OpenOTP Credential Provider 1.2.

    When your laptop is offline, you are now able to log in with an OTP or a fido key. So for this test, I disable the network adapter to simulate the offline mode.
    Like above, enter your LDAP Credentials on the first screen.

    cp

    OpenOTP Credential Provider is not able to contact OpenOTP server so, it will switch automatically to the offline mode. The offline mode will prompt you a QRCode if using an OTP or to touch your fido key.
    You have to scan the QRCode with the OpenOTP Token application.

    cp

    Open your OpenOTP Token application, press on the camera button and scan the QRCode.

    After scanning the QRCode, a window with an OTP is displayed on your smartphone like below:

    cp

    Enter your OTP and you are logged in.

    To be sure the offline mode is enabled on a specific machine for a specific user, you can check in your Registry Editor if offline metadata are present.

    In your AD, it should be possible to find this offline_otp string in the file of the user concerned by going in the Registry Editor and following this path:

    HKEY_LOCAL_MACHINE/SOFTWARE/RCDevs/OpenOTP-CP/UserData
    
    cp

    With Smartcards

    Smartcard login is currently not supported in offline mode.

    With Fido

    With FIDO authentication method, the offline authentication is working similarly to online mode.
    To be sure that you are in offline mode, you can check in your Registry Editor if there is an offline_fido string.

    In your AD, it should be possible to find this offline_fido string in the file of the user concerned by going in the Registry Editor and following this path:

    HKEY_LOCAL_MACHINE/SOFTWARE/RCDevs/OpenOTP-CP/UserData
    
    cp

    Troubleshooting

    Troubleshooting steps depend on the specific issue you are facing. Please consult the following chapters for instructions.

    Authentication Issues

    In case of failed authentication, the first check should be the webadm.log on the OpenOTP/WebADM server. This can be found on the server at /opt/webadm/logs/webadm.log or in the WebADM web-interface under Databases > WebADM Server Log Files.

    This log should have a trace of the OpenOTP authentication and its result. In case the OpenOTP authentication is successful, but the Windows login fails, the reason is typically a missing local account or wrong local Windows password.

    If the login fails and there is no trace of it in the webadm.log, then the installation is not correct. Please see chapter 8.3

    Offline Authentication Issues

    Offline authenticate requires a successful online login using mobile push-based authentication and RCDevs OpenOTP mobile soft token. This login must be done on the same Windows machine and with the same user account. If this prerequisite is not complete then you will receive error message: "Offline login is not available for this user."

    To configure push-based authentication, please refer to RCDevs Push mecanisisms documentation.

    Installation Issues

    Windows settings and permissions can cause the installation to fail for various reasons. While debugging your installation and OpenOTP environment, take a look at the Windows Event Viewer.

    If the installation is completed but CP is not working, please check the following items:

    • You should have an entry in the registry at Computer\HKEY_LOCAL_MACHINE\SOFTWARE\RCDevs\OpenOTP-CP\ If not please check that the user you are running the installer as has got write permissions to the registry folder: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\
    • You should also have these two files, if not then check the effective access of the installation user to the System32 folder:
    C:\Windows\System32\OpenOTPCredentialProvider.dll
    C:\Windows\System32\OpenOTPCredentialProviderFilter.dll
    

    You can use this command via PowerShell, which will generate a log file if you encounter errors during the MSI installation :

    PS C:\Windows\system32> msiexec /i "C:\Users\user1\Desktop\OpenOTPCredentialProviderSetup-3.0.10.0-x64.msi" /L*V "C:\RCDevsLogs\CP-Logs"
    

    Unable to login at all

    In case you have installed the OpenOTP Credential Provider as the default credential provider and are unable to login at all, you stil have the following options to gain access to the machine again:

    Remote registry modification

    If you can manage the registry of the machine in question remotely, for example in case of a domain joined machine, you can remove the default credential provider registration. Remotely access the registry of the server in question and delete the below registry key:

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\{5AE8C610-7541-4FF8-9845-C363410D574C}]
    @="OpenOTPCredentialProviderFilter"
    

    Boot to Windows "Safe mode"

    As long as you have not enabled CP also for safe mode and can boot to it, you can use it to remove or modify credential provider Please refer to Microsoft documentation on how to boot to Safe Mode. Once in safe mode, rename or remove the two below files and reboot to log in with the regular Windows login.

    C:\Windows\System32\OpenOTPCredentialProvider.dll
    C:\Windows\System32\OpenOTPCredentialProviderFilter.dll
    

    Mount disk drive on other system

    In case Safe Mode boot is not available (for example on cloud deployed Windows), you need to shut down the machine, mount the C: drive and rename/remove the two DLL files in previous step. After that you should be able to boot into regular login.

    Push Login issue

    If you have increased the Mobile response timeout setting under OpenOTP configuration, then you also have to increase the Windows 10 lock screen timeout and the RDP login timeout on the Windows machine.
    The SOAP timeout value at the OpenOTP Credential Provider level must be also configured in adequation of the mobile response timeout.

    e.g : If my mobile response timeout under OpenOTP is configured to 45 seconds, then I have to configure the SOAP timeout and Windows timeouts to 60 seconds.

    For the Windows lock screen timeout, you have to create a new registry key in the following container :

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\
    

    Simply add a new DWORD value named IdleTimeout in that container and configure the timeout value in milliseconds. If your push timeout is configured to 45 seconds, then the value of the new IdleTimeout key must be at least 60 seconds.
    60 seconds is equal to 60000 ms in decimal and EA60 in hexadecimal.

    For the Windows RDP timeout, you have to create a new registry key in the following container only if NLA is enabled on the Windows side for RDP login :

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\
    

    Simply create a new DWORD key named LogonTimeout, containing the timeout value in seconds. Restart the Terminal Services service to changes takes effect.

    Could not be authenticated

    Server Sent No Response

    Error example

    cp

    Possible reasons/Solutions :

    • OpenOTP URL/port configured during Credential Provider installation are invalid or not reachable from the Windows machine.
    • CA file is missing, incorrect or not usable.

    Check server URL and CA path through Windows registry Computer\HKEY_LOCAL_MACHINE\SOFTWARE\RCDevs\OpenOTP-CP.

    Wrong Username or Password?

    error example

    cp
    • Double check that the username and password are correct.
    • Check WebADM logs, if you can see the authentication request in logs with the following error :
    [2020-04-21 10:48:09] [192.168.3.68] [OpenOTP:386DCN2T] Domain 'rcdevsdocs.com' not existing
    

    Please refer to part Troubleshooting documentation to solve it.

    Endpoint could not be initialized

    To troubleshoot that kind of error, you need to enable the debug logs of the OpenOTP Credential Provider for Windows.

    Enable Debug Logs

    For advanced troobleshooting, debug mode can be enabled through Windows registry Computer\HKEY_LOCAL_MACHINE\SOFTWARE\RCDevs\OpenOTP-CP\debug_mode=4.

    This option can be set from 0 (disabled) to 4, depending on how verbose you want it to be.

    cp

    Debug logs are accessible by default in C:\RCDevsLogs\CP-Logs. If you have redefined the location using the debug_log_file registry key, the logs will be written to the specified location.

    Perform a new authentication after debug_mode enabled and check debug logs.

    Debug Logs

    Open C:\RCDevsLogs\CP-Logs file and check logs :

    [21-04-2020 11:02:51] [5724-6044] [INFO] CProvider::CProvider
    [21-04-2020 11:02:51] [5724-6044] [INFO] Configuration::Init
    [21-04-2020 11:02:51] [5724-6044] [INFO] Configuration::Default
    [21-04-2020 11:02:51] [5724-6044] [INFO] Configuration::Read
    [21-04-2020 11:02:51] [5724-6044] [INFO] Data::Provider::Init
    [21-04-2020 11:02:51] [5724-6044] [INFO] CProvider::SetUsageScenario
    [21-04-2020 11:02:51] [5724-6044] [INFO] CProvider::Advise
    [21-04-2020 11:02:51] [5724-6044] [INFO] CProvider::GetCredentialCount
    [21-04-2020 11:02:51] [5724-6044] [INFO] No serialized creds set
    [21-04-2020 11:02:51] [5724-6044] [INFO] CProvider::GetCredentialAt
    [21-04-2020 11:02:51] [5724-6044] [INFO] Checking for serialized credentials
    [21-04-2020 11:02:51] [5724-6044] [INFO] No serialized creds set
    [21-04-2020 11:02:51] [5724-6044] [INFO] No serialized creds set
    [21-04-2020 11:02:51] [5724-6044] [INFO] No serialized creds set
    [21-04-2020 11:02:51] [5724-6044] [INFO] Checking for missing credentials
    [21-04-2020 11:02:51] [5724-6044] [INFO] Looking-up missing user name from session
    [21-04-2020 11:02:51] [5724-6044] [INFO] Looking-up missing domain name from session
    [21-04-2020 11:02:51] [5724-6044] [INFO] Data::General::Init
    [21-04-2020 11:02:51] [5724-6044] [INFO] GetFieldStatePairFor
    [21-04-2020 11:02:51] [5724-6044] [INFO] CCredential::Initialize
    [21-04-2020 11:02:51] [5724-6044] [INFO] Copying user_name to credential
    [21-04-2020 11:02:51] [5724-6044] [INFO] Copying domain to credential
    [21-04-2020 11:02:51] [5724-6044] [INFO] rcdevsdocs
    [21-04-2020 11:02:51] [5724-6044] [INFO] Init result:
    [21-04-2020 11:02:51] [5724-6044] [INFO] OK
    [21-04-2020 11:02:51] [5724-6044] [INFO] Checking for successful initialization
    [21-04-2020 11:02:51] [5724-6044] [INFO] Checking for successful instantiation
    [21-04-2020 11:02:51] [5724-6044] [INFO] Returning interface to credential
    [21-04-2020 11:02:51] [5724-6044] [INFO] Non-CredUI: returning an IID_IConnectableCredentialProviderCredential
    [21-04-2020 11:02:51] [5724-6044] [INFO] Hook::CredentialHooks::GetBitmapValue
    [21-04-2020 11:02:51] [5724-6044] [INFO] Hook::CredentialHooks::GetSubmitButtonValue
    [21-04-2020 11:02:51] [5724-6044] [INFO] GetFieldStatePairFor
    [21-04-2020 11:02:51] [5724-6044] [INFO] CCredential::Advise
    [21-04-2020 11:02:51] [5724-6044] [INFO] CCredential::SetSelected
    [21-04-2020 11:02:51] [5724-6044] [INFO] Hook::Serialization::EndpointInitialization
    [21-04-2020 11:02:51] [5724-6044] [INFO] Endpoint::Init
    [21-04-2020 11:02:51] [5724-6044] [INFO] Endpoint::Default
    [21-04-2020 11:02:51] [5724-6044] [INFO] Hook::Serialization::EndpointDeinitialization
    [21-04-2020 11:02:51] [5724-6044] [INFO] Endpoint::Deinit
    [21-04-2020 11:02:51] [5724-6044] [INFO] Endpoint::Default
    [21-04-2020 11:02:54] [5724-6044] [INFO] CCredential::Connect
    [21-04-2020 11:02:54] [5724-6044] [INFO] Hook::Serialization::Initialization
    [21-04-2020 11:02:54] [5724-6044] [INFO] Hook::Serialization::EndpointInitialization
    [21-04-2020 11:02:54] [5724-6044] [INFO] Endpoint::Init
    [21-04-2020 11:02:54] [5724-6044] [INFO] Endpoint::Default
    [21-04-2020 11:02:54] [5724-6044] [INFO] DataInitialization
    [21-04-2020 11:02:54] [5724-6044] [INFO] Data::Gui::Init
    [21-04-2020 11:02:54] [5724-6044] [INFO] Data::Gui::Default
    [21-04-2020 11:02:54] [5724-6044] [INFO] Hook::Serialization::ManageUpnMode
    [21-04-2020 11:02:54] [5724-6044] [INFO] Helper::SeparateUserAndDomainName
    [21-04-2020 11:02:54] [5724-6044] [INFO] Loading domain from external credentials
    [21-04-2020 11:02:54] [5724-6044] [INFO] Loading password from GUI
    [21-04-2020 11:02:54] [5724-6044] [INFO] Loading OTP from GUI
    [21-04-2020 11:02:54] [5724-6044] [INFO] Loading challenge from GUI
    [21-04-2020 11:02:54] [5724-6044] [INFO] Hook::Serialization::EndpointLoadData
    [21-04-2020 11:02:54] [5724-6044] [INFO] Copy username to epPack
    [21-04-2020 11:02:54] [5724-6044] [INFO] Copy ldapPass to epPack
    [21-04-2020 11:02:54] [5724-6044] [INFO] Copy domain to epPack
    [21-04-2020 11:02:54] [5724-6044] [INFO] Endpoint::Call
    [21-04-2020 11:02:54] [5724-6044] [INFO] Endpoint::ShowInfoMessage
    [21-04-2020 11:02:54] [5724-6044] [INFO] Endpoint::ShowInfoMessage
    [21-04-2020 11:02:54] [5724-6044] [INFO] Endpoint::Concrete::OpenOTPInit
    [21-04-2020 11:02:55] [5724-6044] [INFO] Unable to read certification authority "C:\Program Files\RCDevs\OpenOTP Credential Provider\caa.crt"
    

    The last line of logs interest us :

    [21-04-2020 11:02:55] [5724-6044] [INFO] Unable to read certification authority "C:\Program Files\RCDevs\OpenOTP Credential Provider\caa.crt"
    

    Possible reasons/Solutions :

    OpenOTP Credential Provider for Windows is not able to read the CA file.

    • Double check if CA file configured is the correct one and coming from your WebADM server. WebADM CA file can be downloaded from a web browser by accessing the following addresses :

      • https://webadm_server/cacert
      • https://webadm_server:8443/cacert

    If you have multiple WebADM servers configured in cluster mode, the CA must be identical on all nodes. If for any reasons you have different CA certificates within the same WebADM cluster, then your WebADM setup is incorrect and you have to re-do WebADM slave setup on node(s) where the CA is incorrect.

    • Check the CA path. Here the CA name configured in the registry is wrong, and it prevents the CP to access it.

    Normally, the CA file is automatically downloaded during the Credential Provider setup. If not, you can manually download and configure it.
    The CA file must be accessible by OpenOTP Credential Provider that is why it is advised to move the CA file in the installation folder of OpenOTP Credential Provider after CP installation.
    The default OpenOTP Credential Provider installation folder is:

    C:\Program Files\RCDevs\OpenOTP Credential provider\
    

    This is required ONLY if CA file is not automatically downloaded. Registry key for CA file location must also be adapted through the registry after CA file has been moved to installation folder :

    cp
    cp

    In offline mode, the CA file cannot be stored or accessed via a shared folder or network path like \\STORAGE\ca.crt. For offline authentication to work, the CA file must be locally accessible on the machine.

    Disable RDP auto-reconnect bypassing OpenOTP authentication

    Starting with Windows 10 version 1803 and Windows Server 2019, Microsoft introduced local client caching for credentials when reconnecting to a locked RDP session. This behavior prevents the Credential Provider from re-authenticating the user as it did in earlier versions of Windows.

    To address this, you need to disable the automatic reconnection setting in the machine's registry. This can be accomplished using the Group Policy feature in Windows:

    • For machines not part of a domain, use the Local Group Policy Editor.
    • For domain-joined machines, use the Group Policy Management Console.

    Open the following path in the policy edition:

    Computer Configuration>Administrative Templates>Windows Components>Remote Desktop Services>Remote Desktop Session Host>Connections, and double-click on Automatic reconnection, then switch to Disabled, press OK, and close all group policy windows.

    cp

    You may need to restart the machine or update Group Policy Objects (GPO) on remote machines for the settings to take effect.