Workspace App gets HTTP ERROR 500 after MFA Authentication


Hi there!

I'm new and that's my first post ;)

We are going to use the Workspace app in combination with Devolutions Server. We activated SSO as well as MFA (TOTP or YubiKey).
MFA works fine with Remote Desktop Manager, but with the Workspace App (Chrome plugin) we get an Error 500 after MFA authentication.
Logs on Devolutions Server say we authenticated successfully.
After ~2 minutes of waiting, we refresh the "Error 500" page, and that's it: we are successfully logged in!
Every time this happens, I get a strange email about it:

The following error
  was received by at 03/06/2024 07:14:42

  Error:

  InvalidOperationException - The specified principal was rejected because the mandatory subject claim was missing.
  at OpenIddict.Server.OpenIddictServerHandlers.ValidateSignInDemand.HandleAsync(ProcessSignInContext context)
  at OpenIddict.Server.OpenIddictServerDispatcher.DispatchAsync[TContext](TContext context)
  at OpenIddict.Server.OpenIddictServerDispatcher.DispatchAsync[TContext](TContext context)
  at OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandler.SignInAsync(ClaimsPrincipal user, AuthenticationProperties properties)
  at Microsoft.AspNetCore.Authentication.AuthenticationService.SignInAsync(HttpContext context, String scheme, ClaimsPrincipal principal, AuthenticationProperties properties)
  at Devolutions.Server.OAuth.Handler.VerifyRequestHandler.HandleAsync(HandleVerificationRequestContext context)
  at OpenIddict.Server.OpenIddictServerDispatcher.DispatchAsync[TContext](TContext context)
  at OpenIddict.Server.OpenIddictServerDispatcher.DispatchAsync[TContext](TContext context)
  at OpenIddict.Server.OpenIddictServerHandlers.Device.HandleVerificationRequest.HandleAsync(ProcessRequestContext context)
  at OpenIddict.Server.OpenIddictServerDispatcher.DispatchAsync[TContext](TContext context)
  at OpenIddict.Server.OpenIddictServerDispatcher.DispatchAsync[TContext](TContext context)
  at OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandler.HandleRequestAsync()
  at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
  at Devolutions.Server.Middleware.LegacyTokenParserMiddleware.InvokeAsync(HttpContext httpContext)
  at Devolutions.Server.OAuth.Middleware.OAuthTokenParserMiddleware.InvokeAsync(HttpContext httpContext)
  at Microsoft.AspNetCore.ResponseCompression.ResponseCompressionMiddleware.InvokeCore(HttpContext context)
  at Devolutions.Server.Middleware.ReferrerPolicyMiddleware.InvokeAsync(HttpContext httpContext)
  at Devolutions.Server.Middleware.StrictTransportMiddleware.InvokeAsync(HttpContext httpContext)
  at Devolutions.Server.Middleware.XContentTypeOptionsMiddleware.InvokeAsync(HttpContext httpContext)
  at Devolutions.Server.Middleware.XFrameOptionsMiddleware.InvokeAsync(HttpContext httpContext)
  at Devolutions.Server.Middleware.CSPMiddleware.InvokeAsync(HttpContext httpContext)
  at Serilog.AspNetCore.RequestLoggingMiddleware.Invoke(HttpContext httpContext)
  at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware.<Invoke>g__Awaited|6_0(ExceptionHandlerMiddleware middleware, HttpContext context, Task task) --- Default

  Source:

  OpenIddict.Server


Also, I'm a bit confused about the token lifetime. I've set it to 12 hours, but it seems to be a more random value: not infrequently I can log in without MFA the next day!

I hope you can help me with the issues and I am already very grateful!

Best regards

Markus
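The InvalidOperationException in the email above is raised by OpenIddict's sign-in validation, which rejects any ClaimsPrincipal handed to SignIn without a subject (sub) claim. As an added illustration (not Devolutions' or OpenIddict's own code; controller, route and claim sources are assumed), a device-flow verification endpoint that sets the subject claim and fails with a clear OAuth error instead of a generic 500 when it cannot:

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;
using OpenIddict.Abstractions;
using OpenIddict.Server.AspNetCore;
using static OpenIddict.Abstractions.OpenIddictConstants;

// Hypothetical verification endpoint for the OAuth 2.0 device flow, reached
// after the user has passed the interactive SSO + MFA step. Names are made up
// for illustration; this is not Devolutions Server code.
public class VerifyController : Controller
{
    [HttpPost("~/connect/verify")]
    public IActionResult Verify()
    {
        // The identity OpenIddict turns into tokens. Whatever the upstream
        // authentication (domain SSO, TOTP, YubiKey) produced, the stable
        // user identifier must end up in the "sub" claim, or
        // ValidateSignInDemand throws exactly the exception in the email.
        var identity = new ClaimsIdentity(
            authenticationType: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
            nameType: Claims.Name,
            roleType: Claims.Role);

        identity.SetClaim(Claims.Subject, User.FindFirstValue(ClaimTypes.NameIdentifier))
                .SetClaim(Claims.Name, User.Identity?.Name);

        // Defensive check: return a proper OAuth error response rather than
        // letting the sign-in pipeline throw and surface as HTTP 500.
        if (string.IsNullOrEmpty(identity.FindFirst(Claims.Subject)?.Value))
        {
            var props = new AuthenticationProperties(new Dictionary<string, string?>
            {
                [OpenIddictServerAspNetCoreConstants.Properties.Error] = Errors.ServerError,
                [OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] =
                    "The authenticated user has no subject identifier."
            });
            return Forbid(props, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
        }

        // Copy the claims into the issued access token.
        identity.SetDestinations(_ => new[] { Destinations.AccessToken });

        return SignIn(new ClaimsPrincipal(identity),
            new AuthenticationProperties { RedirectUri = "/" },
            OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
    }
}
```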

All Comments (4)


Hi,

What is your Devolutions Server version?

By SSO, do you mean the “Domain Single Sign-On”?

For the 12 hours token lifetime, you mean that after 12 hours you indeed are disconnected from Devolutions Workspace, but when you try to log in again later with "Domain Single Sign-On" the MFA is not asked and it goes directly to the error 500 page?

Best regards,

Olivier Désalliers


Hi!

Yes, I mean Domain SSO.
Workspace 2024.1.0.3
Server 2023.3.14.0
RDM 2023.3.39.0

Token lifetime is not related to the error 500 problem. From time to time, I'm able to log on via SSO without MFA after 12 hours, regardless of whether it is RDM or Workspace.

Thanks a lot!


Hello,

I have been able to reproduce the issue with DVLS version 2023.3.14 and Workspace 2024.1.0.3.

Once I updated DVLS to the latest version, 2024.1.4, I could connect without any issue using SSO and a TOTP.

We suggest installing Devolutions Server in a staging environment before deploying it in your production environment.

Second, we recommend that you follow the instructions on this online help page to perform the DPS upgrade.

We also offer a free remote session to assist you during the upgrade process of your DVLS instance. If you want to book a session, please open a ticket at service@devolutions.net, and we will send you a link to our online reservation system.

Best regards,

Érica Poirier


Hi Erica!

Thank you very much for your fast response!

I'm going to upgrade next week. Our Devolutions setup is still in a pre-production state, testing with key users ;-)

I'll give feedback after upgrading.

Best regards,

Markus