New User Activation doesn't forward to Set Password


jason.e...@gmail.com

Apr 3, 2020, 2:27:42 PM
to pwm-general
When using user activation it doesn't seem to allow the user to set a new password; it just forwards them to the login screen. Using PWM 1.9.1.

Maybe a bug, or something needs to be set? It was working in previous builds.

jeve...@bshp.edu

Apr 3, 2020, 4:40:32 PM
to pwm-general
Updated to latest master; it happens as well. It actually happens intermittently. The error logged when it happens is below:

2020-04-03T15:38:33Z, ERROR, auth.SessionAuthenticator, {hyGjm} ldap error during search: 5001 ERROR_WRONGPASSWORD (attempt to authenticate with null password) [0:0:0:0:0:0:0:1]
2020-04-03T15:38:34Z, ERROR, state.CryptoCookieLoginImpl, {hyGjm} 5015 ERROR_INTERNAL (unexpected error reading session cookie: 5001 ERROR_WRONGPASSWORD (attempt to authenticate with null password)) [0:0:0:0:0:0:0:1]
2020-04-03T15:38:34Z, ERROR, state.CryptoCookieLoginImpl, {hyGjm} 5015 ERROR_INTERNAL (unexpected error authenticating using crypto session cookie: 5015 ERROR_INTERNAL (unexpected error reading session cookie: 5001 ERROR_WRONGPASSWORD (attempt to authenticate with null password))) [0:0:0:0:0:0:0:1]

jason.e...@gmail.com

Apr 3, 2020, 6:14:03 PM
to pwm-general
I made a screen capture of the process and what happens. I just don't want to post it here publicly, so is there a place I can send it?

jason.e...@gmail.com

Apr 4, 2020, 12:38:08 PM
to pwm-general
Somewhere after this commit, https://github.com/pwm-project/pwm/commit/db3f78a81c5e11f5b0b8e36c90b48ae48813c7c2 , is when it started to happen: when activating an account it will intermittently take them to the login screen instead of setting a password, and the error I posted before is logged. Using a build before that commit, the one I'm testing now, https://github.com/pwm-project/pwm/commit/f889434fd93f7cda2841903b185da730f2affdba , works flawlessly. I have done 15 activations in a row without the issue described. As soon as I pull that commit it starts to have issues.

s.w.g...@gmail.com

Apr 29, 2021, 2:39:34 PM
to pwm-general
Is there a build where this issue is resolved?  I am seeing it randomly for users.  

Thanks,

Scott

Jason Rivard

Apr 30, 2021, 12:05:20 AM
to pwm-general
Does changing 'Settings ⇨ Application ⇨ Session Management ⇨ Module Session Mode' to Local help this issue any?

s.w.g...@gmail.com

May 3, 2021, 2:00:50 PM
to pwm-general
Jason -

I changed the setting to that this morning.  I still see the issue, with the resulting errors in PWM:

2021-05-03T17:48:14Z, ERROR, state.CryptoCookieLoginImpl, {yHWvp} 5015 ERROR_INTERNAL (unexpected error authenticating using crypto session cookie: 5015 ERROR_INTERNAL (unexpected error reading session cookie: 5001 ERROR_WRONGPASSWORD (attempt to authenticate with null password))) [169.204.229.118]

Thanks,

Scott

Paul Hodgdon

May 3, 2021, 3:03:40 PM
to pwm-g...@googlegroups.com
What directory are you using and do you have SSO enabled?
-Paul



Scott Green

May 3, 2021, 5:23:59 PM
to pwm-g...@googlegroups.com
Microsoft AD
No SSO is configured

Thanks,

Scott

Paul Hodgdon

May 3, 2021, 6:30:51 PM
to pwm-g...@googlegroups.com
I think the only time I've experienced that was with a permission issue on the proxy account.  You have it set to use the proxy account for authentication, right?

--

Paul Hodgdon
Principal Consultant | Identity Works LLC
Epping | New Hampshire 03042 | USA
+1 603 661 1508 (mobile) | +1 603 734 2681 (office)
www.identityworksllc.com


s.w.g...@gmail.com

May 4, 2021, 10:24:09 AM
to pwm-general
I have the following set under the LDAP/Microsoft Active Directory

Use Proxy When Password Forgotten - Enabled
Allow Authentication When "Must Change Password on Next Login" Is Set - Enabled
Allow Authentication When Password Expired - Enabled

Is there something I'm missing for Activations specifically?

Thanks,

Scott

Paul Hodgdon

May 4, 2021, 10:53:58 AM
to pwm-g...@googlegroups.com
Try turning these off and see if you can recreate it.

Allow Authentication When "Must Change Password on Next Login" Is Set - Enabled
Allow Authentication When Password Expired - Enabled



Seth Stein

May 4, 2021, 2:25:40 PM
to pwm-general

I turned on TRACE level logs and it seems that at that last step in the account activation before the user changes their password - when the "Success" screen appears - the AD Proxy should be used to authenticate the user, but instead it is trying to authenticate/bind as the user, but the user has not set their password yet.  Thus that authentication fails and then the session is invalidated, thus kicking the user back to the home URL.

DEBUG, state.CryptoCookieLoginImpl, {RGdbB} triggering authentication because request contains an authenticated session but local session is unauthenticated
DEBUG, auth.LDAPAuthenticationRequest, {RGdbB} authID=23, preparing to authenticate user using authenticationType=AUTHENTICATED using strategy BIND
TRACE, auth.LDAPAuthenticationRequest, {RGdbB} authID=23, beginning testCredentials process
DEBUG, auth.LDAPAuthenticationRequest, {RGdbB} authID=23, attempt to authenticate with null password
ERROR, state.CryptoCookieLoginImpl, {RGdbB} 5015 ERROR_INTERNAL (unexpected error reading session cookie: 5001 ERROR_WRONGPASSWORD (attempt to authenticate with null password)
ERROR, state.CryptoCookieLoginImpl, {RGdbB} 5015 ERROR_INTERNAL (unexpected error authenticating using crypto session cookie: 5015 ERROR_INTERNAL (unexpected error reading session cookie: 5001 ERROR_WRONGPASSWORD (attempt to authenticate with null password)))
TRACE, state.CryptoCookieLoginImpl, {RGdbB} wrote LoginInfoBean={"a":false,"p":"*hidden*","t":"UNAUTHENTICATED","af":[],"rq":"2021-05-03T15:50:40Z","g":"*hidden*","c":0,"lf":[]} 

The message from auth.LDAPAuthenticationRequest where it says "preparing to authenticate user using authenticationType=AUTHENTICATED using strategy BIND" should be "preparing to authenticate user using authenticationType=AUTH_FROM_PUBLIC_MODULE using strategy ADMIN_PROXY". If PWM would use the Proxy at this step, then I think the authentication would work and the account activation could continue.  Is there a PWM configuration setting that would control this?  Or is this just a bug that needs to be reported?

Seth

Jason Rivard

May 12, 2021, 5:06:09 AM
to pwm-general
This trace is showing the session-resumption re-authentication code, not the ActivateUser auth session. You'll need to look up further in the trace. Checking the code, the attempt is made to auth from public module here:

Also, do you have more than one PWM server? If so, does this happen if only one server is online?

Seth Stein

May 13, 2021, 1:56:39 PM
to pwm-general
I have just 1 PWM server.  I disabled the Node Service (Settings->Application->Session Management->Node Service Enabled) just to make sure that did not cause a problem - whether the Node Service is enabled or disabled does not change this account activation behavior.

I am sharing some TRACE level logs from an entire account activation session exhibiting the problem.  Something that jumps out to me from the logs is that when I start account activation, accept the user agreement and then move on to the "Success" account activation screen (but before change password), my session had the session ID "{6TCoc}".  Then when the browser is at that Success screen and loads some of the static resources, such as style.css, there is a message:

2021-05-12T11:53:52Z, TRACE, http.HttpEventManager, new http session created

and that session "6TCoc" is no longer used.  Then when I hit the "Continue" button on that Success screen to move forward to Change Password, a different session ID, "{AHu4n}" is used.  This different session ID was generated while loading some of the static resources.  Thus, PWM loses track that this is an authenticated user who does not know their password, and it proceeds to the Change Password thinking the user is authenticated with a password, not an authenticated user without a password (similar to forgotten password).

I looked at TRACE logs from an account activation that works, and I see the same session ID throughout, even when passing on to the Change Password screen.

What is it about loading some of the static resources on the Account Activation "Success" screen that triggers a new session instead of continuing to reuse the same session ID?

Seth

Seth Stein

May 21, 2021, 6:44:34 PM
to pwm-general
I have isolated the source of this problem to the following code in the checkIfSessionRecycleNeeded() function in RequestInitializationFilter.java:
            pwmRequest.getHttpServletRequest().changeSessionId();

If I comment out this line, I no longer see the problem with account activation failing to redirect the user to change password.  I suppose another way of bypassing this would be to just prevent the SessionIdRecycleNeeded boolean from being set to true, which would cause the if statement that surrounds the changeSessionId() call to be bypassed.

Obviously, that code is there for a reason, so I'm not going to just comment it out.  The question I have is why the account activation session would be marked for recycling and the session ID changed at this point before the user has been successfully passed on to Change Password.

Seth

Jason Rivard

May 23, 2021, 4:35:56 AM
to pwm-general
This is to prevent session fixation attacks.  Anytime an auth/deauth happens the session cookie ID should be changed.  I'll try to look into it.  I've yet to reproduce this myself, so it's something weird....

Seth Stein

May 24, 2021, 8:58:21 AM
to pwm-general
I have been able to consistently reproduce the problem by opening up Developer Tools (F12) in Chrome or Firefox and then running through account activation.  Opening up Developer Tools is not required to cause the problem, the problem happens even without them open, just not as consistently.  I think opening up Developer Tools causes all the static content (CSS, js, images, etc) to not be cached by the browser and they are forced to be reloaded each time.  Something about the loading of the static content exacerbates this session problem.

Seth

Jason Rivard

Jun 9, 2021, 4:17:44 PM
to pwm-general
The latest build: 2021-06-07T12_42_46Z / 9e9d4705b00dadbf06e004dcff84647513e28ec2 has a change that may affect the issue some folks have been having with the activation process.  Please try with this build and see if there are any changes. 

Seth Stein

Jun 11, 2021, 1:26:59 PM
to pwm-general
I am still able to reproduce this problem with account activation with the latest build, 2021-06-07T12_42_46Z.

I see the change you made to checkIfSessionRecycleNeeded() to exclude the changeSessionId() call for URLs that match isResourceURL().

What if you were to also exclude URLs that match isClientApiServlet() ?  

        if ( pwmRequest.getPwmSession().getSessionStateBean().isSessionIdRecycleNeeded()
                && !pwmRequest.getURL().isResourceURL()
                && !pwmRequest.getURL().isClientApiServlet() )
        {
            // rotate the servlet session ID (session fixation defense), but not on
            // static-resource or client API requests, so a parallel request cannot
            // invalidate the cookie the activation page flow is still using
            pwmRequest.getHttpServletRequest().changeSessionId();
        }

I made that change and did some testing with that in place, and I can no longer reproduce the problem.  I am not entirely sure of the consequences of this change.

Seth
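To make the race described in this thread concrete (a session ID rotated during one of the parallel static-resource or client-API requests while the other requests still carry the old cookie), here is an added Python model; it is not PWM code. The URL prefixes, the Container class and the three recycle policies are assumptions standing in for isResourceURL(), isClientApiServlet() and the servlet container's session handling.

```python
import itertools
from dataclasses import dataclass, field

# Assumed URL prefixes standing in for PwmURL.isResourceURL() / isClientApiServlet().
RESOURCE_PREFIX = "/pwm/public/resources/"
CLIENT_API_PREFIX = "/pwm/public/api"
# URLs the recycle check skips: original code, the 2021-06-07 change, Seth's addition.
POLICIES = {
    "always": (),
    "skip_resources": (RESOURCE_PREFIX,),
    "skip_resources_and_api": (RESOURCE_PREFIX, CLIENT_API_PREFIX),
}

@dataclass
class Container:
    """Minimal servlet-container stand-in: session id cookie -> attribute dict."""
    sessions: dict = field(default_factory=dict)
    counter: itertools.count = field(default_factory=itertools.count)
    def lookup(self, sid):
        # An unknown or stale cookie gets a brand-new, empty session.
        if sid not in self.sessions:
            sid = f"s{next(self.counter)}"
            self.sessions[sid] = {}
        return sid
    def change_session_id(self, sid):
        # HttpServletRequest.changeSessionId(): new id, same attributes, old id dead.
        new_sid = f"s{next(self.counter)}"
        self.sessions[new_sid] = self.sessions.pop(sid)
        return new_sid

def handle(container, cookie_sid, url, policy):
    """One request through the recycle filter; returns the id to set as cookie."""
    sid = container.lookup(cookie_sid)
    sess = container.sessions[sid]
    if sess.get("recycle_needed") and not url.startswith(POLICIES[policy]):
        sess["recycle_needed"] = False
        sid = container.change_session_id(sid)
    return sid

def activation_flow(policy):
    """Simulate the activation flow; return the auth state ChangePassword sees."""
    c = Container()
    sid = handle(c, None, "/pwm/public/activate", policy)
    # ActivateUser authenticates from the public module and flags a recycle.
    c.sessions[sid].update(auth="AUTH_FROM_PUBLIC_MODULE", recycle_needed=True)
    # Success-page requests fire in parallel with the OLD cookie; last Set-Cookie wins.
    parallel = ["/pwm/public/api", "/pwm/public/resources/style.css"]
    last_cookie = [handle(c, sid, url, policy) for url in parallel][-1]
    sid = handle(c, last_cookie, "/pwm/private/ChangePassword", policy)
    return c.sessions[sid].get("auth", "UNAUTHENTICATED")
```

With "always" or "skip_resources" the client-API call rotates the ID, the in-flight style.css request lands on a fresh empty session, and ChangePassword sees an unauthenticated user; with "skip_resources_and_api" the rotation happens on the ChangePassword page request itself, so the fixation defense still applies without losing the activation state.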

Jason Rivard

Jun 15, 2021, 3:45:15 AM
to pwm-general
Looks good to me.  Updated in commit c7def1329b443634592cfc2435173b4d1481b868.

Seth Stein

Jun 15, 2021, 4:47:12 PM
to pwm-general
Great, thank you.

Seth

Graham Boniface

Jan 18, 2022, 3:34:42 PM
to pwm-general