jlguenego / node-expose-sspi

Expose Microsoft Windows SSPI to Node for SSO authentication.

Getting SEC_E_LOGON_DENIED error

DanBrk opened this issue · comments

I am using node-expose-sspi: "0.1.59" with NodeJs version 12.21
The machine is Windows Server 2016 and it is part of Active Directory domain.

My application, which includes node-expose-sspi, runs with node.exe and sits behind an IIS reverse proxy site.
The IIS site is configured with 'Windows Authentication' (in the site's authentication settings).

The SSO client sends a command with a Negotiate header to IIS. From the IIS logs I can see that the context user is correct; in my case 'user2b@storenext.co.il'.
The following line from the IIS logs shows that the user 'user2b@storenext.co.il' is successfully authenticated by IIS:

2021-07-28 06:20:27 172.16.3.118 GET /service/user/ X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=71bdc519-e623-4dea-ac7a-45d854512e72&SERVER-STATUS=400 9711 user2b@storenext.co.il 212.143.74.254 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/92.0.4515.107+Safari/537.36+Edg/92.0.902.55 https://saml-tst.storenext.co.il/purple-land/ 400 0 0 0

node-expose-sspi in my node application throws:
UnauthorizedError: SEC_E_LOGON_DENIED. (incorrect login/password, or account disabled, or locked, etc.). Protocol Message = Kerberos_1.

Is there a way to see 'node-expose-sspi' debug info from my server console?
What can cause that error and how can I make it work?

You are using Kerberos. Sometimes, a delay is required before your credentials are synchronized between your Windows account session and the Active Directory. Maybe a logout/login would refresh your credentials?

Can you also test the node website without the reverse proxy? Maybe your reverse proxy does not send the right HTTP header to the node webserver.

Everything works fine when connected directly without the IIS reverse proxy.

My reverse proxy configuration is:

<rewrite>
    <rules>
        <rule name="ReverseProxyInboundRule1" stopProcessing="true">
            <match url="(.*)" />
            <action type="Rewrite" url="http://localhost:2525/{R:1}" />
        </rule>
    </rules>
</rewrite>

Any advice on what it can be?

Thanks

The Authorization header exists and it looks fine.
I opened DEBUG and this is what I get when I am behind the reverse proxy:

node-expose-sspi:auth Kerberos_1 details:  {
  principalName: '[HTTP/tst.store.com]',
  realm: '[My Domain]'
} +0ms
  node-expose-sspi:auth input just before calling AcceptSecurityContext {
  credential: '0x000002823819c510.0x000001f7835d4b80',
  SecBufferDesc: { ulVersion: 0, buffers: [ [ArrayBuffer] ] }
} +0ms
  node-expose-sspi:auth serverSecurityContext just after AcceptSecurityContext {
  contextHandle: '0x0000000000000000.0x0000000000000000',
  contextAttr: [],
  SecBufferDesc: { ulVersion: 0, buffers: [ [ArrayBuffer] ] },
  SECURITY_STATUS: 'SEC_E_LOGON_DENIED'
} +0ms
Error: tag not yet implemented (decimal): 0
    at Function.getLabel (D:\Portal\Purple-UI-Services\node_modules\@jlguenego\asn.1\build\src\TagDecoder.js:11:23)
    at readSimple (D:\Portal\Purple-UI-Services\node_modules\@jlguenego\asn.1\build\src\codec\ber\decoder\BERDecoder.js:116:43)
    at Object.BERDecode (D:\Portal\Purple-UI-Services\node_modules\@jlguenego\asn.1\build\src\codec\ber\decoder\BERDecoder.js:27:12)
    at Function.parseMsg (D:\Portal\Purple-UI-Services\node_modules\@jlguenego\asn.1\build\src\ASN1.js:24:33)
    at Object.getKerberosResponseDetails (D:\Portal\Purple-UI-Services\node_modules\node-expose-sspi\dist\sso\kerberos.js:26:34)
    at D:\Portal\Purple-UI-Services\node_modules\node-expose-sspi\dist\sso\auth.js:119:67
    at D:\Portal\Purple-UI-Services\node_modules\node-expose-sspi\dist\sso\auth.js:190:11
    at Layer.handle [as handle_request] (D:\Portal\Purple-UI-Services\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (D:\Portal\Purple-UI-Services\node_modules\express\lib\router\index.js:317:13)
    at D:\Portal\Purple-UI-Services\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (D:\Portal\Purple-UI-Services\node_modules\express\lib\router\index.js:335:12)
    at next (D:\Portal\Purple-UI-Services\node_modules\express\lib\router\index.js:275:10)
    at D:\Portal\Purple-UI-Services\index.js:25:2
    at Layer.handle [as handle_request] (D:\Portal\Purple-UI-Services\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (D:\Portal\Purple-UI-Services\node_modules\express\lib\router\index.js:317:13)
    at D:\Portal\Purple-UI-Services\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (D:\Portal\Purple-UI-Services\node_modules\express\lib\router\index.js:335:12)
    at next (D:\Portal\Purple-UI-Services\node_modules\express\lib\router\index.js:275:10)
    at expressInit (D:\Portal\Purple-UI-Services\node_modules\express\lib\middleware\init.js:40:5)
    at Layer.handle [as handle_request] (D:\Portal\Purple-UI-Services\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (D:\Portal\Purple-UI-Services\node_modules\express\lib\router\index.js:317:13)
    at D:\Portal\Purple-UI-Services\node_modules\express\lib\router\index.js:284:7
  node-expose-sspi:adConnection openADConnection: counter:  1 +28s
  node-expose-sspi:adConnection closeADConnection: counter:  0 +16ms
  node-expose-sspi:mutex acquire +28s

When not behind reverse proxy the only difference is that I get 'SEC_E_OK':

node-expose-sspi:auth serverSecurityContext just after AcceptSecurityContext {
  contextHandle: '0x0000028238531150.0x000001a2c85f7170',
  contextAttr: [
    'ASC_RET_CONFIDENTIALITY',
    'ASC_RET_CONNECTION',
    'ASC_RET_INTEGRITY'
  ],
  SecBufferDesc: { ulVersion: 0, buffers: [ [ArrayBuffer] ] },
  SECURITY_STATUS: 'SEC_E_OK'
}
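Two things in this thread are worth checking mechanically: the maintainer's suggestion that the reverse proxy may not forward the right Authorization header, and the secondary `tag not yet implemented (decimal): 0` error, which is what a BER decoder reports when it is handed an empty output buffer after a failed AcceptSecurityContext. The helper below is an added diagnostic written for this thread, not code from node-expose-sspi or the issue author; it classifies what an Authorization header value carries (SPNEGO, raw Kerberos, raw NTLM, empty, or another scheme) so the app can log that before calling the SSPI layer. The OIDs are the standard GSS-API mechanism identifiers; the sample tokens are constructed.

```javascript
// Added diagnostic helper, not part of node-expose-sspi: classify what the
// Authorization header forwarded to the Node app actually carries before the
// token reaches AcceptSecurityContext. Sample tokens below are constructed.
const SPNEGO_OID = '1.3.6.1.5.5.2';
const KRB5_OID = '1.2.840.113554.1.2.2';

// BER length at offset `off` (short and long form): returns { len, next }.
function berLength(buf, off) {
  const first = buf[off];
  if (first < 0x80) return { len: first, next: off + 1 };
  const n = first & 0x7f;
  let len = 0;
  for (let i = 0; i < n; i++) len = len * 256 + buf[off + 1 + i];
  return { len, next: off + 1 + n };
}

// OBJECT IDENTIFIER body (base-128 arcs) to dotted form.
function decodeOid(bytes) {
  const arcs = [Math.floor(bytes[0] / 40), bytes[0] % 40];
  let acc = 0;
  for (const b of bytes.subarray(1)) {
    acc = acc * 128 + (b & 0x7f);
    if ((b & 0x80) === 0) { arcs.push(acc); acc = 0; }
  }
  return arcs.join('.');
}

// Returns { ok, kind } or { ok: false, reason } for an Authorization header value.
function inspectAuthorization(header) {
  if (!header) return { ok: false, reason: 'no Authorization header forwarded' };
  const [scheme, token] = header.split(' ');
  if (scheme !== 'Negotiate') return { ok: false, reason: `scheme ${scheme}, not Negotiate` };
  const buf = Buffer.from(token || '', 'base64');
  // An empty buffer is what a BER decoder reports as "tag 0"; refuse it up front.
  if (buf.length === 0) return { ok: false, reason: 'empty token' };
  if (buf.subarray(0, 8).equals(Buffer.from('NTLMSSP\0', 'latin1'))) return { ok: true, kind: 'NTLM (raw)' };
  if (buf[0] === 0xa1) return { ok: true, kind: 'SPNEGO NegTokenResp (continuation leg)' };
  if (buf[0] !== 0x60) return { ok: false, reason: `unexpected leading byte 0x${buf[0].toString(16)}` };
  const hdr = berLength(buf, 1); // length of the [APPLICATION 0] GSS-API wrapper
  if (buf[hdr.next] !== 0x06) return { ok: false, reason: 'no mechanism OID after GSS-API header' };
  const oidLen = berLength(buf, hdr.next + 1);
  const oid = decodeOid(buf.subarray(oidLen.next, oidLen.next + oidLen.len));
  if (oid === SPNEGO_OID) return { ok: true, kind: 'SPNEGO NegTokenInit' };
  if (oid === KRB5_OID) return { ok: true, kind: 'Kerberos 5 AP-REQ (raw)' };
  return { ok: false, reason: `unknown mechanism OID ${oid}` };
}

// Constructed sample header values (minimal, not captured from a live session).
const SAMPLE_SPNEGO = 'Negotiate ' + Buffer.from([0x60, 0x0d, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02, 0xa0, 0x03, 0x0a, 0x01, 0x00]).toString('base64');
const SAMPLE_KRB5 = 'Negotiate ' + Buffer.from([0x60, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02]).toString('base64');
```

Logging `inspectAuthorization(req.headers.authorization)` in an Express middleware ahead of the SSO handler shows whether the proxied request still carries a SPNEGO token or has been reduced to something else, which is the comparison the maintainer asked for.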