
2FA fails in LDAP #6096

Closed JSuenram closed 4 months ago

JSuenram commented 4 months ago

Whenever we enable TOTP for a user, login is no longer possible. Using Mail or Auth-App or Securitykey does not make a difference.

System asks for 2nd FA and just fails back to login. Debug-Mode shows AUTHLOG: Failed password for undefined from IP-ADRESS port 12839, Browser: Chrome/124.0.0.0, OS: Mac OS/10.15.7

To Reproduce Steps to reproduce the behavior:

  1. Use LDAP (Active Directory for example)
  2. Enable any 2FA
  3. Try to log in

Expected behavior User should be able to login.

Server Software (please complete the following information):

Client Device (please complete the following information):

Your config.json file

{
  "$schema": "http://info.meshcentral.com/downloads/meshcentral-config-schema.json",
  "__comment1__": "This is a simple configuration file, all values and sections that start with underscore (_) are ignored. Edit a section and remove the _ in front of the name. Refer to the user's guide for details.",
  "__comment2__": "See node_modules/meshcentral/sample-config-advanced.json for a more advanced example.",
  "settings": {
    "cert": "mesh.it-ngo.com",
    "ignoreAgentHashCheck" : true,
    "_WANonly": true,
    "_LANonly": true,
    "sessionKey": "ASessionKey&Co.KG",
    "port": 443,
    "aliasPort": 443,
    "redirPort": 80,
    "redirAliasPort": 80,
    "relayPort": 453,
    "agentsInRam": true,
    "trustedproxy": ["10.255.14.1"],
    "_tlsOffload": "10.255.14.1",
    "desktopMultiplex": false,
    "authlog": "/etc/meshcentral/auth.log",
    "plugins": true,
    "WebRTC": false,
    "Compression": true,
    "WsCompression": true,
    "AgentWsCompression": true,
    "AllowLoginToken": true,
    "_AllowFraming": true,
    "CookieIpCheck": false,
    "CookieEncoding": "hex",
    "_noAgentUpdate": "1",
    "autoBackup": {
      "mysqlDumpPath": "/etc/bin"
                  },
    "webrtcConfig": {
      "iceServers": [
        { "urls": "stun:stun.services.mozilla.com" },
        { "urls": "stun:stun.l.google.com:19302" }
      ]
    },
     "mySQL": {
            "host": "10.255.14.101",
            "port": "3306",
            "user": "meshcentral",
            "password": "aPassword",
            "database": "meshcentral"
        }
         },
    "domains": {
    "": {
      "titlehtml": "",
      "title": "ATITLEG - Remotesupport",
      "title2": " - RemoteSupportTool - V 0.01a",
      "titlepicture": "title-mycompany.png",
      "welcomeText": "Willkommen zum Fernwartungs und Webmeetingportal.",
      "welcomePicture": "welcome.png",
      "LoginPicture": "welcome.png",
      "GeoLocation": false,
      "CookieIpCheck": false,
      "x-frame-options": "allow-from *",
      "agentConfig": [ "skipmaccheck=1" ],
      "agentCustomization": {
         "displayName": "itNGO - QuickSupport Agent",
         "description": "itNGO - QuickSupport Agent background service",
         "companyName": "itNGO GmbH & Co. KG",
         "serviceName": "itNGO - Agent",
     "foregroundColor": "#FFFEFE",
         "backgroundColor": "#464646",
         "image": "welcome.png",
         "remoteMouseRender": true,
         "fileName": "itNGO-Agent"
      },
      "userConsentFlags": {
        "desktopnotify": true,
        "terminalnotify": true,
        "desktopprompt": false,
        "terminalprompt": false,
        "desktopprivacybar": true
      },
      "desktopPrivacyBarText": "{1} - ist mit Ihrem System verbunden!",
      "minify": true,
      "_newAccounts": true,
      "_userNameIsEmail": true,
      "AllowHighQualityDesktop": true,
      "CertURL": "https://anjURL:443",
      "ManageAllDeviceGroups": [ "User1","User2" ],
      "agentInviteCodes": true,
      "passwordRequirements": {
        "msg2factor": true
      },
      "AgentSelfGuestSharing": true,
      "mstsc": true,
      "ssh": true,
      "auth": "ldap",
      "ldapUserName": "sAMAccountName",
      "_ldapUserBinaryKey": "objectSid",
      "ldapUserKey": "sAMAccountName",
      "ldapOptions": {
        "url": [ "ldaps://aserver1:636", "ldaps://anotherserver2:636" ],
        "bindDN": "############",
        "bindCredentials": "###########-:",
        "searchBase": "DC=someSeearchBase",
        "searchFilter": "(&(sAMAccountName={{username}})(objectClass=organizationalPerson))",
        "tlsOptions": { "rejectUnauthorized": false },
        "reconnect":true
      },
      "_altmessenging": {
          "_name": "Ticket",
          "_url": "https://helpdesk.it-ngo.com/index.php?section=bug&sub=edit&init=1&backTo=main"
      },
    "customui": {

                "desktopButtons": {
                 "exec5": {
                  "name": "Leistung erfassen",
                  "action": "dialog:dialog1"
                          }
                                  },
                "terminalButtons": {
                 "exec6": {
                  "name": "Leistung erfassen",
                   "action": "dialog:dialog1"
                          }
                                  },
          "dialogs": {
           "dialog1": {
             "logmsg": "Leistungsdialog Eingabe",
             "title": "Schnellerfassung Leistung",
             "text": "Bitte getane Arbeiten dokumentieren...",
             "buttons": 1,
             "elements": {
               "test1": {
                 "name": "Titel",
                 "type": "text"
                          }
                                }
                           }
                         }
                       }

    }
  },
  "_letsencrypt": {
    "__comment__": "Requires NodeJS 8.x or better, Go to https://letsdebug.net/ first before trying Let's Encrypt.",
    "email": "anadress",
    "names": "aDNS-Name",
    "production": false
  },
  "smtp": {
           "host": "ansmtpserver",
           "port": 587,
           "from": "adress",
           "user": "anotheradress",
           "pass": "############-:",
           "tls": false
  }
}
si458 commented 4 months ago

what LDAP provider are you using?

do you get the prompt asking for 2FA code?

ive just checked my Authentik to setup LDAP, and it says When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. so can you try MYPASSWORD;123456?

JSuenram commented 4 months ago

what LDAP provider are you using?

do you get the prompt asking for 2FA code?

ive just checked my Authentik to setup LDAP, and it says When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. so can you try MYPASSWORD;123456?

Hi, we use Windows Active Directory and the Token is requested but never accepted. It just goes back to login screen.

si458 commented 4 months ago

How are u doing 2fa with active directory? Is it an external provider or built in? Never done 2fa with AD before?

JSuenram commented 4 months ago

How are u doing 2fa with active directory? Is it an external provider or built in? Never done 2fa with AD before?

Like always... Logon to mesh and enable TOTP/2FA. This has already worked in the past. There was no need to anything "extra" in AD for this. The whole thing was done by MeshCentral in the past. It is just a "user" in the MeshCentral-Database which has its source in LDAP-Sync.

si458 commented 4 months ago

@JSuenram oh sorry! im having one of those days! why would AD do 2FA, when MC does the 2FA 🤦 ill get my test environment setup again with ldap and give it a try and find out whats up!

si458 commented 4 months ago

side note: http://info.meshcentral.com/downloads/meshcentral-config-schema.json doesn't exist; you should change the `$schema` URL to https://raw.githubusercontent.com/Ylianst/MeshCentral/master/meshcentral-config-schema.json

also `x-frame-options` isn't a valid key at the domain level; it should be set under `httpHeaders`, for example:

"httpHeaders": {
  "x-frame-options": "SAMEORIGIN"
 }
si458 commented 4 months ago

@JSuenram just tried it here and it seems to work? setup ldap in docker, added ldap options in config.json, first user created with my ldap user, setup 2fa, logged out, then logged in, asked for 2fa, gave it 2fa, logged in? can u share an example of a users 'identifier' thats not working? my example is user/ldaptest/simon

JSuenram commented 4 months ago

@JSuenram just tried it here and it seems to work? setup ldap in docker, added ldap options in config.json, first user created with my ldap user, setup 2fa, logged out, then logged in, asked for 2fa, gave it 2fa, logged in? can u share an example of a users 'identifier' thats not working? my example is user/ldaptest/simon

Sure.

It is showing this: user//J.Suenram

si458 commented 4 months ago

@JSuenram there's that bloody annoying `.` again! I bet it's that! Is there any chance you could update your instance to the docker master image OR do a git pull of the master branch OR npm install Ylianst/MeshCentral, let it use the latest code and see if it works?

JSuenram commented 4 months ago

@JSuenram theres that bloody annoying . again! i bet its that! is the any chance u could update ur instance to the docker master image OR do a git pull of the master branch OR npm install Ylianst/MeshCentral and let it use the latest code and see if it works?

Not so easy... this is a production installation with 750 clients and dozens of users. Maybe you can point me to the code change that might be needed?

Currently running 1.1.22

si458 commented 4 months ago

ok just tested it here with user/ldaptest/fred.smith and it still works? im very confused now. one thing you can try is remove the 2fa all together for that user and setup 2fa again? node node_modules/meshcentral --resetaccount 'user//J.Suenram'

JSuenram commented 4 months ago

ok just tested it here with user/ldaptest/fred.smith and it still works? im very confused now. one thing you can try is remove the 2fa all together for that user and setup 2fa again? node node_modules/meshcentral --resetaccount 'user//J.Suenram'

Maybe the double slash is a problem? //

Even delete and recreate account in MeshCentral does not change the behavior.

si458 commented 4 months ago

@JSuenram the double slash is OK, it's just the separator. user/domain/username So in my case I created another domain in config.json called ldaptest for the ldap testing. But I will try setting the default blank domain to ldap and see if it makes any difference

si458 commented 4 months ago

@JSuenram nope, tried with user//fred.smith and the 2fa still works! one thing u can try is removing "CookieEncoding": "hex", the default is base64 restart meshcentral, clear users 2fa, clear all your cookies from ur browser, login, setup 2fa, logout, try logging in?

edit: also run meshcentral with web debug and watch what it does when adding the 2fa and then logging in etc node node_modules/meshcentral --debug web

JSuenram commented 4 months ago

@JSuenram nope, tried with user//fred.smith and the 2fa still works! one thing u can try is removing "CookieEncoding": "hex", the default is base64 restart meshcentral, clear users 2fa, clear all your cookies from ur browser, login, setup 2fa, logout, try logging in?

edit: also run meshcentral with web debug and watch what it does when adding the 2fa and then logging in etc node node_modules/meshcentral --debug web

Yep! That's it! No need to recreate 2FA... it just works instantly after commenting CookieEncoding out.

"_CookieEncoding": "hex",

But WHY?

si458 commented 4 months ago

I'm guessing the cookie is not being encoded/decoded consistently between browser and server when CookieEncoding is set to hex. I just spotted it when looking at your config.json, checked the defaults and wondered if it would make any difference – and it does, so you have found a bug! Please close this issue since it is working now, and open another issue (following the template) explaining that using hex as CookieEncoding seems to break 2FA; I can have a look at that in my free time.

si458 commented 4 months ago

@JSuenram don't worry about opening a new issue, just pushed the fix for you! https://github.com/Ylianst/MeshCentral/commit/323ef2d50a17b16965dc89bbb65f9394551bb2b4 Basically the session cookie was being encoded with either hex or base64 according to CookieEncoding, but it was always decoded as base64 only, so with hex configured the session could not be decoded – doh!