Sending blank username to PI from ADFS farm #17
Comments
|
Thinking of it, I don't believe the realm is stored in the session, is it? So the lost session does not explain the blank realm sent. |
|
To my understanding the username is passed as hidden field to the login form? |
|
Not really possible, as they wouldn't then be authenticated (in order to get to the OTP step). |
|
So the username should be a hidden field in the login dialog. Did you check the source code of the otp login html page, if the username is actually contained? So that you can narrow down, where the username gets lost? |
|
The issue is that I cannot reproduce is, although it has been reported 4 times by my colleagues who are testing. I did verify that they entered the correct code (it is logged on our BIG-IP proxy): Missing username, realm and trans: I believe it happens on those webview popups (Outlook, Skype and OneDrive - the thick clients) in which you cannot see the source code. Although not consistently, as they work 9/10 times. |
|
In addition I have also tested every ADFS directly to filter out any faulty farm members - all of them works/have the correct code in place. |
|
Maybe you can also log the User-Agent in the Big IP, so you can be sure, if this problem only occurs on certain clients. |
|
Unfortunately I have no proxy in front of those ADFS's (thats a long story about two separate companies sharing a 365 environment). Only in front of the PI server. |
|
Can the big IP only log parameters? Can't you log header information of the http request? |
|
I can, but the requests to the PI is the adfs plug-in doing that, not the client :)
On 28 Dec 2018, at 11:06, Cornelius Kölbel <notifications@github.com<mailto:notifications@github.com>> wrote:
CAUTION: This email originated from outside the organization. Do not click on a link or open an attachment unless you recognize the sender and know the content is safe.
Can the big IP only log parameters? Can't you log header information of the http request?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub<#17 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AFxgSQ2m4O4MXQoRltQoc91ctgISm9pcks5u9e0ggaJpZM4ZjmwQ>.
|
|
Oh. You are right. My bad! I should have studied this system better ;-) |
|
Hey! So I try to recap the issue: In some (use)cases the username and realm field in the OTP-Auth.-Webview is empty. This behavior can not be reproduced but mostly shows up on/requests from Office client software. In my opinion the issue occurs if the username and the "realm" are not a part of the SAML-Token/Claim. In this case the username and realm(domain) is empty and this leads to such a behavior. Please check the EventLog for errors and exceptions. In this case a event (exception) should be logged. For debugging and testing I'll prepare a "debug" version for you, so I can get a better understanding why and where the error occurs. |
|
Here is the debug version: Download |
Thank you, sbidy. We installed the debug version on the ADFS servers yesterday - so now we wait for more failures :) I don't believe if it's connected to the debug version or not - but it seems to sometimes not being able to authenticate to PI. Best regards, |
|
Hey Teddy, I can reproduce the error if I define a wrong username and password combination in the provider configuration file. Can you please check your config and the user? In this case the DebugView should also provide the exception message: |
|
If sbidy is right and the credentials of the service account are wrong, then you should see a failed ``auth`` request in the audit log.
null
|
|
We do use the trigger, as we are using SMS messages. I have verified that the user/pwd is correct on all 4 ADFS servers and I have also tested them directly one by one. |
|
I did have a few cases I wanted to collect log data from. But correct me if I'm wrong: I need to have the debugviewer.exe running while testing in order to collect any of the log output? Does the log data exist in the event log or in any text files? Best regards, |
|
Yes, you must run the debugview tool in the capture mode open.
Unfortunately the debugview.exe must be running and in capture mode all the time. |
|
Thank you, sbidy. I will ask my overseas colleagues to have the program running in capture mode on the servers for now and then wait until this bug occurs again (if ever). |
Hi Sbidy,
A couple of times we have experienced that a blank username, realm and transaction_id is sent to PI. I wonder if this happens on an ADFS farm if the connection is not persistent and therefore:
Is there a way (or maybe this is already happening) to capture the actual username also when submitting the OTP, or does this only happen on the step before reaching the OTP screen?
This probably happened 4 times during 50 logins. We are still testing with just around 15 people. We will however roll out to 18.000 users shortly (hopefully).
Best regards,
Teddy
The text was updated successfully, but these errors were encountered: