.Net client authorization using /integrated-challenge returns 500 error

I have an internal Windows app that uses the Octopus .Net client to let the current user authenticate against Octopus.

The code is like this: repo.Client.Get<string>("/integrated-challenge"); It’s also outlined in this old post.

This approach worked fine until we upgraded Octopus from 2019.10.12 to 2020.3.1. Release notes show that this related issue was included in that upgrade. Fixes to include the CORS headers and any custom cookie domain to the integrated-challenge endpoint response. I don’t really understand how to make the code work again. Is there something I need to add?

Also, I navigated to {my Octopus server}/integrated-challenge in a browser and, after supplying my credentials, received a 500 error.

Updating to the latest Octopus .Net Client did not resolve this issue. Any advice would be appreciated.

Hi @msallmen1,

First of all welcome to the Octopus Forums!

Thanks for reaching out. We had to rework this system as part of making the switch to .NET Core. I will reach out to our engineers on what would be the next steps for you here. Unfortunately, they are based in Australia so we won’t hear back until tomorrow.

Please feel free to reach out in the meantime with any questions or concerns.

Thanks,
Jeremy

Hey @msallmen1,

I spoke with one of our engineers on this and he thinks this might be unrelated to the Octopus upgrade. When you go to the portal and try to use integrated auth, does it work?

Thanks,
Jeremy

Hey, thanks for the reply. The integrated auth button on the log in page, “Sign in with a domain account”, works fine. However, as described in the original post, navigating to the {my Octopus server}/integrated-challenge URL does give me a 500 error. My code hasn’t changed, so it’s got to be something with either the updated Octopus, or our environment. Any ideas on what to look for in our environment?

Hey @msallmen1,

Is it possible the service account that runs Octopus has lost permissions in some way?
Which type of auth are you using? Ntlm/Kerberos/Etc?

You could take a look at the workarounds in this issue. The button itself has been fixed but the workarounds may apply depending on what you’re using.

Thanks,
Jeremy

We’re using NTLM, I believe. Just to be clear, the button works fine. This is an issue with the .Net client and trying to simulate that call in the browser. I used Chrome dev tools to examine the network traffic and found that there is a URL call like this, https://{my Octopus server}/integrated-challenge?state=%7B%22RedirectAfterLoginTo%22%3A%22%2Fapp%23%2F%22%2C%22UsingSecureConnection%22%3Atrue%7D which decoded is, /integrated-challenge?state={"RedirectAfterLoginTo":"/app#/","UsingSecureConnection":true}. Is there documentation on using /integrated-challenge from the .Net client? Maybe I need to add some parameters to the call in my code.

Hi @msallmen1,

Let me get back with the engineer and see if I can get some more information for you.

Feel free to reach out in the meantime.

Thanks,
Jeremy

Hello. Is there any further information on this issue? Can you point me towards any documentation?

Hi @msallmen1,

Thanks for reaching out.

Sorry about the delay but I didn’t get a response. Let me cast a wider net and see if I can get some answers for you. Unfortunately, there isn’t any documentation on this that I could think to point you to.

Sincerely,
Jeremy

Hey @msallmen1,

I spoke with one of our engineers and he wanted me to gather some more information for him.

Would you be able to provide me with server logs from the timeframe when the 500 error is occurring? You can direct message these to me for privacy reasons.

Would you be able to diagram/explain the setup and configuration of your authentication servers in detail, along with configuration settings for AD? (This can also be privately messaged if you prefer)

Can you verify the authentication method your AD is using isn’t Kerberos under the hood?

Which user is running the script? Is it the same as the user running the browser?

Would you be able to privately message me the script you’re using with any information we need to reproduce it on our end?

Sorry about the barrage of questions, please let me know if you have any questions about the above.

Thanks,
Jeremy

I’ll see if someone in my organization can help me gather that information. Meanwhile, is there documentation on GET /integrated-challenge?

Hi,

Unfortunately, we don’t have any documentation on that. You could take a look at the open source code here, though: https://github.com/OctopusDeploy/DirectoryServicesAuthenticationProvider/blob/6df5ff4bfcb9f5cdeb8023b9a461e1efd709b8f8/source/Server/IntegratedAuthentication/IntegratedAuthenticationHandler.cs#L74

Please let me know when you have the information above.

Thanks,
Jeremy

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.