Checked the clocks? I had a similar one where Duo was returning a timestamp too far away from the guaca server.
Cheers On 1 Nov 2017 08:17, "beezel" <[email protected]> wrote: > I'm still running 9.12, so I hope that I am not shooting myself in the foot > with this already (and the Duo jar is also 9.12). > > We have Guac successfully installed on centos 7, and have configured it > according to the official docs, using AJP to forward from Apache back to > Tomcat and also using 443 to 8443 and 80 to 8443 in our server.xml tomcat > configuration. > > Guac is working fine, until we attempt to use Duo. > > I followed this guide > https://www.cb-net.co.uk/linux/enabling-duo-dual-multi- > factor-authentication-mfa-for-guacamole-docker/ > to setup Duo with Web SDK access, and everything 'appears' to work. IE, in > Duo I see users register, I get push notifications, and you get a > successful > login and our Guac page acknowledges when you accept the 2FA via Duo > Mobile. > > However, it just hangs there at "Success! Logging you in..." > > Console view shows: > POST https://remote.domain.com/api/tokens 400 (Bad Request) > angular.js:9902 > > In Chrome DevTools Network, I also see: > > invalid (failed) VM1051 preauth.js?v=31dcc:1 > > > To make sure it wasn't some redirect problem, I am accessing it internally > (no firewall) and have disabled the 443->8443 and 80->8443 redirects that > were present in my server.xml. I am also trying to use > https://remote.domain.com:8443/ specifically to bypass any redirection > issues. > > I did setup mod_proxy_wstunnel just to be safe - but we're using the Web > SDK > which I do not think uses this method. > > It seems to be that /api/tokens is not accessible (I see 403 Forbiddens to > that url when logging in). > > When removing the duo.jar and commenting out the duo- lines in > guacamole.properties I still receive the /api/tokens 403 Forbidden when > loading the guac login page, but everything works successfully, so I am > unsure if this is related or not. > > Any suggestions? > > > > -- > Sent from: http://apache-guacamole-incubating-users.2363388.n4.nabble.com/ >
