2FA Duo not redirecting back - Error 500 response

Tomas Maggio
Hi,

I've managed to configure 2FA using the Duo documentation. In the environment that I installed Guacamole I use a reverse NGINX proxy (all setup as per documentation and seems to work perfectly before configuring 2FA).

www ----> FW ----> Nginx ----> Tomcat/Guacamole

This is the successful result of DUO:
http://pix.toile-libre.org/upload/original/1489613233.png

This is the response that I see in the browser:
Catalina log shows:
Mar 16, 2017 10:39:52 AM org.webjars.servlet.WebjarsServlet doGet
INFO: Webjars resource requested: /META-INF/resources/webjars/filesaver/1.3.3/FileSaver.min.js
Mar 16, 2017 10:39:52 AM org.webjars.servlet.WebjarsServlet doGet
INFO: Webjars resource requested: /META-INF/resources/webjars/angular-module-shim/0.0.4/angular-module-shim.js
Mar 16, 2017 10:40:10 AM com.sun.jersey.spi.container.ContainerResponse logException
SEVERE: Mapped exception to response: 500 (Internal Server Error)
org.apache.guacamole.rest.APIException
        at org.apache.guacamole.rest.RESTExceptionWrapper.invoke(RESTExceptionWrapper.java:187)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)


Localhost access log (Tomcat) shows:
192.168.2.184 - - [16/Mar/2017:10:39:52 +1300] "GET /guacamole/webjars/blob-polyfill/1.0.20150320/Blob.js HTTP/1.1" 200 6148
192.168.2.184 - - [16/Mar/2017:10:39:52 +1300] "GET /guacamole/webjars/filesaver/1.3.3/FileSaver.min.js HTTP/1.1" 200 2446
192.168.2.184 - - [16/Mar/2017:10:39:52 +1300] "GET /guacamole/webjars/angular-module-shim/0.0.4/angular-module-shim.js HTTP/1.1" 200 774
192.168.2.184 - - [16/Mar/2017:10:39:52 +1300] "GET /guacamole/app.js?v=0.9.11-incubating HTTP/1.1" 200 289363
192.168.2.184 - - [16/Mar/2017:10:39:53 +1300] "GET /guacamole/api/patches HTTP/1.1" 200 352
192.168.2.184 - - [16/Mar/2017:10:39:53 +1300] "GET /guacamole/api/languages HTTP/1.1" 200 136
192.168.2.184 - - [16/Mar/2017:10:39:53 +1300] "GET /guacamole/translations/en.json HTTP/1.1" 200 31949
192.168.2.184 - - [16/Mar/2017:10:39:53 +1300] "POST /guacamole/api/tokens HTTP/1.1" 403 237
192.168.2.184 - - [16/Mar/2017:10:40:00 +1300] "POST /guacamole/api/tokens HTTP/1.1" 403 529
192.168.2.184 - - [16/Mar/2017:10:40:10 +1300] "POST /guacamole/api/tokens HTTP/1.1" 500 211

Wonder if any of you guys saw anything like this or can point me in the right direction.


Cheers,

Tomas Maggio
+64 22 040 9517
Re: 2FA Duo not redirecting back - Error 500 response

Mike Jumper
Hi Tomas,

Judging from the other error, you are also configuring LDAP, correct? It looks like you're missing one of the properties required for LDAP auth to work, "ldap-user-base-dn":


Are you using anything else besides Duo and LDAP?

- Mike



Re: 2FA Duo not redirecting back - Error 500 response

Tomas Maggio
Hi Mike,

Yeah, I saw that and it's odd cause I'm not using LDAP. I'll double check it's not enabled.

I have the feeling that could be related to permissions from some file related to the 2FA extension. I'm going to go over the documentation again and make sure they have the right owners set.

Cheers



Re: 2FA Duo not redirecting back - Error 500 response

Tomas Maggio
So, LDAP was not configured BUT the extension was installed. It's now gone, and made some progress:

This error now comes back after I successfully approve the DUO push code:

http://imgur.com/84SpPdD


The error relates to the following piece of code:

-        // If signed response does not verify this user's identity, abort auth
-        if (!duoWebService.isValidSignedResponse(authenticatedUser, 
signedResponse))
-            throw new 
GuacamoleClientException("LOGIN.INFO_DUO_VALIDATION_CODE_INCORRECT");


Going to try and see if I can get more logs or find a clue on why it fails.

Cheers



Regards,

Tomas Maggio
+64 22 040 9517
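
Added example (not part of the thread, and not Guacamole's or Duo's code): a simplified model of the kind of check behind `isValidSignedResponse`, assuming the `AUTH|payload|sig:APP|payload|sig` HMAC-SHA1 layout of Duo's legacy Web SDK. It shows how several distinct failures (wrong key, expired response, username mismatch) all end in the single validation error quoted above; every key, username and timestamp below is constructed.

```python
import base64, hashlib, hmac

# Constructed sample values, not real Duo credentials.
IKEY, SKEY, AKEY, NOW = "DIXXXXXXXXXXXXXXXXXX", b"s" * 40, b"a" * 40, 1489700000

def mac(key, body):
    return hmac.new(key, body.encode(), hashlib.sha1).hexdigest()

def sign(key, prefix, user, expiry):
    """Build PREFIX|base64(user|ikey|expiry)|HMAC-SHA1 (used here to make test input)."""
    body = prefix + "|" + base64.b64encode(f"{user}|{IKEY}|{expiry}".encode()).decode()
    return body + "|" + mac(key, body)

def parse(key, prefix, cookie, now):
    """Return (user, None) if one half verifies, else (None, reason)."""
    parts = cookie.split("|")
    if len(parts) != 3 or parts[0] != prefix:
        return None, prefix + ": malformed"
    # Verify the MAC in constant time before trusting anything in the payload.
    if not hmac.compare_digest(mac(key, parts[0] + "|" + parts[1]).encode(), parts[2].encode()):
        return None, prefix + ": bad signature"
    try:
        user, ikey, expiry = base64.b64decode(parts[1]).decode().split("|")
        expired = int(expiry) <= now
    except ValueError:
        return None, prefix + ": bad payload"
    if ikey != IKEY:
        return None, prefix + ": wrong integration key"
    if expired:
        return None, prefix + ": expired"
    return user, None

def why_invalid(expected_user, sig_response, now=NOW):
    """Return None if the response proves expected_user, else the specific reason."""
    auth, sep, app = sig_response.partition(":")
    if not sep:
        return "missing APP half"
    auth_user, err = parse(SKEY, "AUTH", auth, now)
    if err:
        return err
    app_user, err = parse(AKEY, "APP", app, now)
    if err:
        return err
    if not (auth_user == app_user == expected_user):
        return "username mismatch"
    return None

def response(user, skey=SKEY, akey=AKEY, expiry=NOW + 300):
    return sign(skey, "AUTH", user, expiry) + ":" + sign(akey, "APP", user, expiry)
```

Logging the specific reason on the server while still returning one generic message to the client makes a failure like this diagnosable without telling the client which check failed.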
