Users can no longer log in with Emby Connect

[harbinger1080]

Ombi build Version:

V 3.0.3111

Update Branch:

master

Media Sever:

Emby

Media Server Version:

3.3.1.10-beta

Operating System:

Ubuntu 17.10

Ombi Applicable Logs (from /logs/ directory or the Admin page):

2018-03-29 08:54:27.142 -04:00 [Error] StatusCode: Unauthorized, Reason: Unauthorized, RequestUri: https://connect.emby.media/service/user/authenticate

Problem Description:

No emby.connect users are able to log in to Ombi. All other emby connect services appear to work without issue, and I have tested manually sending a POST to the emby service, which has worked correctly. This was working until this week, when users said they could no longer access. Local accounts can log in without issue. It has persisted through the beta and the latest master release.

Server is behind a nginx reverse proxy serving SSL certificate. Cannot connect via emby connect when accessing via proxy or local network.

Reproduction Steps:

1. Connect to Ombi login screen
2. Attempt to log in with a valid imported emby.connect
3. Receive "Incorrect username or password" message

[tidusjar]

Reason: Unauthorized, RequestUri: https://connect.emby.media/service/user/authenticate

It's attmepting to authorize with emby's api but it's returning unauthorized.

That's all ombi does. Are you sure the credentails are correct

[harbinger1080]

Yes, that is why I made a small application that just connects to emby connect from that same system, and it authenticates properly. I have tried with 3 accounts as well, but only Ombi fails authenticating with Connect accounts.

[tidusjar]

Can you please share what you are doing in your POST?

[harbinger1080]

Absolutely, I took out all the sensitive bits, but I can send them to you directly if it would help.
I thought it might be an issue with this one Pi not being configured properly, but this is the only issue I'm seeing at the moment.

My actual password has symbols, numbers, and capital/lowercase letters. I've also tried a password with no special characters. Only Ombi fails authentication.

Nothing fancy, just using curl:

curl -i -H "Content-Type: application/json" -H "X-Application: FAKEAPPNAME/0.0.1" -X POST -d '{"nameOrEmail":"MYUSERNAME","rawpw":"NOTMYPASSWORD"}' https://connect.emby.media/service/user/authenticate -v

And I get the following response:

Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 173.230.139.54...
* TCP_NODELAY set
* Connected to connect.emby.media (173.230.139.54) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* NPN, negotiated HTTP1.1
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Unknown (67):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: OU=Domain Control Validated; OU=PositiveSSL Wildcard; CN=*.emby.media
*  start date: Jul 11 00:00:00 2016 GMT
*  expire date: Aug  8 23:59:59 2019 GMT
*  subjectAltName: host "connect.emby.media" matched cert's "*.emby.media"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Domain Validation Secure Server CA
*  SSL certificate verify ok.
> POST /service/user/authenticate HTTP/1.1
> Host: connect.emby.media
> User-Agent: curl/7.52.1
> Accept: */*
> Content-Type: application/json
> X-Application: FAKEAPPNAME/0.0.1
> Content-Length: 52
>
* upload completely sent off: 52 out of 52 bytes
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: nginx
Server: nginx
< Date: Thu, 29 Mar 2018 17:11:28 GMT
Date: Thu, 29 Mar 2018 17:11:28 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 349
Content-Length: 349
< Connection: keep-alive
Connection: keep-alive
< Keep-Alive: timeout=60
Keep-Alive: timeout=60
< X-Powered-By: PHP/5.5.9-1ubuntu4.22
X-Powered-By: PHP/5.5.9-1ubuntu4.22
< Access-Control-Allow-Origin: *
Access-Control-Allow-Origin: *
< Access-Control-Allow-Headers: Content-Type, Range, X-Connect-Token, X-Connect-UserToken, X-Application
Access-Control-Allow-Headers: Content-Type, Range, X-Connect-Token, X-Connect-UserToken, X-Application
< Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
< Vary: Accept-Encoding
Vary: Accept-Encoding

<
* Curl_http_done: called premature == 0
* Connection #0 to host connect.emby.media left intact
{"AccessToken":"MASKEDACCESSTOKEN","User":{"Id":"MASKEDID","Name":"MASKEDUSERNAME","DisplayName":"MASKEDUSERNAME","Email":"[email protected]","IsActive":"true","ImageUrl":"https:\/\/www.gravatar.com\/avatar\/MASKEDGUID?s=200&d=https%3A%2F%2Fmb3admin.com%2Fimages%2Fuser.png","IsSupporter":null,"ExpDate":null}}

[m3ki]

I am having the same issue

Version | 3.0.3111
-- | --
Branch | master
Github | https://github.com/tidusjar/Ombi
Discord | https://discord.gg/KxYZ64w
Reddit | https://www.reddit.com/r/Ombi/
OS Architecture | X64
OS Description | Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07)
Process Architecture | X64
Application Base Path | /opt/ombi/

2018-03-29T23:18:00.822509137Z fail: Ombi.Api.Api[1000]

2018-03-29T23:18:00.822579490Z StatusCode: Unauthorized, Reason: Unauthorized, RequestUri: https://connect.emby.media/service/user/authenticate

Please let me know if I can provide any more info.

[harbinger1080]

One thing I have noticed, but not sure if related-- when running the user importer-- the blue Run Importer button highlights when clicked, but there is no feed back that the task has completed. Waiting a while and going to the User Management screen shows a list of Emby users that have been imported.

I have also tried deleting a user entirely from Emby, readding it, setting it up with Connect again, and re-importing to Ombi. Please let me know what I can do to continue troubleshooting. I have seen a few reports of similar issues, but the cause remains unclear to me.

If there is anything you'd like me to trace from my side, via tshark or something, please let me know. Is there a more verbose logging I can enable in Ombi?

[tidusjar]

It's fine. I think you have provided enough info. I just need to find some time to look into it

[tidusjar]

Fixed in develop branch