Forum / NoMachine for Windows / NXClientAuthentication fails
- This topic has 12 replies, 2 voices, and was last updated 6 years, 1 month ago by shiba.
-
AuthorPosts
-
November 6, 2018 at 09:54 #20356itguy92075Participant
Hello,
I have a situation in which my configuration works well on Mac clients, but not at all on Windows clients.
In server.cfg:
EnableNXClientAuthentication 1
AcceptedAuthenticationMethods NX-password,NX-private-key
On Mac, both auth schemes work. On Windows, neither works, but setting:
EnableNXClientAuthentication 0
fixes password authentication.
Any ideas? So far I haven’t found anything I could have missed, and the setup works when the client is a Mac.
November 6, 2018 at 15:43 #20366shibaParticipantHi,
Did you go through the instructions on how to configure NoMachine to use SSL client authentication? https://www.nomachine.com/AR10M00866
I went through them myself on a mix of platforms just to make sure everything is working properly.
The key EnableNXClientAuthentication enabling support SSL client authentication and it is disabled by default. Setting the value of this key to 1 causes that only clients with the added certificate on the server are able to connect (which is explained there: https://www.nomachine.com/FR09M02964).
November 7, 2018 at 08:55 #20372itguy92075ParticipantYes, I followed the server setup instructions, and both password and NX authentication work when connecting from a Mac. When connecting from Windows, password authentication errors out with “Connection lost” without ever being prompted for the username or password. When connecting from Windows, NX authentication errors out with “Error 5: Input/output error.”
I have two problems:
Using the same version of the software, the same nx_client_rsa_key file, and the same session file, Mac works, Windows doesn’t.
When I set EnableNXClientAuthentication to 0, password authentication starts working. Why?
With debugging up to 7, nothing in the logs indicates what might be wrong with the setup, which is in a way unsurprising since it’s working on Mac.
November 8, 2018 at 13:11 #20403shibaParticipantHello,
The error messages you see in the Player appear when the client’s certificate is not accepted on the server. Could you try to look for similar entries on server side logs? There may be such errors in nxerror.log:65245 6659 16:40:04 116.519 Encryptor/Encryptable: ERROR! Certificate not found in ‘/Library/Application Support/NoMachine/var/nx/.nx/config/server.crt’..
65245 6659 16:40:04 116.589 Encryptor/Encryptable: ERROR! Failed to authorize the client certificate.If you have such entries, please make sure if everything is correctly set on the client and server side. If adding your client’s certificate, you have considered its IP address, maybe it’s worth checking if it is up-to-date.
November 9, 2018 at 09:21 #20405itguy92075ParticipantHello,
Thanks for your reply. I generated new keys and a new server.crt file for this test:
Here is nxerror.log:
355 507 16:13:54 531.155 ServerNetworkInfoHandler: WARNING! Obtaining network data failed.
Info: Handler started with pid 839 on Thu Nov 8 16:15:09 2018.
Info: Handling connection from 192.168.56.2 port 53353 on Thu Nov 8 16:15:09 2018.
839 851 16:15:15 101.381 Encryptor/Encryptor: ERROR! Decryption read from BIO pending 126 wpending 7 retry 0.
839 851 16:15:15 101.420 Encryptor/Encryptor: ERROR! Decryption read from BIO failed in context [D].
Error: Decryption read from BIO failed in context [D].
839 851 16:15:15 101.444 Channel/Channel: WARNING! Runnable DaemonReader failed for FD#5.
839 851 16:15:15 101.452 Channel/Channel: WARNING! Error is 74, ‘Bad message’.
Warning: Connection from 192.168.56.2 port 53353 failed on Thu Nov 8 16:15:15 2018.
Warning: Connection error is 74, ‘Bad message’.
Info: Handler with pid 839 terminated on Thu Nov 8 16:15:15 2018.
The first line of server.crt is:
Host:
November 9, 2018 at 16:49 #20411shibaParticipantWe weren’t able to reproduce problem, but we would like to investigate the issue further. What version of NoMachine do you have on the client and server side? We strongly recommend using the latest packages.
Could you send us the logs from server and client side? The certificate ‘server.crt’ from your Mac may also be helpful. Please send them to forum[at]nomachine[dot]com.
Instructions about collecting logs you can find here: https://www.nomachine.com/DT10O0016
November 12, 2018 at 08:42 #20419itguy92075ParticipantHello,
Everything is the latest, version 6.3.6. I will send logs.
Thanks!
November 13, 2018 at 16:42 #20456shibaParticipantThank you for files that you sent to us, we are investigating them. We would also like to take a look at the client side files. Could you reproduce failed connection again, pack the whole .nx folder from your Windows and send it to us?
Folder .nx is placed, for example, in C:/Users/username/.nx
Please send us also ‘server.crt’ file which is located on the server side in /var/NX/nx/.nx/config
November 14, 2018 at 08:44 #20464itguy92075ParticipantThanks for your reply. The additional files you requested are on the way.
November 14, 2018 at 12:26 #20469shibaParticipantThank you for the files you sent us. It seems that your private key and certificate are missing on client side. Could you place nx_client_rsa_key and nx_client_rsa_key.crt to C:\Users\Fred\.nx\config and try to connect again?
November 15, 2018 at 10:16 #20471itguy92075ParticipantThose files are in the first zip file I sent. I can send them again.
November 15, 2018 at 10:17 #20472itguy92075ParticipantHello,
I followed your suggestion to put the key into to the .nx\cofig folder. At that point, I still could not connect, the error was “Cannot accept key.”
Using the client interface, I reimported the key into my session file, this time using .nx\config\nx_client_rsa_key instead of Downloads\nx_client_rsa_key which I had done previously. This is the working formula — I am able to connect with the keys, no password.
All is well, thanks for your help!
November 16, 2018 at 12:15 #20489shibaParticipantWe are glad that your problem has been solved! 🙂
-
AuthorPosts
This topic was marked as solved, you can't post.