OpenConnect on a Windows11-ARM VM

Dev Faye dev.laminefaye at gmail.com
Sat Dec 18 08:48:14 PST 2021


Hi Daniel,

A great thanks for your help and time.

> I assume you're the same person who started this thread, asking for
> help getting gp-saml-gui working?
> https://gitlab.com/openconnect/openconnect/-/issues/53#note_766233185
Yes I am. I tried to deploy gp-saml-gui, but I think there's something
with my VM that keeps it from being installed properly. I will give it
a deeper try when I have more bandwidth.

> Exactly what are you trying to do or illustrate here? I *think* that
> what you are doing is trying to "manually" follow the SAML login
> behavior since you can't use gp-saml-gui to automate it…
That's right! I'm hoping that going through the manual step-by-step
SAML authentication, if it works, would allow me to work while
searching for a solution to deploy gp-saml-gui.

I just tried your recommendation with the following commands:

First:
openconnect --protocol=gp --usergroup=gateway--user=91000318 at CORP
--os=win --passwd-on-stdin fr.ras.biomerieux.com -vvv --verbose

Then:
openconnect --protocol=gp --usergroup=gateway:prelogin-cookie
--user=91000318 at CORP --os=win --passwd-on-stdin --cookie-on-stdin
fr.ras.biomerieux.com -vvv --verbose

And I have the same error with the new syntax --os=win:

______________________________________________________________________________________________________
C:\Program Files (x86)\OpenConnect>openconnect --protocol=gp
--usergroup=gateway--user=91000318 at CORP --os=win --passwd-on-stdin
fr.ras.biomerieux.com -vvv --verbose
PASSWORD
POST https://fr.ras.biomerieux.com/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows
Attempting to connect to server 193.240.245.231:443
Connected to 193.240.245.231:443
SSL negotiation with fr.ras.biomerieux.com
Connected to HTTPS on fr.ras.biomerieux.com with ciphersuite
(TLS1.2)-(RSA)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Date: Sat, 18 Dec 2021 16:27:25 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 1891
Connection: keep-alive
ETag: "15615f6b6d78"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=b80ef8876a2488ad88677c021954a344; secure; HttpOnly
Set-Cookie: PHPSESSID=b80ef8876a2488ad88677c021954a344; secure; HttpOnly
Set-Cookie: PHPSESSID=b80ef8876a2488ad88677c021954a344; secure; HttpOnly
Set-Cookie: PHPSESSID=b80ef8876a2488ad88677c021954a344; secure; HttpOnly
Set-Cookie: PHPSESSID=b80ef8876a2488ad88677c021954a344; secure; HttpOnly
Set-Cookie: PHPSESSID=b80ef8876a2488ad88677c021954a344; secure; HttpOnly
Set-Cookie: PHPSESSID=b80ef8876a2488ad88677c021954a344; secure; HttpOnly
Set-Cookie: PHPSESSID=b80ef8876a2488ad88677c021954a344; secure; HttpOnly
Set-Cookie: PHPSESSID=b80ef8876a2488ad88677c021954a344; secure; HttpOnly
Set-Cookie: PHPSESSID=b80ef8876a2488ad88677c021954a344; secure; HttpOnly
Set-Cookie: PHPSESSID=b80ef8876a2488ad88677c021954a344; secure; HttpOnly
Set-Cookie: PHPSESSID=b80ef8876a2488ad88677c021954a344; path=/; secure; httponly
Set-Cookie: PHPSESSID=b80ef8876a2488ad88677c021954a344; secure; HttpOnly
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block;
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self'
'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length:  (1891)
SAML REDIRECT authentication is required via
https://auth.biomerieux.com/adfs/ls/?SAMLRequest=lZFBb4JAEIX%2FCtm7rKygMgESqoea2JQI7aGXZsGxbgK7dmdp%2FPlFbVPbg0mPk3nz5s03CcmuPUDeu73e4HuP5Lxj12qCcyNlvdVgJCkCLTskcA2U%2BcMahD%2BGgzXONKZlXk6E1imjF0ZT36Et0X6oBp8265TtnTsQcL6zvpXk18oMAoX90W9MB2E44SdHMeZlwfNFybzlkEJpefL7mZZDxD%2BzXG53xFvizFstU%2FYaTpqtnIowjuuojmdiHkQyxlm8C4MoRpSDjKjHlSYntUuZGItgFIhRMK%2BCKYgZiOiFecXXVXdKb5V%2Bu42gvogI7quqGBWPZcW8Z7R0jj4IWJacQMJ5sb1Ce9tWfvNk2T%2FoJfxqV3apfv82%2BwQ%3D&RelayState=FIdmABd8MWBiODBlZjg4NzZhMjQ4OGFkODg2NzdjMDIxOTU0YTM0NA%3D%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=ZRR6mjDrSS8JjcW3VDnUKUGgXZVhbxpzpD6KMPvWBphCHvVet2Zqxn7p2FEVJnp6II4jf%2BOOYz%2FuUTgtYgb5IWqvEu2lREDLmxHvdYN2umofzP8aUhCP3d1qvrx6T3q%2Fdn9KgJsDKP585b2GqzLJN4BFOSEDz8X4EZMwf6Nkj%2B0GstpagWn73PZY4ISuy2%2FrEkUtOOKPPlhcN%2BdUk0S4slVVizVk6PtQDXFoAUeNIN5opBLHM%2BVQ8dvo1VYP7zKPdOmDBK3diQP0QJ1uCkFwY%2FwYKiRMxAEx2X0vBqpoliZdv6tG%2BJdpQ6mgeX9LSd5MTxeKv0osVqtb1%2ByzMTXtqw%3D%3D
When SAML authentication is complete, specify destination form field
by appending :field_name to login URL.
Failed to complete authentication

C:\Program Files (x86)\OpenConnect>openconnect --protocol=gp
--usergroup=gateway:prelogin-cookie --user=91000318 at CORP --os=win
--passwd-on-stdin --cookie-on-stdin fr.ras.biomerieux.com -vvv
--verbose
PASSWORD
Q07i/ONBL3Jr1j5bmHW+IsPc/q8sjB+vx4YZlCGH4G0R+pUaZLJjm8pdZczdORZl
POST https://fr.ras.biomerieux.com/ssl-vpn/getconfig.esp
Attempting to connect to server 193.240.245.231:443
Connected to 193.240.245.231:443
SSL negotiation with fr.ras.biomerieux.com
Connected to HTTPS on fr.ras.biomerieux.com with ciphersuite
(TLS1.2)-(RSA)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Date: Sat, 18 Dec 2021 16:30:05 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 29
Connection: keep-alive
ETag: "1f35f6b6d78"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=e0e9f705ef60e6cf72e65b89fd5e7bb6; secure; HttpOnly
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block;
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self'
'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length:  (29)
Failed to parse server response
Response was: errors getting SSL/VPN config
Creating SSL connection failed
Cookie was rejected by server; exiting.

______________________________________________________________________________________________________


Just before running the commands, being unaware of how x86/x64 works
on ARM, I reinstalled OpenConnect in the "Program Files (x86)" directory.
Last time I performed the installation with the 32-bit installer, it
went directly to the Program Files directory by default.

Plus, during the installation process (both the first and the second
time I installed it), the TAP drivers failed to install. Can it be related
to my errors?

My next actions tonight:
1. Try to force-install the TAP drivers
2. Try to use Wireshark to have a look at the XML server response

Thank you.


On Fri, Dec 17, 2021 at 18:12, Daniel Lenski <dlenski at gmail.com> wrote:
>
> On Tue, Dec 14, 2021 at 10:08 PM Daniel Lenski <dlenski at gmail.com> wrote:
> >
> > What you've specified, `--os=windows`, is not a value that OpenConnect
> > understands; per the manual,
> > (https://www.infradead.org/openconnect/manual.html), `--os=win` is the
> > legal value. Does that work?
>
>
> Have you had a chance to test this? Does it make a difference?
>
> Dan
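The "SAML REDIRECT authentication is required via ..." line above is a SAML 2.0 HTTP-Redirect binding URL; when following the login manually it helps to decode it and read the AuthnRequest's Destination and AssertionConsumerServiceURL before opening it in a browser. This is an added example, not code from the thread or from OpenConnect/gp-saml-gui, and the hosts it uses (idp.example.test, vpn.example.test) are constructed, not the portal or IdP discussed here.

```python
# Decode a SAML 2.0 HTTP-Redirect binding URL. The binding carries the AuthnRequest as
# raw-DEFLATE-compressed, base64-encoded, URL-encoded XML in SAMLRequest, plus optional
# RelayState, SigAlg and Signature query parameters.
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"


def decode_saml_redirect(url):
    """Return the AuthnRequest XML and the fields worth checking before following it."""
    q = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(q["SAMLRequest"][0])
    xml_text = zlib.decompress(raw, -15).decode("utf-8")  # -15: raw DEFLATE, no zlib header
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("unexpected root element " + root.tag)
    return {
        "xml": xml_text,
        "destination": root.get("Destination"),              # IdP endpoint the browser hits
        "acs_url": root.get("AssertionConsumerServiceURL"),  # where the IdP posts back
        "relay_state": q.get("RelayState", [None])[0],
        "sig_alg": q.get("SigAlg", [None])[0],
        "signed": "Signature" in q,
    }


def encode_saml_redirect(idp_sso_url, authn_request_xml, relay_state=None):
    """Inverse of the above; used here only to build a constructed sample URL."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = c.compress(authn_request_xml.encode("utf-8")) + c.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return idp_sso_url + "?" + urlencode(params)


# Constructed sample with hypothetical hosts (not the portal or IdP from the thread).
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_abc123" Version="2.0" IssueInstant="2021-12-18T16:27:25Z" '
    'Destination="https://idp.example.test/adfs/ls/" '
    'AssertionConsumerServiceURL="https://vpn.example.test/SAML20/SP/ACS">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://vpn.example.test/SAML20/SP</saml:Issuer></samlp:AuthnRequest>'
)
SAMPLE_URL = encode_saml_redirect("https://idp.example.test/adfs/ls/",
                                  SAMPLE_AUTHN_REQUEST, relay_state="FIdmABd8")
```

Paste the real URL from the OpenConnect log into `decode_saml_redirect` to see which IdP endpoint and which ACS URL the portal's AuthnRequest names; a `signed` value of True with `sig_alg` set means the portal signed the request, as in the log above.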
