Windows Authentication after upgrade to 2.0.3

Has anyone else seen issues with Windows Authentication outside of IIS since upgrading to 2.0.3?
We did an upgrade from 1.5.19 and now have problems using Windows Authentication. We can get Forms with LDAP to work, but enabling Windows Authentication doesn’t seem to.
Prior to the upgrade, we’d see SSO work - no sign-in page ever came up.

Anything we should be looking at?

Product: PowerShell Universal
Version: 2.0.3

I’d start by looking in the PSU logs. I’d also suggest increasing the log level to debug. You can do that in appsettings.json. Logs will be in %ProgramData%\PowerShellUniversal by default.

Here’s an excerpt from our logs - nothing stands out to me other than mentions of CORS errors.

2021-06-15T15:25:28.8275364-03:00 0HM9G58T40JA5:00000002 [DBG] OnConnectedAsync ending. (ed779a33)
2021-06-15T15:25:28.8277010-03:00 0HM9G58T40JA5:00000002 [DBG] Waiting for the client to close the socket. (11a322cc)
2021-06-15T15:25:28.8338716-03:00 0HM9G58T40JA5:00000002 [DBG] Socket closed. (440e5bb1)
2021-06-15T15:25:28.8340092-03:00 0HM9G58T40JA5:00000002 [DBG] Removing connection "1FK2SNfEWU1G99Kb-jwAoA" from the list of connections. (20ab60da)
2021-06-15T15:25:28.8340539-03:00 0HM9G58T40JA5:00000002 [INF] Executed endpoint '"/notificationhub"' (99874f2b)
2021-06-15T15:25:28.8343050-03:00 0HM9G58T40JA5:00000002 [INF] Request finished HTTP/1.1 GET http://my-server.my-domain.tld:5000/notificationhub?id=1FK2SNfEWU1G99Kb-jwAoA - - - 101 - - 121970.0793ms (791a596a)
2021-06-15T15:25:28.8343522-03:00 [DBG] Connection id ""0HM9G58T40JA5"" disconnecting. (b29b9868)
2021-06-15T15:25:28.8343690-03:00 [DBG] Connection id ""0HM9G58T40JA5"" stopped. (056149f8)
2021-06-15T15:25:28.8344179-03:00 [DBG] Connection id ""0HM9G58T40JA5"" sending FIN because: ""The Socket transport's send loop completed gracefully."" (59510695)
2021-06-15T15:25:28.8453068-03:00 [DBG] Connection id ""0HM9G58T40JA7"" accepted. (b16f4713)
2021-06-15T15:25:28.8454577-03:00 [DBG] Connection id ""0HM9G58T40JA7"" started. (1426b994)
2021-06-15T15:25:28.8481926-03:00 0HM9G58T40JA7:00000002 [INF] Request starting HTTP/1.1 POST http://my-server.my-domain.tld:5000/notificationhub/negotiate?negotiateVersion=1 text/plain;charset=UTF-8 0 (ca22a1cb)
2021-06-15T15:25:28.8483267-03:00 0HM9G58T40JA7:00000002 [DBG] AuthenticationScheme: "Negotiate" was not authenticated. (1152f827)
2021-06-15T15:25:28.8483738-03:00 0HM9G58T40JA7:00000002 [DBG] The request has an origin header: '"http://my-server.my-domain.tld:5000"'. (e0d3e4a6)
2021-06-15T15:25:28.8483866-03:00 0HM9G58T40JA7:00000002 [INF] CORS policy execution failed. (09b6f179)
2021-06-15T15:25:28.8483948-03:00 0HM9G58T40JA7:00000002 [INF] Request origin "http://my-server.my-domain.tld:5000" does not have permission to access the resource. (a03d560b)
2021-06-15T15:25:28.8486539-03:00 0HM9G58T40JA7:00000002 [DBG] "POST" requests are not supported (1c759b4c)
2021-06-15T15:25:28.8486816-03:00 0HM9G58T40JA7:00000002 [DBG] "POST" requests are not supported (1c759b4c)
2021-06-15T15:25:28.8487150-03:00 0HM9G58T40JA7:00000002 [DBG] 1 candidate(s) found for the request path '"/notificationhub/negotiate"' (9406aaa8)
2021-06-15T15:25:28.8487243-03:00 0HM9G58T40JA7:00000002 [DBG] Request matched endpoint '"/notificationhub/negotiate"' (cbf60c4b)
2021-06-15T15:25:28.8513749-03:00 0HM9G58T40JA7:00000002 [INF] Executing endpoint '"/notificationhub/negotiate"' (500cc934)
2021-06-15T15:25:28.8514616-03:00 0HM9G58T40JA7:00000002 [DBG] New connection "vg93BQ4Sr-hTzlczBg85rw" created. (6fadaaee)
2021-06-15T15:25:28.8515690-03:00 0HM9G58T40JA7:00000002 [DBG] Sending negotiation response. (898972b7)
2021-06-15T15:25:28.8516363-03:00 0HM9G58T40JA7:00000002 [DBG] The response will be compressed with '"gzip"'. (468e3546)
2021-06-15T15:25:28.8517442-03:00 0HM9G58T40JA7:00000002 [INF] Executed endpoint '"/notificationhub/negotiate"' (99874f2b)
2021-06-15T15:25:28.8518532-03:00 0HM9G58T40JA7:00000002 [DBG] Connection id ""0HM9G58T40JA7"" completed keep alive response. (9784cde9)
2021-06-15T15:25:28.8518994-03:00 0HM9G58T40JA7:00000002 [INF] Request finished HTTP/1.1 POST http://my-server.my-domain.tld:5000/notificationhub/negotiate?negotiateVersion=1 text/plain;charset=UTF-8 0 - 200 - application/json 3.7339ms (791a596a)
2021-06-15T15:25:28.8662676-03:00 [DBG] Connection id ""0HM9G58T40JA8"" accepted. (b16f4713)
2021-06-15T15:25:28.8664181-03:00 [DBG] Connection id ""0HM9G58T40JA8"" started. (1426b994)
2021-06-15T15:25:28.8691125-03:00 0HM9G58T40JA8:00000002 [INF] Request starting HTTP/1.1 GET http://my-server.my-domain.tld:5000/notificationhub?id=j38u5fo2CdsG5IaE58QXiQ - - (ca22a1cb)
2021-06-15T15:25:28.8692038-03:00 0HM9G58T40JA8:00000002 [DBG] AuthenticationScheme: "Negotiate" was not authenticated. (1152f827)
2021-06-15T15:25:28.8692455-03:00 0HM9G58T40JA8:00000002 [DBG] The request has an origin header: '"http://my-server.my-domain.tld:5000"'. (e0d3e4a6)
2021-06-15T15:25:28.8692585-03:00 0HM9G58T40JA8:00000002 [INF] CORS policy execution failed. (09b6f179)
2021-06-15T15:25:28.8692643-03:00 0HM9G58T40JA8:00000002 [INF] Request origin "http://my-server.my-domain.tld:5000" does not have permission to access the resource. (a03d560b)
2021-06-15T15:25:28.8694893-03:00 0HM9G58T40JA8:00000002 [DBG] The request path "/notificationhub" does not match a supported file type (4910e68e)
2021-06-15T15:25:28.8695762-03:00 0HM9G58T40JA8:00000002 [DBG] The request path "" does not match the path filter (c4ce145c)
2021-06-15T15:25:28.8696097-03:00 0HM9G58T40JA8:00000002 [DBG] 1 candidate(s) found for the request path '"/notificationhub"' (9406aaa8)
2021-06-15T15:25:28.8696200-03:00 0HM9G58T40JA8:00000002 [DBG] Request matched endpoint '"/notificationhub"' (cbf60c4b)
2021-06-15T15:25:28.8722606-03:00 0HM9G58T40JA8:00000002 [INF] Executing endpoint '"/notificationhub"' (500cc934)
2021-06-15T15:25:28.8724139-03:00 0HM9G58T40JA8:00000002 [DBG] Establishing new connection. (6a968e45)
2021-06-15T15:25:28.8724880-03:00 0HM9G58T40JA8:00000002 [DBG] OnConnectedAsync started. (d90d43b4)
2021-06-15T15:25:28.8725197-03:00 0HM9G58T40JA8:00000002 [DBG] Socket opened using Sub-Protocol: 'null'. (021bc393)
2021-06-15T15:25:28.8800475-03:00 0HM9G58T40JA8:00000002 [DBG] Found protocol implementation for requested protocol: "json". (c5c3bb54)
2021-06-15T15:25:28.8801315-03:00 0HM9G58T40JA8:00000002 [DBG] Completed connection handshake. Using HubProtocol '"json"'. (421947a1)
2021-06-15T15:25:45.8255500-03:00 [DBG] Connection id ""0HM9G58T40JA2"" disconnecting. (b29b9868)
2021-06-15T15:25:45.8256779-03:00 [DBG] Connection id ""0HM9G58T40JA2"" stopped. (056149f8)
2021-06-15T15:25:45.8257326-03:00 [DBG] Connection id ""0HM9G58T40JA2"" sending FIN because: ""The Socket transport's send loop completed gracefully."" (59510695)
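To read an excerpt like this per request rather than per line, here is a small triage function, added as an example and not code from the thread or from PowerShell Universal. It assumes the line layout shown above (timestamp, connection:request id, level, message, event id) and uses a few lines from the excerpt, with the quoting normalized, as constructed sample input:

```powershell
# Added example, not from the original thread: group an ASP.NET Core / PSU
# debug log by request id and report, per request, whether the Negotiate
# (Windows) scheme authenticated and whether the CORS policy rejected the origin.
# Sample lines below are taken from the excerpt above (quoting normalized).

$sampleLog = @'
2021-06-15T15:25:28.8481926-03:00 0HM9G58T40JA7:00000002 [INF] Request starting HTTP/1.1 POST http://my-server.my-domain.tld:5000/notificationhub/negotiate?negotiateVersion=1 text/plain;charset=UTF-8 0 (ca22a1cb)
2021-06-15T15:25:28.8483267-03:00 0HM9G58T40JA7:00000002 [DBG] AuthenticationScheme: "Negotiate" was not authenticated. (1152f827)
2021-06-15T15:25:28.8483866-03:00 0HM9G58T40JA7:00000002 [INF] CORS policy execution failed. (09b6f179)
2021-06-15T15:25:28.8483948-03:00 0HM9G58T40JA7:00000002 [INF] Request origin "http://my-server.my-domain.tld:5000" does not have permission to access the resource. (a03d560b)
2021-06-15T15:25:28.8518994-03:00 0HM9G58T40JA7:00000002 [INF] Request finished HTTP/1.1 POST http://my-server.my-domain.tld:5000/notificationhub/negotiate?negotiateVersion=1 text/plain;charset=UTF-8 0 - 200 - application/json 3.7339ms (791a596a)
2021-06-15T15:25:28.8662676-03:00 [DBG] Connection id ""0HM9G58T40JA8"" accepted. (b16f4713)
2021-06-15T15:25:28.8691125-03:00 0HM9G58T40JA8:00000002 [INF] Request starting HTTP/1.1 GET http://my-server.my-domain.tld:5000/notificationhub?id=j38u5fo2CdsG5IaE58QXiQ - - (ca22a1cb)
2021-06-15T15:25:28.8692038-03:00 0HM9G58T40JA8:00000002 [DBG] AuthenticationScheme: "Negotiate" was not authenticated. (1152f827)
2021-06-15T15:25:28.8692585-03:00 0HM9G58T40JA8:00000002 [INF] CORS policy execution failed. (09b6f179)
'@

function Get-PsuAuthTriage {
    param([Parameter(Mandatory)][string[]]$Lines)

    # Request-scoped lines look like:
    #   <timestamp> <connectionId>:<requestNumber> [LVL] <message> (<eventId>)
    # Connection-level lines (accepted/started/stopped) carry no request id and are skipped.
    $linePattern = '^(?<ts>\S+)\s+(?<req>[0-9A-Z]+:[0-9A-F]+)\s+\[(?<lvl>\w+)\]\s+(?<msg>.*)$'
    $requests = [ordered]@{}

    foreach ($line in $Lines) {
        if (-not ($line -match $linePattern)) { continue }
        $req = $Matches.req
        $msg = $Matches.msg

        if (-not $requests.Contains($req)) {
            $requests[$req] = [pscustomobject]@{
                RequestId     = $req
                Method        = $null
                Url           = $null
                Status        = $null
                NegotiateAuth = 'not seen'   # becomes 'failed' on "was not authenticated"
                CorsRejected  = $false
                Origin        = $null
            }
        }
        $r = $requests[$req]

        # switch -Regex populates $Matches for the matching case
        switch -Regex ($msg) {
            '^Request starting \S+ (?<m>\w+) (?<u>\S+)'                 { $r.Method = $Matches.m; $r.Url = $Matches.u }
            '^Request finished .* - (?<s>\d{3}) - '                     { $r.Status = [int]$Matches.s }
            'AuthenticationScheme: "Negotiate" was not authenticated'   { $r.NegotiateAuth = 'failed' }
            '^CORS policy execution failed'                             { $r.CorsRejected = $true }
            '^Request origin "(?<o>[^"]+)" does not have permission'    { $r.Origin = $Matches.o }
        }
    }
    $requests.Values
}

# Usage with the constructed sample:
Get-PsuAuthTriage -Lines ($sampleLog -split "`r?`n") |
    Format-Table RequestId, Method, Url, Status, NegotiateAuth, CorsRejected, Origin -AutoSize
```

On the sample, both hub requests show the Negotiate scheme not authenticated and a CORS rejection of an origin that is the server's own URL. A "was not authenticated" debug line on a request that does not yet carry an Authorization header is normal in a Negotiate exchange; what matters for SSO is whether any later request on the same connection shows the scheme succeeding, which this excerpt never does, and whether the CORS rejection is confined to the notification hub or also hits the page requests. Grouping by request id makes both questions answerable from a long debug log.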

Looking a bit closer at this 2.0.3 install, particularly the note on Integrated Environment:
[screenshot]

It looks like we should have ‘Integrated’ as an option, but we only have pwsh 7 and powershell 5.1 - the same as we had before the upgrade from 1.5.19
[screenshot]

If you have a customized environments.ps1 file, you can add the integrated environment by adding a new environment named “Integrated”

Something like this. The path doesn’t matter.

New-PSUEnvironment -Name "Integrated" -Path "C:\src\universal\src\output\Universal.Server.exe" -Variables @('*') 

I’ve reproduced and resolved the issue with Windows auth. The fix will be included in 2.1.0. It will also be included in tonight’s nightly build.


Awesome! It got me to look really close at our config, glad you found the cause. :slight_smile:


I’m going to guess I still have something mis-configured. After the update to 2.1.0 and enabling Windows Auth in my config file, I get redirected to this URL, /login?returnUrl=%2f, and get a form for username and password.

Still working on this, but it looks like somebody on my team (me) may have forgotten to edit roles.ps1 so that it makes sense now that Windows Auth works again, after modifying it to work with Forms authentication…

Getting closer to having this working 100% again.

Fixed my roles.ps1 - now all my dashboards work again.

$AdminGroupSIDS = @("S-1-1-11-313113131313-1122111-1221213444-1231331")

# Dump the full claims principal to see which claim types/values Windows auth provides
$User | ConvertTo-Json | Out-File C:\Temp\myUser.json

# Grant the role if the user carries a groupsid claim for any of the admin groups
foreach ($SID in $AdminGroupSIDS)
{
    if ($User.HasClaim("http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", $SID))
    {
        "Role check for $($User.Identity.Name) : 'Administrator'. " | Out-File "C:\UniversalAuthLogs\Role-Evaluation.txt" -Append
        $true
    }
}

Still having trouble getting the /admin URLs to load. I’m wondering if that’s got more to do with the authentication.ps1
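A fuller roles.ps1 entry along the same lines, added here as an example and not taken from the thread or from the PowerShell Universal project. It assumes New-PSURole takes -Name, -Description and -Policy, that the policy block receives the ClaimsPrincipal as $User (as in the snippet above) and runs on its own, so the SID list is declared inside it; the SID is a placeholder for the real admin group SID:

```powershell
# Added example, not from the original thread: a roles.ps1 entry for
# PowerShell Universal that grants the built-in Administrator role only to
# members of specific AD groups, matched by group SID claim.
# Assumptions: New-PSURole -Name/-Description/-Policy as in the PSU docs;
# the policy block gets a System.Security.Claims.ClaimsPrincipal as $User and
# is evaluated on its own, so nothing here relies on script-scope variables.

New-PSURole -Name 'Administrator' -Description 'Full access to the admin console' -Policy {
    param($User)

    # Windows authentication surfaces AD group membership as groupsid claims.
    $GroupSidClaim  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
    $AdminGroupSids = @(
        'S-1-5-21-0000000000-0000000000-0000000000-1234'   # placeholder: DOMAIN\PSU-Admins
    )
    $LogPath = 'C:\UniversalAuthLogs\Role-Evaluation.txt'

    # Matching on the SID rather than the group name survives renames and
    # cannot be satisfied by a different group with a look-alike display name.
    $isAdmin = $false
    foreach ($sid in $AdminGroupSids) {
        if ($User.HasClaim($GroupSidClaim, $sid)) { $isAdmin = $true; break }
    }

    # Record only the outcome and the identity name. Serializing the whole
    # ClaimsPrincipal (every group SID the user holds) is useful once, to see
    # which claim types arrive, but should not stay in a role policy.
    '{0:o} user={1} Administrator={2}' -f (Get-Date), $User.Identity.Name, $isAdmin |
        Out-File -FilePath $LogPath -Append

    # Return exactly one boolean so the role decision is never an empty pipeline.
    $isAdmin
}
```

The check deliberately keys on the groupsid claim rather than on a group display name, and the policy returns an explicit $false instead of an empty result when no SID matches, so a misread log line or an unexpected claim set cannot be mistaken for a grant.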

I can reproduce this. Working on a fix ASAP.


I’ve released a new version to resolve this.

https://imsreleases.blob.core.windows.net/universal/production/2.1.1/PowerShellUniversal.2.1.1.msi
https://imsreleases.blob.core.windows.net/universal/production/2.1.1/Universal.win7-x64.2.1.1.zip


Thanks Adam, that fixed it :slight_smile: