Getting SEC_E_LOGON_DENIED error #104

Open
DanBrk opened this issue Jul 29, 2021 · 5 comments

DanBrk commented Jul 29, 2021

I am using node-expose-sspi: "0.1.59" with NodeJs version 12.21
The machine is Windows Server 2016 and it is part of an Active Directory domain.

My application, which includes node-expose-sspi, runs with node.exe and it is behind an IIS reverse proxy site.
The IIS site is configured with 'Windows Authentication' (in the site's authentication settings).

The SSO client sends a command with a Negotiate header to the IIS. From the IIS logs I can see that the context user is correct. In my case '[email protected]'
The following line is from the IIS logs, and you can see that the user '[email protected]' is successfully authenticated by the IIS:

2021-07-28 06:20:27 172.16.3.118 GET /service/user/ X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=71bdc519-e623-4dea-ac7a-45d854512e72&SERVER-STATUS=400 9711 [email protected] 212.143.74.254 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/92.0.4515.107+Safari/537.36+Edg/92.0.902.55 https://saml-tst.storenext.co.il/purple-land/ 400 0 0 0

node-expose-sspi in my node application throws:
UnauthorizedError: SEC_E_LOGON_DENIED. (incorrect login/password, or account disabled, or locked, etc.). Protocol Message = Kerberos_1.

Is there a way to see 'node-expose-sspi' debug info from my server console?
What can cause that error and how can I make it work?

@jlguenego
Owner

You are using Kerberos. Sometimes, a delay is required before your credentials are synchronized between your Windows account session and the Active Directory. Maybe a logout/login would refresh your credentials?

@jlguenego
Owner

Can you also test the node website without the reverse proxy? Because maybe your reverse proxy does not send the right HTTP header to the node webserver.

DanBrk closed this as completed Aug 1, 2021
DanBrk reopened this Aug 1, 2021
@DanBrk
Author

DanBrk commented Aug 1, 2021

> Can you also test the node website without the reverse proxy? Because maybe your reverse proxy does not send the right HTTP header to the node webserver.

Everything works fine when connected directly without the IIS reverse proxy.

My reverse proxy configuration is:

<rewrite>
    <rules>
        <rule name="ReverseProxyInboundRule1" stopProcessing="true">
            <match url="(.*)" />
            <action type="Rewrite" url="http://localhost:2525/{R:1}" />
        </rule>
    </rules>
</rewrite>

Any advice on what it can be?

Thanks

@jlguenego
Owner

jlguenego commented Aug 1, 2021 via email

@DanBrk
Author

DanBrk commented Aug 2, 2021

The Authorization header exists and it looks fine.
I opened DEBUG and this is what I get when I am behind the reverse proxy:

node-expose-sspi:auth Kerberos_1 details:  {
  principalName: '[HTTP/tst.store.com]',
  realm: '[My Domain]'
} +0ms
  node-expose-sspi:auth input just before calling AcceptSecurityContext {
  credential: '0x000002823819c510.0x000001f7835d4b80',
  SecBufferDesc: { ulVersion: 0, buffers: [ [ArrayBuffer] ] }
} +0ms
  node-expose-sspi:auth serverSecurityContext just after AcceptSecurityContext {
  contextHandle: '0x0000000000000000.0x0000000000000000',
  contextAttr: [],
  SecBufferDesc: { ulVersion: 0, buffers: [ [ArrayBuffer] ] },
  SECURITY_STATUS: 'SEC_E_LOGON_DENIED'
} +0ms
Error: tag not yet implemented (decimal): 0
    at Function.getLabel (D:\Portal\Purple-UI-Services\node_modules\@jlguenego\asn.1\build\src\TagDecoder.js:11:23)
    at readSimple (D:\Portal\Purple-UI-Services\node_modules\@jlguenego\asn.1\build\src\codec\ber\decoder\BERDecoder.js:116:43)
    at Object.BERDecode (D:\Portal\Purple-UI-Services\node_modules\@jlguenego\asn.1\build\src\codec\ber\decoder\BERDecoder.js:27:12)
    at Function.parseMsg (D:\Portal\Purple-UI-Services\node_modules\@jlguenego\asn.1\build\src\ASN1.js:24:33)
    at Object.getKerberosResponseDetails (D:\Portal\Purple-UI-Services\node_modules\node-expose-sspi\dist\sso\kerberos.js:26:34)
    at D:\Portal\Purple-UI-Services\node_modules\node-expose-sspi\dist\sso\auth.js:119:67
    at D:\Portal\Purple-UI-Services\node_modules\node-expose-sspi\dist\sso\auth.js:190:11
    at Layer.handle [as handle_request] (D:\Portal\Purple-UI-Services\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (D:\Portal\Purple-UI-Services\node_modules\express\lib\router\index.js:317:13)
    at D:\Portal\Purple-UI-Services\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (D:\Portal\Purple-UI-Services\node_modules\express\lib\router\index.js:335:12)
    at next (D:\Portal\Purple-UI-Services\node_modules\express\lib\router\index.js:275:10)
    at D:\Portal\Purple-UI-Services\index.js:25:2
    at Layer.handle [as handle_request] (D:\Portal\Purple-UI-Services\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (D:\Portal\Purple-UI-Services\node_modules\express\lib\router\index.js:317:13)
    at D:\Portal\Purple-UI-Services\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (D:\Portal\Purple-UI-Services\node_modules\express\lib\router\index.js:335:12)
    at next (D:\Portal\Purple-UI-Services\node_modules\express\lib\router\index.js:275:10)
    at expressInit (D:\Portal\Purple-UI-Services\node_modules\express\lib\middleware\init.js:40:5)
    at Layer.handle [as handle_request] (D:\Portal\Purple-UI-Services\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (D:\Portal\Purple-UI-Services\node_modules\express\lib\router\index.js:317:13)
    at D:\Portal\Purple-UI-Services\node_modules\express\lib\router\index.js:284:7
  node-expose-sspi:adConnection openADConnection: counter:  1 +28s
  node-expose-sspi:adConnection closeADConnection: counter:  0 +16ms
  node-expose-sspi:mutex acquire +28s

When not behind reverse proxy the only difference is that I get 'SEC_E_OK':

node-expose-sspi:auth serverSecurityContext just after AcceptSecurityContext {
  contextHandle: '0x0000028238531150.0x000001a2c85f7170',
  contextAttr: [
    'ASC_RET_CONFIDENTIALITY',
    'ASC_RET_CONNECTION',
    'ASC_RET_INTEGRITY'
  ],
  SecBufferDesc: { ulVersion: 0, buffers: [ [ArrayBuffer] ] },
  SECURITY_STATUS: 'SEC_E_OK'
}
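
One way to compare what reaches the Node server with and without the reverse proxy, as an added example that is not part of this thread or of node-expose-sspi: it classifies the Authorization token (NTLM, SPNEGO or raw Kerberos) from its leading bytes without logging the token itself. The names `classifyAuthorization`, `authHeaderProbe` and `sample` are hypothetical, and the sample tokens are constructed.

```javascript
// Added diagnostic sketch; all names here are hypothetical, not node-expose-sspi APIs.
const OID_SPNEGO = Buffer.from('06062b0601050502', 'hex');     // 1.3.6.1.5.5.2
const OID_KRB5 = Buffer.from('06092a864886f712010202', 'hex'); // 1.2.840.113554.1.2.2
const NTLM_SIG = Buffer.from('4e544c4d53535000', 'hex');       // "NTLMSSP\0"

// Returns { scheme, mechanism, length }; the token bytes are never returned.
function classifyAuthorization(header) {
  if (typeof header !== 'string' || header.trim() === '') {
    return { scheme: null, mechanism: 'missing', length: 0 };
  }
  const [scheme, b64 = ''] = header.trim().split(/\s+/, 2);
  const token = Buffer.from(b64, 'base64');
  const result = { scheme, mechanism: 'unknown', length: token.length };
  if (!/^(Negotiate|NTLM)$/i.test(scheme) || token.length < 2) return result;

  if (token.subarray(0, 8).equals(NTLM_SIG)) {
    // Bytes 8..11 hold the little-endian NTLM message type (1, 2 or 3).
    result.mechanism = token.length >= 12
      ? `NTLM type ${token.readUInt32LE(8)}` : 'NTLM (truncated)';
  } else if (token[0] === 0x60) {
    // GSS-API InitialContextToken: [APPLICATION 0], DER length, mechanism OID.
    const lenOctets = token[1] & 0x80 ? token[1] & 0x7f : 0;
    const oidAt = 2 + lenOctets;
    const at = (oid) => token.subarray(oidAt, oidAt + oid.length).equals(oid);
    if (at(OID_SPNEGO)) result.mechanism = 'SPNEGO';
    else if (at(OID_KRB5)) result.mechanism = 'Kerberos';
  } else if (token[0] === 0xa1) {
    result.mechanism = 'SPNEGO NegTokenResp';
  }
  return result;
}

// Express-style middleware: mount it before the SSO middleware on both setups.
function authHeaderProbe(req, res, next) {
  console.log('authorization:', classifyAuthorization(req.headers.authorization));
  next();
}

// Constructed sample headers (token prefixes only, no real credentials).
const sample = (hex) => 'Negotiate ' + Buffer.from(hex, 'hex').toString('base64');
const SAMPLE_SPNEGO = sample('60820100' + '06062b0601050502');
const SAMPLE_KRB5 = sample('600b' + '06092a864886f712010202');
const SAMPLE_NTLM = sample('4e544c4d53535000' + '01000000');
```

Running the same request directly and through the proxy and comparing the logged `scheme`, `mechanism` and `length` shows whether the header arrives unchanged.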
