venth / aws-adfs

Command line tool to ease aws cli authentication against ADFS (multi factor authentication with active directory)
MIT License

Failure in Duo module in v1.17.0 #126

Closed wilcosec closed 5 years ago

wilcosec commented 5 years ago

Once I upgraded aws-adfs to v1.17.0 (via pip), I get errors extracting roles from response as I never get a Duo prompt to approve.

[authenticator authenticator.py:authenticate] [5158-MainProcess] [140522403542848-MainThread] - ERROR: Cannot extract roles from response
This account does not have access to any roles

Let me know what information I can collect, and how to get verbose output from aws-adfs.

OS: MacOS 10.14.5. Also happens with Ubuntu 18.04.
Python version: 3.6.8
aws-adfs version with error: 1.17.0 from pip
ADFS version: 4.0 (10.0.14393.3053) (Windows Server 2016)
Duo Connector version: 1.2.0.17

mbcmike commented 5 years ago

I have the same problem with v1.17.0. When I revert back to v1.16.0 everything works fine again.

kfattig commented 5 years ago

Reviewing the changes in 1.17.0, I don't see anything that should impact Duo, but I don't have a Duo environment to test against.

Can one/both of you try clearing out existing settings, logging in with '-v' flag, and report back (be sure to review for 'sensitive' information before posting):

aws-adfs reset
aws-adfs -v login ...

That will give a better idea of what's going on.

wilcosec commented 5 years ago

I agree it is strange. Below is the output with the -v flag.

I'm pretty sure the Duo auth module is not getting invoked when it should. Strange though, because it works with everything up through v1.16.

user@grow:~$ aws-adfs --version
1.17.0
user@grow:~$ date
Mon Jul 22 11:58:13 MDT 2019
user@grow:~$ aws-adfs reset
Profile: 'default' has been wiped out
user@grow:~$ rm -r ~/.aws/
user@grow:~$ aws-adfs -v login --adfs-host adfs.[REDACTED].com
2019-07-22 11:48:17,616 [hooks hooks.py:_alias_event_name] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Changing event name from creating-client-class.iot-data to creating-client-class.iot-data-plane
2019-07-22 11:48:17,620 [hooks hooks.py:_alias_event_name] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Changing event name from before-call.apigateway to before-call.api-gateway
2019-07-22 11:48:17,621 [hooks hooks.py:_alias_event_name] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Changing event name from request-created.machinelearning.Predict to request-created.machine-learning.Predict
2019-07-22 11:48:17,623 [hooks hooks.py:_alias_event_name] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Changing event name from before-parameter-build.autoscaling.CreateLaunchConfiguration to before-parameter-build.auto-scaling.CreateLaunchConfiguration
2019-07-22 11:48:17,623 [hooks hooks.py:_alias_event_name] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Changing event name from before-parameter-build.route53 to before-parameter-build.route-53
2019-07-22 11:48:17,624 [hooks hooks.py:_alias_event_name] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Changing event name from request-created.cloudsearchdomain.Search to request-created.cloudsearch-domain.Search
2019-07-22 11:48:17,625 [hooks hooks.py:_alias_event_name] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Changing event name from docs.*.autoscaling.CreateLaunchConfiguration.complete-section to docs.*.auto-scaling.CreateLaunchConfiguration.complete-section
2019-07-22 11:48:17,627 [hooks hooks.py:_alias_event_name] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Changing event name from before-parameter-build.logs.CreateExportTask to before-parameter-build.cloudwatch-logs.CreateExportTask
2019-07-22 11:48:17,628 [hooks hooks.py:_alias_event_name] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Changing event name from docs.*.logs.CreateExportTask.complete-section to docs.*.cloudwatch-logs.CreateExportTask.complete-section
2019-07-22 11:48:17,629 [hooks hooks.py:_alias_event_name] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Changing event name from before-parameter-build.cloudsearchdomain.Search to before-parameter-build.cloudsearch-domain.Search
2019-07-22 11:48:17,629 [hooks hooks.py:_alias_event_name] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Changing event name from docs.*.cloudsearchdomain.Search.complete-section to docs.*.cloudsearch-domain.Search.complete-section
2019-07-22 11:48:17,630 [hooks hooks.py:_alias_event_name] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Changing event name from creating-client-class.iot-data to creating-client-class.iot-data-plane
2019-07-22 11:48:17,633 [hooks hooks.py:_alias_event_name] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Changing event name from before-call.apigateway to before-call.api-gateway
2019-07-22 11:48:17,634 [hooks hooks.py:_alias_event_name] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Changing event name from request-created.machinelearning.Predict to request-created.machine-learning.Predict
2019-07-22 11:48:17,639 [hooks hooks.py:_alias_event_name] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Changing event name from before-parameter-build.autoscaling.CreateLaunchConfiguration to before-parameter-build.auto-scaling.CreateLaunchConfiguration
2019-07-22 11:48:17,640 [hooks hooks.py:_alias_event_name] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Changing event name from before-parameter-build.route53 to before-parameter-build.route-53
2019-07-22 11:48:17,640 [hooks hooks.py:_alias_event_name] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Changing event name from request-created.cloudsearchdomain.Search to request-created.cloudsearch-domain.Search
2019-07-22 11:48:17,642 [hooks hooks.py:_alias_event_name] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Changing event name from docs.*.autoscaling.CreateLaunchConfiguration.complete-section to docs.*.auto-scaling.CreateLaunchConfiguration.complete-section
2019-07-22 11:48:17,646 [hooks hooks.py:_alias_event_name] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Changing event name from before-parameter-build.logs.CreateExportTask to before-parameter-build.cloudwatch-logs.CreateExportTask
2019-07-22 11:48:17,647 [hooks hooks.py:_alias_event_name] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Changing event name from docs.*.logs.CreateExportTask.complete-section to docs.*.cloudwatch-logs.CreateExportTask.complete-section
2019-07-22 11:48:17,647 [hooks hooks.py:_alias_event_name] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Changing event name from before-parameter-build.cloudsearchdomain.Search to before-parameter-build.cloudsearch-domain.Search
2019-07-22 11:48:17,648 [hooks hooks.py:_alias_event_name] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Changing event name from docs.*.cloudsearchdomain.Search.complete-section to docs.*.cloudsearch-domain.Search.complete-section
2019-07-22 11:48:17,649 [hooks hooks.py:_alias_event_name] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Changing event name from creating-client-class.iot-data to creating-client-class.iot-data-plane
2019-07-22 11:48:17,654 [hooks hooks.py:_alias_event_name] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Changing event name from before-call.apigateway to before-call.api-gateway
2019-07-22 11:48:17,655 [hooks hooks.py:_alias_event_name] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Changing event name from request-created.machinelearning.Predict to request-created.machine-learning.Predict
2019-07-22 11:48:17,660 [hooks hooks.py:_alias_event_name] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Changing event name from before-parameter-build.autoscaling.CreateLaunchConfiguration to before-parameter-build.auto-scaling.CreateLaunchConfiguration
2019-07-22 11:48:17,661 [hooks hooks.py:_alias_event_name] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Changing event name from before-parameter-build.route53 to before-parameter-build.route-53
2019-07-22 11:48:17,662 [hooks hooks.py:_alias_event_name] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Changing event name from request-created.cloudsearchdomain.Search to request-created.cloudsearch-domain.Search
2019-07-22 11:48:17,663 [hooks hooks.py:_alias_event_name] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Changing event name from docs.*.autoscaling.CreateLaunchConfiguration.complete-section to docs.*.auto-scaling.CreateLaunchConfiguration.complete-section
2019-07-22 11:48:17,667 [hooks hooks.py:_alias_event_name] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Changing event name from before-parameter-build.logs.CreateExportTask to before-parameter-build.cloudwatch-logs.CreateExportTask
2019-07-22 11:48:17,668 [hooks hooks.py:_alias_event_name] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Changing event name from docs.*.logs.CreateExportTask.complete-section to docs.*.cloudwatch-logs.CreateExportTask.complete-section
2019-07-22 11:48:17,668 [hooks hooks.py:_alias_event_name] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Changing event name from before-parameter-build.cloudsearchdomain.Search to before-parameter-build.cloudsearch-domain.Search
2019-07-22 11:48:17,669 [hooks hooks.py:_alias_event_name] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Changing event name from docs.*.cloudsearchdomain.Search.complete-section to docs.*.cloudsearch-domain.Search.complete-section
2019-07-22 11:48:17,671 [html_roles_fetcher html_roles_fetcher.py:fetch_html_encoded_roles] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Attempt to load authentication cookies into session failed. Re-authentication will be performed. The error: [Errno 2] No such file or directory: '/home/user/.aws/adfs_cookies'
2019-07-22 11:48:17,674 [connectionpool connectionpool.py:_new_conn] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Starting new HTTPS connection (1): adfs.[REDACTED].com:443
2019-07-22 11:48:18,036 [connectionpool connectionpool.py:_make_request] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: https://adfs.[REDACTED].com:443 "POST /adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices HTTP/1.1" 302 0
2019-07-22 11:48:18,145 [connectionpool connectionpool.py:_make_request] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: https://adfs.[REDACTED].com:443 "GET /adfs/ls/wia?loginToRp=urn:amazon:webservices&client-request-id=38aa238a-4925-46e6-aa00-0080000000e8 HTTP/1.1" 401 0
2019-07-22 11:48:18,146 [html_roles_fetcher html_roles_fetcher.py:fetch_html_encoded_roles] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Request:
        * url: https://adfs.[REDACTED].com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices
        * headers: {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive', 'Accept-Language': 'en', 'Cookie': 'MSISSamlRequest=QmFzZVVybD1odH[REDACTED]TNk'}
    Response:
        * status: 401
        * headers: {'Content-Length': '0', 'Server': 'Microsoft-HTTPAPI/2.0', 'WWW-Authenticate': 'Negotiate, NTLM', 'Date': 'Mon, 22 Jul 2019 17:48:17 GMT'}
        * body:

2019-07-22 11:48:18,152 [authenticator authenticator.py:authenticate] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Cannot extract roles from request's response:
                * url: https://adfs.[REDACTED].com:443/adfs/ls/wia?loginToRp=urn:amazon:webservices&client-request-id=38aa238a-4925-46e6-aa00-0080000000e8
                * headers: {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive', 'Accept-Language': 'en', 'Cookie': 'MSISSamlRequest=[REDACTED]TNk'}
            Response:
                * status: 401
                * headers: {'Content-Length': '0', 'Server': 'Microsoft-HTTPAPI/2.0', 'WWW-Authenticate': 'Negotiate, NTLM', 'Date': 'Mon, 22 Jul 2019 17:48:17 GMT'}
                * body:

2019-07-22 11:48:18,157 [authenticator authenticator.py:authenticate] [23094-MainProcess] [140073857673024-MainThread] - ERROR: Cannot extract roles from response
2019-07-22 11:48:18,157 [authenticator authenticator.py:authenticate] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Roles along with principals found after authentication: None
Username: [REDACTED]@[REDACTED].com
Password:
2019-07-22 11:48:26,337 [connectionpool connectionpool.py:_new_conn] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Starting new HTTPS connection (1): adfs.[REDACTED].com:443
2019-07-22 11:48:26,676 [connectionpool connectionpool.py:_make_request] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: https://adfs.[REDACTED].com:443 "POST /adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices HTTP/1.1" 302 0
2019-07-22 11:48:26,785 [connectionpool connectionpool.py:_make_request] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: https://adfs.[REDACTED].com:443 "GET /adfs/ls/wia?loginToRp=urn:amazon:webservices&client-request-id=2898dcdc-d8d4-409f-e301-0080000000dc HTTP/1.1" 401 0
2019-07-22 11:48:26,787 [html_roles_fetcher html_roles_fetcher.py:fetch_html_encoded_roles] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Request:
        * url: https://adfs.[REDACTED].com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices
        * headers: {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive', 'Accept-Language': 'en', 'Cookie': 'MSISSamlRequest=QmFzZVVybD1odH[REDACTED]TNk'}
    Response:
        * status: 401
        * headers: {'Content-Length': '0', 'Server': 'Microsoft-HTTPAPI/2.0', 'WWW-Authenticate': 'Negotiate, NTLM', 'Date': 'Mon, 22 Jul 2019 17:48:26 GMT'}
        * body:

2019-07-22 11:48:26,792 [authenticator authenticator.py:authenticate] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Cannot extract roles from request's response:
                * url: https://adfs.[REDACTED].com:443/adfs/ls/wia?loginToRp=urn:amazon:webservices&client-request-id=2898dcdc-d8d4-409f-e301-0080000000dc
                * headers: {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive', 'Accept-Language': 'en', 'Cookie': 'MSISSamlRequest=QmFzZVVybD1odH[REDACTED]TNk'}
            Response:
                * status: 401
                * headers: {'Content-Length': '0', 'Server': 'Microsoft-HTTPAPI/2.0', 'WWW-Authenticate': 'Negotiate, NTLM', 'Date': 'Mon, 22 Jul 2019 17:48:26 GMT'}
                * body:

2019-07-22 11:48:26,796 [authenticator authenticator.py:authenticate] [23094-MainProcess] [140073857673024-MainThread] - ERROR: Cannot extract roles from response
2019-07-22 11:48:26,796 [authenticator authenticator.py:authenticate] [23094-MainProcess] [140073857673024-MainThread] - DEBUG: Roles along with principals found after authentication: None
This account does not have access to any roles
user@grow:~$
kfattig commented 5 years ago

Thanks @twillowman. I think you're correct: the code that parses an HTML response for Duo-related objects is not being called. It's only run when a 200 response is received. You're getting 401s, so there is no body to parse.

I suspect it's something in the request header. Do you know where the cookie in your first request is coming from? The reset & rm you ran should have purged any existing cookies, no?

wilcosec commented 5 years ago

Yeah, the reset and rm should have removed all cookies. And I can change aws-adfs back to v1.16.0, run the same commands, and I get a 200 and it works without error.

user@grow:~$ aws-adfs --version
v1.16.0
user@grow:~$ date
Mon Jul 22 13:16:59 MDT 2019
user@grow:~$ aws-adfs reset
Profile: 'default' has been wiped out
user@grow:~$ rm -r ~/.aws/
user@grow:~$ aws-adfs -v login --adfs-host adfs.[REDACTED].com
2019-07-22 13:17:25,570 [hooks hooks.py:_alias_event_name] [29994-MainProcess] [140570475857728-MainThread] - DEBUG: Changing event name from creating-client-class.iot-data to creating-client-class.iot-data-plane
2019-07-22 13:17:25,575 [hooks hooks.py:_alias_event_name] [29994-MainProcess] [140570475857728-MainThread] - DEBUG: Changing event name from before-call.apigateway to before-call.api-gateway
2019-07-22 13:17:25,576 [hooks hooks.py:_alias_event_name] [29994-MainProcess] [140570475857728-MainThread] - DEBUG: Changing event name from request-created.machinelearning.Predict to request-created.machine-learning.Predict
2019-07-22 13:17:25,580 [hooks hooks.py:_alias_event_name] [29994-MainProcess] [140570475857728-MainThread] - DEBUG: Changing event name from before-parameter-build.autoscaling.CreateLaunchConfiguration to before-parameter-build.auto-scaling.CreateLaunchConfiguration
2019-07-22 13:17:25,580 [hooks hooks.py:_alias_event_name] [29994-MainProcess] [140570475857728-MainThread] - DEBUG: Changing event name from before-parameter-build.route53 to before-parameter-build.route-53
2019-07-22 13:17:25,581 [hooks hooks.py:_alias_event_name] [29994-MainProcess] [140570475857728-MainThread] - DEBUG: Changing event name from request-created.cloudsearchdomain.Search to request-created.cloudsearch-domain.Search
2019-07-22 13:17:25,583 [hooks hooks.py:_alias_event_name] [29994-MainProcess] [140570475857728-MainThread] - DEBUG: Changing event name from docs.*.autoscaling.CreateLaunchConfiguration.complete-section to docs.*.auto-scaling.CreateLaunchConfiguration.complete-section
2019-07-22 13:17:25,586 [hooks hooks.py:_alias_event_name] [29994-MainProcess] [140570475857728-MainThread] - DEBUG: Changing event name from before-parameter-build.logs.CreateExportTask to before-parameter-build.cloudwatch-logs.CreateExportTask
2019-07-22 13:17:25,587 [hooks hooks.py:_alias_event_name] [29994-MainProcess] [140570475857728-MainThread] - DEBUG: Changing event name from docs.*.logs.CreateExportTask.complete-section to docs.*.cloudwatch-logs.CreateExportTask.complete-section
2019-07-22 13:17:25,587 [hooks hooks.py:_alias_event_name] [29994-MainProcess] [140570475857728-MainThread] - DEBUG: Changing event name from before-parameter-build.cloudsearchdomain.Search to before-parameter-build.cloudsearch-domain.Search
2019-07-22 13:17:25,588 [hooks hooks.py:_alias_event_name] [29994-MainProcess] [140570475857728-MainThread] - DEBUG: Changing event name from docs.*.cloudsearchdomain.Search.complete-section to docs.*.cloudsearch-domain.Search.complete-section
2019-07-22 13:17:25,590 [hooks hooks.py:_alias_event_name] [29994-MainProcess] [140570475857728-MainThread] - DEBUG: Changing event name from creating-client-class.iot-data to creating-client-class.iot-data-plane
2019-07-22 13:17:25,593 [hooks hooks.py:_alias_event_name] [29994-MainProcess] [140570475857728-MainThread] - DEBUG: Changing event name from before-call.apigateway to before-call.api-gateway
2019-07-22 13:17:25,594 [hooks hooks.py:_alias_event_name] [29994-MainProcess] [140570475857728-MainThread] - DEBUG: Changing event name from request-created.machinelearning.Predict to request-created.machine-learning.Predict
2019-07-22 13:17:25,596 [hooks hooks.py:_alias_event_name] [29994-MainProcess] [140570475857728-MainThread] - DEBUG: Changing event name from before-parameter-build.autoscaling.CreateLaunchConfiguration to before-parameter-build.auto-scaling.CreateLaunchConfiguration
2019-07-22 13:17:25,597 [hooks hooks.py:_alias_event_name] [29994-MainProcess] [140570475857728-MainThread] - DEBUG: Changing event name from before-parameter-build.route53 to before-parameter-build.route-53
2019-07-22 13:17:25,598 [hooks hooks.py:_alias_event_name] [29994-MainProcess] [140570475857728-MainThread] - DEBUG: Changing event name from request-created.cloudsearchdomain.Search to request-created.cloudsearch-domain.Search
2019-07-22 13:17:25,600 [hooks hooks.py:_alias_event_name] [29994-MainProcess] [140570475857728-MainThread] - DEBUG: Changing event name from docs.*.autoscaling.CreateLaunchConfiguration.complete-section to docs.*.auto-scaling.CreateLaunchConfiguration.complete-section
2019-07-22 13:17:25,602 [hooks hooks.py:_alias_event_name] [29994-MainProcess] [140570475857728-MainThread] - DEBUG: Changing event name from before-parameter-build.logs.CreateExportTask to before-parameter-build.cloudwatch-logs.CreateExportTask
2019-07-22 13:17:25,603 [hooks hooks.py:_alias_event_name] [29994-MainProcess] [140570475857728-MainThread] - DEBUG: Changing event name from docs.*.logs.CreateExportTask.complete-section to docs.*.cloudwatch-logs.CreateExportTask.complete-section
2019-07-22 13:17:25,604 [hooks hooks.py:_alias_event_name] [29994-MainProcess] [140570475857728-MainThread] - DEBUG: Changing event name from before-parameter-build.cloudsearchdomain.Search to before-parameter-build.cloudsearch-domain.Search
2019-07-22 13:17:25,604 [hooks hooks.py:_alias_event_name] [29994-MainProcess] [140570475857728-MainThread] - DEBUG: Changing event name from docs.*.cloudsearchdomain.Search.complete-section to docs.*.cloudsearch-domain.Search.complete-section
2019-07-22 13:17:25,605 [hooks hooks.py:_alias_event_name] [29994-MainProcess] [140570475857728-MainThread] - DEBUG: Changing event name from creating-client-class.iot-data to creating-client-class.iot-data-plane
2019-07-22 13:17:25,609 [hooks hooks.py:_alias_event_name] [29994-MainProcess] [140570475857728-MainThread] - DEBUG: Changing event name from before-call.apigateway to before-call.api-gateway
2019-07-22 13:17:25,610 [hooks hooks.py:_alias_event_name] [29994-MainProcess] [140570475857728-MainThread] - DEBUG: Changing event name from request-created.machinelearning.Predict to request-created.machine-learning.Predict
2019-07-22 13:17:25,612 [hooks hooks.py:_alias_event_name] [29994-MainProcess] [140570475857728-MainThread] - DEBUG: Changing event name from before-parameter-build.autoscaling.CreateLaunchConfiguration to before-parameter-build.auto-scaling.CreateLaunchConfiguration
2019-07-22 13:17:25,612 [hooks hooks.py:_alias_event_name] [29994-MainProcess] [140570475857728-MainThread] - DEBUG: Changing event name from before-parameter-build.route53 to before-parameter-build.route-53
2019-07-22 13:17:25,613 [hooks hooks.py:_alias_event_name] [29994-MainProcess] [140570475857728-MainThread] - DEBUG: Changing event name from request-created.cloudsearchdomain.Search to request-created.cloudsearch-domain.Search
2019-07-22 13:17:25,614 [hooks hooks.py:_alias_event_name] [29994-MainProcess] [140570475857728-MainThread] - DEBUG: Changing event name from docs.*.autoscaling.CreateLaunchConfiguration.complete-section to docs.*.auto-scaling.CreateLaunchConfiguration.complete-section
2019-07-22 13:17:25,617 [hooks hooks.py:_alias_event_name] [29994-MainProcess] [140570475857728-MainThread] - DEBUG: Changing event name from before-parameter-build.logs.CreateExportTask to before-parameter-build.cloudwatch-logs.CreateExportTask
2019-07-22 13:17:25,617 [hooks hooks.py:_alias_event_name] [29994-MainProcess] [140570475857728-MainThread] - DEBUG: Changing event name from docs.*.logs.CreateExportTask.complete-section to docs.*.cloudwatch-logs.CreateExportTask.complete-section
2019-07-22 13:17:25,618 [hooks hooks.py:_alias_event_name] [29994-MainProcess] [140570475857728-MainThread] - DEBUG: Changing event name from before-parameter-build.cloudsearchdomain.Search to before-parameter-build.cloudsearch-domain.Search
2019-07-22 13:17:25,619 [hooks hooks.py:_alias_event_name] [29994-MainProcess] [140570475857728-MainThread] - DEBUG: Changing event name from docs.*.cloudsearchdomain.Search.complete-section to docs.*.cloudsearch-domain.Search.complete-section
2019-07-22 13:17:25,620 [html_roles_fetcher html_roles_fetcher.py:fetch_html_encoded_roles] [29994-MainProcess] [140570475857728-MainThread] - DEBUG: Attempt to load authentication cookies into session failed. Re-authentication will be performed. The error: [Errno 2] No such file or directory: '/home/user/.aws/adfs_cookies'
2019-07-22 13:17:25,623 [connectionpool connectionpool.py:_new_conn] [29994-MainProcess] [140570475857728-MainThread] - DEBUG: Starting new HTTPS connection (1): adfs.[REDACTED].com:443
2019-07-22 13:17:31,099 [connectionpool connectionpool.py:_make_request] [29994-MainProcess] [140570475857728-MainThread] - DEBUG: https://adfs.[REDACTED].com:443 "POST /adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices HTTP/1.1" 200 17289
2019-07-22 13:17:31,151 [html_roles_fetcher html_roles_fetcher.py:fetch_html_encoded_roles] [29994-MainProcess] [140570475857728-MainThread] - DEBUG: Request:
        * url: https://adfs.[REDACTED].com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices
        * headers: {'User-Agent': 'python-requests/2.22.0', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive', 'Accept-Language': 'en', 'Content-Length': '37', 'Content-Type': 'application/x-www-form-urlencoded'}
    Response:
        * status: 200
        * headers: {'Cache-Control': 'no-cache,no-store', 'Pragma': 'no-cache', 'Content-Length': '17289', 'Content-Type': 'text/html; charset=utf-8', 'Expires': '-1', 'Server': 'Microsoft-HTTPAPI/2.0', 'X-Frame-Options': 'DENY', 'P3P': "ADFS doesn't have P3P policy, please contact your site's admin for more details", 'Set-Cookie': 'MSISSamlRequest=QmFzZVVybD1odH[REDACTED]YVDQlM2Q=; path=/adfs; HttpOnly; Secure', 'Date': 'Mon, 22 Jul 2019 19:17:31 GMT'}
        * body:  <!DOCTYPE html>
... trimmed for length ...

And then it prompts for user / password and I get a duo prompt and it works.

wilcosec commented 5 years ago

Sorry, to answer your question: I have no idea where that cookie might be coming from. The rm certainly removes the adfs_cookies file within ~/.aws/

This was run after a successful login with v1.16:

... trimmed a successful login ...
        Prepared ADFS configuration as follows:
            * AWS CLI profile                   : 'default'
            * AWS region                        : 'eu-central-1'
            * Output format                     : 'json'
            * SSL verification of ADFS Server   : 'ENABLED'
            * Selected role_arn                 : 'arn:aws:iam::[REDACTED]'
            * ADFS Server                       : 'adfs.[REDACTED].com'
            * ADFS Session Duration in seconds  : '43200'
            * Provider ID                       : 'urn:amazon:webservices'
            * S3 Signature Version              : 'None'
            * STS Session Duration in seconds   : '3600'

user@grow:~$
user@grow:~$ ls ~/.aws/
adfs_cookies  config  credentials
user@grow:~$ ls -las ~/.aws/
total 20
4 drwx------  2 user user 4096 Jul 22 13:25 .
4 drwxr-xr-x 20 user user 4096 Jul 22 13:25 ..
4 -rw-------  1 user user 3431 Jul 22 13:25 adfs_cookies
4 -rw-------  1 user user  335 Jul 22 13:26 config
4 -rw-------  1 user user 1016 Jul 22 13:26 credentials
user@grow:~$ aws-adfs reset
Profile: 'default' has been wiped out
user@grow:~$ rm -r ~/.aws/
user@grow:~$ ls -las ~/.aws/
ls: cannot access '/home/user/.aws/': No such file or directory
user@grow:~$

I think you might be onto something with the request header. This error is happening for everyone at my company, MacOS and Linux (aws-adfs hasn't worked with Duo on Windows for a while).

Any idea where the cookie could be coming from? I'm looking through the code and the recent commits, but am not very familiar with python or this project.

kfattig commented 5 years ago

The user-agent header you're sending is different (python-requests), and the code that controls that was changed.

Can you try specifying '--no-sspi' at the command line? That should get you the python-requests header again.

wilcosec commented 5 years ago

After clearing old cookies and doing a profile reset, it works as long as I include the --no-sspi flag. Thank you very much for the prompt help!

I'll close this issue. If you have time for a follow-up question; what is the no-sspi flag really doing? Is it less secure in some way?

kfattig commented 5 years ago

SSPI is a collection of Windows-native authentication protocols. In our case it allows Windows users that are logged into a domain-joined machine to authenticate seamlessly without re-entering credentials.

This functionality was added a while back, and it defaults to 'on'. The way it was implemented at that time, if you're not on Windows it silently fails to load a dependency and continues without SSPI. Specifically, this line is never run when SSPI is enabled and 'requests_negotiate_sspi' is not available.

In the latest release I changed the way that no-sspi was handled, to make it more like other options (store it in a config file, etc.). In doing so I ensured the header would be set when SSPI is enabled.

IMO there are two problems here:

I'm going to mull these things over for a bit, and will enter an issue or two in a few days.
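As an added example (not aws-adfs's own code) of the two problems kfattig describes above: an optional SSPI dependency that fails silently, and a browser-like User-Agent that gets sent even when nothing on the client will answer the Negotiate challenge it invites. It also turns the 401 with 'WWW-Authenticate: Negotiate, NTLM' seen in the -v output into a specific diagnosis, which is the check behind kfattig's earlier point that Duo parsing only runs on a 200. The module name requests_negotiate_sspi and the two User-Agent strings come from the thread; the function names, the verdict strings and the sample response are assumptions constructed here.

```python
import importlib.util
import logging
import sys

log = logging.getLogger("adfs_session")

# Optional Windows SSPI dependency named in the thread; nothing here imports it.
SSPI_MODULE = "requests_negotiate_sspi"

# Taken from the -v output in the thread. ADFS treats the first UA as a browser
# capable of Windows Integrated Auth and answers with a 401 challenge; the second
# gets the forms (and Duo) HTML page instead.
IE_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
DEFAULT_USER_AGENT = "python-requests/2.22.0"


def sspi_available():
    """True only on Windows with the SSPI module installed; find_spec checks without importing."""
    return sys.platform == "win32" and importlib.util.find_spec(SSPI_MODULE) is not None


def resolve_sspi(requested, available=None):
    """Decide whether SSPI is really in use. A request for SSPI that cannot be
    honoured is logged and reported back, never silently downgraded."""
    if available is None:
        available = sspi_available()
    if not requested:
        return False, "sspi disabled (--no-sspi)"
    if not available:
        log.warning("SSPI requested but %s is not usable; falling back to forms authentication",
                    SSPI_MODULE)
        return False, "sspi requested but unavailable; forms fallback"
    return True, "sspi active"


def request_headers(use_sspi):
    """Send the browser-like UA only when SSPI will actually answer the Negotiate challenge."""
    return {
        "Accept": "*/*",
        "Accept-Language": "en",
        "User-Agent": IE_USER_AGENT if use_sspi else DEFAULT_USER_AGENT,
    }


def classify_response(status, headers, use_sspi):
    """Turn the ADFS reply into an actionable verdict instead of a generic
    'Cannot extract roles'. Header names are matched case-insensitively."""
    challenge = next((v for k, v in headers.items() if k.lower() == "www-authenticate"), "")
    if status == 200:
        return "forms-page"  # HTML body present; Duo and role parsing can run
    if status == 401 and ("Negotiate" in challenge or "NTLM" in challenge):
        if use_sspi:
            return "wia-challenge-sspi-failed"  # SSPI handshake did not complete
        return "wia-challenge-without-sspi"  # browser UA sent, but no SSPI to answer
    return "unexpected"


# Constructed sample: the failing v1.17.0 exchange from the thread (body empty).
SAMPLE_401 = (401, {"Content-Length": "0", "Server": "Microsoft-HTTPAPI/2.0",
                    "WWW-Authenticate": "Negotiate, NTLM"})


def diagnose_thread_failure():
    """Replay the thread's situation: SSPI on by default, dependency absent on Linux."""
    use_sspi, reason = resolve_sspi(requested=True, available=False)
    headers = request_headers(use_sspi)
    verdict = classify_response(SAMPLE_401[0], SAMPLE_401[1], use_sspi)
    return reason, headers["User-Agent"], verdict


if __name__ == "__main__":
    print(diagnose_thread_failure())
```

With SSPI resolved honestly, a non-Windows client keeps the python-requests User-Agent and gets the forms page; if a Negotiate challenge still comes back, the verdict names the mismatch rather than reporting that the account has no roles.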

kfattig commented 5 years ago

@mbcmike Please try setting '--no-sspi' and see if it fixes the issue for you as well

@twillowman You mentioned this utility has been broken for a while on Windows in your environment. Perhaps the SSPI change mentioned above inadvertently broke it? If you've got the bandwidth try setting '--no-sspi' on Windows and see what you get.

mbcmike commented 5 years ago

Yes that fixes it for me as well. Thanks.

kphanik38 commented 1 year ago

Hi, sorry, this seems to be a very persistent/repeating issue and hence I had to approach here. Also, pardon me, I am new to all these, so I'm not even sure if I am doing it the right way.

Please help. It used to work like 6 months ago. Does it have anything to do with Python packages? I checked the above comments, downgraded my aws-adfs to 1.16, and included the --no-sspi switch. Nothing works for me.

$ aws --version
aws-cli/1.27.85 Python/3.10.10 Linux/3.10.0-1160.83.1.el7.x86_64 botocore/1.29.85

$ aws-adfs --version
v1.16.0

$ python3.10 --version
Python 3.10.10

$ ls
adfs_cookies  config  credentials

$ rm -rf *

$ aws-adfs reset
Profile: 'default' has been wiped out

$ ls
config  credentials

$ cat config

$ cat credentials

$ aws-adfs -v login --no-sspi --adfs-host sts.[MySite].com
2023-03-07 15:50:57,359 [hooks hooks.py:_alias_event_name] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Changing event name from creating-client-class.iot-data to creating-client-class.iot-data-plane
2023-03-07 15:50:57,361 [hooks hooks.py:_alias_event_name] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Changing event name from before-call.apigateway to before-call.api-gateway
2023-03-07 15:50:57,362 [hooks hooks.py:_alias_event_name] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Changing event name from request-created.machinelearning.Predict to request-created.machine-learning.Predict
2023-03-07 15:50:57,364 [hooks hooks.py:_alias_event_name] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Changing event name from before-parameter-build.autoscaling.CreateLaunchConfiguration to before-parameter-build.auto-scaling.CreateLaunchConfiguration
2023-03-07 15:50:57,364 [hooks hooks.py:_alias_event_name] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Changing event name from before-parameter-build.route53 to before-parameter-build.route-53
2023-03-07 15:50:57,364 [hooks hooks.py:_alias_event_name] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Changing event name from request-created.cloudsearchdomain.Search to request-created.cloudsearch-domain.Search
2023-03-07 15:50:57,365 [hooks hooks.py:_alias_event_name] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Changing event name from docs.*.autoscaling.CreateLaunchConfiguration.complete-section to docs.*.auto-scaling.CreateLaunchConfiguration.complete-section
2023-03-07 15:50:57,368 [hooks hooks.py:_alias_event_name] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Changing event name from before-parameter-build.logs.CreateExportTask to before-parameter-build.cloudwatch-logs.CreateExportTask
2023-03-07 15:50:57,368 [hooks hooks.py:_alias_event_name] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Changing event name from docs.*.logs.CreateExportTask.complete-section to docs.*.cloudwatch-logs.CreateExportTask.complete-section
2023-03-07 15:50:57,368 [hooks hooks.py:_alias_event_name] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Changing event name from before-parameter-build.cloudsearchdomain.Search to before-parameter-build.cloudsearch-domain.Search
2023-03-07 15:50:57,368 [hooks hooks.py:_alias_event_name] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Changing event name from docs.*.cloudsearchdomain.Search.complete-section to docs.*.cloudsearch-domain.Search.complete-section
2023-03-07 15:50:57,370 [hooks hooks.py:_alias_event_name] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Changing event name from creating-client-class.iot-data to creating-client-class.iot-data-plane
2023-03-07 15:50:57,372 [hooks hooks.py:_alias_event_name] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Changing event name from before-call.apigateway to before-call.api-gateway
2023-03-07 15:50:57,373 [hooks hooks.py:_alias_event_name] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Changing event name from request-created.machinelearning.Predict to request-created.machine-learning.Predict
2023-03-07 15:50:57,374 [hooks hooks.py:_alias_event_name] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Changing event name from before-parameter-build.autoscaling.CreateLaunchConfiguration to before-parameter-build.auto-scaling.CreateLaunchConfiguration
2023-03-07 15:50:57,375 [hooks hooks.py:_alias_event_name] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Changing event name from before-parameter-build.route53 to before-parameter-build.route-53
2023-03-07 15:50:57,375 [hooks hooks.py:_alias_event_name] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Changing event name from request-created.cloudsearchdomain.Search to request-created.cloudsearch-domain.Search
2023-03-07 15:50:57,376 [hooks hooks.py:_alias_event_name] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Changing event name from docs.*.autoscaling.CreateLaunchConfiguration.complete-section to docs.*.auto-scaling.CreateLaunchConfiguration.complete-section
2023-03-07 15:50:57,379 [hooks hooks.py:_alias_event_name] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Changing event name from before-parameter-build.logs.CreateExportTask to before-parameter-build.cloudwatch-logs.CreateExportTask
2023-03-07 15:50:57,379 [hooks hooks.py:_alias_event_name] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Changing event name from docs.*.logs.CreateExportTask.complete-section to docs.*.cloudwatch-logs.CreateExportTask.complete-section
2023-03-07 15:50:57,379 [hooks hooks.py:_alias_event_name] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Changing event name from before-parameter-build.cloudsearchdomain.Search to before-parameter-build.cloudsearch-domain.Search
2023-03-07 15:50:57,379 [hooks hooks.py:_alias_event_name] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Changing event name from docs.*.cloudsearchdomain.Search.complete-section to docs.*.cloudsearch-domain.Search.complete-section
2023-03-07 15:50:57,380 [hooks hooks.py:_alias_event_name] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Changing event name from creating-client-class.iot-data to creating-client-class.iot-data-plane
2023-03-07 15:50:57,383 [hooks hooks.py:_alias_event_name] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Changing event name from before-call.apigateway to before-call.api-gateway
2023-03-07 15:50:57,384 [hooks hooks.py:_alias_event_name] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Changing event name from request-created.machinelearning.Predict to request-created.machine-learning.Predict
2023-03-07 15:50:57,385 [hooks hooks.py:_alias_event_name] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Changing event name from before-parameter-build.autoscaling.CreateLaunchConfiguration to before-parameter-build.auto-scaling.CreateLaunchConfiguration
2023-03-07 15:50:57,385 [hooks hooks.py:_alias_event_name] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Changing event name from before-parameter-build.route53 to before-parameter-build.route-53
2023-03-07 15:50:57,386 [hooks hooks.py:_alias_event_name] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Changing event name from request-created.cloudsearchdomain.Search to request-created.cloudsearch-domain.Search
2023-03-07 15:50:57,387 [hooks hooks.py:_alias_event_name] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Changing event name from docs.*.autoscaling.CreateLaunchConfiguration.complete-section to docs.*.auto-scaling.CreateLaunchConfiguration.complete-section
2023-03-07 15:50:57,389 [hooks hooks.py:_alias_event_name] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Changing event name from before-parameter-build.logs.CreateExportTask to before-parameter-build.cloudwatch-logs.CreateExportTask
2023-03-07 15:50:57,390 [hooks hooks.py:_alias_event_name] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Changing event name from docs.*.logs.CreateExportTask.complete-section to docs.*.cloudwatch-logs.CreateExportTask.complete-section
2023-03-07 15:50:57,390 [hooks hooks.py:_alias_event_name] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Changing event name from before-parameter-build.cloudsearchdomain.Search to before-parameter-build.cloudsearch-domain.Search
2023-03-07 15:50:57,390 [hooks hooks.py:_alias_event_name] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Changing event name from docs.*.cloudsearchdomain.Search.complete-section to docs.*.cloudsearch-domain.Search.complete-section
2023-03-07 15:50:57,391 [html_roles_fetcher html_roles_fetcher.py:fetch_html_encoded_roles] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Attempt to load authentication cookies into session failed. Re-authentication will be performed. The error: [Errno 2] No such file or directory: '/.aws/adfs_cookies'
2023-03-07 15:50:57,393 [connectionpool connectionpool.py:_new_conn] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Starting new HTTPS connection (1): sts.[MySite].com:[MyPort]
2023-03-07 15:50:57,956 [connectionpool connectionpool.py:_make_request] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: https://sts.[MySite].com:[MyPort] "POST /adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices HTTP/1.1" 403 1233
2023-03-07 15:50:57,956 [html_roles_fetcher html_roles_fetcher.py:fetch_html_encoded_roles] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Request:
        * url: https://sts.[MySite].com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices
        * headers: {'User-Agent': 'python-requests/2.28.2', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive', 'Accept-Language': 'en', 'Content-Length': '37', 'Content-Type': 'application/x-www-form-urlencoded'}
    Response:
        * status: 403
        * headers: {'Content-Type': 'text/html', 'Server': 'Microsoft-IIS/10.0', 'Date': 'Tue, 07 Mar 2023 14:50:57 GMT', 'Content-Length': '1233'}
        * body: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
 <div class="content-container"><fieldset>
  <h2>403 - Forbidden: Access is denied.</h2>
  <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
 </fieldset></div>
</div>
</body>
</html>

2023-03-07 15:50:57,957 [authenticator authenticator.py:authenticate] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Cannot extract roles from request's response:
                * url: https://sts.[MySite].com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices
                * headers: {'User-Agent': 'python-requests/2.28.2', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive', 'Accept-Language': 'en', 'Content-Length': '37', 'Content-Type': 'application/x-www-form-urlencoded'}
            Response:
                * status: 403
                * headers: {'Content-Type': 'text/html', 'Server': 'Microsoft-IIS/10.0', 'Date': 'Tue, 07 Mar 2023 14:50:57 GMT', 'Content-Length': '1233'}
                * body: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
 <div class="content-container"><fieldset>
  <h2>403 - Forbidden: Access is denied.</h2>
  <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
 </fieldset></div>
</div>
</body>
</html>

2023-03-07 15:50:57,957 [authenticator authenticator.py:authenticate] [28486-MainProcess] [139761767130944-MainThread] - ERROR: Cannot extract roles from response
2023-03-07 15:50:57,957 [authenticator authenticator.py:authenticate] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Roles along with principals found after authentication: None
**Username: [MyID]@[MySite].com
Password: [MyPassword]**
2023-03-07 15:51:11,050 [connectionpool connectionpool.py:_new_conn] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Starting new HTTPS connection (1): sts.[MySite].com:[MyPort]
2023-03-07 15:51:11,524 [connectionpool connectionpool.py:_make_request] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: https://sts.[MySite].com:[MyPort] "POST /adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices HTTP/1.1" 403 1233
2023-03-07 15:51:11,524 [html_roles_fetcher html_roles_fetcher.py:fetch_html_encoded_roles] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Request:
        * url: https://sts.[MySite].com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices
        * headers: {'User-Agent': 'python-requests/2.28.2', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive', 'Accept-Language': 'en', 'Content-Length': '100', 'Content-Type': 'application/x-www-form-urlencoded'}
    Response:
        * status: 403
        * headers: {'Content-Type': 'text/html', 'Server': 'Microsoft-IIS/10.0', 'Date': 'Tue, 07 Mar 2023 14:51:10 GMT', 'Content-Length': '1233'}
        * body: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
 <div class="content-container"><fieldset>
  <h2>403 - Forbidden: Access is denied.</h2>
  <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
 </fieldset></div>
</div>
</body>
</html>

2023-03-07 15:51:11,525 [authenticator authenticator.py:authenticate] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Cannot extract roles from request's response:
                * url: https://sts.[MySite].com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices
                * headers: {'User-Agent': 'python-requests/2.28.2', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive', 'Accept-Language': 'en', 'Content-Length': '100', 'Content-Type': 'application/x-www-form-urlencoded'}
            Response:
                * status: 403
                * headers: {'Content-Type': 'text/html', 'Server': 'Microsoft-IIS/10.0', 'Date': 'Tue, 07 Mar 2023 14:51:10 GMT', 'Content-Length': '1233'}
                * body: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
 <div class="content-container"><fieldset>
  <h2>403 - Forbidden: Access is denied.</h2>
  <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
 </fieldset></div>
</div>
</body>
</html>

2023-03-07 15:51:11,525 [authenticator authenticator.py:authenticate] [28486-MainProcess] [139761767130944-MainThread] - ERROR: Cannot extract roles from response
2023-03-07 15:51:11,525 [authenticator authenticator.py:authenticate] [28486-MainProcess] [139761767130944-MainThread] - DEBUG: Roles along with principals found after authentication: None
This account does not have access to any roles

$
kfattig commented 1 year ago

@kphanik38

Apologies, I have not worked with this tool or ADFS generally in several years and no longer have the ability to meaningfully assist. I do see from your dump though that you're getting 403s, while the header issue described here was 401s. That's a meaningful difference and likely caused by a different configuration - details on response codes here.

Unfortunately issues like this are really difficult to troubleshoot due to the opaque & variable nature of the server(s). I'd suggest starting with whoever manages your ADFS/IIS implementation and see if you can trace where/why that response code is generated. They should be able to trace your requests given what you posted here, and recommend modifications accordingly. My first guess would be something like a WAF or other security policy/appliance treating you like a bot, but it's hard to say.
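
A small standalone probe that follows the triage kfattig describes, added here as an example for this thread and not part of aws-adfs. It POSTs to the same IdP-initiated sign-on URL that appears in the log above, once with the `python-requests` User-Agent the log shows and once with a browser User-Agent, and classifies each response: a 401 is an integrated-auth challenge (the `WWW-Authenticate` scheme tells you what IIS/ADFS expects), a 403 carrying the stock IIS "Server Error" page was refused before any ADFS page was rendered, and a 200 containing the ADFS `loginForm` means the forms page was reached. Two things from the log motivate the checks: the anonymous 37-byte POST and the 100-byte credential POST got the identical stock IIS 403 with `Server: Microsoft-IIS/10.0`, so the credentials were never evaluated; and ADFS 3.0 (Windows Server 2012 R2) and later is not hosted in IIS, so if the farm is that version a stock IIS error page usually originates from a proxy, load balancer or WAF tier in front of it, which is exactly where the ADFS team should trace. Assumptions, flagged in the code: the host and port come from the command line, the browser User-Agent string is illustrative, the request body is a placeholder rather than a byte-for-byte copy of what aws-adfs sends, and the "stock IIS page" test is a string heuristic on the default IIS error markup. The `SAMPLE_403` tuple is constructed from the response dumped above, trimmed to its distinctive strings.

```python
"""Probe the ADFS IdP-initiated sign-on URL and triage the response.

Added example for this issue thread; not part of aws-adfs. Host/port,
the browser User-Agent and the placeholder form body are assumptions.
"""
import http.client
import ssl
from urllib.parse import urlencode

# Same relying-party URL as in the log above.
SIGNON_PATH = "/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices"

# Constructed from the 403 dumped in the log: status, headers and the
# distinctive strings of the stock IIS error page (trimmed, not a live capture).
SAMPLE_403 = (
    403,
    {"Content-Type": "text/html", "Server": "Microsoft-IIS/10.0",
     "Date": "Tue, 07 Mar 2023 14:50:57 GMT", "Content-Length": "1233"},
    '<html><head><title>403 - Forbidden: Access is denied.</title></head>'
    '<body><div id="header"><h1>Server Error</h1></div>'
    '<h2>403 - Forbidden: Access is denied.</h2></body></html>',
)


def triage(status, headers, body):
    """Classify one sign-on response; returns (verdict, detail)."""
    h = {k.lower(): v for k, v in headers.items()}
    server = h.get("server") or "<absent>"
    if 300 <= status < 400:
        return "redirect", f"Location={h.get('location', '<absent>')}"
    if status == 401:
        # Integrated Windows auth challenge issued before any forms page.
        return "auth-challenge", f"WWW-Authenticate={h.get('www-authenticate', '<absent>')}"
    if status == 403:
        # Heuristic (assumption): the default IIS error markup, which ADFS's
        # own error and sign-in pages do not use.
        if "<h1>Server Error</h1>" in body and "Forbidden" in body:
            return "denied-before-adfs", f"stock IIS 403 page, Server={server}"
        return "forbidden", f"non-IIS 403 body ({len(body)} bytes), Server={server}"
    if status == 200 and 'id="loginForm"' in body:
        return "adfs-forms-page", "ADFS forms sign-in page reached"
    if status == 200 and 'name="SAMLResponse"' in body:
        return "saml-response", "assertion returned; role extraction should work"
    return "unexpected", f"status={status}, Server={server}"


def probe(host, port=443, user_agent="python-requests/2.28.2", form=None, verify=True):
    """POST once to the sign-on URL and return (status, headers, body).

    form=None sends an empty body as a stand-in for the credential-less
    first request (assumption: the exact aws-adfs body is not reproduced;
    the log shows the 403 did not depend on it). Network call, not run
    by the tests.
    """
    body = urlencode(form or {})
    ctx = ssl.create_default_context()
    if not verify:  # only when tracing through a TLS-intercepting proxy
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=15)
    conn.request("POST", SIGNON_PATH, body=body, headers={
        "User-Agent": user_agent,
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "*/*",
    })
    resp = conn.getresponse()
    data = resp.read().decode("iso-8859-1", errors="replace")
    conn.close()
    return resp.status, dict(resp.getheaders()), data


def compare_user_agents(host, port=443):
    """Probe with the aws-adfs UA and a browser UA (illustrative string).

    A verdict that changes with the User-Agent points at a WAF/bot rule
    in front of ADFS rather than ADFS or IIS configuration.
    """
    browser = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/110.0 Safari/537.36")
    return {ua: triage(*probe(host, port, user_agent=ua))
            for ua in ("python-requests/2.28.2", browser)}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # usage: python3 probe.py sts.example.com [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        for ua, (verdict, detail) in compare_user_agents(sys.argv[1], port).items():
            print(f"{ua[:30]:30} -> {verdict}: {detail}")
    else:
        print(triage(*SAMPLE_403))
```

Run it against the real host and compare the two rows: if both User-Agents get `denied-before-adfs`, the block is not a bot rule and the IIS/proxy team needs to trace the request by source IP and time; if only the `python-requests` row is denied, a User-Agent rule on a WAF or proxy is the first thing to ask about. A `redirect` verdict with a `Location` on another host means the sign-on URL is being forwarded somewhere aws-adfs does not follow, which is a different problem again.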

kphanik38 commented 1 year ago

Thank you, will check and get back here if anything is worth sharing back.