Comments (16)
I'm very glad to hear this. As you can see from 2cf0507, I added a couple helpful messages which I hope will be useful to other users who run into similar problems.
I'll tweak the title slightly and close.
I'm also going to use this issue as an illustration of how to provide useful, well-formatted, detailed information to debug a problem. Many thanks!
from gp-saml-gui.
gp-saml-gui with --gateway gives me the following error:
Looking for SAML auth tags in response to https://remote.corp.com/ssl-vpn/prelogin.esp...
usage: gp-saml-gui.py [-h] [--no-verify] [-C COOKIES | -K] [-p | -g] [-c CERT]
[--key KEY] [-v] [-x] [-u]
server [extra [extra ...]]
gp-saml-gui.py: error: This does not appear to be a SAML prelogin response (<saml-auth-method> or <saml-request> tags missing)
You suggested to use --portal while generating that first cookie.
Other than that, I've used this command:
echo "$COOKIE" | openconnect --protocol=gp -u "$USER" --passwd-on-stdin "$HOST" -vvv --dump --usergroup=gateway:prelogin-cookie --os="win"
If you're willing to email me the real server name, privately, it may help me improve the accuracy of what-vpn
You should've received an email. 👍
from gp-saml-gui.
If you're willing to email me the real server name, privately, it may help me improve the accuracy of what-vpn
You should've received an email. 👍
Thanks, this is very helpful. 💯
- Above you showed the POST /ssl-vpn/prelogin.esp?foo=bar&blah=blahblah&host-id=asdflkjasdfasdf response from your server. That's the gateway prelogin. And it included SAML tags.
- But when I simply do curl -XGET 'https://YOUR_SERVER/ssl-vpn/prelogin.esp', I get no SAML tags.

So what is the difference? Is it GET vs. POST? No. Is it including the host-id in the query? No. Apparently, including clientos=Windows in the query is required to trigger the SAML tags.

curl -XGET 'https://YOUR_SERVER/ssl-vpn/prelogin.esp'
curl -XGET 'https://YOUR_SERVER/ssl-vpn/prelogin.esp?clientos=Linux'
curl -XGET 'https://YOUR_SERVER/ssl-vpn/prelogin.esp?clientos=Mac'
→ No SAML tags

curl -XGET 'https://YOUR_SERVER/ssl-vpn/prelogin.esp?clientos=Windows'
→ Yes SAML tags
Please pull the latest version, and try running as below. If we're really lucky (😅), this will produce a prelogin-esp cookie that lets you authenticate to the gateway successfully:
$ ./gp-saml-gui.py -v --clientos=Windows --gateway 'https://YOUR_SERVER'
from gp-saml-gui.
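The clientos-dependent behaviour described in the comment above can be checked offline by parsing the prelogin-response XML and applying the same test that gp-saml-gui's error message ("<saml-auth-method> or <saml-request> tags missing") implies. The Python below is an added example written for this page, not code from gp-saml-gui, OpenConnect or Palo Alto Networks. Both sample responses are constructed: the password-form one mirrors the 424-byte <prelogin-response> dumped elsewhere in this thread, while the SAML one is hypothetical and carries PLACEHOLDER_BASE64 in place of a real saml-request payload. The names prelogin_url, parse_prelogin, saml_check and probe_variants are chosen here, and the gateway (/ssl-vpn) versus portal (/global-protect) paths follow the thread's description of the two interfaces.

```python
import xml.etree.ElementTree as ET
from typing import Dict, NamedTuple, Optional

# Constructed sample (modelled on the 424-byte <prelogin-response> dumped in
# this thread): the plain username/password form the gateway returns for
# clientos=Linux or clientos=Mac. No SAML tags are present.
PASSWORD_FORM = """<?xml version="1.0" encoding="UTF-8" ?>
<prelogin-response>
<status>Success</status>
<ccusername></ccusername>
<autosubmit>false</autosubmit>
<msg></msg>
<newmsg></newmsg>
<license>yes</license>
<authentication-message>Enter login credentials</authentication-message>
<username-label>Username</username-label>
<password-label>Password</password-label>
<panos-version>1</panos-version><region>DE</region>
</prelogin-response>"""

# Constructed, hypothetical sample of the SAML REDIRECT prelogin response the
# thread reports for clientos=Windows. The real base64 saml-request payload is
# not shown on the page, so PLACEHOLDER_BASE64 stands in for it.
SAML_REDIRECT = """<?xml version="1.0" encoding="UTF-8" ?>
<prelogin-response>
<status>Success</status>
<ccusername></ccusername>
<autosubmit>false</autosubmit>
<msg></msg>
<newmsg></newmsg>
<license>yes</license>
<saml-auth-method>REDIRECT</saml-auth-method>
<saml-request>PLACEHOLDER_BASE64</saml-request>
<panos-version>1</panos-version><region>DE</region>
</prelogin-response>"""

# Which constructed response each clientos value is assumed to produce.
RESPONSES: Dict[str, str] = {"Linux": PASSWORD_FORM, "Mac": PASSWORD_FORM,
                             "Windows": SAML_REDIRECT}


class PreloginInfo(NamedTuple):
    status: str
    saml_method: Optional[str]   # e.g. "REDIRECT"; None when the tag is absent
    saml_request: Optional[str]  # opaque payload; None when the tag is absent
    message: str                 # <authentication-message>, if any


def prelogin_url(server: str, clientos: str, portal: bool = False) -> str:
    """Prelogin URL for the gateway (/ssl-vpn) or portal (/global-protect)
    interface, carrying the clientos parameter this thread found to matter."""
    interface = "global-protect" if portal else "ssl-vpn"
    return f"https://{server}/{interface}/prelogin.esp?clientos={clientos}"


def parse_prelogin(xml_text: str) -> PreloginInfo:
    """Parse a <prelogin-response> document; raise ValueError on any other root."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "prelogin-response":
        raise ValueError(f"unexpected root element <{root.tag}>")

    def text(tag: str) -> Optional[str]:
        el = root.find(tag)
        if el is None or not (el.text or "").strip():
            return None
        return el.text.strip()

    return PreloginInfo(status=text("status") or "",
                        saml_method=text("saml-auth-method"),
                        saml_request=text("saml-request"),
                        message=text("authentication-message") or "")


def saml_check(info: PreloginInfo) -> Optional[str]:
    """None when the response is a usable SAML prelogin; otherwise the reason,
    phrased like the gp-saml-gui error quoted in this thread."""
    if info.status != "Success":
        return f"prelogin status was {info.status!r}, not Success"
    if info.saml_method is None or info.saml_request is None:
        return ("This does not appear to be a SAML prelogin response "
                "(<saml-auth-method> or <saml-request> tags missing)")
    return None


def probe_variants(responses: Dict[str, str]) -> Dict[str, bool]:
    """Map each clientos value to whether its prelogin response carries SAML tags."""
    return {clientos: saml_check(parse_prelogin(body)) is None
            for clientos, body in responses.items()}


if __name__ == "__main__":
    for clientos, body in RESPONSES.items():
        verdict = saml_check(parse_prelogin(body))
        print(prelogin_url("vpn.example.test", clientos))
        print(f"  -> {'SAML tags present' if verdict is None else verdict}")
```

Against a live server the same parser would be fed the body of each GET shown in the comment above; the point of keeping the responses constructed here is that the detection rule (both tags present, status Success) can be unit-tested without touching any VPN.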
Yayyy, it works 🎉
Running first eval $( ./gp-saml-gui.py -vvv --clientos=Windows --gateway remote.corp.com )
and then echo "$COOKIE" | sudo -E openconnect --protocol=gp -u "$USER" --passwd-on-stdin "$HOST" -vvv --dump --usergroup=gateway:prelogin-cookie --os="win"
I'm connected to our infra 👍
Thank you very much and well done 👏
If you need more information and verbose logs in order to improve stuff, just ask me and I will provide them.
Should I rename this issue, so people can see that it's related to SAML Login with Microsoft AD?
And I think it can be closed now.
from gp-saml-gui.
Do you have any idea why I'm getting that message?
GP VPNs are dumb. They have two different entry points through which the user can authenticate: the gateway interface (/ssl-vpn) and the portal interface (/global-protect). The portal interface is the one that the official clients always start with, but the gateway interface is the one that does all the actual work.
It's quite likely that your VPN only has SAML REDIRECT authentication set up on the portal interface, not the gateway interface. Try using gp-saml-gui --portal?
(Note that one other consequence of this situation is that it's possible, though not guaranteed, that you can use OpenConnect to connect directly to the gateway interface using an ordinary username/password without SAML.)
Your other tool (what-vpn) gives me the following information (ran it three times, and gave me three different(?) responses):
Good timing. I just pushed a couple changes to what-vpn, which make the order predictable here, and also will clarify which interface(s) use SAML:
For example, this response shows that only the portal—not the gateway—expects login via SAML:
$ what_vpn vpn.corp.com
vpn.corp.com: PAN GlobalProtect (gateway+portal+portal wants SAML REDIRECT)
from gp-saml-gui.
Just tested with --portal. I can login now: I'm getting that small window to enter my Azure AD credentials.
After successful login, I see the following:
<html><body>Login Successful!</body><!-- <saml-auth-status>1</saml-auth-status><prelogin-cookie>/isolonggibberishwodsandsoon+lsjfijowfe/hadsfjölsajf</prelogin-cookie><saml-username>[email protected]</saml-username><saml-slo>yes</saml-slo> --></html>
[SAML ] Got all required SAML headers, done.
SAML response converted to OpenConnect command line invocation:
echo /isolonggibberishwodsandsoon+lsjfijowfe/hadsfjölsajf |
openconnect --protocol=gp [email protected] --usergroup=portal:prelogin-cookie --passwd-on-stdin remote.company.com
SAML response converted to test-globalprotect-login.py invocation:
test-globalprotect-login.py [email protected] -p '' \
https://remote.company.com/global-protect/getconfig.esp prelogin-cookie=/isolonggibberishwodsandsoon+lsjfijowfe/hadsfjölsajf
When i run that first command, i get the following:
POST https://remote.company.com/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Connected to 1.2.3.4:443
SSL negotiation with remote.company.com
Connected to HTTPS on remote.company.com
Enter login credentials
POST https://remote.company.com/global-protect/getconfig.esp
Got HTTP response: HTTP/1.1 512 Custom error
Unexpected 512 result from server
Enter login credentials
Username: fgets (stdin): Resource temporarily unavailable
what-vpn gives me the following output now:
remote.company.com: PAN GlobalProtect (portal+portal wants SAML REDIRECT+gateway)
from gp-saml-gui.
First of all, when debugging this you should use gp-saml-gui -vv and also openconnect -vvv --dump to turn up the log verbosity to the max. This may give some helpful clues.
I see that your VPN is returning a cookie called prelogin-cookie. In my limited experience, this cookie is always used for authentication to the gateway, not the portal. However, the script can't currently auto-detect this.
So you should try changing --usergroup=portal:prelogin-cookie → --usergroup=gateway:prelogin-cookie in your openconnect invocation.
If that makes a difference please let me know; perhaps I should change the script to do this automatically.
from gp-saml-gui.
I've enabled debugging now:
gp-saml-gui
eval $( ./gp-saml-gui.py -vv remote.company.com --portal )
Looking for SAML auth tags in response to https://remote.company.com/global-protect/prelogin.esp...
Got SAML REDIRECT, opening browser...
[REQUEST] GET for resource xxx
[PAGE ] Finished loading page xxx
[REQUEST] POST for resource https://remote.company.com/SAML20/SP/ACS
[PAGE ] Finished loading page https://remote.company.com/SAML20/SP/ACS
[SAML ] Got SAML result headers: {'saml-username': '[email protected]', 'prelogin-cookie': '1wYH76xMHGkSRan12UatBTIqgTpQSip1OuwjX1e7hSZJINvBVAkrU4T+s9mcmqC6', 'saml-slo': 'yes', 'saml-auth-status': '1'}
[DATA ] 276 bytes of text/html; charset=UTF-8 for resource https://remote.company.com/SAML20/SP/ACS
Date: Fri, 13 Mar 2020 19:50:22 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 276
Connection: keep-alive
ETag: "19c25bf5ac26"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block;
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
saml-username: [email protected]
prelogin-cookie: 1wYH76xMHGkSRan12UatBTIqgTpQSip1OuwjX1e7hSZJINvBVAkrU4T+s9mcmqC6
saml-slo: yes
saml-auth-status: 1
Strict-Transport-Security: max-age=31536000;
<html><body>Login Successful!</body><!-- <saml-auth-status>1</saml-auth-status><prelogin-cookie>1wYH76xMHGkSRan12UatBTIqgTpQSip1OuwjX1e7hSZJINvBVAkrU4T+s9mcmqC6</prelogin-cookie><saml-username>[email protected]</saml-username><saml-slo>yes</saml-slo> --></html>
[SAML ] Got all required SAML headers, done.
SAML response converted to OpenConnect command line invocation:
echo 1wYH76xMHGkSRan12UatBTIqgTpQSip1OuwjX1e7hSZJINvBVAkrU4T+s9mcmqC6 |
openconnect --protocol=gp [email protected] --usergroup=portal:prelogin-cookie --passwd-on-stdin remote.company.com
SAML response converted to test-globalprotect-login.py invocation:
test-globalprotect-login.py [email protected] -p '' \
https://remote.company.com/global-protect/getconfig.esp prelogin-cookie=1wYH76xMHGkSRan12UatBTIqgTpQSip1OuwjX1e7hSZJINvBVAkrU4T+s9mcmqC6
running openconnect
echo 1wYH76xMHGkSRan12UatBTIqgTpQSip1OuwjX1e7hSZJINvBVAkrU4T+s9mcmqC6 | openconnect --protocol=gp [email protected] --usergroup=portal:prelogin-cookie --passwd-on-stdin remote.company.com -vvv --dump
POST https://remote.company.com/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Attempting to connect to server 1.2.3.49:443
Connected to 1.2.3.49:443
SSL negotiation with remote.company.com
Connected to HTTPS on remote.company.com
> POST /global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux HTTP/1.1
> Host: remote.company.com
> User-Agent: PAN GlobalProtect
>
Got HTTP response: HTTP/1.1 200 OK
Date: Fri, 13 Mar 2020 19:55:40 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 401
Connection: keep-alive
ETag: "d7a5bf5ac26"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=b318874f7b5fc10a5ea7946db415bff2; secure; HttpOnly
Set-Cookie: PHPSESSID=b318874f7b5fc10a5ea7946db415bff2; secure; HttpOnly
Set-Cookie: PHPSESSID=b318874f7b5fc10a5ea7946db415bff2; secure; HttpOnly
Set-Cookie: PHPSESSID=b318874f7b5fc10a5ea7946db415bff2; secure; HttpOnly
Set-Cookie: PHPSESSID=b318874f7b5fc10a5ea7946db415bff2; secure; HttpOnly
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block;
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length: (401)
< <?xml version="1.0" encoding="UTF-8" ?>
< <prelogin-response>
< <status>Success</status>
< <ccusername></ccusername>
< <autosubmit>false</autosubmit>
< <msg></msg>
< <newmsg></newmsg>
< <authentication-message>Enter login credentials</authentication-message>
< <username-label>Username</username-label>
< <password-label>Password</password-label>
< <panos-version>1</panos-version><region>DE</region>
< </prelogin-response>
Login form: "Username: " user(TEXT)=(null), "prelogin-cookie: " prelogin-cookie(PASSWORD)
Enter login credentials
POST https://remote.company.com/global-protect/getconfig.esp
> POST /global-protect/getconfig.esp HTTP/1.1
> Host: remote.company.com
> User-Agent: PAN GlobalProtect
> Cookie: PHPSESSID=b318874f7b5fc10a5ea7946db415bff2
> X-Pad: 0000000000000000000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 271
>
> jnlpReady=jnlpReady&ok=Login&direct=yes&clientVer=4100&prot=https:&clientos=Linux&os-version=linux-64&server=remote.company.com&computer=pluto&user=user.user%40company.com&prelogin-cookie=1wYH76xMHGkSRan12UatBTIqgTpQSip1OuwjX1e7hSZJINvBVAkrU4T%2bs9mcmqC6
Got HTTP response: HTTP/1.1 512 Custom error
Date: Fri, 13 Mar 2020 19:55:40 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 0
Connection: keep-alive
ETag: "7875bf5ac26"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
x-private-pan-globalprotect-extension: auth-failed-password-empty
x-private-pan-globalprotect: auth-failed
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=b318874f7b5fc10a5ea7946db415bff2; secure; HttpOnly
HTTP body length: (0)
Unexpected 512 result from server
Enter login credentials
Username: fgets (stdin): Resource temporarily unavailable
running openconnect with your recommendation:
echo 1wYH76xMHGkSRan12UatBTIqgTpQSip1OuwjX1e7hSZJINvBVAkrU4T+s9mcmqC6 | openconnect --protocol=gp [email protected] --usergroup=gateway:prelogin-cookie --passwd-on-stdin remote.company.com -vvv --dump
POST https://remote.company.com/ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Attempting to connect to server 1.2.3.49:443
Connected to 1.2.3.49:443
SSL negotiation with remote.company.com
Connected to HTTPS on remote.company.com
> POST /ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux HTTP/1.1
> Host: remote.company.com
> User-Agent: PAN GlobalProtect
>
Got HTTP response: HTTP/1.1 200 OK
Date: Fri, 13 Mar 2020 19:58:55 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 424
Connection: keep-alive
ETag: "e185bf5ac26"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=d27ede5efbed0bdd60179e82e993160b; secure; HttpOnly
Set-Cookie: PHPSESSID=d27ede5efbed0bdd60179e82e993160b; secure; HttpOnly
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block;
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length: (424)
< <?xml version="1.0" encoding="UTF-8" ?>
< <prelogin-response>
< <status>Success</status>
< <ccusername></ccusername>
< <autosubmit>false</autosubmit>
< <msg></msg>
< <newmsg></newmsg>
< <license>yes</license>
< <authentication-message>Enter login credentials</authentication-message>
< <username-label>Username</username-label>
< <password-label>Password</password-label>
< <panos-version>1</panos-version><region>DE</region>
< </prelogin-response>
Login form: "Username: " user(TEXT)=(null), "prelogin-cookie: " prelogin-cookie(PASSWORD)
Enter login credentials
POST https://remote.company.com/ssl-vpn/login.esp
> POST /ssl-vpn/login.esp HTTP/1.1
> Host: remote.company.com
> User-Agent: PAN GlobalProtect
> Cookie: PHPSESSID=d27ede5efbed0bdd60179e82e993160b
> X-Pad: 0000000000000000000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 271
>
> jnlpReady=jnlpReady&ok=Login&direct=yes&clientVer=4100&prot=https:&clientos=Linux&os-version=linux-64&server=remote.company.com&computer=pluto&user=user.name%40company.com&prelogin-cookie=1wYH76xMHGkSRan12UatBTIqgTpQSip1OuwjX1e7hSZJINvBVAkrU4T%2bs9mcmqC6
Got HTTP response: HTTP/1.1 512 Custom error
Date: Fri, 13 Mar 2020 19:58:55 GMT
Content-Type: text/html
Content-Length: 128
Connection: keep-alive
ETag: "23605bf5ac26"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
x-private-pan-sslvpn: auth-failed
x-private-pan-sslvpn-extension: auth-failed-password-empty
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=d27ede5efbed0bdd60179e82e993160b; secure; HttpOnly
Set-Cookie: PHPSESSID=d27ede5efbed0bdd60179e82e993160b; secure; HttpOnly
HTTP body length: (128)
<
< var respStatus = "Error";
< var respMsg = "Authentication failure: Invalid username or password";
< thisForm.inputStr.value = "";
<
Unexpected 512 result from server
Enter login credentials
Username: fgets (stdin): Resource temporarily unavailable
from gp-saml-gui.
It appears that you tried sending the cookie to the portal, got an authentication error, and then sent the same cookie to the gateway and again got an authentication error.
You should generate a new cookie (prelogin-cookie) before each attempt to use it.
I'm not exactly sure how the GlobalProtect servers synchronize and enforce this, but each prelogin-cookie is accepted at most once. Even if something else goes wrong, it gets invalidated.
from gp-saml-gui.
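The diagnosis in the comment above (the same prelogin-cookie was submitted first to the portal's getconfig.esp and then to the gateway's login.esp, each answered with a 512 and an x-private-pan-* auth-failed header) is the kind of thing worth pulling out of an openconnect -vvv --dump log automatically rather than by eye. The Python below is an added example for this page, not part of openconnect or gp-saml-gui. It runs over a constructed dump excerpt modelled on the log posted earlier in the thread (host, user, session id and cookie value are placeholders), classifies each POST by interface from its path, records the HTTP status and any x-private-pan-* failure headers, and warns when one prelogin-cookie value is sent more than once. The names parse_dump, cookie_reuse and triage are chosen here.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed excerpt modelled on the openconnect -vvv --dump output posted in
# this thread. Host, user, session id and cookie value are placeholders; the
# same cookie is deliberately sent to the portal and then to the gateway.
SAMPLE_DUMP = """\
POST https://vpn.example.test/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
> POST /global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux HTTP/1.1
> Host: vpn.example.test
>
Got HTTP response: HTTP/1.1 200 OK
Content-Type: application/xml; charset=UTF-8
Set-Cookie: PHPSESSID=0000000000000000; secure; HttpOnly
Login form: "Username: " user(TEXT)=(null), "prelogin-cookie: " prelogin-cookie(PASSWORD)
POST https://vpn.example.test/global-protect/getconfig.esp
> POST /global-protect/getconfig.esp HTTP/1.1
> Host: vpn.example.test
> Cookie: PHPSESSID=0000000000000000
>
> jnlpReady=jnlpReady&ok=Login&direct=yes&clientVer=4100&clientos=Linux&user=alice%40example.test&prelogin-cookie=COOKIE_A%2bxyz
Got HTTP response: HTTP/1.1 512 Custom error
x-private-pan-globalprotect-extension: auth-failed-password-empty
x-private-pan-globalprotect: auth-failed
Unexpected 512 result from server
POST https://vpn.example.test/ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Got HTTP response: HTTP/1.1 200 OK
POST https://vpn.example.test/ssl-vpn/login.esp
> POST /ssl-vpn/login.esp HTTP/1.1
> Host: vpn.example.test
>
> jnlpReady=jnlpReady&ok=Login&direct=yes&clientVer=4100&clientos=Linux&user=alice%40example.test&prelogin-cookie=COOKIE_A%2bxyz
Got HTTP response: HTTP/1.1 512 Custom error
x-private-pan-sslvpn: auth-failed
x-private-pan-sslvpn-extension: auth-failed-password-empty
Unexpected 512 result from server
"""


@dataclass
class Attempt:
    url: str
    interface: str                                   # "portal", "gateway" or "unknown"
    status: Optional[int] = None                     # HTTP status of the response
    reasons: List[str] = field(default_factory=list)  # x-private-pan-* header values
    cookie: Optional[str] = None                     # prelogin-cookie sent in the form body


POST_RE = re.compile(r"^POST (https?://\S+)")
STATUS_RE = re.compile(r"^Got HTTP response: HTTP/1\.\d (\d{3})")
PAN_HDR_RE = re.compile(r"^(x-private-pan[\w-]*):\s*(.+)$", re.IGNORECASE)


def classify(url: str) -> str:
    """Portal lives under /global-protect/, gateway under /ssl-vpn/ (per the thread)."""
    path = urlsplit(url).path
    if path.startswith("/global-protect/"):
        return "portal"
    if path.startswith("/ssl-vpn/"):
        return "gateway"
    return "unknown"


def parse_dump(text: str) -> List[Attempt]:
    """Split a --dump log into one Attempt per 'POST https://...' line."""
    attempts: List[Attempt] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        m = POST_RE.match(line)
        if m:
            attempts.append(Attempt(url=m.group(1), interface=classify(m.group(1))))
            continue
        if not attempts:
            continue                      # preamble before the first request
        cur = attempts[-1]
        m = STATUS_RE.match(line)
        if m:
            cur.status = int(m.group(1))
            continue
        m = PAN_HDR_RE.match(line)
        if m:
            cur.reasons.append(m.group(2).strip())
            continue
        # Dumped request body lines are prefixed "> "; only the login form carries the cookie.
        if line.startswith("> ") and "prelogin-cookie=" in line:
            form = parse_qs(line[2:], keep_blank_values=True)
            cur.cookie = form.get("prelogin-cookie", [None])[0]
    return attempts


def cookie_reuse(attempts: List[Attempt]) -> Dict[str, int]:
    """Cookie values submitted more than once, with their submission counts."""
    counts: Dict[str, int] = {}
    for a in attempts:
        if a.cookie:
            counts[a.cookie] = counts.get(a.cookie, 0) + 1
    return {c: n for c, n in counts.items() if n > 1}


def triage(text: str) -> List[str]:
    """One summary line per request, plus a warning for every reused cookie."""
    attempts = parse_dump(text)
    out = []
    for a in attempts:
        line = f"{a.interface:7s} {urlsplit(a.url).path:32s} -> {a.status}"
        if a.reasons:
            line += "  [" + ", ".join(a.reasons) + "]"
        out.append(line)
    for c, n in cookie_reuse(attempts).items():
        out.append(f"WARNING: prelogin-cookie {c[:8]}... submitted {n} times; "
                   "generate a fresh cookie before each attempt")
    return out


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_DUMP)))
```

The parser keys on the exact line shapes seen in this thread's dumps ("POST https://...", "Got HTTP response: HTTP/1.1 NNN", the "> " request-body prefix), so a real log from the same openconnect version can be fed in unchanged; the cookie value is only ever compared, never printed in full.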
Now I generated a new cookie with gp-saml-gui and used that cookie with openconnect:
echo 'Rv/65jbaqeNnfqdVqnP/OXZeUjCvSfpObI/6y70I5lx/l5DkXdnQg1AhWDP+cYKV' | openconnect --protocol=gp [email protected] --usergroup=gateway:prelogin-cookie --passwd-on-stdin remote.company.com -vvv -dump
POST https://remote.company.com/ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Attempting to connect to server 1.2.3.4:443
Connected to 1.2.3.4:443
SSL negotiation with remote.company.com
Connected to HTTPS on remote.company.com
Got HTTP response: HTTP/1.1 200 OK
Date: Sat, 14 Mar 2020 07:54:18 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 424
Connection: keep-alive
ETag: "e185bf5ac26"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=4d7cbe5bbaa113dd9f61be8f0b02ed35; secure; HttpOnly
Set-Cookie: PHPSESSID=4d7cbe5bbaa113dd9f61be8f0b02ed35; secure; HttpOnly
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block;
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length: (424)
Login form: "Username: " user(TEXT)=(null), "prelogin-cookie: " prelogin-cookie(PASSWORD)
Enter login credentials
POST https://remote.company.com/ssl-vpn/login.esp
Got HTTP response: HTTP/1.1 512 Custom error
Date: Sat, 14 Mar 2020 07:54:18 GMT
Content-Type: text/html
Content-Length: 128
Connection: keep-alive
ETag: "23605bf5ac26"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
x-private-pan-sslvpn: auth-failed
x-private-pan-sslvpn-extension: auth-failed-password-empty
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=4d7cbe5bbaa113dd9f61be8f0b02ed35; secure; HttpOnly
Set-Cookie: PHPSESSID=4d7cbe5bbaa113dd9f61be8f0b02ed35; secure; HttpOnly
HTTP body length: (128)
Unexpected 512 result from server
Enter login credentials
Username: fgets (stdin): Resource temporarily unavailable
and a second time without --usergroup=gateway
echo '3m/i6f/oTsx507sa1Ht55wyfJhuBYRwaczmdki/2uh1r5m8+ssrWcFOPWci/X3Fk' | openconnect --protocol=gp [email protected] --usergroup=portal:prelogin-cookie --passwd-on-stdin remote.company.com -vvv -dump
POST https://remote.company.com/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Attempting to connect to server 1.2.3.4:443
Connected to 1.2.3.4:443
SSL negotiation with remote.company.com
Connected to HTTPS on remote.company.com
Got HTTP response: HTTP/1.1 200 OK
Date: Sat, 14 Mar 2020 08:11:11 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 401
Connection: keep-alive
ETag: "d7a5bf5ac26"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=50ecca8251fcaf4922c6aac622d6096b; secure; HttpOnly
Set-Cookie: PHPSESSID=50ecca8251fcaf4922c6aac622d6096b; secure; HttpOnly
Set-Cookie: PHPSESSID=50ecca8251fcaf4922c6aac622d6096b; secure; HttpOnly
Set-Cookie: PHPSESSID=50ecca8251fcaf4922c6aac622d6096b; secure; HttpOnly
Set-Cookie: PHPSESSID=50ecca8251fcaf4922c6aac622d6096b; secure; HttpOnly
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block;
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length: (401)
Login form: "Username: " user(TEXT)=(null), "prelogin-cookie: " prelogin-cookie(PASSWORD)
Enter login credentials
POST https://remote.company.com/global-protect/getconfig.esp
Got HTTP response: HTTP/1.1 200 OK
Date: Sat, 14 Mar 2020 08:11:11 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 251
Connection: keep-alive
ETag: "7875bf5ac26"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=c3fa09d3494e7280d1cecaa478452a66; path=/
Set-Cookie: PHPSESSID=c3fa09d3494e7280d1cecaa478452a66; path=/
Set-Cookie: PHPSESSID=c3fa09d3494e7280d1cecaa478452a66; path=/
Set-Cookie: PHPSESSID=c3fa09d3494e7280d1cecaa478452a66; path=/
Set-Cookie: PHPSESSID=c3fa09d3494e7280d1cecaa478452a66; path=/
Set-Cookie: PHPSESSID=c3fa09d3494e7280d1cecaa478452a66; path=/
Set-Cookie: PHPSESSID=c3fa09d3494e7280d1cecaa478452a66; path=/
Set-Cookie: PHPSESSID=c3fa09d3494e7280d1cecaa478452a66; path=/
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block;
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length: (251)
Failed to parse server response
Response was:<?xml version="1.0" encoding="UTF-8" ?>
<policy>
<has-config>no</has-config>
<user-group-loaded>yes</user-group-loaded>
<portal-userauthcookie>empty</portal-userauthcookie>
<portal-prelogonuserauthcookie>empty</portal-prelogonuserauthcookie>
</policy>
Failed to obtain WebVPN cookie
I also tried with --os=win (with new cookie):
echo 'WExmkcPIvy8RodC5+0kaSbGTauImlmSLJo23wV8jfSHmP+Izz4sXFG98OSS9pjRt' | openconnect --protocol=gp [email protected] --usergroup=gateway:prelogin-cookie --passwd-on-stdin remote.company.com -vvv -dump --os=win
POST https://remote.company.com/ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows
Attempting to connect to server 1.2.3.4:443
Connected to 1.2.3.4:443
SSL negotiation with remote.company.com
Connected to HTTPS on remote.company.com
Got HTTP response: HTTP/1.1 200 OK
Date: Sat, 14 Mar 2020 08:06:40 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 1345
Connection: keep-alive
ETag: "e185bf5ac26"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: CLIENTOS=V2luZG93cw%3D%3D; expires=Sun, 15-Mar-2020 08:06:40 GMT; path=/
Set-Cookie: PHPSESSID=e4a0b2b4fe69e1ea5036916ebcb91e0f; secure; HttpOnly
Set-Cookie: PHPSESSID=e4a0b2b4fe69e1ea5036916ebcb91e0f; secure; HttpOnly
Set-Cookie: PHPSESSID=e4a0b2b4fe69e1ea5036916ebcb91e0f; secure; HttpOnly
Set-Cookie: PHPSESSID=e4a0b2b4fe69e1ea5036916ebcb91e0f; secure; HttpOnly
Set-Cookie: PHPSESSID=e4a0b2b4fe69e1ea5036916ebcb91e0f; secure; HttpOnly
Set-Cookie: PHPSESSID=e4a0b2b4fe69e1ea5036916ebcb91e0f; secure; HttpOnly
Set-Cookie: PHPSESSID=e4a0b2b4fe69e1ea5036916ebcb91e0f; secure; HttpOnly
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block;
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length: (1345)
Login form: "Username: " user(TEXT)=(null), "prelogin-cookie: " prelogin-cookie(PASSWORD)
SAML login is required via REDIRECT to this URL:
xxx
Enter login credentials
POST https://remote.company.com/ssl-vpn/login.esp
Got HTTP response: HTTP/1.1 512 Custom error
Date: Sat, 14 Mar 2020 08:06:40 GMT
Content-Type: text/html
Content-Length: 128
Connection: keep-alive
ETag: "23605bf5ac26"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
x-private-pan-sslvpn: auth-failed
x-private-pan-sslvpn-extension: auth-failed-password-empty
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=e4a0b2b4fe69e1ea5036916ebcb91e0f; secure; HttpOnly
Set-Cookie: PHPSESSID=e4a0b2b4fe69e1ea5036916ebcb91e0f; secure; HttpOnly
HTTP body length: (128)
Unexpected 512 result from server
SAML login is required via REDIRECT to this URL:
xxx
Enter login credentials
Username: fgets (stdin): Resource temporarily unavailable
And with portal
echo 'E0aJAvMH2z1g7T7RAOvJwKV3G2nuw8o4He/wTWJxUHSlKAJD3eYW9pk57z+LDZWB' | openconnect --protocol=gp [email protected] --usergroup=portal:prelogin-cookie --passwd-on-stdin remote.corp.com -vvv -dump --os=win
POST https://remote.corp.com/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows
Attempting to connect to server 1.2.3.4:443
Connected to 1.2.3.4:443
SSL negotiation with remote.corp.com
Connected to HTTPS on remote.corp.com
Got HTTP response: HTTP/1.1 200 OK
Date: Sat, 14 Mar 2020 08:13:41 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 1310
Connection: keep-alive
ETag: "d7a5bf5ac26"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=73c3b2c843490b769fb48284e33f0a85; secure; HttpOnly
Set-Cookie: PHPSESSID=73c3b2c843490b769fb48284e33f0a85; secure; HttpOnly
Set-Cookie: PHPSESSID=73c3b2c843490b769fb48284e33f0a85; secure; HttpOnly
Set-Cookie: PHPSESSID=73c3b2c843490b769fb48284e33f0a85; secure; HttpOnly
Set-Cookie: PHPSESSID=73c3b2c843490b769fb48284e33f0a85; secure; HttpOnly
Set-Cookie: PHPSESSID=73c3b2c843490b769fb48284e33f0a85; secure; HttpOnly
Set-Cookie: PHPSESSID=73c3b2c843490b769fb48284e33f0a85; secure; HttpOnly
Set-Cookie: PHPSESSID=73c3b2c843490b769fb48284e33f0a85; secure; HttpOnly
Set-Cookie: PHPSESSID=73c3b2c843490b769fb48284e33f0a85; secure; HttpOnly
Set-Cookie: PHPSESSID=73c3b2c843490b769fb48284e33f0a85; secure; HttpOnly
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block;
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length: (1310)
Login form: "Username: " user(TEXT)=(null), "prelogin-cookie: " prelogin-cookie(PASSWORD)
SAML login is required via REDIRECT to this URL:
x
Enter login credentials
POST https://remote.corp.com/global-protect/getconfig.esp
Got HTTP response: HTTP/1.1 200 OK
Date: Sat, 14 Mar 2020 08:13:41 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 7010
Connection: keep-alive
ETag: "7875bf5ac26"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=96b58454678b0ec99c5bacf0d2ebabdc; path=/
Set-Cookie: PHPSESSID=96b58454678b0ec99c5bacf0d2ebabdc; path=/
Set-Cookie: PHPSESSID=96b58454678b0ec99c5bacf0d2ebabdc; path=/
Set-Cookie: PHPSESSID=96b58454678b0ec99c5bacf0d2ebabdc; path=/
Set-Cookie: PHPSESSID=96b58454678b0ec99c5bacf0d2ebabdc; path=/
Set-Cookie: PHPSESSID=96b58454678b0ec99c5bacf0d2ebabdc; path=/
Set-Cookie: PHPSESSID=96b58454678b0ec99c5bacf0d2ebabdc; path=/
Set-Cookie: PHPSESSID=96b58454678b0ec99c5bacf0d2ebabdc; path=/
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block;
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length: (7010)
1 gateway servers available:
Azure-west (remote.corp.com)
Please select GlobalProtect gateway.
GATEWAY: [Azure-west]:Azure-west
POST https://remote.corp.com/ssl-vpn/login.esp
Got HTTP response: HTTP/1.1 512 Custom error
Date: Sat, 14 Mar 2020 08:13:41 GMT
Content-Type: text/html
Content-Length: 128
Connection: keep-alive
ETag: "23605bf5ac26"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
x-private-pan-sslvpn: auth-failed
x-private-pan-sslvpn-extension: auth-failed-password-empty
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=96b58454678b0ec99c5bacf0d2ebabdc; secure; HttpOnly
Set-Cookie: PHPSESSID=96b58454678b0ec99c5bacf0d2ebabdc; secure; HttpOnly
HTTP body length: (128)
Unexpected 512 result from server
POST https://remote.corp.com/ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows
Got HTTP response: HTTP/1.1 200 OK
Date: Sat, 14 Mar 2020 08:13:41 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 1341
Connection: keep-alive
ETag: "e185bf5ac26"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: CLIENTOS=V2luZG93cw%3D%3D; expires=Sun, 15-Mar-2020 08:13:41 GMT; path=/
Set-Cookie: PHPSESSID=96b58454678b0ec99c5bacf0d2ebabdc; secure; HttpOnly
Set-Cookie: PHPSESSID=96b58454678b0ec99c5bacf0d2ebabdc; secure; HttpOnly
Set-Cookie: PHPSESSID=96b58454678b0ec99c5bacf0d2ebabdc; secure; HttpOnly
Set-Cookie: PHPSESSID=96b58454678b0ec99c5bacf0d2ebabdc; secure; HttpOnly
Set-Cookie: PHPSESSID=96b58454678b0ec99c5bacf0d2ebabdc; secure; HttpOnly
Set-Cookie: PHPSESSID=96b58454678b0ec99c5bacf0d2ebabdc; secure; HttpOnly
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block;
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length: (1341)
Login form: "Username: " user(HIDDEN)=mp, "prelogin-cookie: " prelogin-cookie(PASSWORD)
SAML login is required via REDIRECT to this URL:
xxx
Enter login credentials
prelogin-cookie:
fgets (stdin): Inappropriate ioctl for device
from gp-saml-gui.
So nothing working, still? Drat.
I honestly have no idea about what might be different about your VPN. I don't have access to a VPN that uses Microsoft's single sign-on. I would have to see a MITM log of one of the official GP clients successfully connecting to have some idea of what might be different.
(Note that one other consequence of this situation is that it's possible, though not guaranteed, that you can use OpenConnect to connect directly to the gateway interface using an ordinary username/password without SAML.)
Did you try this, by the way?
from gp-saml-gui.
Did you try this, by the way?
Yep, tried that already:
❯ openconnect --protocol=gp [email protected] remote.company.com -vvv --dump
POST https://remote.company.com/ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Attempting to connect to server 1.2.3.4:443
Connected to 1.2.3.4:443
SSL negotiation with remote.company.com
Connected to HTTPS on remote.company.com
> POST /ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux HTTP/1.1
> Host: remote.company.com
> User-Agent: PAN GlobalProtect
>
Got HTTP response: HTTP/1.1 200 OK
Date: Mon, 16 Mar 2020 06:58:39 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 424
Connection: keep-alive
ETag: "e185bf5ac26"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=dbdca36c1bb5c856c69cec3384492491; secure; HttpOnly
Set-Cookie: PHPSESSID=dbdca36c1bb5c856c69cec3384492491; secure; HttpOnly
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block;
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length: (424)
< <?xml version="1.0" encoding="UTF-8" ?>
< <prelogin-response>
< <status>Success</status>
< <ccusername></ccusername>
< <autosubmit>false</autosubmit>
< <msg></msg>
< <newmsg></newmsg>
< <license>yes</license>
< <authentication-message>Enter login credentials</authentication-message>
< <username-label>Username</username-label>
< <password-label>Password</password-label>
< <panos-version>1</panos-version><region>DE</region>
< </prelogin-response>
Login form: "Username: " user(TEXT)=(null), "Password: " passwd(PASSWORD)
Enter login credentials
Password:
POST https://remote.company.com/ssl-vpn/login.esp
> POST /ssl-vpn/login.esp HTTP/1.1
> Host: remote.company.com
> User-Agent: PAN GlobalProtect
> Cookie: PHPSESSID=dbdca36c1bb5c856c69cec3384492491
> X-Pad: 00000000000000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 212
>
> jnlpReady=jnlpReady&ok=Login&direct=yes&clientVer=4100&prot=https:&clientos=Linux&os-version=linux-64&server=remote.company.com&computer=pluto&user=user.name%40company.com&passwd=passsssssss
Got HTTP response: HTTP/1.1 512 Custom error
Date: Mon, 16 Mar 2020 06:58:46 GMT
Content-Type: text/html
Content-Length: 127
Connection: keep-alive
ETag: "23605bf5ac26"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
x-private-pan-sslvpn: auth-failed
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=dbdca36c1bb5c856c69cec3384492491; secure; HttpOnly
Set-Cookie: PHPSESSID=dbdca36c1bb5c856c69cec3384492491; secure; HttpOnly
HTTP body length: (127)
<
< var respStatus = "Error";
< var respMsg = "Authentication failed: Invalid username or password";
< thisForm.inputStr.value = "";
<
Unexpected 512 result from server
Enter login credentials
Username: [email protected]
Password:
POST https://remote.company.com/ssl-vpn/login.esp
> POST /ssl-vpn/login.esp HTTP/1.1
> Host: remote.company.com
> User-Agent: PAN GlobalProtect
> Cookie: PHPSESSID=dbdca36c1bb5c856c69cec3384492491
> X-Pad: 00000000000000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 212
>
> jnlpReady=jnlpReady&ok=Login&direct=yes&clientVer=4100&prot=https:&clientos=Linux&os-version=linux-64&server=remote.company.com&computer=pluto&user=user.name%40company.com&passwd=oZC3HhSpS3PticE9
Got HTTP response: HTTP/1.1 512 Custom error
Date: Mon, 16 Mar 2020 06:59:30 GMT
Content-Type: text/html
Content-Length: 127
Connection: keep-alive
ETag: "23605bf5ac26"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
x-private-pan-sslvpn: auth-failed
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=dbdca36c1bb5c856c69cec3384492491; secure; HttpOnly
Set-Cookie: PHPSESSID=dbdca36c1bb5c856c69cec3384492491; secure; HttpOnly
HTTP body length: (127)
<
< var respStatus = "Error";
< var respMsg = "Authentication failed: Invalid username or password";
< thisForm.inputStr.value = "";
<
Unexpected 512 result from server
Enter login credentials
Username: ^Cfgets (stdin): Interrupted system call
I'll try to get information from the official client by using mitmproxy as suggested on Gitlab
I've set up my mitm'ing now:
I'm using GlobalProtect v5.1.1-12 on Windows 10. Sniffing traffic works and I can log in with the official client.
BTW: Is `useragent` hardcoded for `protocol=gp`? I'm trying to use the same header as my GP client, but it won't register my option `--useragent 'PAN GlobalProtect/5.1.1-12 (Microsoft Windows 10 Pro , 64-bit) Mozilla/5.0 (Windows NT 6.2; Win64; x64; Trident/7.0; rv:11.0) like Gecko'`. While using openconnect, I can see with `dump` the following: `> User-Agent: PAN GlobalProtect`
Ignore that former message. I messed up a couple of things.
With `os=win` I received something similar to the official client.
This is the request fetched from mitmproxy:
POST /ssl-vpn/login.esp HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: PAN GlobalProtect/5.1.1-12 (Microsoft Windows 10 Pro , 64-bit) Mozilla/5.0 (Windows NT 6.2; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Cookie: PHPSESSID=6bb29369ad8e9bc3847775b4174325eb; CLIENTOS=V2luZG93cw%3D%3D
host: remote.company.com
prot=https:&server=1.2.3.4&inputStr=&jnlpReady=jnlpReady&user=user.name%40company.com&passwd=&computer=DESKTOP-SDI4QT7&ok=Login&direct=yes&clientVer=4100&os-version=Microsoft+Windows+10+Pro+%2c+64-bit&preferred-ip=1.x.x.x&preferred-ipv6=&clientos=Windows&clientgpversion=5.1.1-12&portal-userauthcookie=empty&portal-prelogonuserauthcookie=empty&host-id=6c04a587-eee4-4555-95ab-bc228d7ae07c&prelogin-cookie=7%2bP5IfrvaWC%2b3y9rAiSe1TMOE7tqQUi%2f6UoejWY1uv%2bR7OapH1ANhl12PBbU0zqa&ipv6-support=yes&client-ip=192.x.x.x&client-ipv6=&internal=no&serialno=&connect-method=on-demand&selection-type=auto\00
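The captured `POST /ssl-vpn/login.esp` above carries a session cookie, the `prelogin-cookie`, the `host-id` and the user name in clear text, and the earlier `--dump` output carried passwords. The following is an added example (not gp-saml-gui or OpenConnect code) that parses such a capture, decodes the `CLIENTOS` cookie, and redacts the secret-bearing fields before the request is pasted into a public issue. The request body and cookie header are constructed to match the field set of the capture above, with placeholder values; the choice of which fields count as sensitive is this example's own.

```python
"""Inspect and redact a captured GlobalProtect login.esp request before sharing it."""
import base64
from urllib.parse import parse_qsl, unquote, urlencode

# Constructed sample: same field set as the captured POST /ssl-vpn/login.esp,
# with placeholder values instead of the real ones.
SAMPLE_COOKIE_HEADER = "PHPSESSID=6bb29369ad8e9bc3847775b4174325eb; CLIENTOS=V2luZG93cw%3D%3D"
SAMPLE_BODY = (
    "prot=https:&server=1.2.3.4&inputStr=&jnlpReady=jnlpReady"
    "&user=user.name%40company.com&passwd=&computer=DESKTOP-EXAMPLE"
    "&ok=Login&direct=yes&clientVer=4100"
    "&os-version=Microsoft+Windows+10+Pro+%2c+64-bit"
    "&preferred-ip=10.0.0.5&preferred-ipv6=&clientos=Windows&clientgpversion=5.1.1-12"
    "&portal-userauthcookie=empty&portal-prelogonuserauthcookie=empty"
    "&host-id=00000000-0000-4000-8000-000000000000"
    "&prelogin-cookie=EXAMPLEPRELOGINCOOKIE%2bvalue%2f1"
    "&ipv6-support=yes&client-ip=192.0.2.10&client-ipv6=&internal=no&serialno="
    "&connect-method=on-demand&selection-type=auto"
)

# Fields whose values identify the user or machine, or authenticate the session
# (this set is an assumption of the example, not a list published by Palo Alto).
SENSITIVE_FIELDS = {
    "passwd", "prelogin-cookie", "portal-userauthcookie", "portal-prelogonuserauthcookie",
    "host-id", "serialno", "user", "computer", "preferred-ip", "client-ip",
}
SENSITIVE_COOKIES = {"PHPSESSID"}


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into a dict.
    The official client terminates the body with a NUL byte; strip it if present."""
    return dict(parse_qsl(body.rstrip("\x00"), keep_blank_values=True))


def parse_cookies(header: str) -> dict:
    """Split a Cookie request header into name/value pairs."""
    return dict(part.strip().split("=", 1) for part in header.split(";") if "=" in part)


def decode_clientos(cookie_value: str) -> str:
    """CLIENTOS is URL-encoded base64 of the OS name ("V2luZG93cw%3D%3D" -> "Windows")."""
    return base64.b64decode(unquote(cookie_value)).decode()


def redact_form(body: str) -> str:
    """Replace sensitive non-empty field values, keeping the field names so the
    shape of the request is still visible to whoever reads the issue."""
    fields = parse_form(body)
    for name in fields:
        if name in SENSITIVE_FIELDS and fields[name] not in ("", "empty"):
            fields[name] = "REDACTED"
    return urlencode(fields)


def redact_cookies(header: str) -> str:
    """Redact session cookies; CLIENTOS is not secret and stays readable."""
    cookies = parse_cookies(header)
    return "; ".join(
        f"{k}={'REDACTED' if k in SENSITIVE_COOKIES else v}" for k, v in cookies.items()
    )


if __name__ == "__main__":
    print("client OS:", decode_clientos(parse_cookies(SAMPLE_COOKIE_HEADER)["CLIENTOS"]))
    print("Cookie:", redact_cookies(SAMPLE_COOKIE_HEADER))
    print(redact_form(SAMPLE_BODY))
```

Run it on the body and Cookie header copied out of mitmproxy; the redacted output still shows every field name, `clientos`, `clientgpversion` and the `empty` markers, which is what the maintainer needs to compare against OpenConnect's request.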
I've set up my mitm'ing now:
I'm using GlobalProtect v5.1.1-12 on Windows 10. Sniffing traffic works and I can log in with the official client.
First of all, let me just say that you're doing an incredibly good job of figuring out how to debug this in a hurry. 💪
These kinds of issues have been hard for me to resolve because there's a lot of VPN-to-VPN variation, and most users give up well before reaching this point.
BTW: Is `useragent` hardcoded for `protocol=gp`?
In OpenConnect it is indeed hard-coded. As far as I can tell, some older GlobalProtect servers require this exact value for the User-Agent to work correctly, whereas some newer servers don't care. See this commit.
I'm trying to use the same header as my GP client, but it won't register my option `--useragent 'PAN GlobalProtect/5.1.1-12 (Microsoft Windows 10 Pro , 64-bit) Mozilla/5.0 (Windows NT 6.2; Win64; x64; Trident/7.0; rv:11.0) like Gecko'`.
If you simply comment out this line and rebuild OpenConnect, the `--useragent` option will start working with OpenConnect + GlobalProtect.
I have not seen any evidence that any GlobalProtect servers care about this value, other than older ones which require the exact string `PAN GlobalProtect`… but would be interested in evidence to the contrary.
With `os=win` I received something similar to the official client:
echo "$COOKIE" | openconnect --protocol=gp -u "$USER" --passwd-on-stdin "$HOST" -vvv --dump --usergroup=gateway:prelogin-cookie --os="win"
Very interesting. To be 100% clear, are you saying this is not what you receive when you don't specify `--os=win`? If `--os=win` gets you further, then you should use it.
Unfortunately, GlobalProtect servers are so erratic in how they handle the client OS (probably because VPN administrators don't test with anything other than Windows) that it's basically impossible for us to get this part right automatically. See this commit.
⭐ It appears that you are now getting to the point where SAML authentication to the portal is working successfully (`POST /global-protect/getconfig.esp` using `prelogin-cookie`). However, after authenticating to the portal and then attempting to continue to the gateway, the authentication fails.
This is not actually surprising to me, because I expect that the `prelogin-cookie` can only be used one time. Unfortunately, I don't know how you are supposed to get the `prelogin-cookie` for the gateway, since the gateway doesn't require separate SAML authentication — according to `what-vpn`.
This is the request fetched from mitmproxy
Now here's the crucial part. According to `mitmproxy`, what happens in step 4?
1. Portal prelogin (`POST /global-protect/prelogin.esp`)
2. SAML authentication
3. Portal getconfig (`POST /global-protect/getconfig.esp` with `prelogin-cookie`)
4. ????
5. Gateway login (`POST /ssl-vpn/login.esp` with `prelogin-cookie`)
   - Is the `prelogin-cookie` value here the same as the value in step 3, or different? My guess is that it's different, but I don't know where it comes from.
   - Is the
First of all, let me just say that you're doing an incredibly good job of figuring out how to debug this in a hurry
Thank you. I hope that I can contribute this way, 'cause I can't program at all 😄
I have not seen any evidence that any GlobalProtect servers care about this value, other than older ones which require the exact string PAN GlobalProtect… but would be interested in evidence to the contrary.
I just tried to debug openconnect, bringing it as close to the official client as possible. Maybe it's not relevant... I'm going to build it with your recommendation if I'm stuck after applying your last idea 👍
Very interesting. To be 100% clear, are you saying this is not what you receive when you don't specify --os=win? If --os=win gets you further, then you should use it.
Yep, not using `os=win` I can only see 2x "ping-pong" ('>' / '<'). While using `os=win` I can see 4x "ping-pong". Also the response to `POST https://remote.company.com/global-protect/getconfig.esp` is very similar to what I see in the mitmproxy logs. Our company probably prohibits everything except Win 🤷♂️
Now here's the crucial part. According to mitmproxy, what happens in step 4?
This is what my mitmproxy log looks like (I've numbered it):
1. 19:54:03 POST HTTPS ~sremote.company.com /global-protect/prelogin.esp?kerberos-support=yes&tmp=tmp&clientVer=4100&host-id=6c04a587~ 200 application/xml 1.29k 151ms
2. 19:54:03 GET HTTPS ~in.microsoftonline.com /91e00cb2-b7c0-41b8-aa04-bbd40d719dee/saml2?SAMLRequest=lZJBb8IwDIX%2FSpV7adKmlEZQicFhSEy~ 200 text/html 44.9k 675ms
3. 19:54:09 POST HTTPS ~in.microsoftonline.com /common/GetCredentialType?mkt=de-DE 200 ~plication/json 1.02k 189ms
4. 19:54:11 POST HTTPS ~in.microsoftonline.com /91e00cb2-b7c0-41b8-aa04-bbd40d719dee/login 200 text/html 34.1k 287ms
5. 19:54:13 POST HTTPS ~in.microsoftonline.com /kmsi 200 text/html 3.96k 279ms
6. 19:54:13 POST HTTPS ~sremote.company.com /SAML20/SP/ACS 200 text/html 276b 146ms
7. 19:54:14 POST HTTPS ~sremote.company.com /global-protect/getconfig.esp 200 application/xml 6.85k 277ms
8. 19:54:14 POST HTTPS ~sremote.company.com /ssl-vpn/prelogin.esp?kerberos-support=yes&tmp=tmp&clientVer=4100&host-id=6c04a587-eee4-4~ 200 application/xml 1.32k 74ms
9. 19:54:15 GET HTTPS ~in.microsoftonline.com /91e00cb2-b7c0-41b8-aa04-bbd40d719dee/saml2?SAMLRequest=lZJBb4MwDIX%2FCsodSIBCGxUk1h5WqdO~ 200 text/html 3.96k 280ms
10. 19:54:15 POST HTTPS ~sremote.company.com /SAML20/SP/ACS 200 text/html 276b 83ms
11. 19:54:15 POST HTTPS ~sremote.company.com /ssl-vpn/login.esp 200 application/xml 707b 307ms
12. 19:54:16 POST HTTPS ~sremote.company.com /ssl-vpn/getconfig.esp 200 application/xml 1.63k 303ms
13. 19:54:22 POST HTTPS 1.2.3.4 /ssl-vpn/logout.esp? 200 application/xml 1.26k 282ms
14. 19:54:22 GET HTTPS ~in.microsoftonline.com /91e00cb2-b7c0-41b8-aa04-bbd40d719dee/saml2?SAMLRequest=jZJPb9wgEMW%2FisUdGwNeG7RrNdKq1Up~ 200 text/html 111k 365ms
Steps 2-5 are Microsoft stuff (email, password, do you want to stay logged in, ...)
Is the prelogin-cookie value here the same as the value in step 3, or different? My guess is that it's different, but I don't know where it comes from.
`prelogin-cookie` from `global-protect/getconfig.esp`:
prelogin-cookie: esdz2hL+UftzhPpnnDuWl0wWmcm++Bxbmni9JyLW0YqIbJbxKlpTeHgs5b3NzIka
`prelogin-cookie` from `ssl-vpn/login.esp`:
prelogin-cookie: GiV3XWNqUuPjTanvsxRbtk0Mo/kFUwPD5fD6FEZotlZEh0qrOV+0lnJY3ybWBCne
The second `prelogin-cookie` is from the second `SAML20/SP/ACS` (step 10).
Is the prelogin-cookie value here the same as the value in step 3, or different? My guess is that it's different, but I don't know where it comes from.
`prelogin-cookie` from `global-protect/getconfig.esp`:
prelogin-cookie: esdz2hL+UftzhPpnnDuWl0wWmcm++Bxbmni9JyLW0YqIbJbxKlpTeHgs5b3NzIka
`prelogin-cookie` from `ssl-vpn/login.esp`:
prelogin-cookie: GiV3XWNqUuPjTanvsxRbtk0Mo/kFUwPD5fD6FEZotlZEh0qrOV+0lnJY3ybWBCne
The second `prelogin-cookie` is from the second `SAML20/SP/ACS` (step 10).
Well this confirms my suspicions about why the previous approach wasn't working: there are two different values of `prelogin-cookie` being generated.
First, the client does SAML to authenticate to the portal (requests 1-6 in your MITM log). Then it does a new round of SAML to authenticate to the gateway (requests 8-10):
8. 19:54:14 POST HTTPS ~sremote.company.com /ssl-vpn/prelogin.esp?kerberos-support=yes&tmp=tmp&clientVer=4100&host-id=6c04a587-eee4-4~ 200 application/xml 1.32k 74ms
9. 19:54:15 GET HTTPS ~in.microsoftonline.com /91e00cb2-b7c0-41b8-aa04-bbd40d719dee/saml2?SAMLRequest=lZJBb4MwDIX%2FCsodSIBCGxUk1h5WqdO~ 200 text/html 3.96k 280ms
10. 19:54:15 POST HTTPS ~sremote.company.com /SAML20/SP/ACS 200 text/html 276b 83ms
You told me above that `what-vpn` thinks only the portal interface needs SAML authentication, but your MITM log of request (8) shows that the gateway needs SAML authentication too. I don't understand the gap. 🤷♂️ (If you're willing to email me the real server name, privately, it may help me improve the accuracy of `what-vpn`.)
Anyway… I wanted to double check one thing: have you tried the combination of `--os=win` and SAML-to-the-gateway? I think you did that above, but want to double-check.
$ gp-saml-gui.py --gateway your.server.com
$ echo PRELOGIN_COOKIE | openconnect SERVER --usergroup gateway:prelogin-cookie --passwd-on-stdin --os=win
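The thread has by now established three things that a client has to get right: a `prelogin.esp` response only counts as SAML when it carries `<saml-auth-method>` and `<saml-request>` (the plain username/password response in the `--dump` output above has neither), this server only emitted those tags for `clientos=Windows`, and the portal and the gateway each run their own SAML round (mitmproxy steps 1-6 and 8-10) and hand out different `prelogin-cookie` values. The following is an added example, not gp-saml-gui or OpenConnect code, that parses prelogin responses with those rules, builds the portal and gateway prelogin URLs, and keeps the two cookies apart so the one already spent on `getconfig.esp` is never re-sent to `login.esp`. Treating a `prelogin-cookie` as single-use is an assumption taken from the maintainer's comment, not documented server behaviour; the SAML-style response, the IdP URL and the cookie values are constructed, and the decoded `<saml-request>` is handled as an opaque string.

```python
"""Model the two-round GlobalProtect SAML flow (portal, then gateway) seen in this thread."""
import base64
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, Set
from urllib.parse import urlencode

PRELOGIN_PATH = {"portal": "/global-protect/prelogin.esp", "gateway": "/ssl-vpn/prelogin.esp"}


class NotSamlPrelogin(ValueError):
    """The response is a plain username/password prelogin (no SAML tags)."""


@dataclass
class SamlPrelogin:
    status: str
    method: str    # <saml-auth-method>, e.g. REDIRECT or POST
    request: str   # base64-decoded <saml-request>, treated as opaque here


def prelogin_url(server: str, interface: str, clientos: str = "Windows") -> str:
    """Build the prelogin URL; clientos=Windows is what made this server emit SAML tags."""
    query = urlencode({"tmp": "tmp", "clientVer": "4100", "clientos": clientos})
    return f"https://{server}{PRELOGIN_PATH[interface]}?{query}"


def parse_prelogin(xml_text: str) -> SamlPrelogin:
    """Accept a <prelogin-response> only if both SAML tags are present."""
    root = ET.fromstring(xml_text)
    if root.tag != "prelogin-response":
        raise ValueError(f"unexpected root element <{root.tag}>")
    method = root.findtext("saml-auth-method")
    request = root.findtext("saml-request")
    if not method or not request:
        raise NotSamlPrelogin("This does not appear to be a SAML prelogin response "
                              "(<saml-auth-method> or <saml-request> tags missing)")
    return SamlPrelogin(root.findtext("status", ""), method, base64.b64decode(request).decode())


def needs_saml(xml_text: str) -> bool:
    try:
        parse_prelogin(xml_text)
        return True
    except NotSamlPrelogin:
        return False


@dataclass
class PreloginCookies:
    """One prelogin-cookie per interface; each is assumed to be spendable only once."""
    cookies: Dict[str, str] = field(default_factory=dict)
    spent: Set[str] = field(default_factory=set)

    def record(self, interface: str, cookie: str) -> None:
        self.cookies[interface] = cookie
        self.spent.discard(interface)

    def take(self, interface: str) -> str:
        if interface not in self.cookies:
            raise KeyError(f"no prelogin-cookie for the {interface}; run its SAML round first")
        if interface in self.spent:
            raise RuntimeError(f"{interface} prelogin-cookie already used; a fresh SAML round is needed")
        self.spent.add(interface)
        return self.cookies[interface]


def can_take(jar: PreloginCookies, interface: str) -> bool:
    try:
        jar.take(interface)
        return True
    except (KeyError, RuntimeError):
        return False


# Constructed plain response, shaped like the one in the --dump output above.
PLAIN_RESPONSE = """<?xml version="1.0" encoding="UTF-8" ?>
<prelogin-response><status>Success</status><ccusername></ccusername>
<autosubmit>false</autosubmit><authentication-message>Enter login credentials</authentication-message>
<username-label>Username</username-label><password-label>Password</password-label>
<panos-version>1</panos-version><region>DE</region></prelogin-response>"""


def saml_response(idp_url: str) -> str:
    """Constructed SAML-style prelogin response carrying a base64-encoded redirect URL."""
    encoded = base64.b64encode(idp_url.encode()).decode()
    return ("<prelogin-response><status>Success</status>"
            "<saml-auth-method>REDIRECT</saml-auth-method>"
            f"<saml-request>{encoded}</saml-request></prelogin-response>")


def run_flow() -> Dict[str, str]:
    """Walk the captured sequence: portal SAML (1-6), getconfig (7), gateway SAML (8-10), login (11)."""
    jar = PreloginCookies()
    portal = parse_prelogin(saml_response("https://login.example/tenant/saml2?SAMLRequest=AAA"))
    jar.record("portal", "PORTAL-COOKIE-from-first-ACS")        # step 6: /SAML20/SP/ACS
    getconfig_cookie = jar.take("portal")                        # step 7: getconfig.esp
    gateway = parse_prelogin(saml_response("https://login.example/tenant/saml2?SAMLRequest=BBB"))
    jar.record("gateway", "GATEWAY-COOKIE-from-second-ACS")      # step 10: second ACS
    login_cookie = jar.take("gateway")                           # step 11: login.esp
    return {"portal_method": portal.method, "gateway_request": gateway.request,
            "getconfig": getconfig_cookie, "login": login_cookie}


if __name__ == "__main__":
    print(prelogin_url("remote.company.com", "gateway"))
    print("plain response needs SAML:", needs_saml(PLAIN_RESPONSE))
    print(run_flow())
```

The useful failure mode is the one the jar enforces: if the gateway round is skipped and the portal cookie is handed to `login.esp`, `take("portal")` refuses the second use instead of letting the server answer with `auth-failed`, which is the behaviour the combination of `gp-saml-gui --gateway` and `--usergroup=gateway:prelogin-cookie` works around.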