Issue 844662

Starred by 4 users

Issue metadata

Status: Verified
Owner:
Closed: Jun 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug




Offline AD token authentication error

Project Member Reported by aghuie@chromium.org, May 18 2018

Issue description

Version of Google Chrome (Wrench-> About Google Chrome): 65.0.3325.184

Able to sign in with AD credentials on AD joined machine but if I switch from network with AD server to a public wifi network, then sign out and sign back in I get a sign-in error message: failed to get authentication token.

 
Cc: rsorokin@chromium.org
Owner: aghuie@chromium.org
If the public wifi network does not have access to the AD server, then this is working as intended. Currently, the token (aka Kerberos ticket or ticket-granting-ticket, TGT) gets deleted on logout for privacy reasons, but we have a plan to fix that, see crbug.com/738433 (it's an OKR for Q2). That way, the ticket would stay valid for about 10 hours. Only then after 10 hours you'd see the token error.
Labels: -Pri-3 Enterprise-Triaged Pri-1
Status: Assigned (was: Unconfirmed)
Let's not show the popup when the server is not available.
In SambaInterface::GetUserStatus, we should try to access the server and return an appropriate error if we can't access the server.
Owner: ljusten@chromium.org
Project Member

Comment 5 by bugdroid1@chromium.org, May 31 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/6fe5cb2ce235ac8e622d65957e31c0dc415f2722

commit 6fe5cb2ce235ac8e622d65957e31c0dc415f2722
Author: Lutz Justen <ljusten@chromium.org>
Date: Thu May 31 03:38:50 2018

authpolicy: Ping server if TGT is not valid

Currently, if the TGT is not valid as the user enters a session (e.g.
after an offline login), Chrome shows a popup that the user has to log
out and back in to get a new TGT. However, if the Active Directory
server is unavailable, this fails and Chrome shows the popup again.

This CL fixes this issue by pinging the server in GetUserStatus() if the
TGT is not valid. If the ping fails, GetUserStatus() returns
ERROR_NETWORK_PROBLEM and Chrome ignores the result and tries again
an hour later.

Also reworded some comments that seemed to indicate that
AuthenticateUser() was never called, even though it was (and failed).

BUG= chromium:844662 
TEST=On an AD enrolled device, log in while offline.
     Chrome should NOT show the popup on login.

Change-Id: I07920dcfcb6bcf5a05ec6d4de29bf57e4efedc1a
Reviewed-on: https://chromium-review.googlesource.com/1072470
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>

[modify] https://crrev.com/6fe5cb2ce235ac8e622d65957e31c0dc415f2722/authpolicy/authpolicy.gyp
[modify] https://crrev.com/6fe5cb2ce235ac8e622d65957e31c0dc415f2722/authpolicy/authpolicy_unittest.cc
[modify] https://crrev.com/6fe5cb2ce235ac8e622d65957e31c0dc415f2722/authpolicy/stub_common.h
[modify] https://crrev.com/6fe5cb2ce235ac8e622d65957e31c0dc415f2722/authpolicy/samba_interface.cc
[modify] https://crrev.com/6fe5cb2ce235ac8e622d65957e31c0dc415f2722/authpolicy/samba_interface.h
[modify] https://crrev.com/6fe5cb2ce235ac8e622d65957e31c0dc415f2722/authpolicy/stub_common.cc
[modify] https://crrev.com/6fe5cb2ce235ac8e622d65957e31c0dc415f2722/authpolicy/stub_net_main.cc
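
The decision logic described in the commit message above, as an added C++ sketch that is not the authpolicy source. Apart from GetUserStatus and ERROR_NETWORK_PROBLEM, every name (TgtState, HandleStatus, ping_server and the enum values) is hypothetical.

```cpp
// Added illustration, not the authpolicy source. Only GetUserStatus and
// ERROR_NETWORK_PROBLEM come from the commit message; other names are hypothetical.
#include <cstdio>
#include <functional>
#include <initializer_list>

enum class TgtState { kValid, kExpired, kNotFound };
enum class Error { kNone, kNetworkProblem };  // kNetworkProblem models ERROR_NETWORK_PROBLEM
enum class ClientAction { kNothing, kShowReloginPopup, kRetryLater };

struct UserStatus {
  Error error;
  TgtState tgt;
};

// Daemon side: the server is pinged only when the TGT is not valid, so a
// session with a usable ticket is never affected by being offline.
UserStatus GetUserStatus(TgtState tgt, const std::function<bool()>& ping_server) {
  if (tgt != TgtState::kValid && !ping_server())
    return {Error::kNetworkProblem, tgt};
  return {Error::kNone, tgt};
}

// Client side: ask for a re-login only when the server is reachable, i.e.
// when logging out and back in could actually obtain a new TGT.
ClientAction HandleStatus(const UserStatus& status) {
  if (status.error == Error::kNetworkProblem)
    return ClientAction::kRetryLater;  // result ignored, checked again later
  if (status.tgt != TgtState::kValid)
    return ClientAction::kShowReloginPopup;
  return ClientAction::kNothing;
}

int main() {
  const char* kActions[] = {"nothing", "show re-login popup", "retry later"};
  const char* kTgt[] = {"valid", "expired", "not found"};
  for (bool reachable : {false, true}) {
    for (TgtState tgt : {TgtState::kValid, TgtState::kExpired, TgtState::kNotFound}) {
      ClientAction a = HandleStatus(GetUserStatus(tgt, [reachable] { return reachable; }));
      std::printf("server %-11s TGT %-9s -> %s\n", reachable ? "reachable" : "unreachable",
                  kTgt[static_cast<int>(tgt)], kActions[static_cast<int>(a)]);
    }
  }
  return 0;
}
```
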

Status: Fixed (was: Assigned)
Status: Verified (was: Fixed)
Verified fixed, on an AD enrolled device, log in while offline - Chrome does NOT show the "relog" popup on login.

Chrome OS: 10798.0.0
Chrome: 69.0.3464.0
Device: Robo
