NXClientAuthentication fails

  • #20356
    itguy92075
    Participant

    Hello,

    I have a situation in which my configuration works well on Mac clients, but not at all on Windows clients.

    In server.cfg:

    EnableNXClientAuthentication 1

    AcceptedAuthenticationMethods NX-password,NX-private-key

    On Mac, both auth schemes work.  On Windows, neither works, but setting:

    EnableNXClientAuthentication 0

    fixes password authentication.

    Any ideas?  So far I haven’t found anything I could have missed, and the setup works when the client is a Mac.

    #20366
    shiba
    Participant

    Hi,

    Did you go through the instructions on how to configure NoMachine to use SSL client authentication? https://www.nomachine.com/AR10M00866

    I went through them myself on a mix of platforms just to make sure everything is working properly.

    The key EnableNXClientAuthentication enables support for SSL client authentication, and it is disabled by default. Setting the value of this key to 1 means that only clients whose certificate has been added on the server are able to connect (which is explained here: https://www.nomachine.com/FR09M02964).

    #20372
    itguy92075
    Participant

    Yes, I followed the server setup instructions, and both password and NX authentication work when connecting from a Mac.  When connecting from Windows, password authentication errors out with “Connection lost” without ever being prompted for the username or password.  When connecting from Windows, NX authentication errors out with “Error 5: Input/output error.”

    I have two problems:

    Using the same version of the software, the same nx_client_rsa_key file, and the same session file, Mac works, Windows doesn’t.

    When I set EnableNXClientAuthentication to 0, password authentication starts working.  Why?

    With debugging up to 7, nothing in the logs indicates what might be wrong with the setup, which is in a way unsurprising since it’s working on Mac.

    #20403
    shiba
    Participant

    Hello,
    The error messages you see in the Player appear when the client’s certificate is not accepted on the server. Could you try to look for similar entries in the server-side logs? There may be errors like these in nxerror.log:

    65245 6659 16:40:04 116.519 Encryptor/Encryptable: ERROR! Certificate not found in ‘/Library/Application Support/NoMachine/var/nx/.nx/config/server.crt’..
    65245 6659 16:40:04 116.589 Encryptor/Encryptable: ERROR! Failed to authorize the client certificate.

    If you have such entries, please make sure that everything is set correctly on the client and server side. If you took the client’s IP address into account when adding its certificate, it may be worth checking that it is up to date.

    #20405
    itguy92075
    Participant

    Hello,

    Thanks for your reply.  I generated new keys and a new server.crt file for this test:

    Here is nxerror.log:

    355 507 16:13:54 531.155 ServerNetworkInfoHandler: WARNING! Obtaining network data failed.

    Info: Handler started with pid 839 on Thu Nov  8 16:15:09 2018.

    Info: Handling connection from 192.168.56.2 port 53353 on Thu Nov  8 16:15:09 2018.

    839 851 16:15:15 101.381 Encryptor/Encryptor: ERROR! Decryption read from BIO pending 126 wpending 7 retry 0.

    839 851 16:15:15 101.420 Encryptor/Encryptor: ERROR! Decryption read from BIO failed in context [D].

    Error: Decryption read from BIO failed in context [D].

    839 851 16:15:15 101.444 Channel/Channel: WARNING! Runnable DaemonReader failed for FD#5.

    839 851 16:15:15 101.452 Channel/Channel: WARNING! Error is 74, ‘Bad message’.

    Warning: Connection from 192.168.56.2 port 53353 failed on Thu Nov  8 16:15:15 2018.

    Warning: Connection error is 74, ‘Bad message’.

    Info: Handler with pid 839 terminated on Thu Nov  8 16:15:15 2018.

     

    The first line of server.crt is:

    Host:

     

     

    #20411
    shiba
    Participant

    We weren’t able to reproduce the problem, but we would like to investigate the issue further. What version of NoMachine do you have on the client and server side? We strongly recommend using the latest packages.

    Could you send us the logs from server and client side? The certificate ‘server.crt’ from your Mac may also be helpful. Please send them to forum[at]nomachine[dot]com.

    You can find instructions for collecting logs here: https://www.nomachine.com/DT10O0016

    #20419
    itguy92075
    Participant

    Hello,

    Everything is the latest, version 6.3.6.  I will send logs.

    Thanks!

    #20456
    shiba
    Participant

    Thank you for the files that you sent to us; we are investigating them. We would also like to take a look at the client-side files. Could you reproduce the failed connection again, pack the whole .nx folder from your Windows machine and send it to us?

    The .nx folder is located, for example, in C:/Users/username/.nx

    Please also send us the ‘server.crt’ file, which is located on the server side in /var/NX/nx/.nx/config

    #20464
    itguy92075
    Participant

    Thanks for your reply.  The additional files you requested are on the way.

    #20469
    shiba
    Participant

    Thank you for the files you sent us. It seems that your private key and certificate are missing on the client side. Could you place nx_client_rsa_key and nx_client_rsa_key.crt in C:\Users\Fred\.nx\config and try to connect again?

    #20471
    itguy92075
    Participant

    Those files are in the first zip file I sent.  I can send them again.

    #20472
    itguy92075
    Participant

    Hello,

    I followed your suggestion to put the key into the .nx\config folder.  At that point, I still could not connect; the error was “Cannot accept key.”

    Using the client interface, I reimported the key into my session file, this time using .nx\config\nx_client_rsa_key instead of Downloads\nx_client_rsa_key which I had done previously.  This is the working formula — I am able to connect with the keys, no password.

    All is well, thanks for your help!

     

    #20489
    shiba
    Participant

    We are glad that your problem has been solved! 🙂
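
For triaging server-side nxerror.log excerpts like the ones quoted in this thread, the following added example (not from the original posts or from NoMachine) groups entries by handler process and flags the two error signatures that appear above. The sample log is constructed from the quoted lines, and attributing each "Handling connection" line to the most recently started handler is an assumption that holds only when handlers do not interleave.

```python
import re

# Constructed sample modelled on the nxerror.log lines quoted in the thread.
SAMPLE_LOG = """\
355 507 16:13:54 531.155 ServerNetworkInfoHandler: WARNING! Obtaining network data failed.
Info: Handler started with pid 839 on Thu Nov  8 16:15:09 2018.
Info: Handling connection from 192.168.56.2 port 53353 on Thu Nov  8 16:15:09 2018.
839 851 16:15:15 101.381 Encryptor/Encryptor: ERROR! Decryption read from BIO pending 126 wpending 7 retry 0.
839 851 16:15:15 101.420 Encryptor/Encryptor: ERROR! Decryption read from BIO failed in context [D].
839 851 16:15:15 101.452 Channel/Channel: WARNING! Error is 74, 'Bad message'.
Info: Handler with pid 839 terminated on Thu Nov  8 16:15:15 2018.
Info: Handler started with pid 65245 on Thu Nov  8 16:40:01 2018.
Info: Handling connection from 192.168.56.3 port 50111 on Thu Nov  8 16:40:01 2018.
65245 6659 16:40:04 116.519 Encryptor/Encryptable: ERROR! Certificate not found in '/Library/Application Support/NoMachine/var/nx/.nx/config/server.crt'..
65245 6659 16:40:04 116.589 Encryptor/Encryptable: ERROR! Failed to authorize the client certificate.
"""

START = re.compile(r"^Info: Handler started with pid (\d+)")
CONN = re.compile(r"^Info: Handling connection from (\S+) port \d+")
ENTRY = re.compile(r"^(\d+) \d+ \d\d:\d\d:\d\d \S+ \S+: (?:ERROR|WARNING)! (.*)$")

# Message fragments taken from the log lines posted in the thread.
SIGNATURES = {
    "client_cert_rejected": re.compile(
        r"Failed to authorize the client certificate|Certificate not found in"),
    "encrypted_read_failed": re.compile(r"Decryption read from BIO failed"),
}

def triage(log_text):
    """Return {handler_pid: {"client": ip, "findings": [signature names]}}."""
    sessions, last_pid = {}, None
    for line in map(str.strip, log_text.splitlines()):
        if m := START.match(line):
            last_pid = int(m.group(1))
            sessions.setdefault(last_pid, {"client": None, "findings": []})
        elif (m := CONN.match(line)) and last_pid is not None:
            # Assumption: the connection belongs to the most recently started handler.
            sessions[last_pid]["client"] = m.group(1)
        elif m := ENTRY.match(line):
            entry = sessions.setdefault(int(m.group(1)), {"client": None, "findings": []})
            for name, pattern in SIGNATURES.items():
                if pattern.search(m.group(2)) and name not in entry["findings"]:
                    entry["findings"].append(name)
    return sessions

if __name__ == "__main__":
    for pid, info in triage(SAMPLE_LOG).items():
        print(pid, info["client"], ", ".join(info["findings"]) or "no known signature")
```
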


This topic was marked as solved, you can't post.