SafeExamBrowser / seb-win-refactoring

Safe Exam Browser for Windows.
https://www.safeexambrowser.org/news_en.html
Mozilla Public License 2.0

Problems with freezing SEB during login prompt via Microsoft OIDC and MFA #796

Closed AntonT76 closed 5 months ago

AntonT76 commented 7 months ago

Dear SEB-team,

we have been using login via Microsoft OIDC (Open ID Connect) for some time now and also use multi-factor authentication (MFA) via MS Azure.

During the login, the user will be forwarded to https://login.microsoftonline.com/....... We have also configured this web address in the whitelists of SEB. This has not been a problem with any of our previous exams. However, now we had the case with one student that the login window froze when opening the SEB (I think it might be during the login process). It was no longer possible to log in. The student then restarted SEB and the computer and also changed computers, but the problem also occurred there.

I also believe that the error message "Access to "" is not allowed according to the current configuration." occurred. Unfortunately, I can't say for sure because I wasn't on site.

We are currently checking whether it might be related to the user's Windows profile or something relating to the MFA, but it is difficult to find out. Perhaps the SEB-Config file could not be loaded correctly because the whitelisted websites were saved there?

We are using Moodle 4.1.4+ and SEB V3.5 on Windows 10. The SEB config file is saved on the computer. If someone starts SEB, this config file will be loaded.

Attached you can find the log files from the two computers where the problem occurred as a ZIP file (SEB-Logfiles.zip). Perhaps you can help us find out what the problem is.

thanks & best regards Anton

dbuechel commented 7 months ago

Thanks for the report. At first glance, there is nothing suspicious in the log files. You might find relevant information in the system event logs (Event Viewer > Windows Logs > Application). Apart from that, there's unfortunately not much we can do unless you provide a way to reliably reproduce the problem.

AntonT76 commented 7 months ago

Dear @dbuechel

thank you for your answer. It looks like we have found the issue but we have to test it in detail: the user uses a YubiKey (https://www.yubico.com/der-yubikey/?lang=de) for authentication. It seems that this authentication method will not work in our SEB settings ...

Do you have any experience using these keys in SEB?

thanks & br, Anton

dbuechel commented 7 months ago

Unfortunately not, but you might be able to get to the root of the issue by contacting the support of YubiKey.

strau0106 commented 7 months ago

@AntonT76 For a successful FIDO Identification to occur, Windows opens a Windows Hello window, which guides you through the process of inserting your Security Key and potentially entering a PIN. Windows puts this window in the foreground and kind of freezes everything else. For students to be able to authenticate with hardware tokens, which you should definitely support btw, you would probably have to just allow another application, the Windows Hello exe... If I have time I'll test this.

AntonT76 commented 7 months ago

Hi @strau0106

thank you very much for your advice. We also think that a special website is being accessed during the authentication process. So, we need to add this to the whitelist in SEB so that it is also permitted by SEB. But we have to test that.

However, we are still considering whether we should generally recommend students to obtain the second factor via app or SMS during exams if FIDO causes problems.

Best regards, Anton

strau0106 commented 7 months ago

I wouldn't ever have noticed so, but it could be. I'll test that if I have some time.

I wouldn't recommend my students a vendor locked or comparably insecure 2FA method.

dbuechel commented 7 months ago

If it were to be an issue with SEB blocking any application (which might well be, thanks indeed for the input @strau0106) then you should see that in the client log of the affected session.

For debugging, you could and should enable the live application log (see Security > Allow application log etc.) and then open the application log and check in real time as to whether SEB blocks anything in particular while trying to authenticate.

strau0106 commented 6 months ago

I tested a bit earlier today. Although one process is started, it does not open the window required. I believe there is something missing in the config for CEF which results in this...

dbuechel commented 6 months ago

Did you check whether a particular window or process is not being suppressed by SEB? If you think that it is an issue with the browser engine, you could verify this by using the CEF sample application and test your use case with it: https://cef-builds.spotifycdn.com/index.html.

strau0106 commented 6 months ago

Gotta go get my windows testing device first, but will defo try.

strau0106 commented 6 months ago

PS: I couldn't reproduce the freezing. That could be MS. I tried with the YubiKey Demo Page.

strau0106 commented 6 months ago

Tested with the CEF sample application, I can successfully register and authenticate there. Seems to be an application blocking issue after all.

dbuechel commented 6 months ago

Thanks for following up and the information. In the end, we'd however need a reliable way to reproduce the issue, otherwise there's not much we can do. If SEB were to block a window or process, that should as mentioned be logged in the client logs.

strau0106 commented 6 months ago

I'll record some logs and share them here, there are some processes that are being blocked.

github-actions[bot] commented 5 months ago

This issue is stale because it has been open for 28 days with no activity. It will soon be closed automatically if there are no updates.

github-actions[bot] commented 5 months ago

This issue was closed because it has been inactive for 14 days since being marked as stale.