TLS 1.3 SSLHandshakeException Protocol error

2022-12-09 Thread Dino Edwards
Trying this again...

Hello,

I'm trying to get OIDC to work with TLS 1.3 on the authentication endpoint.
When I had TLS 1.2 as an enabled protocol it worked with no problems. As
soon as I enabled TLS 1.3 only, the authentication fails with the following
error:

Rejected invalid OpenID token: JWT processing failed. Additional details:
[[17] Unable to process JOSE object (cause:
org.jose4j.lang.UnresolvableKeyException: Unable to find a suitable
verification key for JWS w/ header
{"alg":"RS256","kid":"be8eba","typ":"JWT"} due to an unexpected exception
(javax.net.ssl.SSLHandshakeException: Received fatal alert:
protocol_version) while obtaining or using keys from JWKS endpoint at
https://auth.domain.tld/jwks.json)

I would appreciate some help.

Thanks

TLS 1.3 SSLHandshakeException Protocol error

2022-12-01 Thread Dino Edwards
Hello,

I'm trying to get OIDC to work with TLS 1.3 on the authentication endpoint.
When I had TLS 1.2 as an enabled protocol it worked with no problems. As
soon as I enabled TLS 1.3 only, the authentication fails with the following
error:

Rejected invalid OpenID token: JWT processing failed. Additional details:
[[17] Unable to process JOSE object (cause:
org.jose4j.lang.UnresolvableKeyException: Unable to find a suitable
verification key for JWS w/ header
{"alg":"RS256","kid":"be8eba","typ":"JWT"} due to an unexpected exception
(javax.net.ssl.SSLHandshakeException: Received fatal alert:
protocol_version) while obtaining or using keys from JWKS endpoint at
https://auth.domain.tld/jwks.json)

I would appreciate some help.

Thanks

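The alert in the log is the server's half of a failed version negotiation: the JWKS client (jose4j's HTTPS fetch, which runs on the JVM's default TLS client settings) offered no protocol version that the TLS 1.3-only endpoint accepts, so the server answered with a fatal protocol_version alert and the key for kid be8eba could never be downloaded. The Go program below, an added example and not Guacamole's or jose4j's code, reproduces that exchange in-process: a loopback HTTPS server that accepts TLS 1.3 only serves a constructed JWKS (placeholder RSA modulus, not a real key), a client capped at TLS 1.2 fails the handshake at the point where jose4j wrapped its SSLHandshakeException, and the same client allowed to offer TLS 1.3 resolves the kid. The loopback server, the JWKS contents and the use of Go's net/http client in place of the JVM's are assumptions of the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed sample JWKS document, shaped like what an OpenID provider
// publishes at /jwks.json. The kid matches the JWT header in the error
// above; the modulus is a placeholder, not a real key.
const sampleJWKS = `{"keys":[{"kty":"RSA","use":"sig","alg":"RS256","kid":"be8eba","n":"placeholder","e":"AQAB"}]}`

// JWK holds the fields of one key that the resolver needs.
type JWK struct {
	Kty string `json:"kty"`
	Use string `json:"use"`
	Alg string `json:"alg"`
	Kid string `json:"kid"`
}

// JWKSet is the {"keys":[...]} envelope.
type JWKSet struct {
	Keys []JWK `json:"keys"`
}

// NewJWKSServer starts a loopback HTTPS server that, like the endpoint in
// the thread, accepts TLS 1.3 only. httptest supplies a self-signed cert.
func NewJWKSServer() *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, sampleJWKS)
	}))
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS13}
	srv.StartTLS()
	return srv
}

// FetchKey plays the JWKS resolver: it downloads the key set with a client
// whose highest offered protocol is maxVersion and returns the key whose kid
// matches the JWT header. A handshake failure surfaces as the error from
// client.Get, the same place jose4j reported its UnresolvableKeyException.
func FetchKey(srv *httptest.Server, maxVersion uint16, kid string) (*JWK, error) {
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig:   &tls.Config{RootCAs: pool, MaxVersion: maxVersion},
		DisableKeepAlives: true,
	}}
	resp, err := client.Get(srv.URL + "/jwks.json")
	if err != nil {
		return nil, fmt.Errorf("obtaining keys from JWKS endpoint: %w", err)
	}
	defer resp.Body.Close()
	var set JWKSet
	if err := json.NewDecoder(resp.Body).Decode(&set); err != nil {
		return nil, err
	}
	for i := range set.Keys {
		if set.Keys[i].Kid == kid {
			return &set.Keys[i], nil
		}
	}
	return nil, fmt.Errorf("no key with kid %q in JWKS", kid)
}

func main() {
	srv := NewJWKSServer()
	defer srv.Close()
	// A client that only offers up to TLS 1.2: the server replies with a
	// protocol_version alert and no verification key can be resolved.
	if _, err := FetchKey(srv, tls.VersionTLS12, "be8eba"); err != nil {
		fmt.Println("TLS 1.2 client:", err)
	}
	// The same client allowed to offer TLS 1.3 resolves the kid.
	if key, err := FetchKey(srv, tls.VersionTLS13, "be8eba"); err == nil {
		fmt.Printf("TLS 1.3 client: found %s key %s\n", key.Alg, key.Kid)
	}
}
```

The check on the Guacamole side is the client half of this example: the JVM running the webapp must itself be able to offer TLS 1.3 (present in JDK 11 and later, and in JDK 8 from update 261), and a `jdk.tls.client.protocols` setting must not be restricting it to TLS 1.2. `openssl s_client -tls1_3 -connect auth.domain.tld:443` confirms the endpoint side independently of Java.
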
Guacamole on Docker, Postgresql The authentication type 10 is not supported.

2021-12-14 Thread Dino Edwards
When trying to launch Guacamole on Docker using postgresql, we get the 
following error:

The authentication type 10 is not supported

Looking at the following Guacamole Jira issue, it indicates that it has been 
Resolved:

https://issues.apache.org/jira/browse/GUACAMOLE-1433

However, this does not seem to be the case because pulling the latest Guacamole
image still has the same error. The only way to get around this issue is to
edit the pg_hba.conf and set the following line:

host  all  all  scram-sha-256

to

host  all  all  trust

and the error goes away.

Am I missing something here or has the fix not trickled to the latest Guacamole 
image?

Thanks

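Authentication type 10 is AUTH_REQ_SASL, the request the server sends when pg_hba.conf selects scram-sha-256; a client that implements no SASL mechanism cannot answer it, and the PostgreSQL JDBC driver only gained SCRAM-SHA-256 in 42.2.0. Changing the line to trust makes the error disappear because the server then sends AuthenticationOk without checking a password at all, which is a much weaker setting than the one it replaced. The Go program below, an added example rather than code from Guacamole or pgjdbc, encodes and decodes the server's Authentication message and shows the driver-side decision for an old driver and a SCRAM-capable one. The mechanism list and the message bytes are constructed samples, not captured traffic.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authentication request codes carried in the backend's 'R' message
// (PostgreSQL frontend/backend protocol). Code 10 is the one in the error.
const (
	authOK                = 0  // sent immediately when pg_hba.conf says "trust"
	authCleartextPassword = 3
	authMD5Password       = 5
	authSASL              = 10 // sent when pg_hba.conf says "scram-sha-256"
	authSASLContinue      = 11
	authSASLFinal         = 12
)

// AuthRequest is a decoded Authentication message.
type AuthRequest struct {
	Code       int32
	Mechanisms []string // SASL mechanisms offered; only set for authSASL
}

// AuthName maps a request code to its protocol name.
func AuthName(code int32) string {
	switch code {
	case authOK:
		return "AuthenticationOk"
	case authCleartextPassword:
		return "AuthenticationCleartextPassword"
	case authMD5Password:
		return "AuthenticationMD5Password"
	case authSASL:
		return "AuthenticationSASL"
	case authSASLContinue:
		return "AuthenticationSASLContinue"
	case authSASLFinal:
		return "AuthenticationSASLFinal"
	}
	return fmt.Sprintf("unknown(%d)", code)
}

// ParseAuthRequest decodes one Authentication message: 'R', Int32 length
// (counting itself), Int32 code, and for AuthenticationSASL a list of
// NUL-terminated mechanism names ended by an empty string.
func ParseAuthRequest(msg []byte) (*AuthRequest, error) {
	if len(msg) < 9 || msg[0] != 'R' {
		return nil, errors.New("not an Authentication ('R') message")
	}
	length := int(binary.BigEndian.Uint32(msg[1:5]))
	if length < 8 || 1+length > len(msg) {
		return nil, fmt.Errorf("bad message length %d", length)
	}
	body := msg[5 : 1+length]
	req := &AuthRequest{Code: int32(binary.BigEndian.Uint32(body[:4]))}
	if req.Code != authSASL {
		return req, nil
	}
	rest := body[4:]
	for {
		i := bytes.IndexByte(rest, 0)
		if i < 0 {
			return nil, errors.New("unterminated SASL mechanism list")
		}
		if i == 0 {
			return req, nil // empty string terminates the list
		}
		req.Mechanisms = append(req.Mechanisms, string(rest[:i]))
		rest = rest[i+1:]
	}
}

// EncodeSASLRequest builds the message a server sends for scram-sha-256
// (a constructed sample used as input below).
func EncodeSASLRequest(mechs []string) []byte {
	var body bytes.Buffer
	var code [4]byte
	binary.BigEndian.PutUint32(code[:], authSASL)
	body.Write(code[:])
	for _, m := range mechs {
		body.WriteString(m)
		body.WriteByte(0)
	}
	body.WriteByte(0)
	var hdr [5]byte
	hdr[0] = 'R'
	binary.BigEndian.PutUint32(hdr[1:], uint32(4+body.Len()))
	return append(hdr[:], body.Bytes()...)
}

// ClientCanProceed is the driver-side decision: given the SASL mechanisms a
// client implements, can it answer this request? pgjdbc before 42.2.0
// implements none, which is the "authentication type 10 is not supported"
// failure; 42.2.0 and later implement SCRAM-SHA-256.
func ClientCanProceed(req *AuthRequest, saslMechs map[string]bool) error {
	switch req.Code {
	case authOK, authCleartextPassword, authMD5Password:
		return nil
	case authSASL:
		for _, m := range req.Mechanisms {
			if saslMechs[m] {
				return nil
			}
		}
	}
	return fmt.Errorf("authentication type %d (%s) is not supported", req.Code, AuthName(req.Code))
}

func main() {
	req, _ := ParseAuthRequest(EncodeSASLRequest([]string{"SCRAM-SHA-256-PLUS", "SCRAM-SHA-256"}))
	fmt.Printf("server asks for %s, mechanisms %v\n", AuthName(req.Code), req.Mechanisms)
	fmt.Println("pgjdbc < 42.2.0:", ClientCanProceed(req, nil))
	fmt.Println("pgjdbc >= 42.2.0:", ClientCanProceed(req, map[string]bool{"SCRAM-SHA-256": true}))
}
```
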
RE: Duo LOGIN.INFO_DUO_VALIDATION_CODE_INCORRECT

2020-05-22 Thread Dino Edwards


> I think this may just be incorrect logging of an error. Additional
> logging was introduced recently which was intended to point out when an
> internal error blocks authentication, but an invalid Duo code is not an
> internal error and doesn't block auth from working.
>
> Except for this error appearing in the logs, do things work as expected?
>
> - Mike

Actually no. I never get the Duo prompt. I get the following message with a
Continue button:

LOGIN.INFO_DUO_AUTH_REQUIRED

Once I click the Continue button, I get logged in to Guacamole.

Duo LOGIN.INFO_DUO_VALIDATION_CODE_INCORRECT

2020-05-21 Thread Dino Edwards
As the subject implies, I'm getting the following error trying to authenticate 
through Duo.

The actual error log is below:

20:41:02.883 [localhost-startStop-1] INFO  o.a.g.extension.ExtensionModule - 
Extension "Duo TFA Authentication Backend" loaded.

20:41:55.912 [http-nio-8080-exec-3] WARN  o.a.g.e.AuthenticationProviderFacade 
- The "duo" authentication provider has been skipped due to an internal error. 
If this is unexpected or you are the developer of this authentication provider, 
you may wish to enable debug-level logging: 
LOGIN.INFO_DUO_VALIDATION_CODE_INCORRECT

I have Duo authentication working on another installation using LDAP as 
authentication. In this installation, I'm simply trying to use database 
(postgresql) authentication. Is this not possible? Do I need to use LDAP with 
Duo or am I doing something wrong here? I've checked and double checked my 
config and everything looks as it should.

This is guacamole on Docker btw if it makes any difference.

Thanks in advance

RE: Guacamole 1.1.0 and LDAP binding on M$ AD

2020-03-20 Thread Dino Edwards
Here's my config which works in Win 2k12 AD domain. It's for docker but you'll 
get the idea:

#LDAP Authentication
  LDAP_HOSTNAME: dc.domain.tld
  LDAP_PORT: 389
  LDAP_ENCRYPTION_METHOD: none  # Allowed values are none, ssl or starttls
  LDAP_SEARCH_BIND_DN: CN=guacamole,OU=Guacamole Users,DC=domain,DC=tld
  LDAP_SEARCH_BIND_PASSWORD: super_secret_pass
  LDAP_USER_BASE_DN: OU=Guacamole Users,DC=domain,DC=tld
  LDAP_USERNAME_ATTRIBUTE: sAMAccountName

Created a "Guacamole Users" OU and I moved users that need to authenticate to
guacamole into it. Then I created the guacamole user in that same OU with the
"super_secret_password" above and then I created the same user with NO password
in the guacamole Web GUI and gave admin access to it. Then I logged into the
guacamole Web GUI with the guacamole user's AD creds. Then I was able to see the
users in the "Guacamole Users" OU. I verified that users in that OU were able to
login to Guacamole with their AD creds.

Hope this helps.

-Original Message-
From: Caleb Crawford  
Sent: Friday, March 20, 2020 3:12 PM
To: user@guacamole.apache.org
Subject: Re: Guacamole 1.1.0 and LDAP binding on M$ AD

First thing to check: Is 'uid' what you want there? The property in our AD is 
'uidNumber' - though I think what you actually want there is 'sAMAccountName'. 
I also don't immediately see the config setting 'ldap-user-attributes' in the 
documentation which might be breaking things.

Here's a comparison to my config which is working without issue:

ldap-hostname: ldap.ad.mydomain
ldap-port: 389
ldap-user-base-dn: OU=MYOU,DC=MY,DC=DOMAIN
ldap-search-bind-dn: cn=ldapuser,ou=Users,OU=MYOU,DC=MY,DC=DOMAIN
ldap-search-bind-password: myldapuserpassword
ldap-username-attribute: sAMAccountName
ldap-user-search-filter: 
(&(objectClass=user)(!(objectClass=computer))(CustomString2=*)(!(CustomString2=/nonexistent)))
ldap-group-base-dn: OU=Guacamole Access Groups,OU=MYOU,DC=MY,DC=DOMAIN

On 3/20/20 6:35 AM, Niubbo75 wrote:
> Hello all, I'm going crazy trying to connect to Guacamole via LDAP
> using M$ AD users.
> Here is my LDAP configuration in guacamole.properties (some personal
> data omitted):
>
> 
> # LDAP Configuration
> ldap-hostname: 192.168.1.249
> ldap-port: 389
> ldap-encryption-method: none
> ldap-search-bind-dn: CN=Administrator,CN=Users,DC=DOMAIN,DC=local
> ldap-search-bind-password: S3cr3t!
> ldap-user-base-dn: CN=Users,DC=DOMAIN,DC=local
> ldap-username-attribute: uid
> ldap-user-attributes: sAMAccountName
> ldap-config-base-dn: CN=Guacamole,CN=Users,DC=DOMAIN,DC=local
> 
>
> I use Administrator as the bind user. I have also created it as a
> Guacamole MySQL user and I can log in without any problem (I created
> the user with the same password the domain user has). When I log in
> with Administrator in Guacamole and go to Settings => Users I can't see
> the domain users, and if I try to log in with a domain user other than
> Administrator I get this:
>
> 14:21:44.191 [http-nio-8080-exec-6] WARN  
> o.a.g.r.auth.AuthenticationService
> - Authentication attempt from 192.168.1.73 for user "mydomainuser" failed.
>
> The LDAP module is loaded correctly from what I can read in catalina.out,
> and the bind also seems to be correct because I can't see any errors or
> warnings related to it. I have these messages:
>
> Loading class `com.mysql.jdbc.Driver'. This is deprecated. The new 
> driver class is `com.mysql.cj.jdbc.Driver'. The driver is 
> automatically registered via the SPI and manual loading of the driver class 
> is generally unnecessary.
> 14:15:26.414 [http-nio-8080-exec-3] INFO 
> o.a.d.a.l.c.o.DefaultLdapCodecService - 
> MSG_06000_REGISTERED_CONTROL_FACTORY
> (1.3.6.1.4.1.18060.0.0.1)
> 14:15:26.415 [http-nio-8080-exec-3] INFO 
> o.a.d.a.l.c.o.DefaultLdapCodecService - 
> MSG_06000_REGISTERED_CONTROL_FACTORY
> (2.16.840.1.113730.3.4.7)
> 14:15:26.415 [http-nio-8080-exec-3] INFO 
> o.a.d.a.l.c.o.DefaultLdapCodecService - 
> MSG_06000_REGISTERED_CONTROL_FACTORY
> (2.16.840.1.113730.3.4.2)
> 14:15:26.416 [http-nio-8080-exec-3] INFO 
> o.a.d.a.l.c.o.DefaultLdapCodecService - 
> MSG_06000_REGISTERED_CONTROL_FACTORY
> (1.2.840.113556.1.4.319)
> 14:15:26.416 [http-nio-8080-exec-3] INFO 
> o.a.d.a.l.c.o.DefaultLdapCodecService - 
> MSG_06000_REGISTERED_CONTROL_FACTORY
> (2.16.840.1.113730.3.4.3)
> 14:15:26.417 [http-nio-8080-exec-3] INFO 
> o.a.d.a.l.c.o.DefaultLdapCodecService - 
> MSG_06000_REGISTERED_CONTROL_FACTORY
> (2.16.840.1.113730.3.4.18)
> 14:15:26.417 [http-nio-8080-exec-3] INFO 
> o.a.d.a.l.c.o.DefaultLdapCodecService - 
> MSG_06000_REGISTERED_CONTROL_FACTORY
> (1.2.840.113556.1.4.473)
> 14:15:26.418 [http-nio-8080-exec-3] INFO 
> o.a.d.a.l.c.o.DefaultLdapCodecService - 
> MSG_06000_REGISTERED_CONTROL_FACTORY
> (1.2.840.113556.1.4.474)
> 14:15:26.418 [http-nio-8080-exec-3] INFO 
> o.a.d.a.l.c.o.DefaultLdapCodecService - 
> 

RE: Docker with LDAP and TOTP

2020-03-18 Thread Dino Edwards
I seem to be having a similar issue. I cannot get LDAP to work with the docker
image at all.

The only way I can get any error is if I purposely misconfigure the LDAP
settings and try to login; then I get an LDAP error. Otherwise I get nothing in
the logs about a successful logon.

Is there a debug mode for the logs in the docker image?

LDAP support seems to be enabled:

12:24:27.296 [localhost-startStop-1] INFO  o.a.g.extension.ExtensionModule - 
Extension "LDAP Authentication" loaded.

From: Guilherme Carvalho 
Sent: Wednesday, March 18, 2020 9:21 AM
To: user@guacamole.apache.org
Subject: Docker with LDAP and TOTP

Hey guys, I'm having problems with the connection to my guacamole 1.1.0 running
on docker with LDAP and TOTP. How should I run the command for the connection?

I'm using this:

docker run --name guacamole --link guacd:guacd --link guac-mysql:mysql \
-e MYSQL_DATABASE='guacamole' \
-e MYSQL_USER='guacamole' \
-e MYSQL_PASSWORD='MySQLPassword' \
-e LDAP-HOSTNAME='IP-LDAP-WINDOWS' \
-e LDAP-PORT='389' \
-e LDAP-USER-BASE-DN='DC=redisul,DC=com,DC=br' \
-e LDAP-SEARCH-BIND-DN='CN=Guilherme 
Carvalho,OU=Engenharia,OU=Usuarios,OU=Sede,DC=redisul,DC=com,DC=br' \
-e LDAP-SEARCH-BIND-PASSWORD='MyPasswordFromAd' \
-e LDAP-USERNAME-ATTRIBUTE='sAMAccountName' \
-d -p 8080:8080 guacamole/guacamole

This information from LDAP is working fine from guacamole running on Ubuntu,
but not working from Docker. What could it be?

How do I install TOTP as a second authentication factor?

Thanks
Guilherme Carvalho