Teams-for-linux: Blank page on saml login with self signed certificate

Created on 3 Apr 2019  Â·  21Comments  Â·  Source: IsmaelMartinez/teams-for-linux

Hi,

First of all thank you and all other forks members for this work.

OS: Ubuntu 18.04 (bionic) x86_64
TFL version: 0.1.17
Installation method: deb package downloaded from releases page

I currently work for a customer using teams linked to O365 implementing it's own external authentication mechanism. When I launch teams-for-linux, I can enter my organisation email and get the normal message "We are redirecting you to you organisation's login page" (which I have traced to be https://idpriam.groupe.extra.laposte.fr/auth/dologin.jsp in case it really matters). But the screen is desperately blank, I'm never offered a chance to enter my credentials.

This totally works as expected if I launch teams in a browser (either chrome or firefox).

Around the coffee machine, I've learned that several of my colleagues have tried team-for-linux on the same (or nearly identical) configuration in the past months and are facing the exact same issue.

I have tried the remedies that were proposed in #18 but it did no help.

I'm brand new to your app and I didn't yet take any time to look at the app contents or to go further than reported above. Meanwhile, my job implies debugging lots of different things so I definitely can capture more info. Though, I would appreciate a small initial assistance to put myself on track.

The customer I mentioned is a 200k+ people company with an echosystem of several thousands developers/techs/pms. My team is very activelly pushing (officially and underground) to let all these people having AT LAST the ability to choose their OS. Having teams working correctly is the last rock in our shoe to be fully connected with the enterprise information system and deploy at large for some hundred devs desperately waiting.

Looking forward to cooperate, cheers !

Edit: it turns out the real problem is not the enterprise login but a self signed certificate delivered only when connecting from the company network. Logins from outside the site are ok (with a fully trusted ssl certificate).

authentication bug

Most helpful comment

And yeah, it will be good to add messages but we arent currently checking for those cases.

All 21 comments

Just to let you know I have since tried to run the app with --webDebug. When I get on the blank page, the developer tool panel shows absolutely nothing, like if a request was lost in the wild. I have no idea where to look for the actual resquests fired and responses or redirects being followed.

I also ran the app directly from sources with a checkout from the latest master. It didn't help either.

I suspect there could be an issue with the proxy settings. I will try again tonight from home with no proxy at all to see if it helps.

the only thing that I can think of is to disable the ntlmV2 stuff.

like teams-for-linux --ntlmV2enabled=false

To get logs you might need to click in the "preserveLogs", in the chrome developer tools, and then do a refresh (Ctrl+r).

We're likely rolling out this exact solution soon at work - I can test this more once our rollout is complete and I have a domain to test on.

If anyone else has ideas, feel free to dive into this as well, as it may be a few months before I'm ready to test.

More info as promised: :champagne: It works from home without proxy. So now I know where to concentrate my effort at least.

@IsmaelMartinez I already tried to disable ntlm without luck as it was one of your precos already in #18. But with my result above, I'm quite sure it's not the problem. The info about enabling logs will probably help. Thanks.

My assumption is that the call to the SAML login page is going through the proxy when I'm at work although it is not suppose to (firing an error page other https with a self signed certificate). Can you tell me a little more about how I can tweak the proxy settings in teams-for-linux ? If I understand correctly it uses my system setting as chrome(ium) does. I'm almost sure that the problem is the interpretation of the no_proxy variable (i.e. written in bash style .extension.com,.otherextension.com where TFL might expect something with wildcards *.extension.com,*.otherextension.com). Can I customize it only for TFL ?

Anyway, I'll find some time to run tcpdump and launch TFL to confirm my assumptions. Thanks for your support.

Maybe worth trying some proxy options from here?

https://github.com/electron/electron/blob/master/docs/api/chrome-command-line-switches.md#--proxy-serveraddressport

you should be able to test them as teams-for-linux --proxy-server=proxyAddress:port. If they work then I am happy to help on putting those in a config (so you can distribute the config.json file not to be configuring the desktop files)

Hope helps,

There we go !!!! What I need the most is --proxy-bypass-list=hosts which is as I suspected a comma separated list of wildcards. I'll test that tomorrow from the office and report back.

Perfect. Just let me know if that works and we can add it as another option in the config stuff (if that helps you and others). Doesn't take much time todo. Cheers

My motivation and joy have vanished this morning... Launched TFL when I arrived at the office and got directly connected to my account since I logged in from home yesterday (that was the good part !). Then I logged out to restart my tests over and since then, no matter what I try (proxy with exclusions, use proxy pac, disable authentication, white list auth servers....) I still get my desperately blank page.

I'm going to login back in from a connection with my 4G phone so i can test the rest of TFL functions.

I'll try to analyse what's going on with this <Beeeppp!!!> saml login page when I have time, but I foresee this is going to be a long and hard debugging path (where the root cause is most probably a very specific and local enterprise issue).

Moreover, I also discovered with the above docs that Electron does not support basic auth for proxies. Unless using a pac file works perfectly well (i.e. asks for a login/pass interactively when it is needed for a particular proxy), this is going to be a stopper. I'm able to overcome this locally by deploying my own local squid as an authentified relay to the different proxies I need. But this is clearly not a setup we can deploy at large and expect our basic users to master.

More I have time, cause I still have some hope I can work it out. Thanks.

Hi @zeitounator , there is a login dialog that should appear if a login event happens. https://github.com/IsmaelMartinez/teams-for-linux/blob/master/app/login/index.js

Maybe, we need to also handle this, for you case, at a higher level like we use to do a long time ago:

https://github.com/IsmaelMartinez/teams-for-linux/blob/284a92b14a3e3a4a09766ddb5d732cca632c95a0/app/lib/index.js#L112

if you can build from source (yarn stuff) it might be easier to test and try.

Be aware that the partition can be, and is probably, making it harder to test that part.

I recommend, if running from package, to:

  • remove the ~/.config/teams-for-linux
  • try setting the partition without the persist teams-for-linux --partition=test-teams
  • try then each different case... you might get a surprise and one of them might work.

If running from source, the config folder is under ~/.Electron

Hope helps! that part is a bloody nightmare to test but hopefully the recommendations might help you. I use to remove the config after each iteration but I don't think is fully needed...

ah, and thanks for testing this. Create any bugs that you find and, hopefully, we can fix them soon :)

@IsmaelMartinez thanks for your help, I really (and I mean REALLY(tm)) appreciate, especially because I'm almost sure that the exact problems is not in the application but somewhere here, in an office, in between a chair and a keyboard...

I already installed the sources and ran from there yesterday. I will definitely play with that and try to find a solution although it might take a while (because of the bloody nightmare and also because I'm doing this almost on spare time and I now have tons of things to catch up).

One question though: is there a way I can use Kerberoes in Electron/TFL, possibly as implemented in gnome settings panel (online accounts > enterprise login) ? That might be an other option which could possibly fix my current problems

The good point still: I've used TFL all day without any problems and this is really a big difference. See ya !

I'm in a new hope vortex !!! I had debugged the console with "preserve logs" but didn't see there was the same same checkbox on the network tab (silly me !). So my new findings.

  • When we are outside the network, we are redirected to the saml page and accessing it from an extranet path. The https response is returned with an ssl certifcate from a generally trusted CA.
  • When we are inside the network, we are redirected to the same saml page. But the path is totally on the intranet and the https response is returned with an ssl cert signed by a local company CA that Electron does not trust.

That cert is already part of my ubuntu system trust store but I guess Electron does not use it. I did a very quick search and did not find the way to add a CA cert to Electron/TFL app. How can I add a new CA to Electron ?

To go further, would it be possible to ask Electron/TFL to display an error message rather than a blank page in such cases ?

Thanks.

I will probably go down the route of checking the login part. Add what I send you before to the bottom of the main index.js, add logs and see if you still got the problems.

Ntlm should do the auth just fine.

I don't know/think you can do the kerberos and pass that authentication down to the browser window that is opening the teams page.. But I might be wrong.

Do you get a popup at any of the authentication steps? Meaning, browser, home browser, home app... Thanks

I think then is needed to add a check for that certificate. Check this:

https://github.com/electron/electron/blob/master/docs/api/app.md#event-certificate-error

Again, the code probably also works by adding it at the index.js file (main one)

For the sake of testing, just do the prevent default and callback(true).

If that is the issue, and it works as a solution, it might be wise to still check for the certificate URL and add that as a config option.

And yeah, it will be good to add messages but we arent currently checking for those cases.

Hi ! I'm a colleague of @zeitounator and thanks to your discussion, I managed to make the snap version work by trusting self-signed certificates (/usr/local/share/ca-certificates + sudo update-ca-certificates) and tweaking the "no proxy" value in Gnome (Settings -> Network -> Proxy).

Now, I'm thinking about overriding the .desktop file to locally set the no_proxy env var. But, I don't know why, if I use Gnome settings, then it's working. But if I try this :

$ no_proxy='…' NO_PROXY='…' teams-for-linux

or this :

$ export no_proxy='…'
$ export NO_PROXY='…'
$ teams-for-linux

… then I can't get no satisfaction :notes:

Is this normal that setting proxy by Gnome is working but not by 'export' ?

Not sure. Maybe is because is an electron app.

Maybe try using the arguments like in here:
https://github.com/electron/electron/blob/master/docs/api/chrome-command-line-switches.md#--no-proxy-server

Check that page as there are other network pareters that could be useful to your case.

Hope helps!

Hey, do we have an update on this? Just to wait for the release or go ahead with it. Thanks!

I just didn't find a clean way of checking the cert in nodejs and I'm still working on it. My idea was to let the user define a list of certificate files on his disk for custom CA if needed and check on this but this is much harder than I thought.

Closing as the PR has been merge. Hopefully I get some time to tidy up stuff and release 0.2.0.

Thanks @zeitounator and @charlycoste for your contribution!!

This has been now released in version 0.2.0. thanks again for your contribution!!!

Was this page helpful?
0 / 5 - 0 ratings

Related issues

wagnst picture wagnst  Â·  5Comments

tulanian picture tulanian  Â·  6Comments

Bican007 picture Bican007  Â·  8Comments

jpiautinity picture jpiautinity  Â·  8Comments

sakthicsk picture sakthicsk  Â·  6Comments