Login Error: There is a problem with your account. Please contact the site's administrator

SSO
1

Login Error: There is a problem with your account. Please contact the site’s administrator.

I’m running into a login error that is only reported by two users, and comes and goes with time. I, and many other users, are able to log in just fine. According to the Discourse CAS SSO service logs, the user is handed off to the forum without any logged issue. Is this an error that any of you are familiar with? Where can I find more logs to help me track down this bug?

User names are the same, except that one account has different casing of the letters. The other user’s user name is exactly the same. Email addresses on our CAS server match their address on the forum. We are running the latest version of Discourse, as of a few days ago. We are not running any patches in the application code.

This may be coincidental, but the problem once went away for one of our users temporarily after restarting the CAS SSO service, but now they are unable to log into the forum. (At that time, only one user was reporting this issue.) I’m hoping to find a permanent solution to the problem.

I suggested to one of the users that they enter the forum domain name alone, without any path, in their browser, but they did not report success with that. According to the logs, at least one user is getting through the initial login process, so I doubt that the problem is caused by typing the wrong URL in their browser, or using a bad bookmark.

Here’s a screen shot of the error:

login-error
login-error1910×372 26.5 KB

I found the SSO provider logs associated with the failed login, by matching a paramter in their screen shot. I compared that to a successful login by me, and the only changes were to the sso and sig parameters, CAS ticket number, date stamps, the IP address, etc. Both logs were very similar, which implies that the early SSO validation steps are working properly. I’m including an edited version of the SSO provider login log associated with the failed login:

I, [2019-02-05T05:31:33.683842 #18023]  INFO -- : Started GET "/?sso=...&sig=..." for ... at 2019-02-05 05:31:33 -0500
I, [2019-02-05T05:31:33.685726 #18023]  INFO -- : Processing by LoginController#login as HTML
I, [2019-02-05T05:31:33.685829 #18023]  INFO -- :   Parameters: {"sso"=>"...", "sig"=>"..."}
I, [2019-02-05T05:31:33.687034 #18023]  INFO -- : Redirected to https://forum.members.fsf.org/auth/cas
I, [2019-02-05T05:31:33.687299 #18023]  INFO -- : Completed 302 Found in 1ms (ActiveRecord: 0.0ms)
I, [2019-02-05T05:31:33.812099 #18023]  INFO -- : Started GET "/auth/cas" for ... at 2019-02-05 05:31:33 -0500
I, [2019-02-05T05:31:49.217709 #18023]  INFO -- : Started GET "/auth/cas/callback?url&ticket=ST-..." for ... at 2019-02-05 05:31:49 -0500
I, [2019-02-05T05:31:49.256905 #18023]  INFO -- : Processing by LoginController#create as HTML
I, [2019-02-05T05:31:49.257047 #18023]  INFO -- :   Parameters: {"url"=>nil, "ticket"=>"ST-...", "provider"=>"cas"}
I, [2019-02-05T05:31:49.259105 #18023]  INFO -- : inside allow_groups ["is_member"] empty? false
I, [2019-02-05T05:31:49.259686 #18023]  INFO -- : Redirected to https://forum.members.fsf.org/session/sso_login?sso=...&sig=...
I, [2019-02-05T05:31:49.260007 #18023]  INFO -- : Completed 302 Found in 3ms (ActiveRecord: 0.0ms)

Any help with this issue would be greatly appreciated.

Thanks! : D

1 Like
2

I’ve seen the error you reported in the screenshot for users who were imported, but have never before logged in. In my case WP is the SSO provider and the “problem users” don’t have a Single Sign On section at the bottom of their user page.

1 Like
3

Thanks for the input. In my case, they have logged in before, and they do have the SSO section at the bottom of their user account page.

1 Like
4

Great news! I figured out how to reproduce the error. If I try to log in as “Sudoman” instead of “sudoman”, then this error appears. Our CAS server (i’m not referring to the CAS SSO service connected with Discourse) allows people to log in lto our systems like that.

In any case, presuming that the SSO provider is passing the user to Discourse with the user name of “Sudoman”, is this error message the desired behavior in Discourse, or is it a bug?

In my case, it would make sense to allow the user to log in, but in other systems, that could be a different user who is trying to log in.

I tried creating an account with capitalized letters in the user name, and an account was created with the same capitalization. Trying to log in again with all lower case letters caused an error. That makes sense to me.

Maybe it would make sense to create a resource that lists the list of possible causes that produces this error message. It would help systems administrators track down the issue when this happens to their users.

Thanks! :smiley:

4 Likes