Ylianst / MeshCentral

A complete web-based remote monitoring and management web site. Once setup you can install agents and perform remote desktop session to devices on the local network or over the Internet.
https://meshcentral.com
Apache License 2.0

Entra ID (Azure AD) auth not working - internal server error #6213

Open amirukg opened 6 days ago

amirukg commented 6 days ago

When I attempt to log in using a Microsoft account, successfully passing the auth window and MFA, I see "internal server error".

Steps to reproduce the behavior:

  1. Go to Meshcentral login page
  2. Click "Microsoft icon"
  3. Fill in the authentication form with login and password, pass MFA.
  4. See error

I expected to log in to MeshCentral under my Entra ID account.

Screenshots: [image]

Server Software

Client Device

Additional context: meshcentral-data/mesherrors.txt has errors:

    InternalOAuthError: Failed to obtain access token
        at OAuth2Strategy._createOAuthError (/root/node_modules/passport-oauth2/lib/strategy.js:423:17)
        at /root/node_modules/passport-oauth2/lib/strategy.js:177:45
        at /root/node_modules/passport-oauth2/node_modules/oauth/lib/oauth2.js:196:18
        at ClientRequest.<anonymous> (/root/node_modules/passport-oauth2/node_modules/oauth/lib/oauth2.js:166:7)
        at ClientRequest.emit (node:events:519:28)
        at TLSSocket.socketErrorListener (node:_http_client:500:9)
        at TLSSocket.emit (node:events:519:28)
        at emitErrorNT (node:internal/streams/destroy:169:8)
        at emitErrorCloseNT (node:internal/streams/destroy:128:3)
        at process.processTicksAndRejections (node:internal/process/task_queues:82:21)

My Azure app settings: API permissions: [image]. Redirect URI: [image].

config.json file

{
  "$schema": "https://raw.githubusercontent.com/Ylianst/MeshCentral/master/meshcentral-config-schema.json",
  "__comment1__": "This is a simple configuration file, all values and sections that start with underscore (_) are ignored. E>
  "__comment2__": "See node_modules/meshcentral/sample-config-advanced.json for a more advanced example.",
  "settings": {
    "cert": "mydomain.example",
    "WANonly": true,
    "_LANonly": false,
    "_sessionKey": "mysessionkey",
    "port": 443,
    "aliasPort": 20443,
    "redirPort": 80,
    "redirAliasPort": 80
  },
  "domains": {
    "": {
      "title": "MeshCentral",
      "title2": "Title2",
      "minify": true,
      "newAccounts": false,
      "_userNameIsEmail": true,
      "authStrategies": {
        "azure": {
          "_callbackurl": "https://mydomain.example:20443/auth-azure-callback",
          "newAccounts": true,
          "_newAccountsUserGroups": [ "ugrp//xxxxxxxxxxxxxxxxx" ],
          "clientid": "myclientID",
          "clientsecret": "myclientsecret",
          "tenantid": "mytenantID"
        }
      }
    }
  },
  "letsencrypt": {
    "__comment__": "Requires NodeJS 8.x or better, Go to https://letsdebug.net/ first before trying Let's Encrypt.",
    "email": "admin@mydomain.example",
    "names": "mydomain.example",
    "skipChallengeVerification": false,
    "production": true
  }
}

si458 commented 6 days ago

I don't use Azure for anything so I have no way of testing this. HOWEVER, the new docs say to try using oidc instead of the azure option in authStrategies. Can you maybe try that and see if it works? https://ylianst.github.io/MeshCentral/meshcentral/openidConnectStrategy/#azure-preset

amirukg commented 6 days ago

Hi!

Updated config.json with:

    "authStrategies": {
      "oidc": {
        "client": {
          "client_id": "myclientID",
          "client_secret": "myclientsecret"
        },
        "custom": {
          "preset": "azure",
          "tenant_id": "mytenantID"
        }
      }
    }

but getting some strange errors:

-------- 6/28/2024, 4:31:56 PM ---- 1.1.24 --------

/root/node_modules/meshcentral/webserver.js:7406
    let error = new Error('OIDC: Discovery failed.', { cause: err });
                ^

Error: OIDC: Discovery failed.
    at setupDomainAuthStrategy (/root/node_modules/meshcentral/webserver.js:7406:29)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async setupAllDomainAuthStrategies (/root/node_modules/meshcentral/webserver.js:6495:82) {
  [cause]: AggregateError [ETIMEDOUT]:
      at internalConnectMultiple (node:net:1117:18)
      at afterConnectMultiple (node:net:1684:7) {
    code: 'ETIMEDOUT',

  Error: connect ETIMEDOUT 20.190.144.163:443
      at createConnectionError (node:net:1647:14)
      at Timeout.internalConnectMultipleTimeout (node:net:1706:38)
      at listOnTimeout (node:internal/timers:575:11)
      at process.processTimers (node:internal/timers:514:7) {
    errno: -110,
    code: 'ETIMEDOUT',
    syscall: 'connect',
    address: '20.190.144.163',
    port: 443
  },
  Error: connect ENETUNREACH 2603:1047:1:188::5:443
      at createConnectionError (node:net:1647:14)
      at afterConnectMultiple (node:net:1677:16) {
    errno: -101,
    code: 'ENETUNREACH',
    syscall: 'connect',
    address: '2603:1047:1:188::5',
    port: 443

And the MeshCentral server can't even start. Also, the IP addresses above are available from the MeshCentral server.

si458 commented 6 days ago

Is the Azure AD stuff free or cheap to run? I'll have to create my own AD with users etc. and then try to replicate your issue, so it might take some time! Any docs/guides for setting it all up?

amirukg commented 5 days ago

I have Entra ID Plan 1, not free. I used https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=certificate and https://ylianst.github.io/MeshCentral/meshcentral/#microsoft-azure-active-directory. In the MeshCentral docs there is nothing about API permissions settings, so https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-configure-app-access-web-apis