jkroepke/openvpn-auth-azure-ad

client certificate does not match Azure AD user

PenChien opened this issue · 2 comments

I want to use SSO with Azure AD to log in to OpenVPN. After importing the profile and entering multi-factor authentication, I got the error message below. I don't know how to fix this issue. Thanks for the help.


root@vpn:~# openvpn-auth-azure-ad --client-id xxxxxxx -H 127.0.0.1 -P 7505 --token-authority https://login.microsoftonline.com/xxxxx.onmicrosoft.com
2022-04-14 18:56:49,815 INFO Connection to OpenVPN management interfaced established.
2022-04-14 18:56:49,816 INFO Running openvpn-auth-azure-ad 1.2.0
2022-04-14 18:56:54,200 INFO [cid: 4]: Received client connect
2022-04-14 18:56:54,200 INFO [cid: 4]: Start to authenticate using device token flow
2022-04-14 18:56:55,286 INFO [cid: 4]: Received client disconnect event
2022-04-14 18:57:21,425 INFO [cid: 5]: Received client connect
2022-04-14 18:57:21,425 INFO [cid: 5]: Continue to authenticate using device token flow
2022-04-14 18:57:21,865 INFO [cid: 5]: client certificate does not match Azure AD user.
2022-04-14 18:57:22,491 INFO [cid: 5]: Received client disconnect event

OpenVPN Client log

[Apr 14, 2022, 18:03:18] OpenVPN core 3.git::d3f8b18b win x86_64 64-bit built on Mar 17 2022 11:42:02
[Apr 14, 2022, 18:03:18] Frame=512/2048/512 mssfix-ctrl=1250
[Apr 14, 2022, 18:03:18] UNUSED OPTIONS
4 [resolv-retry] [infinite]
5 [nobind]
6 [persist-key]
7 [persist-tun]
11 [auth-nocache]
13 [ignore-unknown-option] [block-outside-dns]
14 [block-outside-dns]
15 [verb] [3]
[Apr 14, 2022, 18:03:18] EVENT: RESOLVE
[Apr 14, 2022, 18:03:18] EVENT: WAIT
[Apr 14, 2022, 18:03:18] WinCommandAgent: transmitting bypass route to 192.168.3.76
{
"host" : "192.168.3.76",
"ipv6" : false
}
[Apr 14, 2022, 18:03:18] Connecting to [192.168.3.76]:1194 (192.168.3.76) via TCPv4
[Apr 14, 2022, 18:03:18] EVENT: CONNECTING
[Apr 14, 2022, 18:03:18] Tunnel Options:V4,dev-type tun,link-mtu 1523,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-128-GCM,auth [null-digest],keysize 128,key-method 2,tls-client
[Apr 14, 2022, 18:03:18] Creds: DynamicChallenge
[Apr 14, 2022, 18:03:18] Peer Info:
IV_VER=3.git::d3f8b18b
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
IV_GUI_VER=OCWindows_3.3.6-2752
IV_SSO=webauth,openurl,crtext
[Apr 14, 2022, 18:03:19] SSL Handshake: peer certificate: CN=server_tQbNQlk72SYn6Xol, 256 bit EC, curve:prime256v1, cipher: TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
[Apr 14, 2022, 18:03:19] Session is ACTIVE
[Apr 14, 2022, 18:03:19] EVENT: GET_CONFIG
[Apr 14, 2022, 18:03:19] Sending PUSH_REQUEST to server...
[Apr 14, 2022, 18:03:20] Sending PUSH_REQUEST to server...
[Apr 14, 2022, 18:03:20] AUTH_FAILED
[Apr 14, 2022, 18:03:20] EVENT: AUTH_FAILED
[Apr 14, 2022, 18:03:20] EVENT: DISCONNECTED

Server.conf

port 1194
proto tcp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 168.95.1.1"
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
client-cert-not-required
cert server_tQbNQlk72SYn6Xol.crt
key server_tQbNQlk72SYn6Xol.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3
management localhost 7505
#management socket-name unix [pw-file]
management-client-auth

Hi,

I extended the logging in #9; you may be able to see the difference in the future.

The error appears if the common name differs from the preferred_username token claim.
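As an added illustration of the check the reply above describes (written for this page; it is not openvpn-auth-azure-ad's own code), the following Python reproduces the decision end to end: it parses a constructed >CLIENT:CONNECT event as the OpenVPN management interface emits it under --management-client-auth, takes common_name from the client environment, and compares it exactly with the preferred_username claim that MSAL returns in its token result. The event text, the token result dict, and the names parse_client_connect, decide and run_sample are all constructed for the example; the client-auth-nt and client-deny replies are the standard management-interface commands, not necessarily the exact strings the project sends. Because preferred_username in an Azure AD ID token normally carries the user's UPN, a certificate CN of just "alice" is rejected with the message seen in the server log, while a CN equal to the full UPN is accepted.

```python
from __future__ import annotations

# Constructed samples of the event OpenVPN's management interface emits for a
# client connect when --management-client-auth is set. All values are invented.
SAMPLE_MGMT_EVENT_SHORT_CN = """\
>CLIENT:CONNECT,5,2
>CLIENT:ENV,common_name=alice
>CLIENT:ENV,username=alice
>CLIENT:ENV,untrusted_ip=192.168.3.10
>CLIENT:ENV,IV_SSO=webauth,openurl,crtext
>CLIENT:ENV,END
"""

SAMPLE_MGMT_EVENT_UPN_CN = """\
>CLIENT:CONNECT,6,2
>CLIENT:ENV,common_name=alice@contoso.onmicrosoft.com
>CLIENT:ENV,untrusted_ip=192.168.3.10
>CLIENT:ENV,END
"""

# Constructed stand-in for the dict msal's acquire_token_by_device_flow()
# returns on success: the claims of the ID token, already verified by MSAL.
TOKEN_RESULT = {
    "id_token_claims": {
        "preferred_username": "alice@contoso.onmicrosoft.com",
        "name": "Alice Example",
    }
}

DENY_REASON = "client certificate does not match Azure AD user"


def parse_client_connect(block: str) -> tuple[int, int, dict[str, str]]:
    """Split a >CLIENT:CONNECT,<cid>,<kid> event and the >CLIENT:ENV lines
    that follow it (up to END) into (cid, kid, env)."""
    lines = [line.strip() for line in block.strip().splitlines()]
    prefix = ">CLIENT:CONNECT,"
    if not lines or not lines[0].startswith(prefix):
        raise ValueError("not a CLIENT:CONNECT event")
    cid, kid = (int(x) for x in lines[0][len(prefix):].split(","))
    env: dict[str, str] = {}
    for line in lines[1:]:
        if not line.startswith(">CLIENT:ENV,"):
            continue
        body = line[len(">CLIENT:ENV,"):]
        if body == "END":
            break
        key, _, value = body.partition("=")
        env[key] = value
    return cid, kid, env


def decide(cid: int, kid: int, env: dict[str, str], token_result: dict) -> str:
    """Return the management-interface command that accepts or rejects the
    client: client-auth-nt on a match, client-deny otherwise. The comparison
    between common_name and preferred_username is exact (no case folding)."""
    claims = token_result.get("id_token_claims") or {}
    if "error" in token_result or not claims:
        return f'client-deny {cid} {kid} "Azure AD authentication failed"'
    if env.get("common_name") != claims.get("preferred_username"):
        return f'client-deny {cid} {kid} "{DENY_REASON}"'
    return f"client-auth-nt {cid} {kid}"


def run_sample(block: str, token_result: dict) -> str:
    """Parse one connect event and produce the command to send back."""
    cid, kid, env = parse_client_connect(block)
    return decide(cid, kid, env, token_result)


if __name__ == "__main__":
    # CN "alice" vs UPN claim: denied with the message from the server log.
    print(run_sample(SAMPLE_MGMT_EVENT_SHORT_CN, TOKEN_RESULT))
    # CN equal to the UPN: accepted.
    print(run_sample(SAMPLE_MGMT_EVENT_UPN_CN, TOKEN_RESULT))
```

The practical consequence for the configuration in this issue is that the certificate's common name (or, with no client certificate, whatever OpenVPN passes as common_name) has to be the full value Azure AD puts in preferred_username, not a short user name.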

It works, thanks!