MutonUfoAI / pgina

pGina fork: Open Source Windows Authentication
http://mutonufoai.github.io/pgina
BSD 3-Clause "New" or "Revised" License

Login script causes user to hang on second login #103

Open martimarkov opened 6 years ago

martimarkov commented 6 years ago
  1. I uninstalled pGina 3.9.9.10

  2. Rebooted

  3. Removed the registry settings

  4. Installed pGina 3.9.9.11

  5. Rebooted

  6. Login with pgina user

  7. Logout

  8. Login with pgina user

  9. Logout

  10. Login with local machine user

  11. Configured the login script step to execute a PowerShell script: powershell.exe -executionpolicy bypass -file C:\webdavMonitor.ps1 -password %p > C:\Logs\mount_log.txt

  12. Logout

  13. Login with pgina user (script not working but I can debug with a few tries as this is not the problem I think; though the script does have an infinite loop inside ;) )

  14. Logout

  15. Login with local machine user

  16. No processes or sessions are active from previous pgina user

  17. Logout

  18. Login with pgina user

  19. The screen hangs on "You will be logged in. Please wait ..." The cancel button is not responsive.

  20. The only solution is to reboot the machine. I can't attach the log as I'm not physically next to the machine.

I have the default scripts enabled throughout the testing and they seem to behave fine.

MutonUfoAI commented 6 years ago

The log is mandatory to solve this issue.

martimarkov commented 6 years ago

pGina.Service.ServiceHost_log.txt pGina.Configuration_log.txt pGina.InstallUtil_log.txt

Here are all logs.

company_name is the name of the machine user (admin) and also the name of the company as the domain name.

pgina_user_account is the name of the pgina/ldap user.

MutonUfoAI commented 6 years ago

Updated the doc:

https://github.com/MutonUfoAI/pgina/commit/4e75f66e19f0022086c7a09109c6bc9dde2e6f7b

http://mutonufoai.github.io/pgina/documentation/plugins/scripting.html

martimarkov commented 6 years ago

I'm guessing this is a changed behavior. Out of curiosity: Why/what was the reason? :)

MutonUfoAI commented 6 years ago

Nothing has changed. It works that way.

martimarkov commented 6 years ago

Well, it did work without a problem in the previous .10 release. Also maybe there should be a timeout, instead of having to reboot the machine. Also the cancel button is non responsive.

martimarkov commented 6 years ago

Is there a way for the script to be visible? To check what is going inside?

martimarkov commented 6 years ago

Another piece of info. I'm now getting a message saying that a program was started not by pgina and therefore the user cannot login. I'm using this as a logon script: cmd.exe /c start ”” /i powershell.exe ....

martimarkov commented 6 years ago

Ok, so at the very least this script runs in some different session. I have mounted a webdav drive and the powershell script can list the directory but I can't access it as the user. This was definitely not the case in the previous version.

MutonUfoAI commented 6 years ago

If your script is mounting the webdav folder as a different user then only this user is able to use it. If you only need to mount a webdav folder, why not use net use?

martimarkov commented 6 years ago

Inside the script net use is used and then does some other thing after the mount. The script runs as the current user. Again the problem here is not the script as it worked before but rather changed behaviour in the new release.

MutonUfoAI commented 6 years ago

I've verified the plugin and it's working properly. Add your script @ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or @ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup and test it ...

martimarkov commented 6 years ago

Thanks, will do tonight and report.

martimarkov commented 6 years ago

Just tried it by putting the script inside C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup and it works. Anything else you can think of that I can test?

I do think it is the way the invoke function was changed as previously it was running: StartUserProcessInSessionWait and the userToken there is probably different than hToken the one in StartProcessAsUserWait. We are getting it from different functions:

This seems like the only difference in the logic between the versions.

MutonUfoAI commented 6 years ago

I'm using StartUserProcessInSessionWait() now for user logon scripts and only logoff user scripts are using StartProcessAsUserWait(). Test it with this version: pGinaSetup-3.9.9.11.zip

martimarkov commented 6 years ago

Just tested it. It works.