Search the Community
Showing results for tags 'authentication'.
-
CURRENT STATUS: SSO: Not yet planned LDAP: Development COMPLETED - BETA AVAILABLE >180 direct endorsements >30 MONTHS (>2.5 years) >12,000 views PLEASE BUMP - - - - - PLEASE LIKE - - - - - PLEASE BUMP - - - - - PLEASE LIKE - - - - - PLEASE BUMP This would greatly expand Emby's usage, and possibly more enterprise level adoption, user templating, user groups, SSO, etc. There are also users who have completely abandoned Emby and ended subscriptions due to the lack of this necessary basic functionality. Note: SAML2 is also part of this request. (header auth is also acceptable, at a minimum.) Context: I am trying to use something like openfire as a Instant Messaging solution which already supports LDAP and SAML2. So this would allow the current user of emby to seamlessly use web-based instant messenger with the same username and password as Emby without the need to enter them into a form. This would also allow universal login to be shared with my home PC's, Spiceworks, Ombii, Organizr, etc. The multitude of possible flexible functionality this could add is truly incredible. THIS NEEDS TO BE DONE, myself and others cannot manage a userbase with proprietary passwords for a single service (with no self-service password reset/recovery), when things that have only months of development implement it within days, easily. Status: LDAP - Development Completed - BETA AVAILABLE! Common LDAP solutions to test against:Open LDAP (Open Source) [use this] ApacheDS OpenDJ 389 Directory Server Microsoft Active Directory SSL is NOT actually needed, but Emby team insisted on it anyways: Simply offering a toggle option for auth to send plaintext or encrypted passwords would work just fine. It is ironic to claim the need to be overly security conscious of user passwords, while lagging behind on basic SSL. If SAML is implemented, a SAML request/response can just be signed by an x509 and it is just as secure as TLS using SSL. SSL does not need to be natively supported, as it is perfectly possible to run it through an SSL reverse proxy tunnel and have the same effect. SSL Feature Request: https://emby.media/community/index.php?/topic/33983-ssl-integrationsupport/&do=findComment&comment=322526As of now username and password is encrypted client-side as security as SSL is not natively implemented. Emby team has said this impedes the adoption of both SSO and LDAP. Please see our SSL request topic; like, comment, and endorse it to show how many people would enjoy/gain from this basic security. Ways to satisfy this FR: Direct LDAP connector SAML2 connector General SSO functionality (SSO Header, etc) Allowing user header auth NGINX auth support RADIUS Authentication Other features that are inherently possible if this is implemented: Self service passwords Ability for users to invite users/guests Expiring Accounts (after duration/trigger) Unified credentials for many services Corporate level authentication security User groups Mass User management Update 1: I encourage others to work on this but I am currently seeing what I can do to develop a solution to this myself. If you have experience in this LDAP/SSO/SAML2/SSL/.NET contact myself, @@Luke, @@ebr or the Emby team to let them know, any help is greatly appreciated! By everyone! Update 2: I know there is always the question of "well how many users actually want/will use this", so I compiled a list of some of the other threads/sites where people request this (to apparently no effectiveness in motivating the team). Update 3 (18 MONTH UPDATE): This request has now hit 18 months in age, NO progress made thus far whatsoever. ( ) Update 4: This FR is now the 4th most liked post ON THE ENTIRE FORUM and the 3rd most liked FR ON THE ENTIRE FORUM (ever), the 1st most liked active FR ON THE ENTIRE FORUM and over 4000 views. Counting endorsements besides those on this thread show over 115 direct requests/endorsements for this basic functionality. Lets get this moving guys, this is getting to be a bit much. Almost 2 years waiting on this now. Source Update 5 (9/20/2017): This feature request is now the MOST DESIRED REQUEST EVER MADE TO EMBY, sadly, that has not merited any progress at all. The staff has been working on things they believe Emby users want or may want, but it is clear what people want. We can only hope now our wishes are respected instead of being told what we want and having our requests dismissed. Source Update 6 [2 year update] (10/17/2017): Two years and not a single bit of progress has been made. TWO YEARS!!! To say this is disappointing is an understatement. The entire reason I went from Plex to Emby was because of local user management. THIS IS THE ONLY REASON, so naturally I wanted to have complete control over my users, but after TWO YEARS, still nothing. Update 7 (3/6/2018): DEVELOPMENT HAS STARTED!!! Check Luke's recent comments, if you want to test it out, download the latest beta and install/configure the LDAP plugin to test and give feedback!!! Update 8 (4/6/2018): Development on the LDAP connector has completed from what I gather, not sure if this is only a beta or a primary release; SSO is still a plan for the future but has not been touched. Progress made by other users (looks to be nearly, if not fully complete): https://github.com/MediaBrowser/Emby/pull/1885 https://github.com/MediaBrowser/Emby/pull/2139 Exploits shown by other users against Emby (emphasizing the need for a centralized authentication solution): https://emby.media/community/index.php?/topic/12335-unauthenticated-access-over-the-internet-to-logs-folder/ https://emby.media/community/index.php?/topic/20376-all-folders-visible-to-all-users-after-upgrade/ Related FR that could be helpful: https://emby.media/community/index.php?/topic/46635-support-for-logging-users-in-though-url-scheme/?hl=user Any of these could be interesting to have compatibility with: http://lemonldap-ng.org/welcome/ https://github.com/Jasig/cas http://passportjs.org/ https://www.nginx.com/resources/admin-guide/restricting-access-auth-request/ LDAP/SSO/SAML Requests (~180 endorsements) [>12,000 views] > 95 endorsements on this post ~ 30 endorsementshttps://github.com/MediaBrowser/Emby/issues/1146 > 35 endorsementshttps://www.bountysource.com/issues/24943821-authenticate-users-using-ldap > 14 endorsementshttps://feathub.com/tidusjar/Ombi/+122 > 4 endorsementshttps://www.reddit.com/r/emby/comments/5o44wd/creating_deleting_updating_users_with_the_api/ Interview, in article comments user said lack of LDAP STOPPED him from using Emby (Emby is actually losing customers due to the lack of this NECESSARY basic functionality):https://www.linux.com/news/software/multimedia/856128-exclusive-interview-emby-founder-luke-pulverenti Duplicate, user had no progress on first 2 posts (no one from Emby actually tracked this or even replied to him):http://emby.media/community/index.php?/topic/861-mb3-and-active-directory/ http://emby.media/community/index.php?/topic/867-mb3-and-active-directory/ Auth announcement, user 'Drashna' in comments requested LDAP/ADhttp://emby.media/community/index.php?/blog/1/entry-177-manage-your-home-with-emby-users/ Various similar requestshttps://github.com/MediaBrowser/Emby/issues/2494 https://github.com/MediaBrowser/Emby/issues/2493 https://forum.yunohost.org/t/integration-emby/912 http://emby.media/community/index.php?/topic/13081-active-directory-integration/ http://emby.media/community/index.php?/topic/11200-media-browser-3-server-ldap-active-directory/ External SQL auth request:http://emby.media/community/index.php?/topic/27986-emby-and-shared-mysql-database/ http://emby.media/community/index.php?/topic/23509-authenticate-users-via-external-mysql-database/ http://emby.media/community/index.php?/topic/12001-external-login-to-mysql/ #ADFS #SSO #LDAP #ActiveDirectory #MSAD #SAML #SAML2.0 #SAML1.1 #PingFederate #OKTA #LemonLDAP #JASIG #authentication #auth #TLS #SSL #Usergroup #usertemplate #header #authheader #headerauth #security #hardening #authhardening #authenticationheader #externalauth #centralauth #centralizedauth #centralizeddb #exploit #authexploit #security #loginhardening #authenticationhardening #accesscontrol #.NET #SelfService #RADIUS
- 214 replies
-
- 114
-
-
Hello! I am trying to configure the LDAP Plugin to work without success. I have an Emby server and my LDAP server deployed as a docker container, they have access to the same docker network. I have ensured that the Emby container can reach the LDAP one successfully. These are my settings on the LDAP Plugin: If I run this from a docker container in the same network (I couldn’t install the required package openldap-clients on the Emby server container). As you see these settings are working here: These are the logs related to the login attempt 2024-03-04 14:59:37.467 Error UserManager: Error authenticating with provider LDAP *** Error Report *** Version: 4.8.1.0 Command line: /system/EmbyServer.dll -programdata /config -ffdetect /bin/ffdetect -ffmpeg /bin/ffmpeg -ffprobe /bin/ffprobe -restartexitcode 3 Operating system: Linux version 6.1.64-Unraid (root@Develop-612) (gcc (GCC) 12.2.0, GNU ld version 2.40-slack151) #1 SMP PREEMPT_DYNAMIC Wed Nov 29 12:48:16 PST 2023 Framework: .NET 6.0.25 OS/Process: x64/x64 Runtime: system/System.Private.CoreLib.dll Processor count: 4 Data path: /config Application path: /system Novell.Directory.Ldap.LdapException: LdapException: Invalid Credentials (49) Invalid Credentials LdapException: Matched DN: Source: LDAP TargetSite: Void ChkResultCode() 2024-03-04 14:59:37.468 Error DefaultAuthenticationProvider: Invalid username or password. No user named alessandro exists 2024-03-04 14:59:37.469 Error UserManager: Error authenticating with provider Default *** Error Report *** Version: 4.8.1.0 Command line: /system/EmbyServer.dll -programdata /config -ffdetect /bin/ffdetect -ffmpeg /bin/ffmpeg -ffprobe /bin/ffprobe -restartexitcode 3 Operating system: Linux version 6.1.64-Unraid (root@Develop-612) (gcc (GCC) 12.2.0, GNU ld version 2.40-slack151) #1 SMP PREEMPT_DYNAMIC Wed Nov 29 12:48:16 PST 2023 Framework: .NET 6.0.25 OS/Process: x64/x64 Runtime: system/System.Private.CoreLib.dll Processor count: 4 Data path: /config Application path: /system System.Exception: System.Exception: Invalid username or password. at Emby.Server.Implementations.Library.DefaultAuthenticationProvider.Authenticate(String username, String password, User resolvedUser) at Emby.Server.Implementations.Library.UserManager.AuthenticateWithProvider(IAuthenticationProvider provider, String username, String password, User resolvedUser, CancellationToken cancellationToken) Source: Emby.Server.Implementations TargetSite: System.Threading.Tasks.Task`1[MediaBrowser.Controller.Authentication.ProviderAuthenticationResult] Authenticate(System.String, System.String, MediaBrowser.Controller.Entities.User) 2024-03-04 14:59:37.470 Warn Server: AUTH-ERROR: 162.154.134.188 - Invalid username or password entered. 2024-03-04 14:59:37.470 Error Server: Invalid username or password entered. Any suggestion? Thank you in advance
-
I'm very tired of Plex and am looking for something better that isn't so unstable and invasive. I've had at least two big problems with Plex lately. The first was when I discovered that ALL of our content was being relayed OUT of our LAN to their company's servers and then back IN to our LAN just to get it to our iOS devices. I disabled remote access and believe I may have that under control now. Our internet usage has gone down significantly, but I still see a lot of chatter and calling home, but hopefully it is just to pull metadata and not streaming our content to/through their servers. The second problem I had with Plex was and still is, the iOS apps want to authenticate or login through the Plex company's services. Even with our server configured to not require authentication for local IPs, the iOS apps have all sorts of problems with accessing our library. It's all become very unstable, unreliable, unfriendly, invasive, and just unbearable to use. So, what I'm looking for is a simple media server to run on our Synology NAS, and complementary apps for iOS devices so that we can easily access all of our content, just our content, directly, within our LAN. Ideally, the server and apps would respect people's privacy, not require authentication when running within a LAN, and stream our content directly from the internal server to our devices. I think this boils down to a couple questions. Does Emby require an internet connection to deliver content from an Emby server within our LAN on a DiskStation to iOS Emby clients also within our LAN? Do Emby clients (or the server) perform or require any authentication with external servers?
- 5 replies
-
- requirements
- features
-
(and 1 more)
Tagged with:
-
Hello, How do I skip emby connect and just login to my server with url / user+pw? I dont see any way to skip emby connect it just goes back and forth between "OK" and using a pin to login. This is my second apple tv and the first one works just fine but I don't remember how setup went with it. They are both on the same subnet. Thanks, Wolf Larson
- 30 replies
-
- emby connect
- authentication
-
(and 2 more)
Tagged with:
-
Hello all, I'm using the emby built in ssl for external announcement and i'm trying to write a fail2ban filter for direct emby log support. In reviewing the logs i was only able to find a log line with the connecting IP in the HTTP 401 response. Initially I was just going to regex that however on further review I'm seeing non-auth fail 401 messages returned. That leaves me having to try to mangle together some multiline regex nightmare trying to match first the authentication failure line then the 401 for the <HOST> ip. I've been working on this all day, I'm not even sure it's possible. I know many people use reverse proxy and fail2ban on the apache logs but i'd prefer to use the emby native ssl since it's there. Has anyone figured out the regex for this? _______________________________________________________________________________________________________________________________ 2016-02-14 15:55:43.8718 Info UserManager: Authentication request for <username> has been denied. 2016-02-14 15:55:43.8820 Error DtoUtils: ServiceBase<TRequest>::Service Exception *** Error Report *** Version: 3.0.5821.0 Command line: /usr/lib/emby-server/bin/MediaBrowser.Server.Mono.exe -programdata /var/lib/emby-server -restartpath /usr/lib/emby-server/restart.sh Operating system: Unix 3.19.0.25 Processor count: 8 64-Bit OS: True 64-Bit Process: True Program data path: /var/lib/emby-server Mono: 4.2.1 (Stable 4.2.1.102/6dd2d0d Thu Dec 3 04:04:55 UTC 2015) Application Path: /usr/lib/emby-server/bin/MediaBrowser.Server.Mono.exe Invalid user or password entered. MediaBrowser.Controller.Net.SecurityException at MediaBrowser.Server.Implementations.Session.SessionManager+<AuthenticateNewSession>c__asyncC.MoveNext () <0x41c76b00 + 0x0080b> in <filename unknown>:0 --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () <0x7fa7314f36d0 + 0x00029> in <filename unknown>:0 at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Threading.Tasks.Task task) <0x7fa7314f16b0 + 0x000a7> in <filename unknown>:0 at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Threading.Tasks.Task task) <0x7fa7314f1630 + 0x0006b> in <filename unknown>:0 at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd (System.Threading.Tasks.Task task) <0x7fa7314f15e0 + 0x0003a> in <filename unknown>:0 at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1+ConfiguredTaskAwaiter[TResult].GetResult () <0x7fa7314f1d10 + 0x00017> in <filename unknown>:0 at MediaBrowser.Api.UserService+<Post>c__async1.MoveNext () <0x41c75ea0 + 0x00680> in <filename unknown>:0 2016-02-14 15:55:43.8849 Error HttpServer: Error processing request for /emby/Users/authenticatebyname *** Error Report *** Version: 3.0.5821.0 Command line: /usr/lib/emby-server/bin/MediaBrowser.Server.Mono.exe -programdata /var/lib/emby-server -restartpath /usr/lib/emby-server/restart.sh Operating system: Unix 3.19.0.25 Processor count: 8 64-Bit OS: True 64-Bit Process: True Program data path: /var/lib/emby-server Mono: 4.2.1 (Stable 4.2.1.102/6dd2d0d Thu Dec 3 04:04:55 UTC 2015) Application Path: /usr/lib/emby-server/bin/MediaBrowser.Server.Mono.exe Invalid user or password entered. ServiceStack.HttpError No Stack Trace Available 2016-02-14 15:55:43.8913 Info HttpServer: HTTP Response 401 to <Offending IP>. Time: 32ms. https://<server address>:8920/emby/Users/authenticatebyname ____________________________________________________________________________________________________________________________________ It would be nice it the emby logs included the offending IP in the authentication failure line. That regex would be straight forward. 2016-02-14 15:55:43.8718 Info UserManager: Authentication request for <username> has been denied from <Offending IP> Thanks ahead of time -everydayevil
- 51 replies
-
- fail2ban
- authentication
-
(and 1 more)
Tagged with:
-
Hello all, Just wondering if there is any current functionality (can't find any, but I might not be looking hard enough) or plans for any future functionality to be able to whitelist an IP prefix for passwordless auth? Want to make dad's life slightly easier so he doesn't have to enter passwords in on each of his Fire TV sticks! Look forward to hearing back! Cheers, Jack :-)
-
Hello, I'm having difficulty authenticating via LDAP through the Roku client. I am able to authenticate through the web browser, and I am 100% sure that I am entering the correct password. Attached is my embyserver.txt. I noticed that when attempting to authenticate through the Roku a post request to https://connect.emby.media/service/user/authenticate is logged. Emby Version 3.5.3.0 Roku Version 3.0.111 Roku Express+ Both Emby + OpenLDAP are running inside of docker containers. Please help me debug this! Not sure how long my parents will go without entertainment! Thanks embyserver.txt
- 11 replies
-
- ldap
- authentication
-
(and 2 more)
Tagged with:
-
Emby Server 3.5.2.0 on QNAP (x64) Kodi 17.6 on Windows 7 x64 Pro -Logs can be provided if needed- I have two users setup on Emby and matching profiles in Kodi. The Kodi plugin is installed on the server. Issue: Anytime Kodi switches profiles (user1 to user2 -or- user2 to user1) the message of Emby Authentication Failed is displayed, and the user is prompted to type in the password again. Example: User1 uses the User1 profile in Kodi, prompted to authenticate. Once authenticated, sync happens and no issues. If User1 closes and reopens Kodi, sync happens. No authentication prompt, and everything works as expected. User1 Kodi profile continues to function perfectly as expected, no matter how many times Kodi is reopened, until... User2 loads User2 profile. User2 is prompted to authenticate. Like User1, everything works as expected from then on. If User2 continues to reopen Kodi, no issues just like User1. If User1 opens Kodi (after User2), the whole process starts over with authentication. If User2 opens Kodi (after User1), again, the whole process starts over with authentication. All media is displayed properly, and all sync's occur properly, the issue is the re-authentication if you were not the last person using the system. It is like Kodi is only saving one password, the last password entered, and trying to use it for every user. Additional Details: This started around July 29th, I believe that is when I upgraded Emby to the current version (3.5.2.0). It was using the direct previous version before it. I keep my system current. This occurs on 4 different computers with existing Kodi installations. I've clean installed a fresh Kodi setup, with Emby Add-on only, still occurs. I've reinstalled Emby server over itself, still occurs. I've delete and recreated the user accounts on the Emby Server itself, still occurs. I'm about to remove Emby Server entirely from the QNAP, and clean install it on the server. Since the media scan will take forever on my large collection, I thought I would ask for assistance first. I’m a lifetime Emby Premiere user and have been enjoying the work that has been done on the project for several years. Thank you for the project and any assistance that can be provided.
- 41 replies
-
Server unable to contact Emby Admin Servers to authenticate Plugins/Connect
PurposelyCryptic posted a topic in General/Windows
I wasn't sure if I should start a new topic for this, as I experiencing pretty much the same issues that Swynol and Daedalus experienced HERE: I originally posted this on that thread simply because it seemed directly related, but between worrying over whether that constituted thread-jacking, and the topic now having been marked 'Answered', I thought it might be better to start fresh (I will edit my post there to reflect this). I'm running Emby Server Beta on Windows 8.1. The main symptom is that all my supporter plugins are showing as "Trial expired", and when I go to their pages in the catalog, I just get a never-ending 'Loading' Circle. Emby Connect also seems wonky, as I can't link local users with their online Emby accounts; Users already linked can still use Connect to access the server over cellular (My only other internet connection), although when I try to log in through Connect in Chrome on the machine itself, my credentials aren't recognized. The logs show errors on every attempt to connect to verify plugin authorization, to the Emby Connect service and so on, in each case the log states "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.". It seems to be throwing A LOT of these errors, too, as I've had several 100MB+ logs over the past few days (The attached log from a fresh boot yesterday afternoon has since grown to 50MB overnight). The odd thing is that, despite the connection issues for plugin and Connect authorization, Emby Server updated both itself and the plugins just fine, and, as mentioned, I can use Connect to access the server from my cell on 4G. The "Thank you for supporting Emby" badge shows up properly on the Dashboard too (Not sure if that's relevant, but the last time I had a connection problem it disappeared). This is all happening as I finally have my server (the machine, that is) up and running again, after the motherboard and processor died a couple months ago, forcing me to use my laptop as a temporary server. I know from the fact that I didn't have these issues on the laptop that the cause should be located within the server, I've temporarily disabled my firewall entirely and placed the server in my router's DMZ just to eliminate that part of the equation, and I am fairly certain the issue isn't with my Emby configuration, as I've performed a series of fresh installs (both Release and Beta), and the issue was still present, but all I've discovered so far is what's NOT causing the problem, leaving me with no more of a clue as to what actually IS :-/ If anyone could help shed light on this, I would be seriously grateful, as while I do have a certain small amount of pride in my technical skills, I'm also pretty sure that I've come about as far as those skills will take me. Help me, Obi-Wan Kenobi. You're my only hope. server-63605748225.txt -
I am trying to programatically get the server Library to rescan. This used to work using a simple curl command couple months ago, but I understand that additional token-based security has been added, according to http://mediabrowser.tv/community/index.php?/topic/72-user-authentication/ I am trying to follow the instructions to authenticate as per the first step in https://github.com/MediaBrowser/MediaBrowser/wiki/Authentication but to no avail. I have tried a variety of curl commands, similar to this (note: I do not have a password set): curl -d 'Authorization=MediaBrowser UserId="0d2c22c2debe62c66cc552b00adbfad4", Client="iOS", Device="iPhone", DeviceId="8912f03b961d76e736637d5d6014a586406de64c", Version="1.0.0.0"' -d "username=Foo" --dump-header headers http://192.168.0.30:8096/mediabrowser/Users/AuthenticateByName but the error I receive is: HTTP/1.1 500 NullReferenceException Transfer-Encoding: chunked Content-Type: text/html Vary: Accept Server: Microsoft-HTTPAPI/2.0 X-UA-Compatible: IE=Edge X-Application-Error-Code: Object reference not set to an instance of an object. X-Powered-By: ServiceStack/4.00 Win32NT/.NET Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS Access-Control-Allow-Headers: Content-Type, Authorization, Range, X-MediaBrowser-Token Please help! I know that the username (and empty pass) step I've entered is successfully, because if I deliberately enter it incorrectly I get a difference error ("Invalid username or password entered").
- 5 replies
-
- auth
- authenticate
-
(and 3 more)
Tagged with: