
#53 Add support for Web Ticket authentication using ADFS

closed-fixed
nobody
None
5
2014-09-04
2012-11-08
No

We recently were moved to Microsoft's Lync and a lot of us tried to configure pidgin to work for the same based on the steps provided at -

http://mytricks.in/2011/08/microsoft-lync-client-for-linux.html

But we keep getting Authentication Failure with reason "Direct login to WLID is not allowed for this federated namespace".

Kindly let us know how to get around this issue. A lot of us depend on it.

Thanks in advance,
Mayank

Related

Bugs: #263

Discussion

  • Stefan Becker

    Stefan Becker - 2012-11-08

    I'm discussing this problem with another user. It either

    - requires a new, as yet unknown initial user authentication method to obtain a WsFedBearer authentication token, or

    - some way to extract the correct login name & password from your Windows installation

    BTW: the instructions provided on the URL are too old and most likely don't work in the case of a hosted Lync installation.

     
  • Stefan Becker

    Stefan Becker - 2012-11-10

    It seems we're already making some progress thanks to the logs provided by one user. Can you please answer the following questions for your Lync setup (you'll need to have a working installation with a successful Lync login on a Windows machine):

    - Is the "Microsoft Online Sign-in Assistant" installed on the machine and a service called "msoidcli" running?

    - check the Certificate (or Credential) Manager: do you see a certificate for "OCS"? Its user name should be the SIP user name, e.g. user@company.com

    - check the Certificate (or Credential) Manager: do you see a certificate for "MicrosoftOnlineServices"? Its user name is probably some "random" string and *does not* correspond to your SIP user name.

     
  • Anonymous

    Anonymous - 2012-11-12

    Hi, same problem here I guess. My answers to your questions:

    1.- I don't see any "msoidcli" service running, nor do I have "Microsoft Online Sign-in Assistant" installed
    2.- By Credential Manager, do you mean the one in the Tools menu? If so, I see one certificate for lync.mycompany.com and another one for ocs_central.mycompany.com. Their Common Name is also the server's name.
    3.- I don't see any other certificates except the ones belonging to GTalk/MSN.

    If you need more information, please, let me know.

     
  • Mayank Rungta

    Mayank Rungta - 2012-11-12

    I haven't installed the Microsoft equivalent but asked a colleague to share the info. This is the response I got -

    > - Is the "Microsoft Online Sign-in Assistant" installed on the machine and
    > a service called "msoidcli" running?

    Yes, “Microsoft Online Services Sign-in Assistant” is installed. The “Services” manager lists it as running. I do not see a process with the ‘msoidcli’ name running at this exact moment; however, I do see “MSOIDSVC.EXE” and “MSOIDSVCM.EXE” running.

    > - check the Certificate (or Credential) Manager: do you see a certificate
    > for "OCS"? Its user name should be the SIP user name, e.g.
    > user@company.com

    I see such a certificate; however, it is listed as “Communications Server” instead of “OCS”.

    > - check the Certificate (or Credential) Manager: do you see a certificate
    > for "MicrosoftOnlineServices"? Its user name is probably some "random"
    > string and *does not* correspond to your SIP user name.

    No, I do not see this.

     
  • Stefan Becker

    Stefan Becker - 2012-11-12

    Can you ask your IT if they installed an ADFS server? It is a service that creates trust tokens from your company's Active Directory for outside services, e.g. Lync.

    If they won't (or can't) answer this question, here are some things you might want to try:

    - run (e.g. on a Linux box):

    wget -O - 'https://login.microsoftonline.com/getuserrealm.srf?login=XXXX&xml=1'

    with XXXX being your SIP user name, e.g. first.last@company.com. Please post the resulting XML here.

    - monitor the network traffic on the Windows box when you start MSOIDSVC and Lync. Does one of the IP addresses resolve to an internal server, possibly by the name of adfs.company.com or fs.company.com?

     
  • Anonymous

    Anonymous - 2012-11-12

    I forgot to mention that I have the official client Microsoft Office Communicator 2007 installed since 2009 but I prefer to use Pidgin. Today, after the trouble trying to login into the company network with Pidgin I tried to login with Communicator and, of course, it worked.

    I don't know if the IT people made some kind of change into the Office Communicator service on their side but I can assure you that no changes were made in my workstation. The official client is the same and no additional software has been installed. It's just that Pidgin SIPE stopped working from one day to another reporting: "Authentication failure".

     
  • Stefan Becker

    Stefan Becker - 2012-11-13

    @Rafa: if you made no changes since 2009 and didn't update SIPE (especially didn't update to 1.13.x), then I doubt that you have the same problem reported here. We're discussing issues with TLS-DSK authentication, which requires obtaining authentication tokens for Web Services. Only then you can get an error response of "Direct login to WLID is not allowed" in the debug log.

    Please study the --debug log for error messages and read through the FAQ (https://sourceforge.net/apps/mediawiki/sipe/index.php?title=FAQ). If you can't detect a reason then please post a message on the Help forum providing the --debug information.

     
  • Anonymous

    Anonymous - 2012-11-13

    Thank you, stefanb2. I'm sorry, probably I misunderstood what this bug report is about. I'll do what you say and if that's not enough, then I will file a new bug report. Thank you for your time.

     
  • Mayank Rungta

    Mayank Rungta - 2012-11-15

    Hi Stefan,

    It is via fs.company.com as you guessed -

    $ cat getuserrealm.xml
    <RealmInfo Success="true">
      <State>3</State>
      <UserState>2</UserState>
      <Login>my_username@</Login>
      <FederationGlobalVersion>-1</FederationGlobalVersion>
      <DomainName>JUNIPER.NET</DomainName>
      <AuthURL>https://fs.company.com/adfs/ls/</AuthURL>
      <IsFederatedNS>true</IsFederatedNS>
      <STSAuthURL>https://fs.company.com/adfs/services/trust/2005/usernamemixed</STSAuthURL>
      <FederationTier>0</FederationTier>
      <FederationBrandName>fs.company.com</FederationBrandName>
      <AllowFedUsersWLIDSignIn>false</AllowFedUsersWLIDSignIn>
      <Certificate>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</Certificate>
      <MEXURL>https://fs.company.com/adfs/services/trust/mex</MEXURL>
      <SAML_AuthURL></SAML_AuthURL>
      <PreferredProtocol>1</PreferredProtocol>
      <EDUDomainFlags>0</EDUDomainFlags>
    </RealmInfo>

    Kindly let me know if you need any other information.

    Thanks,
    Mayank

     
  • Stefan Becker

    Stefan Becker - 2012-11-16

    @mr-mynk: looking at the domain name it seems you work for the same company as the other user (braghavan) who has been supplying logs for me.

     
  • Stefan Becker

    Stefan Becker - 2012-11-17

    Moved from Bugs to Feature Requests.

    Some information links:

    - http://en.wikipedia.org/wiki/Active_Directory_Federation_Services
    - http://community.office365.com/en-us/wikis/office/534.aspx
    - wget -O - 'https://login.microsoftonline.com/getuserrealm.srf?login=<USERNAME HERE>&xml=1'

    To implement this SIPE will have to be able to talk the same protocol that is used between MSOIDSVC service and ADFS server, i.e. generate WsFedBearer authentication tokens for users of the Windows AD.

     
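    The realm lookup Stefan asks for above, together with the RealmInfo answer Mayank posted, is what tells a client whether it may log in directly to Windows Live ID or must first obtain a token from the ADFS security token service. The following is an added example, not pidgin-sipe code: it parses a RealmInfo document constructed after the one in this ticket (fs.company.com is the ticket's placeholder host) and picks the sign-in route the same way, flagging the "Direct login to WLID is not allowed" situation as the ADFS route.

```python
# Added example (not pidgin-sipe code): decide the sign-in route from a
# getuserrealm.srf RealmInfo answer. The sample XML is constructed after the
# one quoted in this ticket; fs.company.com is the ticket's placeholder host.
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

SAMPLE_REALMINFO = (
    '<RealmInfo Success="true"><State>3</State><UserState>2</UserState>'
    '<Login>first.last@company.com</Login><DomainName>COMPANY.COM</DomainName>'
    '<AuthURL>https://fs.company.com/adfs/ls/</AuthURL><IsFederatedNS>true</IsFederatedNS>'
    '<STSAuthURL>https://fs.company.com/adfs/services/trust/2005/usernamemixed</STSAuthURL>'
    '<FederationBrandName>fs.company.com</FederationBrandName>'
    '<AllowFedUsersWLIDSignIn>false</AllowFedUsersWLIDSignIn>'
    '<Certificate>REDACTED</Certificate>'
    '<MEXURL>https://fs.company.com/adfs/services/trust/mex</MEXURL>'
    '<SAML_AuthURL></SAML_AuthURL><PreferredProtocol>1</PreferredProtocol></RealmInfo>'
)

@dataclass
class RealmDecision:
    federated: bool            # IsFederatedNS
    direct_wlid_allowed: bool  # AllowFedUsersWLIDSignIn
    sts_url: Optional[str]     # ADFS username/password WS-Trust endpoint
    mex_url: Optional[str]     # WS-MetadataExchange document describing that STS
    route: str                 # "wlid", "adfs" or "unsupported"

def _text(root, tag):
    el = root.find(tag)
    return el.text.strip() if el is not None and el.text else None

def decide_auth_route(realminfo_xml: str) -> RealmDecision:
    """Non-federated, or federated with WLID sign-in allowed: log in directly.
    Federated with WLID refused (the ticket's "Direct login to WLID is not
    allowed" case): a token must come from the ADFS STS over https instead."""
    root = ET.fromstring(realminfo_xml)
    if root.tag != "RealmInfo" or root.get("Success") != "true":
        raise ValueError("not a successful RealmInfo response")
    federated = (_text(root, "IsFederatedNS") or "").lower() == "true"
    wlid_ok = (_text(root, "AllowFedUsersWLIDSignIn") or "").lower() == "true"
    sts, mex = _text(root, "STSAuthURL"), _text(root, "MEXURL")
    if not federated or wlid_ok:
        route = "wlid"
    elif sts and sts.startswith("https://"):
        route = "adfs"
    else:
        route = "unsupported"  # federated, WLID refused, no usable STS published
    return RealmDecision(federated, wlid_ok, sts, mex, route)
```

    A namespace that comes back with IsFederatedNS true and AllowFedUsersWLIDSignIn false is exactly the setup this ticket is about; a client that ignores the STSAuthURL and tries WLID anyway gets the error in the ticket title.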
  • Stefan Becker

    Stefan Becker - 2012-11-17
    • summary: Authentication Failure "Direct login to WLID is not allowed" --> Add support for Web Ticket authentication using ADFS
     
  • Stefan Becker

    Stefan Becker - 2012-11-18

    As a first step I added everything we learned from the ADFS setup analysis (see git HEAD). No real progress, I know, but it will at least give the user a sensible error message.

     
  • Stefan Becker

    Stefan Becker - 2012-11-28

    Implemented & pushed to repo: commit 1a2b742. It works at least for the user who provided the MITM attack logs from an ADFS setup. Please try the new code and give feedback.

    I'll keep this open for a while still...

     
  • Mayank Rungta

    Mayank Rungta - 2012-11-29

    Thanks Stefan. It took me a while to get it built for my Ubuntu 12.10 setup on 32 bit & 64 bit but finally got things working! :)

    Look forward to seeing this fix in the pidgin-sipe installable sometime soon.

     
  • Stefan Becker

    Stefan Becker - 2012-11-30
    • status: open --> closed-fixed
     
  • Stefan Becker

    Stefan Becker - 2012-11-30

    Thanks for the feedback. Closing.

     
  • Mayank Rungta

    Mayank Rungta - 2013-05-30

    This bug has resurfaced. I had to put the previously compiled .so for this to work. I have other colleagues facing the same issue. I assume this reply will reopen the bug.

     
  • Mayank Rungta

    Mayank Rungta - 2013-08-09

    This bug is still lurking around. How do I re-open this bug? Kindly advise.

     
    • Stefan Becker

      Stefan Becker - 2013-08-09

      The other user at juniper.net, who helped me to implement this feature by providing logs from the Lync client, hasn't said that it stopped working for him.

      So I can only assume that your account settings are wrong.

       
  • Mayank Rungta

    Mayank Rungta - 2013-08-09

    It looks like it is something new. The error appears to be different. Placing the .so did not help this time! :(

    Web ticket request to https://webpoolsn20b08.infra.lync.com:443/CertProv/CertProvisioningService.svc failed

     
    • Stefan Becker

      Stefan Becker - 2013-08-09

      Some error message without --debug log is useless.

      Can we please stop discussing unrelated issues on this already closed feature request? Please post your debug log pastebin URL on the Help forum or send it via email.

       
  • Mayank Rungta

    Mayank Rungta - 2013-08-11

    Sorry I was just pointing out that it is not the same issue. I will log another bug if there are others facing the same problem.

     
