Scorm modules can't authenticate for checknet any more

Scorm modules can't authenticate for checknet any more

by Bogdan Mihai -
Number of replies: 6

Hello,


Recently we upgraded to Google Chrome Version 64.0.3282.167 and our Moodle started to act weird. 

When running a SCORM module Moodle checks for Internet Connection by accessing a file called checknet.txt. It seems like it can't authenticate the session to check this file any more. During the SCORM package in developer tools I can see requests to:

GET https://<LMS address/lib/yui/build/moodle-core-checknet/assets/checknet.txt?sesskey=<sessionKey>&time=1519733142960

but with status 401Authorization Required. 

Other problems that came up after this upgrade:

When I try to open the drop down menu of "Site Administration" it pops-up an alert "Syntax Error - Unexpected token < in JSON at position 0" and in developer tools I see a 401 Authorization Required for https://null:null@<LMS address>/lib/ajax/getsiteadminbranch.php


The SCORM problem is pretty nasty. I also tried upgrading from 2.9.x to 3.3.4+ but no improvements. On IE everything works great, I can't figure out what changed in this new version of Chrome that it can't authenticate sessions on specific actions.

We have SSO in place with Kerberos and it might be related to this.


Any help would be much appreciated!

Best regards,

Bogdan

Average of ratings: -
In reply to Bogdan Mihai

Re: Scorm modules can't authenticate for checknet any more

by Matteo Scaramuccia -
Picture of Core developers Picture of Peer reviewers Picture of Plugin developers

Hi Bogdan,
that's really strange: at first glance MDL-56896 but here you've specified the exact browser version.
Not sure if related with session cookies but it looks like you're running under HTTPS.

checknet.txt is a plan text file i.e. PHP stack is not used here: what is your env, from the user device up to the server?
Do you use Kerberos/NTLM?
Further details will help the investigation.

HTH,
Matteo

Average of ratings: -
In reply to Matteo Scaramuccia

Re: Scorm modules can't authenticate for checknet any more

by Bogdan Mihai -

Hi Matteo,

Thank you for your response!


Client specs:

- Desktop

- Windows 10 (tested with other versions, too, does not look to be related);

- Google Chrome V64.x as stated in first post


Server:

- Moodle v2.9.2+ (Build: 20150918) (also made a shadow copy and upgraded it to v3.3.4+ and I have the same results)

- OS CentOS release 6.7 (Final) (uname -a): Linux lms 2.6.32-573.22.1.el6.x86_64 #1 SMP Wed Mar 23 03:35:39 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

- PHP 5.6.33 (cli) (built: Jan  3 2018 13:11:40)

Apache/2.2.15 (Unix)

- HTTPS: ON

- Authentication manual and LDAP Server+SSO with Kerberos


ssl_error_log:

[Tue Feb 27 16:52:41 2018] [error] [client x.x.x.x] gss_accept_sec_context() failed: No credentials were supplied, or the credentials were unavailable or inaccessible (, Unknown error), referer: https://<LMS addr>/mod/scorm/player.php

Note that when you log in on LMS there is no error, everything is fine. This comes up when the SCORM module makes the checknet test.


In attachment you have a picture from developer tools.


Thank you,

Bogdan



Attachment scorm_401.png
Average of ratings: -
In reply to Bogdan Mihai

Re: Scorm modules can't authenticate for checknet any more

by Dan Marsden -
Picture of Core developers Picture of Particularly helpful Moodlers Picture of Peer reviewers Picture of Plugin developers Picture of Plugins guardians Picture of Testers Picture of Translators

Jan Dageförde posted some details about this in Moodle dev chat recently - Jan found it relates to a bug in Chrome that is fixed in M65 due in 2 weeks.

In the interim Jan posted this workaround, 
--------------------

you can patch the lib/yuilib/3.17.2/io-base/io-base-min.js as follows:

Find the part that says: s.c.open(o,p,!f,n.username||null,n.password||null),

Replace it (really also delete the trailing comma!) by the following:

if(!n.username && !n.password) {s.c.open(o,p,!f)} else {s.c.open(o,p,!f,n.username||null,n.password||null)}

No need to purge caches, but please please have a close look at the network tab after patching, because minor syntax errors in this patch might cause major problems for everyone...

more info:

https://github.com/d3/d3-request/issues/33
https://bugs.chromium.org/p/chromium/issues/detail?id=808018;
https://github.com/d3/d3-request/pull/34/files.
--------------------

Average of ratings: Useful (3)
In reply to Dan Marsden

Re: Scorm modules can't authenticate for checknet any more

by Bogdan Mihai -

Indeed this is the case! Thank you and thanks to Jan and the other people who were interested in my issue!


The workaround works on both Moodle v2.9.2+ and v3.3.4+.

I guess this won't impact Moodle when we upgrade Google Chrome.


Best regards,

Bogdan



Average of ratings: -
In reply to Dan Marsden

Re: Scorm modules can't authenticate for checknet any more

by Matteo Scaramuccia -
Picture of Core developers Picture of Peer reviewers Picture of Plugin developers

TNX Dan Yes!
And kudos to Jan Dageförde too approve!

Some more context info from Jan, which perfectly summarize the tech references about the Chromium bug:

You might be affected if your Moodle installation is behind HTTP authentication. The bug shows itself whenever a YUI script performs AJAX requests (e.g. the request to autosave-ajax.php by the atto editor). If you have developer tools open in chrome you will notice that the request goes to https://null:null@yourmoodleinstallation.whatever/lib/editor/atto/autosave-ajax.php and of course the null:null part is bogus and causes the browser to forget your current login, so all following requests get a 401 / request your username and password again, which is very annoying.

Ref. (for those w/ the proper acces permissions): https://moodle.org/local/chatlogs/index.php?conversationid=21642 (February 14, 2018, 11:50 AM)

Average of ratings: Useful (1)
In reply to Dan Marsden

Re: Scorm modules can't authenticate for checknet any more

by Jan Dageförde -

Thanks Dan and Matteo for summarising my findings. Glad to see that this has helped, Bogdan! smile

Regarding my statement of "no need to purge caches": I later found out that this isn't exactly wrong, because purging Moodle caches wouldn't help. Nevertheless, the YUI scripts are aggressively cached by browsers (they are set to never expire). That is usually a good thing, but in this case quite annoying. You will have to advise your (affected) users that they need to clear their Chrome browser cache so that they can obtain the fixed version.

Average of ratings: -