Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Why is SSPI enabled per default? #132

Open
mjernsell opened this issue Aug 26, 2019 · 5 comments
Open

Why is SSPI enabled per default? #132

mjernsell opened this issue Aug 26, 2019 · 5 comments
Labels
question

Comments

@mjernsell
Copy link
Contributor

The login flow in _azure_cloud_mfa_authenticator is broken unless the --no-sspi is given.

I'm not sure if this was the intended behaviour or not, but previously in html_roles_fetcher the User-Agent was not set since the import from requets_negotiate_sspi import HttpNegotiateAuth failed. The new behaviour now sets the header since sspi is set to True in the fetch_html_encoded_roles which (by some reason unknown to me) breaks the login - after password is given, "This account does not have access to any roles" is received instead of having a prompt for MFA.

Was the intention to have sspi enabled per default (it seems to be set in the get_prepared_config function in prepare.py)?
@kfattig
Copy link
Contributor

kfattig commented Sep 3, 2019

I broke this - and I'm sort of stuck on how to best fix it. My thoughts here:
#126 (comment)

I don't actually have an SSPI environment, so I can't say when the header is required. I know that in my case (and, according to the comments here, others) the header causes issues. I just trusted the comment & documentation which says that SSPI should be on by default and the header is required when using it.

@lmayorga1980
Copy link

I am having a related issue when using AzureMFA Authentication.

aws-adfs login --adfs-host my.adfs.host --authfile auth.txt --profile test-account

I was getting this response.

This account does not have access to any roles

I went and updated this file to print the response vim ./venv/Lib/site-packages/aws_adfs/html_roles_fetcher.py and I got this response.

https://gist.github.com/lmayorga1980/ff6adfe00052a8b462b43723b836e77e

Maybe there needs to be another property to be set?

At this time, the best I can do is use an HTTP Packet Trace on my browser to see if it's sending some extra headers
https://github.com/venth/aws-adfs/blob/master/aws_adfs/html_roles_fetcher.py#L92

@kfattig
Copy link
Contributor

kfattig commented Oct 8, 2019

@lmayorga1980 Did you try with '--no-sspi' ?

@lmayorga1980
Copy link

lmayorga1980 commented Oct 8, 2019
edited
Loading

aws-adfs: 1.18.1

Maybe an older version?

$ aws-adfs login --adfs-host myadfshost --authfile auth.txt --profile test-account --no-sspi

2019-10-08 16:55:36,282 [authenticator authenticator.py:authenticate] [18580-MainProcess] [5996-MainThread] - ERROR: Cannot extract saml assertion. Re-authentication needed?
2019-10-08 16:55:36,431 [authenticator authenticator.py:authenticate] [18580-MainProcess] [5996-MainThread] - ERROR: Cannot extract saml assertion. Re-authentication needed?
This account does not have access to any roles

I tried 1.17.0 and also the same error.

@lmayorga1980
Copy link

any 📰 @kfattig ??

@pdecat pdecat added question waiting Waiting for answer and removed waiting Waiting for answer labels Sep 23, 2021
@pdecat pdecat changed the title Issue with the _azure_cloud_mfa_authenticator after the sspi changes Why is SSPI enabled per default? Sep 23, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@pdecat @mjernsell @lmayorga1980 @kfattig