Hi all,
we implemented OTP authentication a few months ago and it works fine most of the time. I had two users where I had to reset the OTP because they were unable to authenticate but were fine afterwards. However, now I have a completely different issue: a user who is activated for OTP can only log in with his "normal" password without appending the OTP code. If he appends the code, his AD account gets locked because of a bad password. I consider this a quite serious issue because it renders OTP useless, at least for this one user. Do any of you have an idea why this might be happening?
Update: Just as I write this, the issue has been resolved. This is a flaw in the implementation, I think. The user was initially created with an upper-case first character of first and last name, like John.Doe. But in AD the username was changed to all lower-case some time afterwards. Now the UTM is obviously case-sensitive at that point and does not see john.doe as activated for OTP, while he can of course still authenticate against the backend LDAP. So we deleted the user on the UTM and let him auto-create again with all lower-case, and everything is back to normal. As said, in my eyes this is a flaw that needs to be fixed because it allows for easy circumvention of OTP authentication.
Best regards,
Daniel
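As an added illustration (not Daniel's code and not Sophos UTM's implementation, which is not public), the following Python models the flaw described in the post: an OTP-activation table consulted with a case-sensitive lookup, while the AD/LDAP backend matches the account name case-insensitively, so an unmatched user silently drops back to password-only. The hardened variant normalises the login name before the lookup and fails closed. The activation table, the directory, the password and the TOTP check are all constructed stand-ins.

```python
# Constructed OTP activation table, keyed by the username exactly as it was
# first created on the appliance (before AD later lower-cased the account).
OTP_ACTIVATED = {"John.Doe": "PLACEHOLDER-SECRET"}

# Constructed directory: AD compares sAMAccountName case-insensitively.
DIRECTORY = {"john.doe": "correct horse battery staple"}

OTP_LEN = 6  # digits appended to the password in the login form


def ad_password_ok(username: str, password: str) -> bool:
    """Backend LDAP/AD bind check; the account name is case-insensitive."""
    return DIRECTORY.get(username.lower()) == password


def totp_ok(secret: str, code: str) -> bool:
    """Stand-in for an RFC 6238 check; one constructed code counts as valid."""
    return secret == "PLACEHOLDER-SECRET" and code == "123456"


def login_flawed(username: str, typed: str) -> bool:
    """Case-sensitive lookup; an unmatched user falls back to password-only.

    This reproduces the post: 'john.doe' is not found, so the plain password
    succeeds (OTP bypassed) and password+code is sent to AD as a bad password.
    """
    secret = OTP_ACTIVATED.get(username)
    if secret is None:
        return ad_password_ok(username, typed)
    password, code = typed[:-OTP_LEN], typed[-OTP_LEN:]
    return ad_password_ok(username, password) and totp_ok(secret, code)


def login_hardened(username: str, typed: str) -> bool:
    """Normalise the name the same way on both sides and fail closed."""
    key = username.strip().casefold()
    activated = {k.casefold(): v for k, v in OTP_ACTIVATED.items()}
    secret = activated.get(key)
    if secret is None or len(typed) <= OTP_LEN:
        # In a realm where OTP is mandatory, an unknown user is denied rather
        # than silently downgraded to password-only authentication.
        return False
    password, code = typed[:-OTP_LEN], typed[-OTP_LEN:]
    return ad_password_ok(key, password) and totp_ok(secret, code)
```

In a real deployment the normalisation belongs at enrolment time as well as at lookup, so the stored key and the login name are canonicalised identically.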