jlguenego / node-expose-sspi

Expose Microsoft Windows SSPI to Node for SSO authentication.
ISC License

Getting SEC_E_LOGON_DENIED error #104

Open DanBrk opened 3 years ago

DanBrk commented 3 years ago

I am using node-expose-sspi "0.1.59" with NodeJs version 12.21. The machine is Windows Server 2016 and it is part of an Active Directory domain.

My application, which includes node-expose-sspi, runs with node.exe and it is behind an IIS reverse proxy site. The IIS site is configured with 'Windows Authentication' (in the site's authentication settings).

The SSO client sends a command with a Negotiate header to IIS. From the IIS logs I can see that the context user is correct, in my case 'user2b@storenext.co.il'. The following line is from the IIS logs and you can see that the user 'user2b@storenext.co.il' is successfully authenticated by IIS:

2021-07-28 06:20:27 172.16.3.118 GET /service/user/ X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=71bdc519-e623-4dea-ac7a-45d854512e72&SERVER-STATUS=400 9711 user2b@storenext.co.il 212.143.74.254 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/92.0.4515.107+Safari/537.36+Edg/92.0.902.55 https://saml-tst.storenext.co.il/purple-land/ 400 0 0 0

node-expose-sspi in my node application throws: UnauthorizedError: SEC_E_LOGON_DENIED. (incorrect login/password, or account disabled, or locked, etc.). Protocol Message = Kerberos_1.

Is there a way to see 'node-expose-sspi' debug info from my server console? What can cause that error and how can I make it work?

jlguenego commented 3 years ago

You are using Kerberos. Sometimes a delay is required before your credentials are synchronized between your Windows account session and the Active Directory. Maybe a logout/login would refresh your credentials?

jlguenego commented 3 years ago

Can you also test the node website without the reverse proxy? Because maybe your reverse proxy does not send the right HTTP header to the node webserver.

DanBrk commented 3 years ago

Can you also test the node website without the reverse proxy? Because maybe your reverse proxy does not send the right HTTP header to the node webserver.

Everything works fine when connected directly without the IIS reverse proxy.

My reverse proxy configuration is:

<rewrite>
    <rules>
        <rule name="ReverseProxyInboundRule1" stopProcessing="true">
            <match url="(.*)" />
            <action type="Rewrite" url="http://localhost:2525/{R:1}" />
        </rule>
    </rules>
</rewrite>

Any advice what it can be?

Thanks

jlguenego commented 3 years ago

The reverse proxy should be configured to pass the Authorization HTTP header to the node server.


DanBrk commented 3 years ago

The Authorization header exists and it looks fine. I turned on DEBUG and this is what I get when I am behind the reverse proxy:

node-expose-sspi:auth Kerberos_1 details:  {
  principalName: '[HTTP/tst.store.com]',
  realm: '[My Domain]'
} +0ms
  node-expose-sspi:auth input just before calling AcceptSecurityContext {
  credential: '0x000002823819c510.0x000001f7835d4b80',
  SecBufferDesc: { ulVersion: 0, buffers: [ [ArrayBuffer] ] }
} +0ms
  node-expose-sspi:auth serverSecurityContext just after AcceptSecurityContext {
  contextHandle: '0x0000000000000000.0x0000000000000000',
  contextAttr: [],
  SecBufferDesc: { ulVersion: 0, buffers: [ [ArrayBuffer] ] },
  SECURITY_STATUS: 'SEC_E_LOGON_DENIED'
} +0ms
Error: tag not yet implemented (decimal): 0
    at Function.getLabel (D:\Portal\Purple-UI-Services\node_modules\@jlguenego\asn.1\build\src\TagDecoder.js:11:23)
    at readSimple (D:\Portal\Purple-UI-Services\node_modules\@jlguenego\asn.1\build\src\codec\ber\decoder\BERDecoder.js:116:43)
    at Object.BERDecode (D:\Portal\Purple-UI-Services\node_modules\@jlguenego\asn.1\build\src\codec\ber\decoder\BERDecoder.js:27:12)
    at Function.parseMsg (D:\Portal\Purple-UI-Services\node_modules\@jlguenego\asn.1\build\src\ASN1.js:24:33)
    at Object.getKerberosResponseDetails (D:\Portal\Purple-UI-Services\node_modules\node-expose-sspi\dist\sso\kerberos.js:26:34)
    at D:\Portal\Purple-UI-Services\node_modules\node-expose-sspi\dist\sso\auth.js:119:67
    at D:\Portal\Purple-UI-Services\node_modules\node-expose-sspi\dist\sso\auth.js:190:11
    at Layer.handle [as handle_request] (D:\Portal\Purple-UI-Services\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (D:\Portal\Purple-UI-Services\node_modules\express\lib\router\index.js:317:13)
    at D:\Portal\Purple-UI-Services\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (D:\Portal\Purple-UI-Services\node_modules\express\lib\router\index.js:335:12)
    at next (D:\Portal\Purple-UI-Services\node_modules\express\lib\router\index.js:275:10)
    at D:\Portal\Purple-UI-Services\index.js:25:2
    at Layer.handle [as handle_request] (D:\Portal\Purple-UI-Services\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (D:\Portal\Purple-UI-Services\node_modules\express\lib\router\index.js:317:13)
    at D:\Portal\Purple-UI-Services\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (D:\Portal\Purple-UI-Services\node_modules\express\lib\router\index.js:335:12)
    at next (D:\Portal\Purple-UI-Services\node_modules\express\lib\router\index.js:275:10)
    at expressInit (D:\Portal\Purple-UI-Services\node_modules\express\lib\middleware\init.js:40:5)
    at Layer.handle [as handle_request] (D:\Portal\Purple-UI-Services\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (D:\Portal\Purple-UI-Services\node_modules\express\lib\router\index.js:317:13)
    at D:\Portal\Purple-UI-Services\node_modules\express\lib\router\index.js:284:7
  node-expose-sspi:adConnection openADConnection: counter:  1 +28s
  node-expose-sspi:adConnection closeADConnection: counter:  0 +16ms
  node-expose-sspi:mutex acquire +28s

When not behind the reverse proxy, the only difference is that I get 'SEC_E_OK':

node-expose-sspi:auth serverSecurityContext just after AcceptSecurityContext {
  contextHandle: '0x0000028238531150.0x000001a2c85f7170',
  contextAttr: [
    'ASC_RET_CONFIDENTIALITY',
    'ASC_RET_CONNECTION',
    'ASC_RET_INTEGRITY'
  ],
  SecBufferDesc: { ulVersion: 0, buffers: [ [ArrayBuffer] ] },
  SECURITY_STATUS: 'SEC_E_OK'
}
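The advice in this thread is to make sure the Negotiate token actually reaches the node backend through the proxy. The following added diagnostic (not part of node-expose-sspi or of anyone's code in this issue) lets the backend check that for itself: it parses the forwarded Authorization header, decodes the base64 token and reads the GSS-API mechanism OID, so the log shows whether a SPNEGO/Kerberos initial token, a raw NTLM message, a continuation token, or an empty value arrived. The Express middleware and its mounting point are assumptions.

```javascript
// Added diagnostic, not part of node-expose-sspi: classify the token carried by
// an Authorization header so a Node backend behind a reverse proxy can log what
// actually reached it before the token is handed to AcceptSecurityContext.
const OID_NAMES = {
  '2b0601050502': 'SPNEGO',                     // 1.3.6.1.5.5.2
  '2a864886f712010202': 'Kerberos V5',          // 1.2.840.113554.1.2.2
  '2a864882f712010202': 'Kerberos V5 (MS)',     // 1.2.840.48018.1.2.2
  '2b06010401823702020a': 'NTLMSSP',            // 1.3.6.1.4.1.311.2.2.10
};

// Decode a BER length at `off`; returns [length, bytesConsumed].
function berLength(buf, off) {
  const first = buf[off];
  if (first < 0x80) return [first, 1];
  const n = first & 0x7f;
  let len = 0;
  for (let i = 0; i < n; i++) len = len * 256 + buf[off + 1 + i];
  return [len, 1 + n];
}

function classifyAuthorization(header) {
  if (typeof header !== 'string') return { scheme: null, kind: 'absent' };
  const m = /^(\S+)(?:\s+(\S+))?$/.exec(header.trim());
  if (!m) return { scheme: null, kind: 'malformed' };
  const scheme = m[1];
  const token = Buffer.from(m[2] || '', 'base64');
  const result = { scheme, length: token.length };
  if (token.length === 0) return { ...result, kind: 'empty-token' };
  // Raw NTLM message (no GSS-API framing), as sent with the NTLM scheme.
  if (token.subarray(0, 8).equals(Buffer.from('NTLMSSP\0', 'latin1'))) {
    return { ...result, kind: 'raw-ntlm' };
  }
  // SPNEGO NegTokenResp ([1] CHOICE) is a client continuation, not a first leg.
  if (token[0] === 0xa1) return { ...result, kind: 'spnego-negtokenresp' };
  if (token[0] !== 0x60) return { ...result, kind: 'unknown' };
  // GSS-API InitialContextToken (RFC 2743): 0x60 <len> 0x06 <oidlen> <oid> ...
  let off = 1 + berLength(token, 1)[1];
  if (token[off] !== 0x06) return { ...result, kind: 'gssapi-no-oid' };
  const [oidLen, used] = berLength(token, off + 1);
  off += 1 + used;
  const oid = token.subarray(off, off + oidLen).toString('hex');
  return { ...result, kind: 'gssapi-initial-token', mechanism: OID_NAMES[oid] || `oid:${oid}` };
}

// Assumed usage as Express middleware, mounted before the sso.auth() handler.
function negotiateDiagnostics(req, res, next) {
  console.log('Authorization header seen by node:', classifyAuthorization(req.headers.authorization));
  next();
}
```

A token that arrives as 'empty-token' or 'absent' behind the proxy but as a SPNEGO/Kerberos initial token without it points at the proxy configuration rather than at AcceptSecurityContext.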