Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.
If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!
Only Administrators can log in
-
Starting today, we have an issue that only Administrators can log in to ProGet. We use the built-in accounts. Non- Admins will be redirected to the login screen without any message. No error message in the log, nothing. Since that is a serious issue (only the Admins can work currently), please point me to how I can investigate the reason of that strange behaviour.
Product: ProGet
Version: 3.8.6
-
If you run the ProGet.Service.exe, then you'll be able to reset the password with one of the options.
-
Hi,
sorry, I think I have not made clear the problem. It's not a problem of forgotten passwords or the like. The server is up and running for long time. I have
- Users who are member of the administrators group. These users can log in and everything is good.
- User that are member of any other group (= users who are not member of the administrators group). These users cannot log in since this morning.
There were no changes on the system. Nothing! When I try to log in such a user with a - by itention - wrong password, i get the message "Your login attempt was not successful...". That is expected and ok.
When I use the correct password, the screen reloads, I'm still (or better - again) on the login page and i can enter my credentials again. That is the problem. Until yesterday, a login was possible, since this morning not. It's pretty unlikely that 20 user forget their passords over night. There must be a technical problem and since I cannot see an error message when I log in as administrator (administration page says "There are no recent errors."), I ask you what I can do to figure out the problem.Best regards,
Joachim Roppert
-
Did a bit more investigation so I get add an additional info:
Seems users with LegacyPassword_Indicator set to "Y" in the ProGet DB Users table can login, the Users with LegacyPassword_Indicator = "N" cannot. What is a legacy password? What can be the problem?
-
I had exactly the same issue, but after assigning privileges to a user group I was able to login.
So the things I did to get it working:
- create a group, i.e. "developers"
- create a user belonging to the group developers
- assign "developer" privileges to the group developers
Of course, the next time I would assign privileges before creating users ;)
Best,
Yvette
-
Hi Yvette,
thanks foy your feedback. I've tried exactly the procedure you've described but unfortunately, the problem remains the same.
So we're still a bit lost and think about replacing ProGet with a file share since it's currently just unusable :-(
-
Seems users with LegacyPassword_Indicator set to "Y" in the ProGet DB Users table can login, the Users with LegacyPassword_Indicator = "N" cannot. What is a legacy password? What can be the problem?
We changed the way hashing was performed in 3.5, so a Legacy Password is one that's hashed in a pre-3.5 manner. When a user logs-in with a Legacy Password, the existing password is re-hashed, saved, and the LegacyPassword_Indicator is set to N.
It's possible there's a bug with this behavior, but this would have impacted a lot of other users too, and this is the first report.
I suspect it's related to privileges, so I would diagnose by giving everyone admin, or a specific user all privileges, then working down from there. You can also try to create a new user, and then see if that user can log-in with admin privileges.
-
May it be a problem that I've jumped over some releases and updated from 3.4.7 to 3.8.6 directly. I did that end of last week so it could be possible that the update is related to the issue.
-
Maybe there is a problem in BuildInDirectory.TryGetAndValidateUser? What happens to users with a non-legacy password (= with an Indicator "N") there?
-
I'm not sure, that method hasn't changed since 3.5; unfortunately we can't test/validate this quickly or easily, but here is the code if anything comes to mind:
public override IUserDirectoryUser TryGetAndValidateUser(string userName, string password) { if (string.IsNullOrEmpty(userName)) throw new ArgumentNullException("userName"); try { var userInfo = StoredProcs.Users_GetUser(userName).Execute(); var user = userInfo.Users.FirstOrDefault(); if (user == null) return null; if ((YNIndicator)user.LegacyPassword_Indicator) { if (StoredProcs.Users_ValidateLogin(userName, password, null).Execute() == YNIndicator.No) return null; SetPassword(userName, password); } else { using (var rfc2898 = new Rfc2898DeriveBytes(password, user.Salt_Bytes, 10000)) { var bytes = rfc2898.GetBytes(20); if (!StructuralComparisons.StructuralEqualityComparer.Equals(bytes, user.Password_Bytes)) return null; } } return new BuiltInUser(user, userInfo.UserGroups); } catch (Exception ex) { Log("TryGetAndValidateUser: " + ex.ToString()); return null; } }This is the set method...
public static void SetPassword(string userName, string password) { using (var rfc2898 = new Rfc2898DeriveBytes(password, 10, 10000)) { var bytes = rfc2898.GetBytes(20); StoredProcs.Users_SetPassword(userName, bytes, rfc2898.Salt).Execute(); } }
-
First thing to mention is that this is different from what was delivered with 3.8.6. Not sure if that makes a difference but it is.
My guesses:
-
if ((YNIndicator)user.LegacyPassword_Indicator)checks if the LegacyIndicator exists at all (so checks if it's a 3.5 or later version). In my installed 3.8.6, this part isif (user.LegacyPassword_Indicator != null). -
if user has a legacy password, password is upgraded (
SetPassword...) -
If user has no legacy password (Indicator "N"), null is returned:
if (StoredProcs.Users_ValidateLogin(userName, password, null).Execute() == YNIndicator.No)
return null;As I see, null is also returned if user is null (
if (user == null) return null;) or the password is wrong (if (!StructuralComparisons.StructuralEqualityComparer.Equals(bytes, user.Password_Bytes)) return null;). So returning null seems to mean "No valid login". And it seems that users with an Indicator "N" (these users have the problem in my installation) always get a return null in versions 3.5 and later?! So that may be the problem. What do you think?
-
-
That logic seems correct... we can repro this issue only if the users are not granted the "General_ViewHomePage" task.
Once a user has a failed login, can they browse directly to a particular feed if it's typed into the URL, e.g. http://{proget-server}/feeds/{feed-name} ?
-
Yes, navigating to the feed directly works after the failed login.
-
The users who cannot log in are mapped to the roles "Package Consumer and Adder" and "Package Consumer".
From the ProGet DB:
Roles Table:
Role_Id Role_Name
...
9 Package Consumer and Adder
8 Package Consumer
Tasks Table:
Task_Id Task_Name Feed_Scopeable_Indicator
...
28 General_ViewHomePage N
RoleTask Table
Role_Id Task_Id
...
8 1
8 2
8 5
8 28
9 1
9 2
9 4
9 5
9 28
-
Are those privileges assigned to a feed? If so, the General_ViewHomePage task will be ignored.
Make sure to grant General_ViewHomePage at the SYSTEM level and not scoped to a particular feed, that should resolve the issue.
-
Yes, the privileges are scoped to a certain feed. You're right, As soon as i scope to "All Feeds", login works. That's great!
I'm still abit confued about how to limit some people to only one feed. They should be able to Add, View, Download packages of one feed only (including uploading packages using the web ui). Other feeds should not be visible to them. How to achieve that without scoping my privilege to a certain feed.
What I didis to create a new Role "HomePageViewer" Role with only the General_ViewHomePage Task. Then, I've created two assignments for my ProductDevelopers group:
- Principal:ProductDevelopers, Role:Package Consumer and Adder, Scope: MyFeed
- Principal:ProductDevelopers, Role:HomePageViewer, Scope: (System)
Would that be a recommended way or did I think too complicated?