Duo silently failing at "Success, Logging you in..." Reboot fixes it, happens several times a day (.9.14 and .9.12)

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

Duo silently failing at "Success, Logging you in..." Reboot fixes it, happens several times a day (.9.14 and .9.12)

beezel
We upgraded to .9.14 a week or two ago, and immediately started having
failures with our Duo 2FA. We attempted to diagnose, but could not find any
logs or signs pointing to the issue. We had taken a cold snapshot prior to
the upgrade, so we restored from there.

We continue to have Duo failures every few hours, unfortunately.

I have scoured catalina.out, but unfortunately it shows no problems.

Our logs show succesful login, but then do not show anything else (usually
you'd see it create an RDP session, etc)

    Jul  9 17:09:01 remote server: 17:09:01.680 [http-bio-8443-exec-13] INFO
o.a.g.r.auth.AuthenticationService - User "zach.lucas" successfully
authenticated from 172.16.19.195.

I have double checked the time to make sure it is 100%, and it is (we've had
issues with timesync producing the same errors). We are using CentOS 7.3,
installed locally (not a container).

Any help would be greatly appreciated!



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
Reply | Threaded
Open this post in threaded view
|

Re: Duo silently failing at "Success, Logging you in..." Reboot fixes it, happens several times a day (.9.14 and .9.12)

mjumper
Administrator
On Tue, Jul 10, 2018, 10:26 beezel <[hidden email]> wrote:
We upgraded to .9.14 a week or two ago, and immediately started having
failures with our Duo 2FA. We attempted to diagnose, but could not find any
logs or signs pointing to the issue. We had taken a cold snapshot prior to
the upgrade, so we restored from there.

We continue to have Duo failures every few hours, unfortunately.

Can you describe the nature of the failures? What happens within the browser when a user tries to log in?


...

I have double checked the time to make sure it is 100%, and it is (we've had
issues with timesync producing the same errors). We are using CentOS 7.3,
installed locally (not a container).

What errors?

- Mike

Reply | Threaded
Open this post in threaded view
|

Re: Duo silently failing at "Success, Logging you in..." Reboot fixes it, happens several times a day (.9.14 and .9.12)

beezel
Thanks Mike,

There are no errors, per se. When a user logs into the website, they are
prompted to Push to Duo, as soon as you accept on your device the Guac
website says "Success, Logging you in..." and hangs there. You are never
logged in, and catalina.out only shows the "success" message from my
original post.

Regarding the "timesync" errors, at one point we had a daylight savings
mismatch between our guac server and real time and this caused the same
symptoms. Users would only get "Success, Logging you in..." but never
actually login. Someone from this mailing list suggested I look at time and
it turned out to be the issue. I have made sure that issue is not happening
in this instance.



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
Reply | Threaded
Open this post in threaded view
|

Re: Duo silently failing at "Success, Logging you in..." Reboot fixes it, happens several times a day (.9.14 and .9.12)

beezel
In reply to this post by beezel
I've built a new Guac server using docker, with mariadb. This all works, but
as soon as I enable Duo I get the same issue my primary box has: "Success!
Logging you in..." with no errors.

I have created a new "Web SDK" application on Duo, and updated the
guacamole.properties to reflect these. I successfully get pushes on my phone
from the new Web SDK application, but it does not work.

We are currently on .9.12 so that we could migrate our DB before upgrading
the schema and going with .9.14. Is no one else having any issues with Duo
and Guac recently? Our deployment isn't very complex at all, and I can't
figure out why it is failing.

Thanks!

Justin



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
Reply | Threaded
Open this post in threaded view
|

Re: Duo silently failing at "Success, Logging you in..." Reboot fixes it, happens several times a day (.9.14 and .9.12)

beezel
I can't seem to get Duo to work correctly even with a bone stock
configuration. Using the latest docker images, with the duo-auth.0.9.14.jar
in $GUACAMOLE_HOME along with a guacamole.properties with the 4 duo-*
settings it continues to give me either "Success! Logging you in" after a
successful Duo Push, or if I have a user set to bypass it will just hang at
"Logging you in...".

Here are my docker-compose and guacamole.properties:
https://gist.github.com/beezel/0b9cbaf0f9dc083eb4b7ce0100a8d1a8

And once again, the only thing showing up in any logs is:
16:10:12.435 [http-nio-8080-exec-2] INFO  o.a.g.r.auth.AuthenticationService
- User "****" successfully authenticated from 172.16.19.39.



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
Reply | Threaded
Open this post in threaded view
|

Re: Duo silently failing at "Success, Logging you in..." Reboot fixes it, happens several times a day (.9.14 and .9.12)

Mike Jumper
Anything in the browser's JavaScript console when the expected redirect does not occur?

- Mike

On Wed, Jul 11, 2018, 16:11 beezel <[hidden email]> wrote:
I can't seem to get Duo to work correctly even with a bone stock
configuration. Using the latest docker images, with the duo-auth.0.9.14.jar
in $GUACAMOLE_HOME along with a guacamole.properties with the 4 duo-*
settings it continues to give me either "Success! Logging you in" after a
successful Duo Push, or if I have a user set to bypass it will just hang at
"Logging you in...".

Here are my docker-compose and guacamole.properties:
https://gist.github.com/beezel/0b9cbaf0f9dc083eb4b7ce0100a8d1a8

And once again, the only thing showing up in any logs is:
16:10:12.435 [http-nio-8080-exec-2] INFO  o.a.g.r.auth.AuthenticationService
- User "****" successfully authenticated from 172.16.19.39.



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/