
Entra ID (Azure AD) auth not working - internal server error

Open amirukg opened this issue 1 year ago • 9 comments

When I attempt to log in using a Microsoft account, after successfully passing the auth window and MFA, I see "internal server error".

Steps to reproduce the behavior:

  1. Go to the MeshCentral login page
  2. Click the "Microsoft" icon
  3. Fill in the authentication form with login and password, pass MFA
  4. See error

I expected to log in to MeshCentral under my Entra ID account.

Screenshots: [screenshot]

Server Software

  • OS: Ubuntu 22.04
  • Virtualization: Hyper-V
  • Network: MeshCentral server is behind NAT
  • Version: 1.1.24
  • Node: 20.15.0

Client Device

  • Device: Laptop
  • OS: Windows 11
  • Network: Local to MeshCentral, Internet to MeshCentral
  • Browser: Google Chrome, Edge

Additional context: meshcentral-data/mesherrors.txt has errors:

InternalOAuthError: Failed to obtain access token
    at OAuth2Strategy._createOAuthError (/root/node_modules/passport-oauth2/lib/strategy.js:423:17)
    at /root/node_modules/passport-oauth2/lib/strategy.js:177:45
    at /root/node_modules/passport-oauth2/node_modules/oauth/lib/oauth2.js:196:18
    at ClientRequest.<anonymous> (/root/node_modules/passport-oauth2/node_modules/oauth/lib/oauth2.js:166:7)
    at ClientRequest.emit (node:events:519:28)
    at TLSSocket.socketErrorListener (node:_http_client:500:9)
    at TLSSocket.emit (node:events:519:28)
    at emitErrorNT (node:internal/streams/destroy:169:8)
    at emitErrorCloseNT (node:internal/streams/destroy:128:3)
    at process.processTicksAndRejections (node:internal/process/task_queues:82:21)

My Azure app settings: API permissions: [screenshot] Redirect URI: [screenshot]

config.json file

{
  "$schema": "https://raw.githubusercontent.com/Ylianst/MeshCentral/master/meshcentral-config-schema.json",
  "__comment1__": "This is a simple configuration file, all values and sections that start with underscore (_) are ignored. E>
  "__comment2__": "See node_modules/meshcentral/sample-config-advanced.json for a more advanced example.",
  "settings": {
    "cert": "mydomain.example",
    "WANonly": true,
    "_LANonly": false,
    "_sessionKey": "mysessionkey",
    "port": 443,
    "aliasPort": 20443,
    "redirPort": 80,
    "redirAliasPort": 80
  },
  "domains": {
    "": {
      "title": "MeshCentral",
      "title2": "Title2",
      "minify": true,
      "newAccounts": false,
      "_userNameIsEmail": true,
      "authStrategies": {
        "azure": {
          "_callbackurl": "https://mydomain.example:20443/auth-azure-callback",
          "newAccounts": true,
          "_newAccountsUserGroups": [ "ugrp//xxxxxxxxxxxxxxxxx" ],
          "clientid": "myclientID",
          "clientsecret": "myclientsecret",
          "tenantid": "mytenantID"
        }
      }
    }
  },
  "letsencrypt": {
    "__comment__": "Requires NodeJS 8.x or better, Go to https://letsdebug.net/ first before trying Let's Encrypt.",
    "email": "[email protected]",
    "names": "mydomain.example",
    "skipChallengeVerification": false,
    "production": true
  }
}

amirukg avatar Jun 28 '24 09:06 amirukg

I don't use Azure for anything, so I have no way of testing this. HOWEVER, the new docs say to try using oidc instead of the azure option in authStrategies. Can you maybe try that and see if it works? https://ylianst.github.io/MeshCentral/meshcentral/openidConnectStrategy/#azure-preset

si458 avatar Jun 28 '24 10:06 si458

Hi!

Updated config.json with:

"authStrategies": {
  "oidc": {
    "client": {
      "client_id": "myclientID",
      "client_secret": "myclientsecret"
    },
    "custom": {
      "preset": "azure",
      "tenant_id": "mytenantID"
    }
  }
}

but getting some strange errors:

-------- 6/28/2024, 4:31:56 PM ---- 1.1.24 --------

/root/node_modules/meshcentral/webserver.js:7406
    let error = new Error('OIDC: Discovery failed.', { cause: err });
                ^

Error: OIDC: Discovery failed.
    at setupDomainAuthStrategy (/root/node_modules/meshcentral/webserver.js:7406:29)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async setupAllDomainAuthStrategies (/root/node_modules/meshcentral/webserver.js:6495:82) {
  [cause]: AggregateError [ETIMEDOUT]:
      at internalConnectMultiple (node:net:1117:18)
      at afterConnectMultiple (node:net:1684:7) {
    code: 'ETIMEDOUT',
    [errors]: [
      Error: connect ETIMEDOUT 20.190.144.163:443
          at createConnectionError (node:net:1647:14)
          at Timeout.internalConnectMultipleTimeout (node:net:1706:38)
          at listOnTimeout (node:internal/timers:575:11)
          at process.processTimers (node:internal/timers:514:7) {
        errno: -110,
        code: 'ETIMEDOUT',
        syscall: 'connect',
        address: '20.190.144.163',
        port: 443
      },
      Error: connect ENETUNREACH 2603:1047:1:188::5:443
          at createConnectionError (node:net:1647:14)
          at afterConnectMultiple (node:net:1677:16) {
        errno: -101,
        code: 'ENETUNREACH',
        syscall: 'connect',
        address: '2603:1047:1:188::5',
        port: 443

And the MeshCentral server can't even start. Also, the IP addresses above are available from the MeshCentral server.

amirukg avatar Jun 28 '24 17:06 amirukg
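Both traces in this thread (the first comment's `InternalOAuthError: Failed to obtain access token` raised from a `TLSSocket` error during the token exchange, and the `OIDC: Discovery failed.` startup error wrapping `ETIMEDOUT` / `ENETUNREACH`) are the server failing to open an outbound HTTPS connection to the identity provider, not an Entra ID permission problem. The following is an added diagnostic example, not code from MeshCentral or from anyone in this thread: it walks a Node.js error chain (`cause` plus `AggregateError.errors`) to name the connect failures and the addresses involved, and it validates an OpenID discovery document for the configured tenant. The `HINTS` table, the function names and the `sampleDiscoveryError()` object (constructed to mirror the trace above, using the same addresses) are this example's own assumptions; Node.js 18 or newer is assumed for `fetch`, `AggregateError` and `Error.cause`.

```javascript
// Added diagnostic example (not MeshCentral code). Assumes Node.js >= 18.

// Plain-language meaning of the connect-level error codes seen in the thread,
// plus a few neighbours an operator commonly meets. Table is this example's own.
const HINTS = {
  ETIMEDOUT: 'TCP connect timed out: outbound HTTPS (443) to the IdP is likely blocked by a firewall or NAT egress rule.',
  ENETUNREACH: 'No route to the address: an IPv6 address was resolved but the host has no IPv6 uplink.',
  ECONNREFUSED: 'Connection refused: something other than the IdP (proxy, local firewall) answered.',
  EAI_AGAIN: 'DNS lookup failed: the server cannot resolve the IdP hostname.',
  ENOTFOUND: 'DNS lookup failed: the server cannot resolve the IdP hostname.',
};

// Recursively collect every OS-level error (has both `code` and `syscall`)
// reachable through `cause` and AggregateError `errors`.
function collectSystemErrors(err, out = []) {
  if (!err || typeof err !== 'object') return out;
  if (err.code && err.syscall) out.push(err);
  if (Array.isArray(err.errors)) err.errors.forEach((e) => collectSystemErrors(e, out));
  if (err.cause) collectSystemErrors(err.cause, out);
  return out;
}

// Summarise an error chain: distinct codes, the address:port targets that
// failed, one hint per code, and whether any network-level failure was found.
function diagnose(err) {
  const sys = collectSystemErrors(err);
  const codes = [...new Set(sys.map((e) => e.code))];
  const targets = sys.filter((e) => e.address).map((e) => `${e.address}:${e.port}`);
  const hints = codes.map((c) => HINTS[c] || `Unrecognised error code ${c}`);
  return { codes, targets, hints, networkFailure: sys.length > 0 };
}

// Check a discovery document against the tenant configured in config.json.
// Azure's v2.0 issuer has the form https://login.microsoftonline.com/<tenant>/v2.0,
// so a document whose issuer names a different tenant is a misconfiguration.
function validateDiscovery(doc, tenantId) {
  const problems = [];
  const required = ['issuer', 'authorization_endpoint', 'token_endpoint', 'jwks_uri'];
  for (const k of required) {
    if (typeof doc[k] !== 'string') problems.push(`missing ${k}`);
    else if (!doc[k].startsWith('https://')) problems.push(`${k} is not https`);
  }
  if (typeof doc.issuer === 'string' && !doc.issuer.includes(`/${tenantId}/`)) {
    problems.push(`issuer ${doc.issuer} does not belong to tenant ${tenantId}`);
  }
  return problems;
}

// Fetch and validate the Azure discovery document for a tenant. `fetchImpl`
// is injectable so the function can be exercised offline with a fake fetch.
async function fetchDiscovery(tenantId, fetchImpl = globalThis.fetch) {
  const url = `https://login.microsoftonline.com/${tenantId}/v2.0/.well-known/openid-configuration`;
  try {
    const res = await fetchImpl(url);
    if (!res.ok) return { ok: false, problems: [`HTTP ${res.status} from ${url}`] };
    const doc = await res.json();
    const problems = validateDiscovery(doc, tenantId);
    return { ok: problems.length === 0, problems, doc };
  } catch (err) {
    const diagnosis = diagnose(err);
    return { ok: false, problems: diagnosis.hints, diagnosis };
  }
}

// Constructed sample: the same shape Node produced in the thread's
// "OIDC: Discovery failed." trace (AggregateError with two connect errors).
function sampleDiscoveryError() {
  const e1 = Object.assign(new Error('connect ETIMEDOUT 20.190.144.163:443'),
    { errno: -110, code: 'ETIMEDOUT', syscall: 'connect', address: '20.190.144.163', port: 443 });
  const e2 = Object.assign(new Error('connect ENETUNREACH 2603:1047:1:188::5:443'),
    { errno: -101, code: 'ENETUNREACH', syscall: 'connect', address: '2603:1047:1:188::5', port: 443 });
  const agg = new AggregateError([e1, e2]);
  agg.code = 'ETIMEDOUT';
  return new Error('OIDC: Discovery failed.', { cause: agg });
}
```

Run `fetchDiscovery('<your tenant id>')` from the MeshCentral host itself: if it returns `networkFailure: true` with `ETIMEDOUT` or `ENETUNREACH`, the fix is on the egress path (firewall, NAT, IPv6 routing), and no amount of changing API permissions in the Entra portal will help; if the document is returned but `validateDiscovery` reports an issuer mismatch, the `tenant_id` in config.json is wrong.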

Is the Azure AD stuff free or cheap to run? I'll have to create my own AD with users etc. then try and replicate your issue, so it might take some time! Any docs/guides on setting it all up?

si458 avatar Jun 28 '24 20:06 si458

I have Entra ID Plan 1, not free. I used https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=certificate and https://ylianst.github.io/MeshCentral/meshcentral/#microsoft-azure-active-directory. In the MeshCentral docs there is nothing about API permission settings, so I used https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-configure-app-access-web-apis

amirukg avatar Jun 29 '24 05:06 amirukg

Update: it works with:

"authStrategies": {
  "azure": {
    "callbackurl": "https://example.com/auth-azure-callback",
    "newAccounts": true,
    "clientid": "CLIENT_ID",
    "clientsecret": "CLIENT_SECRET",
    "tenantid": "TENANT_ID"
  }
}

BUT: if I launch the browser and go to my MeshCentral using the Azure account, it's still "Internal server error". THEN I log in using a local account, immediately log out, log in using the Azure account, and it works! This is a little confusing bug.

amirukg avatar Jul 16 '24 07:07 amirukg

@amirukg please can you email me? (email on my GitHub page) I wonder if you can share creds/test details etc. and I'll have a look at what's going on

si458 avatar Jul 16 '24 08:07 si458

@amirukg are you still having this issue? Did you switch to OIDC? Another post explains that Azure doesn't really work with the azure module anymore as it's old; they succeeded with oidc instead: https://github.com/Ylianst/MeshCentral/issues/5626#issuecomment-2346766842

si458 avatar Sep 13 '24 10:09 si458

Is the Azure AD stuff free or cheap to run? I'll have to create my own AD with users etc. then try and replicate your issue, so it might take some time! Any docs/guides on setting it all up?

Hey @si458, I can happily show you how to set up a free instance of Entra ID (what Azure Active Directory is now named). Let me know how we can connect and I can help walk you through it or just provide resources, whatever you need.

mstrhakr avatar Sep 17 '24 21:09 mstrhakr

@mstrhakr you can email me (check my GitHub profile) or Discord (si458)

But I do already have a free Entra ID, it's linked to my Hotmail account haha [screenshot]

si458 avatar Sep 17 '24 22:09 si458

Hello, sorry, did we fix this issue? I can't remember where we were up to?

si458 avatar Nov 27 '24 11:11 si458

Hi Simon! My company doesn't use Azure anymore, so the problem is not relevant for me now. Thank you!


amirukg avatar Nov 27 '24 12:11 amirukg

@amirukg no worries, I'll close it as completed then! If you use it again and have problems, let us know :)

si458 avatar Nov 27 '24 12:11 si458