BigFix WebReports prompts for PIV Card authentication after Upgrading to 10.0.8

gregoryjj 2023-01-11 21:07:03 UTC #1

Hello,

After upgrading BigFix to 10.0.8 in our dev environment, when I go to webreports, it’s asking me to authenticate with a PIV card. If click on cancel, it takes me to the username/password fields. When I do the same steps for our production environment, it doesn’t do that as it’s still on 10.0.7.

Is this expected behavior with the new upgrade going forward?

Justin

BigFix platform 10.0.8 - Client registration issue

beachbound 2023-01-12 14:15:42 UTC #2

We are getting that in our newly upgraded test environment as well. Not only do I get it when I first attempt to log in, but I also get it randomly while working on reports. Hoping to hear if this is expected as well.

ageorgiev 2023-01-12 14:29:17 UTC #3

Are you using SAML authentication in the problematic environments?

gregoryjj 2023-01-12 20:07:23 UTC #4

We are not using SAML in our environment.

ageorgiev 2023-01-13 08:20:47 UTC #5

My suggestion is open a support case and let L2/L3 review debug logs.

DanieleColi 2023-01-13 15:11:54 UTC #6

Is it possible you enabled Windows Integrated Authentication (WIA) on browser of your dev env?
If SAML is not enabled (remember to restart services if you switch enable/disable) you should land on the login page of Web Reports and nothing else…

gregoryjj 2023-01-13 15:22:39 UTC #7

No, I didn’t enable anything because after upgrading, I went to Webreports to check if it was up and prompted for pIV authentication.

Jeff 2023-01-13 18:45:25 UTC #8

We have also upgraded two of our test instances to 10.0.8 and are seeing this issue in both. We are not using SAML on one of these but have SAML on the other. It does work to get us to the Web Reports login screen after we put in our smart card pin on both.

DerrickD 2023-01-13 19:07:40 UTC #9

For what it’s worth, I have upgraded two environments (10.0.7 to 10.0.8) and (10.0.4 to 10.0.8), but running Windows, the later has DSA. Auth is handled by AD groups. I have not had any issues so far with Webreports, but it’s day 1.

ageorgiev 2023-01-16 14:07:26 UTC #10

For SAML specifically - I was involved in Beta-testing of new/re-written/updated SAML component which is a lot more secure but respectively “enforceful” of certain configurational requirements - what I saw that older version was accepting pretty much anything in certain fields in the config without double-checking it against the SAML Authentication provider responses where the new component would fail the authentication if things don’t match up. Raise a case with Support and I am sure L2/L3 would be able to help you fix it - they can provide you with the old SAML module, have it applied so that things work and allow you to correct the SAML configuration before swapping back to the new version of the module.

amelgares 2023-01-18 20:04:51 UTC #11

We just upgraded our test server to 10.0.8 and are being prompted for a certificate before connecting to the web reports URL. We’re not using SAML. Accounts are local and AD.

itsmpro92 2023-01-18 20:47:35 UTC #12

I wonder if this is something introduced by a browser upgrade. I have had 10.0.8 in my lab environment since it was released on Dec 15th, but I don’t recall this certificate request happening until now.

amelgares 2023-01-19 01:00:14 UTC #13

We’re seeing this client cert request in:
Windows: Edge, Chrome, Firefox
macOS: Safari, Chrome, Firefox
All are current browser versions

ematteag 2023-01-20 16:02:32 UTC #14

Hi,
The reason why you are seeing the popup is because in 10.0.8 the WebReports sends a certificate request during the initial TLS handshake.
We have a DA opened for that and we’ll revert the behaviour to 10.0.7.