Saved credentials not working and not visible across users #5994

Closed
suiciety opened this issue Apr 5, 2024 · 20 comments · Fixed by #6001

suiciety commented Apr 5, 2024

Describe the bug
When a user saves a credential against a local device (RDP/SSH etc.) it is not able to be used. When trying to use the saved credential MC just shows 'Setup....' and gets stuck there. This is regardless of whether the user is an administrator or a user.

Strangely the primary admin user created when MC was set up does not have that issue.

In addition to that we have set the allowSavingDeviceCredentials parameter to true, however credentials are not available to other users.

To Reproduce
Steps to reproduce the first behaviour:

  1. Select a computer from the no agent group
  2. Click on Connect -> Enter credentials and click Save credentials
  3. The remote session connects successfully and the credential shows as saved against the device
  4. Press 'Disconnect'
  5. Press 'Reconnect'
  6. Connection status gets stuck at 'Setup'..... and never connects
    NOTE: If you are logged in as the primary admin everything works as expected when disconnecting/reconnecting.

Steps to reproduce the second behavior:

  1. Select a computer from the no agent group
  2. Click on Connect -> Enter credentials and click Save credentials
  3. The remote session connects successfully and the credential shows against the device
  4. Log in as a different user
  5. No saved credential is shown

Expected behavior
When saving a credential it should be available across users and sessions should be able to reconnect with those credentials.

Extra info
All users are set as Administrators of this specific local device group via a user Group which is added when they login via Azure. I have tried to delete and re-create the device as other users and saving/re-using the credentials. I have also created a regular MC user but it doesn't make any difference.

Screenshots
image
image
Just gets stuck on 'Setup ...' unless you are the primary admin created when MC was installed where it works as expected.
image
Logging in as another user shows that there are also no saved credentials regardless of who saved the credential (including the primary admin)
image

Server Software (please complete the following information):

  • OS: Ubuntu 22.04
  • Virtualization: Azure VM
  • Network: SSL Offload (NetIQ Access Gateway)
  • Version: 1.1.22
  • Node: 20.12.0

Client Device (please complete the following information):

  • Device: Any
  • OS: Any
  • Network: WAN
  • Browser: Tested Edge and Firefox

Remote Device (please complete the following information):

  • Device: Windows server and SSH to switches, Linux boxes
  • OS: Windows , physical devices
  • Network: Azure site-site corporate VPN (transparent to devices)
  • Current Core Version (if known): N/A doing agentless connect

Your config.json file

{
    "$schema": "https://raw.githubusercontent.com/Ylianst/MeshCentral/master/meshcentral-config-schema.json",
    "settings": {
        "cert": "***",
        "TLSOffload": "***",
        "trustedProxy": "***",
        "agentTimeStampServer": false,
        "webRTC": true,
        "selfUpdate": true,
        "amtManager": false,
        "wsCompression": true,
        "agentWsCompression": true,
        "compression": true,
        "MongoDb": "mongodb://127.0.0.1:27017/meshcentral",
        "_ignoreagenthashcheck": true
    },
    "domains": {
        "": {
            "title": "***",
            "loginPicture": "***",
            "titlePicture": "***",
            "trustedCert": true,
            "allowSavingDeviceCredentials": true,
            "loginfooter": "***",
            "nightMode": 1,
            "welcomePicture": "backgroundpeak.png",
            "_rootRedirect": "***",
            "unknownUserRootRedirect": "***",
            "_showPasswordLogin": false,
            "minify": true,
            "allowedOrigin": [
                "rmm.***",
                "*.***"
            ],
            "autoRemoveInactiveDevices": 190,
            "deviceSearchBarServerAndCilentName": true,
            "agentFileInfo": {
                "icon": "merici.ico",
                "fileDescription": "***",
                "productName": "***"
            },
            "agentCustomization": {
                "displayName": "***",
                "description": "***",
                "companyName": "***",
                "serviceName": "***",
                "image": "***",
                "installText": "***",
                "filename": "***",
                "backgroundColor": "#0e3468"
            },
            "ipkvm": true,
            "ssh": true,
            "userNameIsEmail": true,
            "newAccountEmailDomains": "***",
            "authStrategies": {
                "azure": {
                    "callbackurl": "https://***/auth-azure-callback",
                    "newAccounts": true,
                    "newAccountsUserGroups": [
                        "ugrp//***"
                    ],
                    "clientid": "***",
                    "clientsecret": "***",
                    "tenantid": "***"
                }
            },
            "meshMessengerTitle": "***t",
            "meshMessengerPicture": "***.png"
        }
    }
}
@suiciety suiciety added the bug label Apr 5, 2024
Collaborator

si458 commented Apr 5, 2024

Try changing webrtc to false, restart meshcentral and try again
There are sometimes bugs with webrtc

Edit. Also change any compression in ur config.json to false too

Author

suiciety commented Apr 5, 2024

Just tried those settings and no change in behaviour.

Author

suiciety commented Apr 5, 2024

The connections and credentials definitely work, I can go in and out all day typing them in just not when saved, and when they are saved they are not appearing for other users.

The reason I want to make sure it's working is so that my support agents won't necessarily need to know the specific accounts for certain systems and are logged in automatically.

Collaborator

si458 commented Apr 5, 2024

can you use the normal connect button and see the desktop?

edit: also what is the username you are trying to login with? is it AzureAD\USERNAME or just normal Administrator

Author

suiciety commented Apr 5, 2024

These are local only devices (no agent).

Collaborator

si458 commented Apr 5, 2024

ok so daft question (i have to ask), firewall, port 3389 open on nodes? both tcp+udp?
can meshcentral telnet to ports 3389 and get a reply?

edit: also what is the username you are trying to login with? is it AzureAD\USERNAME or just normal Administrator

Author

suiciety commented Apr 5, 2024

No firewall in between, it's a site-site VPN with full routing.

I can press the button and manually enter in the login details no problem and it will connect straight away so there is nothing stopping the connection. Whether it's SSH credentials to a switch or Domain RDP login ( local domain\username ) it all works when manually entering in credentials.

The problem is that ticking the save credential option then trying to use the saved credential doesn't work. It just shows 'Setup ... ' . Doesn't matter what the device is.

The saved credentials also don't appear for other users even when the config option is set.

The only user that the saved credentials seem to work reliably for is the default first admin account created when MC was first set up.

Collaborator

si458 commented Apr 5, 2024

Ahhh right ok so it works with manual entering the details!
Sorry had a long week, brains cabbaged.
The only thing I can think of is userNameIsEmail: true
As there was a bug the other week which @Ylianst said he fixed for this and saving credentials
So it might be broken again!
Will have a look when I get chance

Collaborator

si458 commented Apr 5, 2024

can u share a user id example for me plz? get it from the user panel when u select a user

Author

suiciety commented Apr 5, 2024

It's affecting all users, either manually created or auto-provisioned via Azure.
My Account
image

A manually created account.
image

Accounts are added to an IT Group that has the machine group permissions set.

Collaborator

si458 commented Apr 5, 2024

I will try and have a look over the weekend.
Sadly I don't use azure at all, not even a 365 home account, so it's gunna be hard for me to verify it!
As it works perfectly fine here, but I'm not using authStrategies which I think is why this bug is happening!
Maybe my Google oauth might trigger the same problem?
As I seem to remember this problem was because of the @ symbol in the username #5833

Collaborator

si458 commented Apr 5, 2024

@suiciety can u test this comment for me?
#5833 (comment)
Try a username without a fullstop in? And see if it saves?

Author

suiciety commented Apr 5, 2024

Creating a user without an @ or . works for connecting and re-connecting with the saved credentials. I will check if the credential works across users.

Collaborator

si458 commented Apr 5, 2024

@suiciety thanks! It just helps me narrow down the issue.

Author

suiciety commented Apr 8, 2024

I've checked other user accounts and the saved credential is still not appearing across users but does now work reliably for that user.

The Azure users are still a no-go. Would adjusting the claim that's sent to not be the email address help?

I could also change over to SAML2 and test that as an option?

Collaborator

si458 commented Apr 8, 2024

it seems #5833 has resurfaced!
created a new domain, set userNameIsEmail: true, added local group, added host, connect ssh (save creds), doesnt actually save in nedb!
so im guessing its not saving in other DBs correctly now either?

Collaborator

si458 commented Apr 8, 2024

well i found a bug, i could add the credentials but not remove them 😆 but fixed that 👍
now it seems to be saving the credentials correctly, but it just thinks there is none saved? 😕
so trying to find the line where it does this! 👊

Collaborator

si458 commented Apr 8, 2024

@suiciety i think ive fixed it with PR #6001
basically it was escaping the data correctly into the DBs (to handle fullstops)
but then when it read the database for details, it wasnt unescaping the data,
so when comparing user/testing123/simon@mydomain%2Ecom isnt the same as user/testing123/simon@mydomain.com
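
The mismatch described in the comment above, as an added example that is not part of the thread and is not MeshCentral's code: a credential is stored under an escaped user ID, and the lookup only succeeds when the stored key is unescaped before it is compared. The helper names, the `creds` field and the sample record are assumptions made for illustration.

```javascript
// Added illustration: helper names and the node layout are assumptions, not MeshCentral's code.
// Some document stores restrict '.' and '$' in field names, so user IDs used as keys are escaped.
const ENC = { '%': '%25', '.': '%2E', '$': '%24' };
const DEC = { '%25': '%', '%2E': '.', '%24': '$' };

function escapeFieldName(name) {
  return name.replace(/[%.$]/g, (c) => ENC[c]);
}

function unescapeFieldName(name) {
  // Single pass, so an escaped '%' is never decoded twice.
  return name.replace(/%(25|2E|24)/g, (m) => DEC[m]);
}

function saveCredential(node, userId, cred) {
  node.creds = node.creds || {};
  node.creds[escapeFieldName(userId)] = cred;
}

// Read path as described in the thread: the stored key is compared as-is.
function findCredentialRaw(node, userId) {
  const key = Object.keys(node.creds || {}).find((k) => k === userId);
  return key === undefined ? null : node.creds[key];
}

// Read path that applies the inverse transform before comparing.
function findCredential(node, userId) {
  const key = Object.keys(node.creds || {}).find((k) => unescapeFieldName(k) === userId);
  return key === undefined ? null : node.creds[key];
}

function demo() {
  const node = {}; // constructed sample device record
  const dotted = 'user/testing123/simon@mydomain.com';
  const plain = 'user/testing123/simon';
  saveCredential(node, dotted, { proto: 'ssh', secret: '<placeholder>' });
  saveCredential(node, plain, { proto: 'ssh', secret: '<placeholder>' });
  return {
    storedKeys: Object.keys(node.creds),
    rawDotted: findCredentialRaw(node, dotted),
    rawPlain: findCredentialRaw(node, plain),
    fixedDotted: findCredential(node, dotted),
  };
}

console.log(demo());
```

The user ID without a dot is found by both read paths, which matches the observation earlier in the thread that a username without `@` or `.` could reconnect with its saved credential.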

@suiciety
Author

Thanks,

Should this also resolve the other problem with the saved credentials not being available between users?

Collaborator

si458 commented Apr 10, 2024

@suiciety erm think so? Didn't check! Doh! Will have a look later
