Redirect loop when using defender for cloud apps application control (reverse proxy)
Moderator: crythias
I'm trying to use Microsoft Defender for Cloud Apps Conditional Access App Control (MDCA CAAC) CASB solution (also called MCAS session control).
I'm already using Mellon auth for Azure AD authentication on the Apache server which works fine.
CAAC is supposed to work seamlessly with most web interfaces, and was for a good while, but now some pages work and others go in an endless redirect loop. It keeps redirecting to:
index.pl?Action=PreLogin&RequestedURL=<the unproxied version of the URL requested>
Is there any way to prevent Znuny from enforcing these redirects?
- Administrator
- Posts: 3983
- Joined: 18 Dec 2007, 12:23
- Znuny Version: Znuny and Znuny LTS
- Real Name: Roy Kaldung
- Company: Znuny
Re: Redirect loop when using defender for cloud apps application control (reverse proxy)
Hi,
No, there is no setting to prevent this. The client accesses a URL that requires a login. If no session can be detected, the authentication is triggered and the initially requested URL is "stored" in the URL param.
It is unclear to me if Znuny is used by two different FQDNs. This might become a problem. Make sure that only one FQDN is used and that this is properly set in the system configuration (together with HttpType).
- Roy
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO
Use a test system - always.
Do you need professional services? Check out https://www.znuny.com/
Do you want to contribute or want to know where it goes?
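The two points in the reply above (the requested URL travels in the `RequestedURL` parameter, and only one FQDN should be in play) can be checked against a captured redirect chain. This is an added example, not code from the thread or from Znuny; the host names and the hop list are constructed placeholders.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed data: host names and hops are placeholders, not from the thread.
EXTERNAL_HOST = "znuny.proxy.example"      # host shown in the browser
TICKET = "/znuny/index.pl?Action=AgentTicketZoom;TicketID=90"
PRELOGIN = ("https://znuny.proxy.example/znuny/index.pl?Action=PreLogin"
            "&RequestedURL=https%3A%2F%2Fznuny.internal.example%2Fznuny%2Findex.pl"
            "%3FAction%3DAgentTicketZoom%3BTicketID%3D90")
HOPS = [  # (request URL, Location header of the 302 it returned)
    ("https://znuny.proxy.example" + TICKET, PRELOGIN),
    (PRELOGIN, "https://znuny.proxy.example" + TICKET),
    ("https://znuny.proxy.example" + TICKET, PRELOGIN),
]

def analyse(hops, external_host):
    """Return (loop_detected, sorted hosts that differ from external_host)."""
    seen, loop, foreign = set(), False, set()
    for request_url, location in hops:
        if (request_url, location) in seen:
            loop = True                     # same request, same redirect again
        seen.add((request_url, location))
        target = urlsplit(location)
        if target.hostname and target.hostname != external_host:
            foreign.add(target.hostname)    # redirect leaves the external FQDN
        params = parse_qs(target.query)     # percent-decodes the values
        if params.get("Action") == ["PreLogin"]:
            for requested in params.get("RequestedURL", []):
                host = urlsplit(requested).hostname
                if host and host != external_host:
                    foreign.add(host)       # stored URL names another FQDN
    return loop, sorted(foreign)

if __name__ == "__main__":
    loop, foreign = analyse(HOPS, EXTERNAL_HOST)
    print("loop detected:", loop)
    print("hosts other than", EXTERNAL_HOST, "->", foreign)
```

A non-empty host list means the application is building URLs with a different FQDN than the one the browser uses, which is the condition the reply says to rule out.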
Re: Redirect loop when using defender for cloud apps application control (reverse proxy)
Thanks Roy,
So from what I understand Znuny can never work with a CASB reverse proxy in front of it, as I understand all CASB session control reverse proxies use one generated FQDN for external traffic from the browser to the proxy and the original service FQDN for "internal" traffic from the proxy to the web server.
Should I give up on session control of Znuny?
Re: Redirect loop when using defender for cloud apps application control (reverse proxy)
Hi,
I do not know the exact details of how a CASB reverse proxy works, and I don't need to. And before you ask: I will only read it if a customer requests this. From over 20 years, I can tell you it was always misconfiguration on the reverse proxy when it did not work.
In your situation I would also ask if the loop might be introduced by mod_auth_mellon. Enable LogLevel debug on the web server and use a SAML tracer to check this.
- Roy
Re: Redirect loop when using defender for cloud apps application control (reverse proxy)
Roy,
Thanks a million for helping look into this.
I think I've found a key piece of evidence when going through the CASB solution: Those 302 redirects obviously don't show when loading directly.
So I fired up mod_forensic and looked at the request parameters for each, thinking these may be how Znuny determines browser capabilities, but didn't find anything:
Direct:
```
Accept-Encoding:gzip, deflate, br
Accept-Language:en-GB,en;q=0.5
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Connection:keep-alive
Cookie:OTRSAgentInterface=HpN2TLxxxxxxxxxxxxxxxxxxk2ZCPPn; mellon-cookie=777d5xxxxxxxxxxxxxxxx45c586d2d4
DNT:1
GET /znuny/index.pl?Action=AgentTicketZoom;TicketID=90 HTTP/1.1
Host:xxxxxx.yyyyyy.com
Referer:https%3a//xxxxxx.yyyyyy.com/znuny/index.pl?
Sec-Fetch-Dest:document
Sec-Fetch-Mode:navigate
Sec-Fetch-Site:same-origin
Sec-Fetch-User:?1
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv%3a109.0) Gecko/20100101 Firefox/115.0
```
via CASB:
```
accept-encoding:gzip, br
accept-language:en-GB,en;q=0.5
accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
cookie:OTRSAgentInterface=5fSd5FGuxxxxxxxxxxxxxxxxxxxxxOXHEtU; mellon-cookie=e32dxxxxxxxxxxxxxxxxxxxxxa6092cc
dnt:1
Forwarded:for=55.55.55.55;proto=https;by=MS-CAAC
GET /znuny/index.pl?Action=AgentTicketZoom;TicketID=90 HTTP/1.1
Host:xxxxxx.yyyyyy.com
sec-fetch-dest:document
sec-fetch-mode:navigate
sec-fetch-site:none
sec-fetch-user:?1
upgrade-insecure-requests:1
user-agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv%3a109.0) Gecko/20100101 Firefox/115.0
x-mcas-forwarded:true
```
So I think it may be some javascript itself in the itself. Can I ask what criteria would trigger this message to be displayed? Looking through Kernel/Output/HTML/Templates/Standard/Login.tt and other code it looks like this only shows up if Core.App.BrowserCheck('Agent'); returns false.
Any thoughts on this would be greatly appreciated. As this is happening even after authentication it's leading me away from auth_mellon being the root cause. I'd love to get this working for me and others.
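The comparison of the two forensic dumps in the post above can be done mechanically. This is an added example, not code from the thread; the two samples are abbreviated from the dumps in the post with cookie values replaced by a placeholder, and the function names are hypothetical.

```python
from urllib.parse import unquote

# Abbreviated from the dumps in the post; cookie values are placeholders.
DIRECT = """Accept-Encoding:gzip, deflate, br
Connection:keep-alive
Cookie:OTRSAgentInterface=REDACTED; mellon-cookie=REDACTED
GET /znuny/index.pl?Action=AgentTicketZoom;TicketID=90 HTTP/1.1
Host:xxxxxx.yyyyyy.com
Referer:https%3a//xxxxxx.yyyyyy.com/znuny/index.pl?
Sec-Fetch-Site:same-origin"""
PROXIED = """accept-encoding:gzip, br
cookie:OTRSAgentInterface=REDACTED; mellon-cookie=REDACTED
Forwarded:for=55.55.55.55;proto=https;by=MS-CAAC
GET /znuny/index.pl?Action=AgentTicketZoom;TicketID=90 HTTP/1.1
Host:xxxxxx.yyyyyy.com
sec-fetch-site:none
x-mcas-forwarded:true"""

def parse_dump(text):
    """Map lower-cased header name -> value for one 'Name:value' dump."""
    headers = {}
    for line in text.strip().splitlines():
        name, sep, value = line.partition(":")
        if not sep or " " in name:          # request line, not a header
            continue
        name = name.strip().lower()         # header names are case-insensitive
        value = unquote(value.strip())      # undo the log's %3a escaping
        if name == "cookie":                # compare cookie names, never values
            value = sorted(c.split("=", 1)[0].strip() for c in value.split(";"))
        headers[name] = value
    return headers

def diff_headers(direct, proxied):
    a, b = parse_dump(direct), parse_dump(proxied)
    return {
        "only_direct": sorted(a.keys() - b.keys()),
        "only_proxied": sorted(b.keys() - a.keys()),
        "changed": {k: (a[k], b[k]) for k in sorted(a.keys() & b.keys())
                    if a[k] != b[k]},
    }

if __name__ == "__main__":
    for section, found in diff_headers(DIRECT, PROXIED).items():
        print(section, found)
```

On these samples the `Host` header and the cookie names are identical in both captures; the differences are the missing `Referer` and `Connection`, the added `Forwarded` and `x-mcas-forwarded`, and the changed `Accept-Encoding` and `Sec-Fetch-Site` values.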
Re: Redirect loop when using defender for cloud apps application control (reverse proxy)
Actually I just realised that it's likely that auth_mellon isn't passing the username to Znuny correctly and that's why it's redirecting to the authentication page repeatedly. I'll look into this now and try to debug.
Re: Redirect loop when using defender for cloud apps application control (reverse proxy)
Okay I've confirmed that the correct username is being passed for all requests in the Remote User variable (LogFormat %u), so this isn't the issue.
Re: Redirect loop when using defender for cloud apps application control (reverse proxy)
Hi,
A problem could also be the cookie domain. If the cookie domain differs from the one in the URL the browser might not set/return the correct cookie value.
- Roy
Re: Redirect loop when using defender for cloud apps application control (reverse proxy)
The proxy modifies all URLs and cookies in real time before sending them to the web server, so this shouldn't be an issue.
If you're interested: https://learn.microsoft.com/en-us/defen ... trol-works
Re: Redirect loop when using defender for cloud apps application control (reverse proxy)
Going to learn how to debug Znuny and dive in...