pgina / pgina

pGina: Open Source Windows Authentication

Home Page: http://pgina.org


LDAP authentication issue using pgina

ricky1988 opened this issue · comments

Hello Dev,

I have installed pGina (3.1.8.0) on a Windows Server 2016 machine (LDAP client). I enabled the LDAP authentication plugin and configured the LDAP server settings. I tested the simulator in pGina and it works. So here is the problem. When I log in as the user (created in LDAP Server) in RDP, it cannot log in. First it says logging in and then that the username and password is incorrect. I have checked the logs; it is authenticating with LDAP, but I can't see any errors.

Below are the logs which I got in pGina:

2017-08-19 06:58:43,439 [1808|24|DEBUG] LdapServer: Initializing LdapServer host(s): [1XX.XX.X.XXX], port: 389, useSSL = False, verifyCert = False
2017-08-19 06:58:43,458 [1808|24|DEBUG] LdapServer: Timeout set to 10 seconds.
2017-08-19 06:58:43,462 [1808|24|DEBUG] PluginDriver:cb47bd43-f282-443e-877b-3eeb6e32a11f: Performing login process
2017-08-19 06:58:43,468 [1808|24|DEBUG] PluginDriver:cb47bd43-f282-443e-877b-3eeb6e32a11f: Authenticating user chaitra, 1 plugins available
2017-08-19 06:58:43,471 [1808|24|DEBUG] PluginDriver:cb47bd43-f282-443e-877b-3eeb6e32a11f: Calling 0f52390b-c781-43ae-bd62-553c77fa4cf7
2017-08-19 06:58:43,475 [1808|24|DEBUG] LdapPlugin: AuthenticateUser(cb47bd43-f282-443e-877b-3eeb6e32a11f)
2017-08-19 06:58:43,478 [1808|24|DEBUG] LdapPlugin: Received username: chaitra
2017-08-19 06:58:43,480 [1808|24|DEBUG] LdapPlugin: Attempting authentication for chaitra
2017-08-19 06:58:43,506 [1808|24|DEBUG] LdapServer: Attempting bind as cn=ad,dc=byta,dc=use
2017-08-19 06:58:43,514 [1808|24|DEBUG] LdapServer: Successful bind to 1XX.XX.X.XXX as cn=ad,dc=byta,dc=use
2017-08-19 06:58:43,520 [1808|24|DEBUG] LdapServer: Searching for DN using filter uid=chaitra
2017-08-19 06:58:43,526 [1808|24|DEBUG] LdapServer: Searching context dc=byta,dc=use
2017-08-19 06:58:43,531 [1808|24|DEBUG] LdapServer: Found DN: cn=chaitra M,ou=bytaurs,dc=byta,dc=use
2017-08-19 06:58:43,534 [1808|24|DEBUG] LdapServer: Attempting to bind with DN cn=chaitra M,ou=bytaurs,dc=byta,dc=use
2017-08-19 06:58:43,538 [1808|24|DEBUG] LdapServer: Attempting bind as cn=chaitra M,ou=bytaurs,dc=byta,dc=use
2017-08-19 06:58:43,541 [1808|24|DEBUG] LdapServer: Successful bind to 1XX.XX.X.XXX as cn=chaitra M,ou=bytaurs,dc=byta,dc=use
2017-08-19 06:58:43,545 [1808|24|DEBUG] LdapServer: LDAP DN cn=chaitra M,ou=bytaurs,dc=byta,dc=use successfully bound to server, return success
2017-08-19 06:58:43,552 [1808|24|DEBUG] PluginDriver:cb47bd43-f282-443e-877b-3eeb6e32a11f: 0f52390b-c781-43ae-bd62-553c77fa4cf7 Succeeded
2017-08-19 06:58:43,555 [1808|24|INFO ] PluginDriver:cb47bd43-f282-443e-877b-3eeb6e32a11f: Successfully authenticated chaitra
2017-08-19 06:58:43,561 [1808|24|DEBUG] PluginDriver:cb47bd43-f282-443e-877b-3eeb6e32a11f: Authorizing user chaitra, 1 plugins available
2017-08-19 06:58:43,564 [1808|24|DEBUG] PluginDriver:cb47bd43-f282-443e-877b-3eeb6e32a11f: Calling 0f52390b-c781-43ae-bd62-553c77fa4cf7
2017-08-19 06:58:43,572 [1808|24|DEBUG] LdapPlugin: LDAP Plugin Authorization
2017-08-19 06:58:43,584 [1808|24|INFO ] PluginDriver:cb47bd43-f282-443e-877b-3eeb6e32a11f: Successfully authorized chaitra
2017-08-19 06:58:43,590 [1808|24|DEBUG] PluginDriver:cb47bd43-f282-443e-877b-3eeb6e32a11f: Processing gateways for user chaitra, 1 plugins available
2017-08-19 06:58:43,594 [1808|24|DEBUG] PluginDriver:cb47bd43-f282-443e-877b-3eeb6e32a11f: Calling 0f52390b-c781-43ae-bd62-553c77fa4cf7
2017-08-19 06:58:43,599 [1808|24|DEBUG] LdapPlugin: LDAP Plugin Gateway
2017-08-19 06:58:43,606 [1808|24|INFO ] PluginDriver:cb47bd43-f282-443e-877b-3eeb6e32a11f: Successfully processed gateways for chaitra
2017-08-19 06:58:43,610 [1808|24|DEBUG] PluginDriver:cb47bd43-f282-443e-877b-3eeb6e32a11f: End login chain, 1 stateful plugin(s).
2017-08-19 06:58:43,614 [1808|24|DEBUG] LdapPlugin: EndChain
2017-08-19 06:58:43,618 [1808|24|DEBUG] LdapServer: Closing LDAP connection to 1XX.XX.X.XXX.
2017-08-19 06:58:43,649 [1808|25|WARN ] RemoteLog[NativeLib]: Plugins did not set a domain name, assuming local machine!
2017-08-19 06:58:43,653 [1808|26|DEBUG] RemoteLog[NativeLib]: [Credential.cpp:667] Plugins registered logon success
2017-08-19 06:58:43,659 [1808|27|DEBUG] RemoteLog[NativeLib]: [Credential.cpp:260] Credential::GetSerialization, enter
2017-08-19 06:58:43,700 [1808|28|DEBUG] RemoteLog[NativeLib]: [Credential.cpp:380] Credential::ReportResult(0xc000006d, 0x00000000) called
2017-08-19 06:59:19,432 [1808|3|DEBUG] LocalMachine: IterateCleanupUsers Eligible users:
2017-08-19 06:59:19,438 [1808|3|DEBUG] LocalMachine: IterateCleanupUsers loggedOnUsers:
2017-08-19 06:59:59,665 [1808|19|DEBUG] RemoteLog[NativeLib]: [Provider.cpp:248] Provider::UnAdvise() - provider events callback reference released
2017-08-19 06:59:59,672 [1808|20|DEBUG] RemoteLog[NativeLib]: [Provider.cpp:96] Stopping service state helper thread (if necessary)
2017-08-19 06:59:59,984 [1808|35|INFO ] pGina.Service.Impl: SessionChange: 2 -> RemoteDisconnect
2017-08-19 07:00:10,029 [1808|35|INFO ] pGina.Service.Impl: SessionChange: 2 -> RemoteConnect
2017-08-19 07:00:10,115 [1808|21|DEBUG] RemoteLog[NativeLib]: [Provider.cpp:88] Starting service state helper thread
2017-08-19 07:00:10,134 [1808|23|DEBUG] RemoteLog[NativeLib]: [CredentialProviderFilter.cpp:144] CredentialProviderFilter::UpdateRemoteCredential: not implemented
2017-08-19 07:00:10,140 [1808|24|DEBUG] RemoteLog[NativeLib]: [CredentialProviderFilter.cpp:73] CredentialProviderFilter::Filter
2017-08-19 07:00:10,166 [1808|25|DEBUG] RemoteLog[NativeLib]: [Provider.cpp:121] Provider::SetUsageScenario(1, 0x00000000)
2017-08-19 07:00:10,172 [1808|26|DEBUG] RemoteLog[NativeLib]: [CredentialProviderFilter.cpp:73] CredentialProviderFilter::Filter
2017-08-19 07:00:10,177 [1808|27|DEBUG] RemoteLog[NativeLib]: [Provider.cpp:237] Provider::Advise(0000020565662310, 000000000000000E) - provider events callback reference added
2017-08-19 07:00:10,182 [1808|28|DEBUG] RemoteLog[NativeLib]: [Provider.cpp:407] SerializedCredsAppearComplete: No serialized creds set
2017-08-19 07:00:10,186 [1808|29|DEBUG] RemoteLog[NativeLib]: [Provider.cpp:407] SerializedCredsAppearComplete: No serialized creds set
2017-08-19 07:00:10,190 [1808|31|DEBUG] RemoteLog[NativeLib]: [Provider.cpp:365] GetCredentialAt: Non CredUI - returning an IID_IConnectableCredentialProviderCredential
2017-08-19 07:00:19,479 [1808|36|DEBUG] LocalMachine: IterateCleanupUsers Eligible users:
2017-08-19 07:00:19,484 [1808|36|DEBUG] LocalMachine: IterateCleanupUsers loggedOnUsers:
2017-08-19 07:01:19,521 [1808|21|DEBUG] RemoteLog[NativeLib]: [Provider.cpp:248] Provider::UnAdvise() - provider events callback reference released
2017-08-19 07:01:19,529 [1808|22|DEBUG] RemoteLog[NativeLib]: [Provider.cpp:96] Stopping service state helper thread (if necessary)
2017-08-19 07:01:19,546 [1808|37|DEBUG] LocalMachine: IterateCleanupUsers Eligible users:
2017-08-19 07:01:19,550 [1808|37|DEBUG] LocalMachine: IterateCleanupUsers loggedOnUsers:
2017-08-19 07:01:20,254 [1808|37|INFO ] pGina.Service.Impl: SessionChange: 2 -> RemoteDisconnect
2017-08-19 07:01:35,989 [1808|23|DEBUG] RemoteLog[NativeLib]: [Provider.cpp:88] Starting service state helper thread
2017-08-19 07:01:36,016 [1808|25|DEBUG] RemoteLog[NativeLib]: [CredentialProviderFilter.cpp:144] CredentialProviderFilter::UpdateRemoteCredential: not implemented
2017-08-19 07:01:36,021 [1808|26|DEBUG] RemoteLog[NativeLib]: [CredentialProviderFilter.cpp:73] CredentialProviderFilter::Filter
2017-08-19 07:01:36,022 [1808|38|INFO ] pGina.Service.Impl: SessionChange: 2 -> RemoteConnect
2017-08-19 07:01:36,072 [1808|27|DEBUG] RemoteLog[NativeLib]: [Provider.cpp:121] Provider::SetUsageScenario(1, 0x00000000)
2017-08-19 07:01:36,077 [1808|28|DEBUG] RemoteLog[NativeLib]: [CredentialProviderFilter.cpp:73] CredentialProviderFilter::Filter
2017-08-19 07:01:36,083 [1808|29|DEBUG] RemoteLog[NativeLib]: [Provider.cpp:237] Provider::Advise(000001A237DB1020, 000000000000000E) - provider events callback reference added
2017-08-19 07:01:36,088 [1808|30|DEBUG] RemoteLog[NativeLib]: [Provider.cpp:407] SerializedCredsAppearComplete: No serialized creds set
2017-08-19 07:01:36,093 [1808|31|DEBUG] RemoteLog[NativeLib]: [Provider.cpp:407] SerializedCredsAppearComplete: No serialized creds set
2017-08-19 07:01:36,097 [1808|14|DEBUG] RemoteLog[NativeLib]: [Provider.cpp:365] GetCredentialAt: Non CredUI - returning an IID_IConnectableCredentialProviderCredential
2017-08-19 07:02:19,569 [1808|39|DEBUG] LocalMachine: IterateCleanupUsers Eligible users:
2017-08-19 07:02:19,574 [1808|39|DEBUG] LocalMachine: IterateCleanupUsers loggedOnUsers:
2017-08-19 07:03:09,730 [1808|28|DEBUG] RemoteLog[NativeLib]: [Provider.cpp:248] Provider::UnAdvise() - provider events callback reference released
2017-08-19 07:03:09,736 [1808|29|DEBUG] RemoteLog[NativeLib]: [Provider.cpp:96] Stopping service state helper thread (if necessary)
2017-08-19 07:03:11,135 [1808|40|INFO ] pGina.Service.Impl: SessionChange: 2 -> RemoteDisconnect
2017-08-19 07:03:19,595 [1808|40|DEBUG] LocalMachine: IterateCleanupUsers Eligible users:
2017-08-19 07:03:19,600 [1808|40|DEBUG] LocalMachine: IterateCleanupUsers loggedOnUsers:
2017-08-19 07:03:22,047 [1808|30|DEBUG] RemoteLog[NativeLib]: [Provider.cpp:88] Starting service state helper thread
2017-08-19 07:03:22,064 [1808|7|DEBUG] RemoteLog[NativeLib]: [CredentialProviderFilter.cpp:144] CredentialProviderFilter::UpdateRemoteCredential: not implemented
2017-08-19 07:03:22,068 [1808|14|DEBUG] RemoteLog[NativeLib]: [CredentialProviderFilter.cpp:73] CredentialProviderFilter::Filter
2017-08-19 07:03:22,101 [1808|40|INFO ] pGina.Service.Impl: SessionChange: 2 -> RemoteConnect
2017-08-19 07:03:22,123 [1808|13|DEBUG] RemoteLog[NativeLib]: [Provider.cpp:121] Provider::SetUsageScenario(1, 0x00000000)
2017-08-19 07:03:22,128 [1808|17|DEBUG] RemoteLog[NativeLib]: [CredentialProviderFilter.cpp:73] CredentialProviderFilter::Filter
2017-08-19 07:03:22,133 [1808|16|DEBUG] RemoteLog[NativeLib]: [Provider.cpp:237] Provider::Advise(00000257AEBC1020, 000000000000000E) - provider events callback reference added
2017-08-19 07:03:22,138 [1808|15|DEBUG] RemoteLog[NativeLib]: [Provider.cpp:407] SerializedCredsAppearComplete: No serialized creds set
2017-08-19 07:03:22,143 [1808|8|DEBUG] RemoteLog[NativeLib]: [Provider.cpp:407] SerializedCredsAppearComplete: No serialized creds set
2017-08-19 07:03:22,147 [1808|10|DEBUG] RemoteLog[NativeLib]: [Provider.cpp:365] GetCredentialAt: Non CredUI - returning an IID_IConnectableCredentialProviderCredential
2017-08-19 07:04:19,616 [1808|41|DEBUG] LocalMachine: IterateCleanupUsers Eligible users:
2017-08-19 07:04:19,621 [1808|41|DEBUG] LocalMachine: IterateCleanupUsers loggedOnUsers:
2017-08-19 07:04:20,713 [1808|41|INFO ] pGina.Service.Impl: SessionChange: 2 -> SessionLogon
2017-08-19 07:04:20,999 [1808|28|DEBUG] RemoteLog[NativeLib]: [Provider.cpp:248] Provider::UnAdvise() - provider events callback reference released
2017-08-19 07:04:21,017 [1808|29|DEBUG] RemoteLog[NativeLib]: [Provider.cpp:96] Stopping service state helper thread (if necessary)
2017-08-19 07:05:19,642 [1808|40|DEBUG] LocalMachine: IterateCleanupUsers Eligible users:
2017-08-19 07:05:19,653 [1808|40|DEBUG] LocalMachine: IterateCleanupUsers loggedOnUsers: ADMINISTRATOR

I looked at this issue as well: #304

When I give domain name/chaitra (user), it still gives the error: Unable to determine user's LDAP DN for authentication

I don't know where I am going wrong. Please help me out.
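
As an added example (not part of the original thread and not pGina project code): a small Python triage script for logs in the format posted above. It pairs each `Credential::ReportResult` call with the plugin chain that preceded it and flags the case visible in this log, where every LDAP plugin stage succeeds but Windows rejects the logon with 0xc000006d (STATUS_LOGON_FAILURE). The function name `triage`, the finding fields and the excerpted `SAMPLE_LOG` are assumptions of this example.

```python
import re

# Sample input: five lines excerpted from the log posted above.
SAMPLE_LOG = """\
2017-08-19 06:58:43,555 [1808|24|INFO ] PluginDriver:cb47bd43-f282-443e-877b-3eeb6e32a11f: Successfully authenticated chaitra
2017-08-19 06:58:43,584 [1808|24|INFO ] PluginDriver:cb47bd43-f282-443e-877b-3eeb6e32a11f: Successfully authorized chaitra
2017-08-19 06:58:43,606 [1808|24|INFO ] PluginDriver:cb47bd43-f282-443e-877b-3eeb6e32a11f: Successfully processed gateways for chaitra
2017-08-19 06:58:43,649 [1808|25|WARN ] RemoteLog[NativeLib]: Plugins did not set a domain name, assuming local machine!
2017-08-19 06:58:43,700 [1808|28|DEBUG] RemoteLog[NativeLib]: [Credential.cpp:380] Credential::ReportResult(0xc000006d, 0x00000000) called
"""

# A few well-known NTSTATUS codes that Windows reports for logon attempts.
NTSTATUS = {
    0x00000000: "STATUS_SUCCESS",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
LINE = re.compile(r"^(\S+ \S+) \[\d+\|\d+\|(\w+)\s*\] (.*)$")
STAGE = re.compile(r"Successfully (authenticated|authorized|processed gateways for) (\S+)$")
RESULT = re.compile(r"Credential::ReportResult\((0x[0-9a-fA-F]+), (0x[0-9a-fA-F]+)\)")
ALL_STAGES = {"authenticated", "authorized", "processed"}

def triage(log_text):
    """Return one finding per ReportResult call, paired with the plugin chain before it."""
    findings, stages, user, local = [], set(), None, False
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, _level, msg = m.groups()
        if (s := STAGE.search(msg)):
            stages.add(s.group(1).split()[0])
            user = s.group(2)
        elif "did not set a domain name" in msg:
            local = True  # the logon is handed to Windows as a local-machine account
        elif (r := RESULT.search(msg)):
            status = int(r.group(1), 16)
            plugins_ok = stages == ALL_STAGES
            findings.append({"time": ts, "user": user, "plugins_ok": plugins_ok,
                             "local_account": local,
                             "status": NTSTATUS.get(status, hex(status)),
                             # plugins accepted the user, Windows did not
                             "mismatch": plugins_ok and status != 0})
            stages, user, local = set(), None, False
    return findings
```

A finding with `mismatch` set means the failure happened after pGina's plugins finished, so the LDAP bind settings are not where to look.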

Please install the latest version, i.e. 3.9.9.9; the link is below:
https://github.com/MutonUfoAI/pgina/releases

Then set up the correct LDAP credentials.
When logging in as an LDAP user, give the username as .\username with the LDAP password, and it will authenticate the user.
But if you change the password for the LDAP user, then pGina doesn't work, as it is still storing the old password. Using the old password you can log in to the RDP.
Please let me know if anyone found out the solution for this issue.

Hi Guys,
To work with this workflow you have to disable NLA (Network Level Authentication) in the remote desktop settings.
We also have the option to remove the user after logging off and scramble the password.

ad RDP credentials and password change: With pGina 3.9.9.11 and Server 2016 I still have problems with several RDP logon sessions with different logon users. Turning off NLA and CredSSP (rdp file: prompt for credentials:i:1,enablecredsspsupport:i:0 ) has solved similar other problems, but not these. Removing the user after logoff is working with concurrent sessions. Does a pGina logon overwrite information from other sessions?
For other customers with terminal server 2016 (heavy load) for OpenLDAP connection we use the Comtarsia client now, and there everything works fine. It seems the Comtarsia client can handle the new session management of Server 2016 correctly and pGina has problems? The Comtarsia agent creates the AD user at the right time, so the CredSSP problem does not exist. With Win10 and Server 2016 I am not happy with pGina.

Please help me!
How to pGina auto simulation when user password changes on OpenLDAP server?