Speckle Server Invites of Guests

Hello dear Specklers,

Before I can describe the issue, I need to inform you about the boundaries:

  • Our server has SSO via Entra ID (formerly Azure AD).

  • We set up our Speckle Server so that only Entra ID (= OpenID Connect) is visible. There should not be any login form or the possibility for others to create accounts on our server.

  • As the login via username is hidden, external guests need to be invited via Entra ID.

  • Our Speckle App in Entra ID has three different Groups assigned (Admin, Member, Guests)

  • The guests are a new category … the ones before worked

  • The guest group in Entra ID contains external parties (invited via mail address to Entra ID), e.g. architects from other firms.

In general … no rocket science despite being a bit complicated.

Now to the issue itself:
Invited people listed in Entra ID can log in … get a token to their mail address and access Speckle. This works the first time. When they log out and log in … they see this. They don’t get any verification mail and are not able to access.

Our Speckle Server is now on version 2.18.10.

Hope this can be resolved as we want to use Speckle in an active project with architects.

CC: @ltascheva

Best,
Alex

Regarding the above verification mails of Speckle:
On this note, the Speckle Server itself has not sent out e-mails since March 1st (we are usually updating to every version of yours with only a slight delay).

Did we miss modifications of the mail function?

Hi @AlexHofbeck - do the server logs provide any insight as to what is occurring?

Iain

1 Like

The issue was solved in the following way … it took us a while to figure it out :skull:.

Our mail account for the Speckle Server (a Microsoft 365 Outlook address) has an MFA (which was there from the beginning) … somehow, maybe due to an update of Microsoft or our internal doings, Nodemailer from the Speckle Server was not able to send mails through the account anymore.

By taking a look at the logs of the server (we did a docker-compose down and docker-compose up to see the start of the server and have a less cluttered log) we found out the following:

{"@l":"Error","err":{"type":"Error","message":"Invalid login: 535 5.7.139 Authentication unsuccessful, the request did not meet the criteria to be authenticated successfully. Contact your administrator. [FR2P281CA0125.DEUP281.PROD.OUTLOOK.COM 2024-03-18T21:26:34.920Z 08DC46A1C25080EA]","stack":"Error: Invalid login: 535 5.7.139 Authentication unsuccessful, the request did not meet the criteria to be authenticated successfully. Contact your administrator. [FR2P281CA0125.DEUP281.PROD.OUTLOOK.COM 2024-03-18T21:26:34.920Z 08DC46A1C25080EA]\n    at SMTPConnection._formatError (/speckle-server/node_modules/nodemailer/lib/smtp-connection/index.js:790:19)\n    at SMTPConnection._actionAUTHComplete (/speckle-server/node_modules/nodemailer/lib/smtp-connection/index.js:1564:34)\n    at SMTPConnection.<anonymous> (/speckle-server/node_modules/nodemailer/lib/smtp-connection/index.js:1518:18)\n    at SMTPConnection._processResponse (/speckle-server/node_modules/nodemailer/lib/smtp-connection/index.js:969:20)\n    at SMTPConnection._onData (/speckle-server/node_modules/nodemailer/lib/smtp-connection/index.js:755:14)\n    at SMTPConnection._onSocketData (/speckle-server/node_modules/nodemailer/lib/smtp-connection/index.js:193:44)\n    at TLSSocket.emit (node:events:517:28)\n    at TLSSocket.emit (node:domain:489:12)\n    at addChunk (node:internal/streams/readable:368:12)\n    at readableAddChunk (node:internal/streams/readable:341:9)","code":"EAUTH","response":"535 5.7.139 Authentication unsuccessful, the request did not meet the criteria to be authenticated successfully. Contact your administrator. [FR2P281CA0125.DEUP281.PROD.OUTLOOK.COM 2024-03-18T21:26:34.920Z 08DC46A1C25080EA]","responseCode":535,"command":"AUTH LOGIN"},"@t":"2024-03-18T21:26:34.921Z","@x":"Error: Invalid login: 535 5.7.139 Authentication unsuccessful, the request did not meet the criteria to be authenticated successfully. Contact your administrator. 
[FR2P281CA0125.DEUP281.PROD.OUTLOOK.COM 2024-03-18T21:26:34.920Z 08DC46A1C25080EA]\n    at SMTPConnection._formatError (/speckle-server/node_modules/nodemailer/lib/smtp-connection/index.js:790:19)\n    at SMTPConnection._actionAUTHComplete (/speckle-server/node_modules/nodemailer/lib/smtp-connection/index.js:1564:34)\n    at SMTPConnection.<anonymous> (/speckle-server/node_modules/nodemailer/lib/smtp-connection/index.js:1518:18)\n    at SMTPConnection._processResponse (/speckle-server/node_modules/nodemailer/lib/smtp-connection/index.js:969:20)\n    at SMTPConnection._onData (/speckle-server/node_modules/nodemailer/lib/smtp-connection/index.js:755:14)\n    at SMTPConnection._onSocketData (/speckle-server/node_modules/nodemailer/lib/smtp-connection/index.js:193:44)\n    at TLSSocket.emit (node:events:517:28)\n    at TLSSocket.emit (node:domain:489:12)\n    at addChunk (node:internal/streams/readable:368:12)\n    at readableAddChunk (node:internal/streams/readable:341:9)","@mt":"📧 Email provider is misconfigured, check config variables."}
{"@l":"Warning","component":"modules","@t":"2024-03-18T21:26:34.921Z","@mt":"📧 Email provider is not configured. Server functionality will be limited."}

The important segment was this one:
":"Invalid login: 535 5.7.139 Authentication unsuccessful, the request did not meet the criteria to be authenticated successfully. Contact your administrator.

After taking a look at the page above and the log of the mail account in the Microsoft 365 Admin center we learned that the MFA blocked the Speckle server.

We had to remove the MFA of the mail address and add an alternative safety measure. Nodemailer and the mail address are now best friends again. I’m not sure why this happened, but I’m happy now that it is fixed. As the mail service was still in sleepy mode, we had to restart the server so that it became active again.

Going back to the beginning of this post:
As the Speckle team introduced this notice page (which actually is important :slight_smile: ) our dear friends from the Architects-side were not able to enter the server anymore after the first login, as they were not able to verify their accounts. There was no mail in their account to verify :slight_smile:

We had to verify them manually via the database (and PGadmin) to make the notice page vanish.

In sum, it was not the best impression of onboarding our dear architects to a new workflow, and we went a bit too passive with Speckle in the project … but I hope we can still turn it around :slight_smile:.

1 Like

Thanks for the insight and for sharing a solution. We try very hard to make the first interaction as easy as possible, but as you see, things out of our control can sour the experience.

Did anyone successfully onboard and verify after your mailer changes to improve matters?

1 Like

Thanks for the detailed report @AlexHofbeck

There are at least two things I’d like to improve upon here:

  1. If the email service is enabled in the server configuration and it fails during initialization, this should cause a fatal error in server startup. The operator of the server should get immediate feedback that the configuration or email system is broken, rather than waiting until users report problems.
  2. If the email service is enabled and an email fails to be sent, this should result in a warning message being logged. We may also wish to surface this error message to the user.

Hopefully these improvements will make this type of problem easier to detect in future.

Iain

2 Likes
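Added example (not part of the original posts and not Speckle's own code): a small Node.js triage function that scans the server's structured log output for the SMTP authentication failure Alex found by hand, so an operator gets the immediate feedback Iain describes. The field names come from the log excerpt in the thread; the function names and the sample log lines are constructed for illustration.

```javascript
// Constructed sample lines, modelled on the excerpt in the thread (shortened).
const SAMPLE_LOG = [
  '{"@l":"Information","@t":"2024-01-01T10:00:00.000Z","@mt":"Server starting"}',
  '{"@l":"Error","err":{"code":"EAUTH","responseCode":535,"command":"AUTH LOGIN",' +
    '"response":"535 5.7.139 Authentication unsuccessful, the request did not meet the criteria to be authenticated successfully."},' +
    '"@t":"2024-01-01T10:00:01.000Z","@mt":"Email provider is misconfigured, check config variables."}',
  'not json: container runtime noise',
  '{"@l":"Warning","@t":"2024-01-01T10:00:01.000Z","@mt":"Email provider is not configured. Server functionality will be limited."}',
].join('\n');

// Hypothetical helper: returns one finding per log entry whose err object
// shows rejected SMTP credentials.
function findSmtpAuthFailures(logText) {
  const findings = [];
  for (const line of logText.split('\n')) {
    let entry;
    try {
      entry = JSON.parse(line);
    } catch {
      continue; // docker-compose output can interleave non-JSON lines
    }
    const err = entry && entry.err;
    if (!err || typeof err !== 'object') continue;
    // Nodemailer reports rejected credentials as code EAUTH; 535 is the SMTP reply.
    if (err.code !== 'EAUTH' && err.responseCode !== 535) continue;
    // The enhanced status code (e.g. 5.7.139) follows the three-digit reply code.
    const m = /^\d{3} (\d\.\d{1,3}\.\d{1,3})/.exec(err.response || '');
    findings.push({
      time: entry['@t'],
      smtpCode: err.responseCode ?? null,
      enhancedStatus: m ? m[1] : null,
      command: err.command ?? null,
    });
  }
  return findings;
}

// Operator check: false means the mail account rejected the login,
// so verification mails will not be delivered.
function emailAuthHealthy(logText) {
  return findSmtpAuthFailures(logText).length === 0;
}

console.log(findSmtpAuthFailures(SAMPLE_LOG));
```

Run against the captured container logs after a restart, a `false` result from `emailAuthHealthy` can be wired into a monitoring or deployment check.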

With on-boarding I meant accepting Speckle as a platform for the internal coordination. The on-boarding function worked :slight_smile:

1 Like