Where are user accounts stored for computers that are in a workgroup

This tutorial will explain to you exactly how to connumber WebADM/OpenOTP servers and OpenOTP Credential Provider for Windows to authenticate regional individuals utilizing 2-variable authentication. We will certainly additionally explain just how to authenticate your customers via OpenOTP and OpenOTP Credential Provider for Windows on a computer out of the doprimary.

You watching: Where are user accounts stored for computers that are in a workgroup

Both scenarios require an LDAP server to keep user metainformation (Token metainformation requirements to be stored on a user account in WebADM also for local account authentication).

Each scenario need OpenOTP Credential Provider for Windows. The OpenOTP Credential Provider for Windows is a component that integrates the vr-tab-quebec.com OpenOTP one-time password authentication right into the Windows login process. vr-tab-quebec.com OpenOTP Authentication Server is a WebApp that is tightly coupbrought about the vr-tab-quebec.com WebADM application server.

2. General Prerequisites

For this recipe, you will certainly must have WebADM/OpenOTP installed and also configured. Please, describe WebADM Installation Guide and WebADM Manual to carry out it.

2.1 Prerequisites for Local Users Authentication


In this scenario, users credentials (Username and also password) will be checked locally on the Windows machine and the OTP will certainly be checked remotely on the OpenOTP server. To inspect the OTP password, OpenOTP has to understand which user is trying to authenticate to have the ability to examine Token metainformation on the user account. That’s why a concordance in between the regional user and the LDAP user need to be current. This concordance is done by the username indevelopment.

To have actually a WebADM instance functioning properly, an LDAP datasave configured with WebADM is mandatory. In this scenario, we will certainly display you how to authenticate Windows regional individuals through a WebADM/OpenOTP circumstances currently configured with an LDAP server.

We can determine 3 scenarios :

User account exist on the Windows makers (local account) and also in WebADM. You can configure the Remote LDAP password examine establishing to No to keep password validation and policies on Windows only. If Remote LDAP password check is set to Yes, then the local password will certainly be sent out to OpenOTP and also according to the configured plans on WebADM, the password have the right to be proved as LDAP password for the matching WebADM account.

Users account exist on the Windows machines yet not on WebADM. In this instance, you will have to develop a WebADM account. From an business allude of check out, you deserve to produce a fresh Organizational Unit, and produce your “regional users” in this OU to be able to determine “neighborhood and LDAP” individuals easily.

The user account exist in WebADM however not on Windows. In that situation, you deserve to permit the setting Auto Create Local Account in the time of the Credential Provider installation. When OpenOTP server will certainly respond with a success response for an authentication, if the account doesn’t exist on Windows, the Credential Provider will auto-create it via the username and password offered throughout the authentication process. In the Windows regisattempt, auto_develop worth equal to 0 implies auto develop local account establishing is enabled.The user password validated by OpenOTP will certainly override the local user password on the Windows at each login. That way, you don’t have to preserve password on Windows.


For regional user accounts, the password is not inevitably the same on both side bereason the user password will not be checked by OpenOTP yet locally by the Windows machine.

In some circumstance, the authentication have the right to be a success on one side and a failure on the various other side. This will certainly prevent you to login so, be mindful on how you configure Credential Provider and policies.

When this part is done, you deserve to assign a Token to the user account. To do this, please follow this documentation.

3. Authenticate a Windows Local User

3.1 OpenOTP Credential Provider Configuration

You deserve to check out the Credential Provider documentation, and also follow the installation and configuration part till the Configuration 3/4 screenswarm. When you are at the 3/4 configuration step, you can uncover a setting named “Remote LDAP password Check”. Set this establishing to “No” choose below:


That indicates, the LDAP password will certainly not be sent to OpenOTP and also will be checked locally by the Windows machine. In the registry, the essential concerned this setting is check_ldap. This essential is collection to 1 to send the -LDAP flag to OpenOTP. When 0 is set, the user password provided during the authentication will certainly be sent out by the Credential Provider to OpenOTP.

Click on the Next, Install and Finish butlots to complete the installation.You can currently proceed through the WebADM configuration.

See more: Dell Latitude E7240 Drivers Windows 10, 8, Dell Latitude E7240 Download Drivers And Specs

3.2 WebADM Configuration

3.2.1 Windows Machine in a Domain

If the Windows machine wbelow the OpenOTP Credential Provider is mounted is in a Windows domajor, you have nothing to adjust in WebADM configuration. Your default configuration have to be enough. If the authentication failed, please have actually a look in webadm logs, the a lot of common error is “Doprimary not found”. If you enrespond to this error, please review the next component and also add the domajor discovered in the WebADM logs in the doprimary aliases field in your regional domain configuration.

3.2.2 Windows Machine out of Domain

If the Windows machine wbelow the OpenOTP Credential Provider is mounted is NOT in a Windows domain, you have to percreate some change with the WebADM GUI because, in the authentication request sent to OpenOTP, the doprimary name (by default) or the Workteam (once no domain is configured on the taracquire machine) is passed. In this scenario, the Workteam will be passed in the authentication research.

To percreate these alters, log in on the WebADM GUI as super_admin, click on the Admin tab, Local Domains. Now you have 2 possibilities:

Scenario 1:Create a brand-new WebADM doprimary, name it prefer your workteam name and also configure the user search base of your “local user” OU.

To percreate this, click on Add Domain button.


I named my brand-new doprimary like my workgroup (by default it’s WORKGROUP), and I click on Proceed and also Create Object.


You are currently on the local doprimary configuration web page.The only settings who interest us here are the User Search Base and also the Domajor Name Aliases.



I formerly configure a fresh Organizational Unit on my LDAP server and also include my local user accounts in this fresh OU. I’ve chose to put my regional users in a specific OU for an business allude of check out.

Here, my user search base will certainly be OU=localuser,DC=yovr-tab-quebec.com,DC=com.

In the Doprimary Name Aliases area, I put every Windows workgroup of my makers.


If a Windows machine is in the workteam named WORKGROUP4, I have to add WORKGROUP4 in the Domain Name Aliases area else, you will have an error in WebADM logs saying “domain not found”.

This is the correct way to perform this integration.

Scenario 2:

The various other means is sindicate to add eexceptionally workteam names in the default doprimary configuration. Be careful through the User Search Base.

See more: Whea Logger Event 17 Windows 10, Access Denied

4. Auto Create Local Account

OpenOTP Credential Provider for Windows is able to auto create a regional account when you perdevelop a login.


That means, once you connumber this setting to Yes, the Credential Provider will instantly develop the very same account locally if the account is not already current in situation of the remote authentication is a success.