RDP window 2FA prompt for user without2fa

[comet-itmanager]

Hi,

Thank you very much for this great software!

I recently deployed multiOTP appliance and CredentialProvider internally and it is working well. However, I just realized when initiating an RDP connection that CredentialProvider prompting for a code to start the connection even though I'm logged in as a without2fa user on a workstation where multiOTPWithout2FA is enabled.

This occurs on a workstation on which multiOTPWithout2FA is enabled, but not on another workstation where it is disabled. Both have multiOTPCredentialProvider installed pointing to the same multiOTP appliance, with the following settings:

multiOTPCacheEnabled         : 1
multiOTPServerTimeout        : 5
multiOTPTimeout              : 60
multiOTPUPNFormat            : 1
two_step_hide_otp            : 1
two_step_send_password       : 0
two_step_send_empty_password : 0
cpus_logon                   : 0e
cpus_unlock                  : 0e
cpus_credui                  : 0e
multiOTPTimeoutUnlock        : 60
multiOTPDisplayLastUser      : 1
multiOTPWithout2FA           : 1

Is this expected behavior, or am I missing something?

I'm not sure if this is an issue, but I don't recall this behavior during my initial testing and deployment. It seems unnecessary, since a client connecting to a computer with CredentialProvider is challenged by CredentialProvider whether or not it is installed on the client.

Thanks again!

[multiOTP]

Hello,
If the account used on the RDP connected computer is not a "without2fa" account, it will always ask for a 2FA.
Regards,

[comet-itmanager]

Hmm, I'm logged into the workstation as a "without2fa" user, and attempting to RDP to a server using the same credentials, but it prompts for a code. The server also has CredentialProvider installed.

If I set cpus_credui = 1e, I can log into the server without being prompted for a code. In this case, I see the CredentialProvider login screen as the RDP connection completes, and I am not prompted for a code there, either. If I try logging into the same server with an account enabled for 2FA, I am prompted at the login screen for the code rather than when RDP prompts for username and password.

[multiOTP]

Could you tell us which version of multiOTP Credential Provider is installed:

• on the workstation ? ("%ProgramFiles(x86)%\multiOTP\multiotp.exe" -version)
• on the server ? ("%ProgramFiles(x86)%\multiOTP\multiotp.exe" -version)

You can also give us a full registry export of the Key HKEY_CLASSES_ROOT\CLSID{FCEFDFAB-B0A1-4C4D-8B2B-4FF4E0A3D978, for both the workstation and the server

Regards,

[multiOTP]

We will try to reproduce the issue on our side.

[multiOTP]

Hello,
we tried to produce the bug on our infrastructure without success.
Can you please update to the last version of credential provider and try again.

If the problem is still present, can you please send us the file you use for remote desktop (file with extension *.rdp)

Best regards

[multiOTP]

Closed due to inactivity during the last 30 days.