Hi,
I recently moved a company with existing Office 365 accounts to Univention with the Connector App.
That worked great thanks to the support here in this forum.
However, they now have a problem with the iOS and Android app “Microsoft Teams”.
When they try to log in with their username, the login process takes forever and they are not getting any further: they are not asked for a password later on.
They have a reverse proxy which sends requests to ucs-sso.firma.at back and forth to the UCS master. That obviously works, since the Office-365-connector itself is running well.
So, I tried to log in using the “Microsoft Teams” app and I saw a corresponding entry in the Apache access.log on the master:
"POST /simplesamlphp/saml2/idp/SSOService.php HTTP/1.1" 303 3662
"https://login.microsoftonline.com/common/oauth2/authorize?
response_type=code&
client_id=1fec8e78-bce4-4aaf-ab1b-5451cc387264&
resource=https%3A%2F%2Fapi.spaces.skype.com&
redirect_uri=msauth%3A%2F%2Fcom.microsoft.teams%2Ffcg80qvoM1YMKJZibjBwQcDfOno%253D&
state=YT1odHRwczovL2xvZ2luLm1pY3Jvc29mdG9ubGluZS5jb20vY29tbW9uJnI9aHR0cHM6Ly9hcGkuc3BhY2VzLnNreXBlLmNvbQ&
login_hint=it%40firma.at&
x-client-SKU=Android&
x-client-Ver=1.15.1&x-client-OS=22&
x-client-DM=D2303&client-request-id=73f5e6fb-7843-4d4e-8f90-8eb98aba9b70&
haschrome=1&
nux=1&
instance_aware=true"
"Mozilla/5.0 (Linux; Android 5.1.1; D2303 Build/18.6.A.0.182; wv)
AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/67.0.3396.87 Mobile Safari/537.36 PKeyAuth/1.0"
I also got an entry in the error.log:
[client 192.168.15.10:40182] AH01215:
PHP Notice: MemcachePool::get():
Server unix:///var/run/univention-saml/backupdc.firma.at.socket (tcp 0, udp 0) failed with:
Read failed (socket was unexpectedly closed) (0) in /usr/share/simplesamlphp/lib/SimpleSAML/Memcache.php on line 50,
referer: https://login.microsoftonline.com/common/oauth2/authorize?
response_type=code&
client_id=1fec8e78-bce4-4aaf-ab1b-5451cc387264&
resource=https%3A%2F%2Fapi.spaces.skype.com&
redirect_uri=msauth%3A%2F%2Fcom.microsoft.teams%2Ffcg80qvoM1YMKJZibjBwQcDfOno%253D&
state=YT1odHRwczovL2xvZ2luLm1pY3Jvc29mdG9ubGluZS5jb20vY29tbW9uJnI9aHR0cHM6Ly9hcGkuc3BhY2VzLnNreXBlLmNvbQ&
login_hint=it%40firma.at&
x-client-SKU=Android&
x-client-Ver=1.15.1&
x-client-OS=22&
x-client-DM=D2303&
client-request-id=73f5e6fb-7843-4d4e-8f90-8eb98aba9b70&
haschrome=1&
nux=1&
instance_aware=true
So, it tried to connect to the backupdc and that failed.
The next thing I tried was unsetting the saml-idp-server entry for the backupdc:
root@masterdc ~ # ucr search --brief saml
ucs/server/saml-idp-server/masterdc.firma.at: masterdc.firma.at
ucs/server/saml-idp-server/backupdc.firma.at: backupdc.firma.at
root@masterdc ~ # ucr unset ucs/server/saml-idp-server/backupdc.firma.at
After reloading apache2 I get no error log entry anymore, but the behaviour on the phone stays exactly the same.
What could be the reason for this?
Thanks for reading,
Roland.