Closed JSuenram closed 4 months ago
What LDAP provider are you using?
Do you get the prompt asking for the 2FA code?
I've just checked my Authentik to set up LDAP, and it says:
When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password.
So can you try MYPASSWORD;123456?
Hi, we use Windows Active Directory, and the token is requested but never accepted. It just goes back to the login screen.
How are you doing 2FA with Active Directory? Is it an external provider or built in? I've never done 2FA with AD before.
Like always... Log on to Mesh and enable TOTP/2FA. This has already worked in the past. There was no need to do anything "extra" in AD for this. The whole thing was done by MeshCentral in the past. It is just a "user" in the MeshCentral database which has its source in the LDAP sync.
@JSuenram oh sorry! I'm having one of those days! Why would AD do 2FA, when MC does the 2FA 🤦 I'll get my test environment set up again with LDAP and give it a try and find out what's up!
Side note: http://info.meshcentral.com/downloads/meshcentral-config-schema.json doesn't exist; you should change it to https://raw.githubusercontent.com/Ylianst/MeshCentral/master/meshcentral-config-schema.json
Also, x-frame-options isn't a valid top-level option; it should be set under httpHeaders:

```json
"httpHeaders": {
  "x-frame-options": "SAMEORIGIN"
}
```
@JSuenram just tried it here and it seems to work? Set up LDAP in Docker, added the LDAP options in config.json, first user created with my LDAP user, set up 2FA, logged out, then logged in, was asked for 2FA, gave it the 2FA code, logged in?
Can you share an example of a user's 'identifier' that's not working?
My example is user/ldaptest/simon
Sure.
It is showing this:
user//J.Suenram
@JSuenram there's that bloody annoying `.` again! I bet it's that!
Is there any chance you could update your instance to the docker master image
OR
do a git pull of the master branch
OR
npm install Ylianst/MeshCentral
and let it use the latest code and see if it works?
Not so easy... this is a highly productive installation with 750 clients and dozens of users.... Maybe you can point me to the code change that might be needed?
Currently running 1.1.22
OK, just tested it here with user/ldaptest/fred.smith and it still works? I'm very confused now.
One thing you can try is to remove the 2FA altogether for that user and set up 2FA again:

```shell
node node_modules/meshcentral --resetaccount 'user//J.Suenram'
```
Maybe the double slash (//) is a problem?
Even deleting and recreating the account in MeshCentral does not change the behavior.
@JSuenram the double slash is OK, it's just the separator: user/domain/username
So in my case I created another domain in config.json called ldaptest for the LDAP testing.
But I will try setting the default blank domain to LDAP and see if it makes any difference.
@JSuenram nope, tried with user//fred.smith and the 2FA still works!
One thing you can try is removing "CookieEncoding": "hex" (the default is base64), then:
restart MeshCentral,
clear the user's 2FA,
clear all your cookies from your browser,
login, set up 2FA, logout, try logging in?
Edit: also run MeshCentral with web debug and watch what it does when adding the 2FA and then logging in etc.:

```shell
node node_modules/meshcentral --debug web
```
Yep! That's it! No need to recreate 2FA... it just works instantly after commenting CookieEncoding out:
"_CookieEncoding": "hex",
But WHY?
I'm guessing the cookie is not being encoded correctly, either in the browser or server side, when it's set as hex???
I just spotted it when looking at your config.json, then checked the defaults and wondered if it would make any difference? But guess it does! So you have found a bug!
Please can you close this issue then, as it's working, and then open another issue (follow the template hehe) explaining that using hex as CookieEncoding seems to break 2FA.
I can have a look at that in my free time.
@JSuenram don't worry about opening a new issue, just pushed the fix for you! https://github.com/Ylianst/MeshCentral/commit/323ef2d50a17b16965dc89bbb65f9394551bb2b4 Basically it was encoding the sessions with either hex or base64, but if you specified hex, it was then decoding with base64 only, doh!
Whenever we enable TOTP for a user, login is no longer possible. Using mail, auth app or security key does not make a difference.
The system asks for the second factor and just fails back to login. Debug mode shows:
`AUTHLOG: Failed password for undefined from IP-ADRESS port 12839, Browser: Chrome/124.0.0.0, OS: Mac OS/10.15.7`
To Reproduce: Steps to reproduce the behavior:
Expected behavior: User should be able to log in.