• Resolved Vyacheslav

    (@vyatcheslav)


    Hello, Team!

    After upgrading to NADI v2.1.3 from 2.1.2, authentication through SSO fails. When I downgrade NADI to version 2.1.2, authentication works correctly.

    Users have already been imported from AD to WP…
    If I enable logging and look at the logs of versions 2.1.2 and 2.1.3 for the same user, the records of version 2.1.3 look very strange.

    Debug log for NADI v2.1.3
    2018-09-25 05:32:25 [INFO] NextADInt_Adi_Authentication_SingleSignOn_Service::kerberosAuth [line 193] SSO authentication triggered using Kerberos for user [email protected]
    2018-09-25 05:32:26 [INFO] NextADInt_Ldap_Connection::createConfiguration [line 104] LDAP connection is *not* encrypted
    2018-09-25 05:32:26 [DEBUG] NextADInt_Ldap_Connection::createConfiguration [line 112] account_suffix =
    2018-09-25 05:32:26 [DEBUG] NextADInt_Ldap_Connection::createConfiguration [line 112] base_dn = DC=corp,DC=local
    2018-09-25 05:32:26 [DEBUG] NextADInt_Ldap_Connection::createConfiguration [line 112] domain_controllers = 192.168.N.XXX 192.168.M.YYY
    2018-09-25 05:32:26 [DEBUG] NextADInt_Ldap_Connection::createConfiguration [line 112] ad_port = 389
    2018-09-25 05:32:26 [DEBUG] NextADInt_Ldap_Connection::createConfiguration [line 112] use_tls =
    2018-09-25 05:32:26 [DEBUG] NextADInt_Ldap_Connection::createConfiguration [line 112] use_ssl =
    2018-09-25 05:32:26 [DEBUG] NextADInt_Ldap_Connection::createConfiguration [line 112] network_timeout = 5
    2018-09-25 05:32:26 [DEBUG] NextADInt_Ldap_Connection::createConfiguration [line 112] ad_username = <out_specific_user>@corp.local
    2018-09-25 05:32:26 [DEBUG] NextADInt_Ldap_Connection::createConfiguration [line 112] ad_password = *** protected password ***
    2018-09-25 05:32:26 [INFO] NextADInt_Adi_Authentication_LoginService::authenticate [line 132] A user tries to log in.
    2018-09-25 05:32:26 [DEBUG] NextADInt_Adi_Authentication_LoginService::getWordPressUser [line 708] Local WordPress user ‘[email protected]’ could not be found
    2018-09-25 05:32:26 [DEBUG] NextADInt_Adi_Authentication_LoginService::tryAuthenticatableSuffixes [line 236] Credentials={login=’[email protected]’,sAMAccountName=’john.doe’,userPrincipalName=’[email protected]’,netbios=”}’ with authenticatable suffixes: ‘corp.local’.
    2018-09-25 05:32:26 [ERROR] NextADInt_Adi_Authentication_LoginService::isUserAuthorized [line 489] User with GUID: ‘john.doe’ is not in an authorization group.
    2018-09-25 05:32:26 [WARNING] NextADInt_Adi_Authentication_LoginService::tryAuthenticatableSuffixes [line 255] Login for Credentials={login=’[email protected]’,sAMAccountName=’john.doe’,userPrincipalName=’[email protected]’,netbios=”} failed: none of the suffixes succeeded
    2018-09-25 05:32:26 [ERROR] NextADInt_Adi_Authentication_SingleSignOn_Service::authenticate [line 117] User could not be authenticated using SSO. The given user is invalid.

    and the user can't access the site through SSO and falls back to the login page.

    Debug log for NADI v2.1.2
    2018-09-25 08:58:57 [INFO] NextADInt_Adi_Authentication_SingleSignOn_Service::kerberosAuth [line 195] SSO authentication triggered using Kerberos for user [email protected]
    2018-09-25 08:58:58 [INFO] NextADInt_Ldap_Connection::createConfiguration [line 104] LDAP connection is *not* encrypted
    2018-09-25 08:58:58 [DEBUG] NextADInt_Ldap_Connection::createConfiguration [line 112] account_suffix =
    2018-09-25 08:58:58 [DEBUG] NextADInt_Ldap_Connection::createConfiguration [line 112] base_dn = DC=corp,DC=local
    2018-09-25 08:58:58 [DEBUG] NextADInt_Ldap_Connection::createConfiguration [line 112] domain_controllers = 192.168.N.XXX 192.168.M.YYY
    2018-09-25 08:58:58 [DEBUG] NextADInt_Ldap_Connection::createConfiguration [line 112] ad_port = 389
    2018-09-25 08:58:58 [DEBUG] NextADInt_Ldap_Connection::createConfiguration [line 112] use_tls =
    2018-09-25 08:58:58 [DEBUG] NextADInt_Ldap_Connection::createConfiguration [line 112] use_ssl =
    2018-09-25 08:58:58 [DEBUG] NextADInt_Ldap_Connection::createConfiguration [line 112] network_timeout = 5
    2018-09-25 08:58:58 [DEBUG] NextADInt_Ldap_Connection::createConfiguration [line 112] ad_username = <out_specific_user>@corp.local
    2018-09-25 08:58:58 [DEBUG] NextADInt_Ldap_Connection::createConfiguration [line 112] ad_password = *** protected password ***
    2018-09-25 08:58:58 [INFO] NextADInt_Adi_Authentication_LoginService::authenticate [line 132] A user tries to log in.
    2018-09-25 08:58:58 [DEBUG] NextADInt_Adi_Authentication_LoginService::getWordPressUser [line 703] Local WordPress user ‘[email protected]’ could not be found
    2018-09-25 08:58:58 [DEBUG] NextADInt_Adi_Authentication_LoginService::tryAuthenticatableSuffixes [line 236] Credentials={login=’[email protected]’,sAMAccountName=’john.doe’,userPrincipalName=’[email protected]’,netbios=”}’ with authenticatable suffixes: ‘corp.local’.
    2018-09-25 08:58:58 [DEBUG] NextADInt_Ldap_Connection::findAttributesOfUser [line 386] UserInfo for user ‘john.doe’: cn={Jonh Doe}, sn={Doe}, … <some_other_data>
    2018-09-25 08:58:58 [DEBUG] NextADInt_Ldap_Connection::findAttributesOfUser [line 386] UserInfo for user ‘john.doe’: cn={Jonh Doe}, sn={Doe}, … <some_other_data>
    2018-09-25 08:58:58 [DEBUG] NextADInt_Adi_User_Manager::createAdiUser [line 178] Created new instance of User john.doe={id=’565′, credentials=’Credentials={login=’[email protected]’,sAMAccountName=’john.doe’,userPrincipalName=’[email protected]’,netbios=”}’}
    2018-09-25 08:58:58 [DEBUG] NextADInt_Adi_Authentication_LoginService::updateUser [line 662] Checking preconditions for updating existing user User john.doe={id=’565′, credentials=’Credentials={login=’[email protected]’,sAMAccountName=’john.doe’,userPrincipalName=’[email protected]’,netbios=”}’}
    2018-09-25 08:58:58 [DEBUG] NextADInt_Adi_User_Manager::updateWordPressAccount
    2018-09-25 08:58:58 [DEBUG] NextADInt_Adi_User_Manager::updateWordPressAccount [line 384] Update User john.doe={id=’565′, credentials=’Credentials={login=’[email protected]’,sAMAccountName=’john.doe’,userPrincipalName=’[email protected]’,netbios=”}’} with this values: {“ID”:565,<some_other_values>}
    2018-09-25 08:58:58 [INFO] NextADInt_Adi_User_Manager::updateSAMAccountName [line 408] Updating sAMAccountName of user ‘565’ to ‘john.doe’
    2018-09-25 08:58:58 [INFO] NextADInt_Adi_User_Manager::updateUserRoles [line 426] Updating user roles for 565 : Mapping cd830cb4-8d68-4410-9741-beea9bc5a186={ad_security_groups='<some_user_groups_from_AD>’,wordpress_roles=”}
    2018-09-25 08:58:58 [INFO] NextADInt_Adi_Role_Manager::synchronizeRoles [line 116] Synchronizing roles of WordPress user with ID 565

    and the user can access the site through SSO and already sees the site's main page.

    Could you help to solve this problem or suggest in which direction the problem should be investigated?
    Thank you in advance!

  • Hello @vyatcheslav,

    We currently have a bug in the SSO authentication service related to the NADI option “AUTHORIZE BY GROUP MEMBERSHIP”. Disabling this option will temporarily fix this bug and SSO should work again as intended.

    We will fix this bug in NADI 2.1.4 which should be released at the end of the week.

    Best regards,
    medan123
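
When a login regression like this one shows up after a plugin upgrade, the two debug traces from the original post can be compared by class and method to find the step where the failing run leaves the working one. This is an added example, not code from the thread or from the NADI project; the embedded log lines are constructed, abridged copies of the entries quoted above, and the function names are hypothetical.

```python
import re

# Constructed input: abridged from the two debug logs quoted in the thread
# (createConfiguration entries dropped, messages shortened, user data removed).
LOG_212 = """\
2018-09-25 08:58:57 [INFO] NextADInt_Adi_Authentication_SingleSignOn_Service::kerberosAuth [line 195] SSO authentication triggered
2018-09-25 08:58:58 [INFO] NextADInt_Adi_Authentication_LoginService::authenticate [line 132] A user tries to log in.
2018-09-25 08:58:58 [DEBUG] NextADInt_Adi_Authentication_LoginService::getWordPressUser [line 703] Local WordPress user could not be found
2018-09-25 08:58:58 [DEBUG] NextADInt_Adi_Authentication_LoginService::tryAuthenticatableSuffixes [line 236] suffixes: corp.local
2018-09-25 08:58:58 [DEBUG] NextADInt_Ldap_Connection::findAttributesOfUser [line 386] UserInfo for user
2018-09-25 08:58:58 [DEBUG] NextADInt_Adi_User_Manager::updateWordPressAccount
"""
LOG_213 = """\
2018-09-25 05:32:25 [INFO] NextADInt_Adi_Authentication_SingleSignOn_Service::kerberosAuth [line 193] SSO authentication triggered
2018-09-25 05:32:26 [INFO] NextADInt_Adi_Authentication_LoginService::authenticate [line 132] A user tries to log in.
2018-09-25 05:32:26 [DEBUG] NextADInt_Adi_Authentication_LoginService::getWordPressUser [line 708] Local WordPress user could not be found
2018-09-25 05:32:26 [DEBUG] NextADInt_Adi_Authentication_LoginService::tryAuthenticatableSuffixes [line 236] suffixes: corp.local
2018-09-25 05:32:26 [ERROR] NextADInt_Adi_Authentication_LoginService::isUserAuthorized [line 489] User is not in an authorization group.
2018-09-25 05:32:26 [WARNING] NextADInt_Adi_Authentication_LoginService::tryAuthenticatableSuffixes [line 255] none of the suffixes succeeded
"""

# timestamp [LEVEL] Class::method [line N] message; "[line N]" may be absent.
ENTRY = re.compile(r"^\S+ \S+ \[(\w+)\] (\w+::\w+)(?: \[line \d+\])?\s*(.*)$")

def parse(log):
    """Return (level, 'Class::method', message) per entry; the line number is
    dropped because it shifts between plugin versions (195 vs 193 above)."""
    return [m.groups() for m in map(ENTRY.match, log.splitlines()) if m]

def first_divergence(good, bad):
    """Index and steps where the failing trace leaves the working one."""
    g, b = parse(good), parse(bad)
    for i, (gs, bs) in enumerate(zip(g, b)):
        if gs[1] != bs[1]:
            return i, gs[1], bs[1]
    return None

def problems(log):
    """Entries logged at WARNING or ERROR, in order."""
    return [(lvl, step) for lvl, step, _ in parse(log)
            if lvl in ("WARNING", "ERROR")]

if __name__ == "__main__":
    print(first_divergence(LOG_212, LOG_213))
    print(problems(LOG_213))
```

On these samples the traces agree up to `tryAuthenticatableSuffixes`; the 2.1.2 run then continues with `findAttributesOfUser`, while the 2.1.3 run logs an error in `isUserAuthorized`, the group-membership check named in the reply above.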

    Thread Starter Vyacheslav

    (@vyatcheslav)

    Hello, @medan123!

    Thank you for the information. We’ll look forward to version 2.1.4.
    And thank you very much for the excellent plugin!

    Fixed with NADI 2.1.4
