Ylianst / MeshCentral

A complete web-based remote monitoring and management web site. Once set up, you can install agents and perform remote desktop sessions to devices on the local network or over the Internet.
https://meshcentral.com
Apache License 2.0

--logintokenkey and LDAP, maybe an issue? #3704

Open JSuenram opened 2 years ago

JSuenram commented 2 years ago

As we are using LDAP in config.json there seems to be an issue with token usage. We generated a token with --logintokenkey but it does not get accepted and ends at the login screen.

MC in DebugMode gives:

/?login=*CHANGED*$*CHANGED*=&gotonode=BA499A02932F209EB1CB79735608D87C512A3C1CF0D4221F71CC83ED22C2CC04791112272BB3BEEA3BBE8BD976F8D97C0&viewmode=11&hide=31
COOKIE: ERR: Bad AESGCM cookie due to exception: Error: Unsupported state or unable to authenticate data
COOKIE: Decoded AESSHA cookie: {"a":3,"u":"user//bilbobob","time":1645728156000,"dtime":329}

Related to https://github.com/wh1te909/tacticalrmm/issues/987

Ylianst commented 2 years ago

The cookie error you have above is normal. There are two ways to encode a login cookie, the AESGCM way and the AESSHA way. By default, I always use AESGCM, but sometimes I ran into problems where GCM is not supported (like in C#) and I had to create an alternative way to create a cookie.

MeshCentral will try to decode using AESGCM, it failed and tried AESSHA and it worked. So, all is good.

Are you sure "user//bilbobob" is the correct user identifier? Obviously, if that user does not exist in the database, this will not work.

JSuenram commented 2 years ago

> The cookie error you have above is normal. There are two ways to encode a login cookie, the AESGCM way and the AESSHA way. By default, I always use AESGCM, but sometimes I ran into problems where GCM is not supported (like in C#) and I had to create an alternative way to create a cookie.
>
> MeshCentral will try to decode using AESGCM, it failed and tried AESSHA and it worked. So, all is good.
>
> Are you sure "user//bilbobob" is the correct user identifier? Obviously, if that user does not exist in the database, this will not work.

Just replaced the username before pasting... Yes... the username is the one which also exists in MC and comes from LDAP/Active Directory...

Ylianst commented 2 years ago

Ok, if it matches the user identifier here:

image

Also, do you have this line in the settings section of the config.json?

"AllowLoginToken": true

JSuenram commented 2 years ago

Yes, Username matches and AllowLoginToken is true in config.json..... And all is in default domain.

JSuenram commented 2 years ago

Is there a way for me to debug the logon-progress?

montoner0 commented 1 year ago

For the sake of those who will face this issue: the user ID for LDAP-based authentication does NOT match your login name. The ID will be something like user//01050000000000051500000026fd51fd6802fd66fdfd21fdfd070000. These digits are the user's hex-encoded SID, because the default value for ldapUserBinaryKey in config.json is objectSid (as stated here).
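The identifier format montoner0 describes, as an added example that is not MeshCentral's own code: it converts a binary Windows SID (the raw objectSid bytes) to the usual S-1-5-21-... text form and back, and builds the user//<hex> identifier from it so an administrator can check which ID to use in a login token. The only page facts it relies on are the example ID in the comment above and the user//<name> shape seen earlier in the thread; that the ID is exactly the lower-case hex of the attribute bytes, and that a non-default domain goes between the slashes as user/<domain>/<hex>, are assumptions.

```javascript
// Added example (not MeshCentral's own code): binary SID <-> text SID and
// the assumed "user/<domain>/<hex of objectSid>" identifier.

// Binary SID layout: revision(1) || subAuthorityCount(1) || authority(6, big-endian)
// || subAuthorityCount * uint32 little-endian.
function sidBufferToString(buf) {
  const revision = buf[0];
  const subCount = buf[1];
  if (buf.length !== 8 + 4 * subCount) throw new Error('bad SID length');
  let authority = 0n;
  for (let i = 2; i < 8; i++) authority = (authority << 8n) | BigInt(buf[i]);
  // SDDL writes the authority in hex once it no longer fits in 32 bits.
  const auth = authority < 2n ** 32n ? authority.toString() : '0x' + authority.toString(16);
  const parts = [`S-${revision}-${auth}`];
  for (let i = 0; i < subCount; i++) parts.push(String(buf.readUInt32LE(8 + 4 * i)));
  return parts.join('-');
}

function sidStringToBuffer(sid) {
  const m = /^S-(\d+)-(0x[0-9a-fA-F]+|\d+)((?:-\d+)+)$/.exec(sid);
  if (!m) throw new Error('malformed SID string');
  const revision = Number(m[1]);
  const authority = BigInt(m[2]);
  const subs = m[3].slice(1).split('-').map(Number);
  if (subs.length > 15) throw new Error('too many sub-authorities');
  const buf = Buffer.alloc(8 + 4 * subs.length);
  buf[0] = revision;
  buf[1] = subs.length;
  for (let i = 0; i < 6; i++) buf[7 - i] = Number((authority >> BigInt(8 * i)) & 0xffn);
  subs.forEach((s, i) => buf.writeUInt32LE(s, 8 + 4 * i));
  return buf;
}

// Assumed identifier shape: "user/<domain>/<lower-case hex of objectSid>";
// the default domain is the empty string, giving "user//...".
function meshUserIdFromObjectSid(objectSid, domain = '') {
  const hex = Buffer.isBuffer(objectSid) ? objectSid.toString('hex') : String(objectSid).toLowerCase();
  return `user/${domain}/${hex}`;
}

// Convenience for a hypothetical directory entry { sAMAccountName, objectSid }:
// returns what the login name looks like versus the identifier a token must carry.
function describeLdapUser(entry, domain = '') {
  return {
    loginName: entry.sAMAccountName,
    textSid: sidBufferToString(entry.objectSid),
    meshUserId: meshUserIdFromObjectSid(entry.objectSid, domain),
  };
}

module.exports = { sidBufferToString, sidStringToBuffer, meshUserIdFromObjectSid, describeLdapUser };
```

Run on the ID from the comment above, the text SID has five sub-authorities (21, three domain identifiers, and the RID 2045), which is the expected shape for a domain user; the point for token generation is that the meshUserId field, not the loginName field, is what the account is stored under.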