Invalid Username/Password Fire Stick via SSL

[Skrumpy 3]

One of my users has a Fire Stick and is unable to login to the server. She can "connect" to the server, see her user profile icon, click on that and it auto populates with her name, but when she enters the password it throws an "invalid user name or password" error. The password has been reset multiple times and I've verified she's entering the right password.

 

Relevant information:

 

Server running on Windows 10. Behind a LetsEncrypt Unraid docker (nginx) reverse proxy (auto generates/renews certs). User logs in by putting in the DDNS host.domain.net and clears the port. nginx is setup to listen to http and https ports and redirect to https from that DDNS and to the correct server ip/port which matches the below 'remote (WAN) access' shown below (obfuscated). 'Allow remote connections' is selected with 'Auto port mapping'. I did not point Emby to the LE created certs (via 'Custom Cert Path' nor select 'Require SSL for external connection') as no user has had issues logging in via SSL with this same method given this is a reverse proxy. This exact login method has been tested on Chrome/Firefox browsers (pointed at host.domain.net, no port) as well as a Roku device, android/Apple apps, and Emby Theater. This login method even worked via the Frefox app on the Fire Stick.

 

 

It looks like SSL has been an issue with Fire Stick in the past, but that particular work-around isn't applicable as I am running a reverse proxy. On the Fire Stick the user clicked the "Send log" and it said it was sent off to a developer. Is there a particular format that this needs to be entered in to get working correctly? Any other information that can I can provide (didn't want to display server logs here with my IP/Domain) to help debug this particular issue?

 

Thanks

[mastrmind11 717]

So by "clearing the port" I assume you mean you have port 80 open on your router w/ nginx redirecting to https?  Does it work when you explicitly enter the port instead of blanking it out?  I've never heard of anyone connecting like that before.

[Skrumpy 3]

So by "clearing the port" I assume you mean you have port 80 open on your router w/ nginx redirecting to https?  Does it work when you explicitly enter the port instead of blanking it out?  I've never heard of anyone connecting like that before.

 

Port 80 and 443 are remapped to open ports in my LE docker as 80 & 443 are used by Unraid GUI. All HTTP traffic is redirected to HTTPS (as my site-confs file below shows) so no one has to type in https:/host.domain.net and as far as I'm aware, the rest is all pretty standard for a reverse proxy. I can show my SSL settings, as well, which are all standard options for A+ rating from Qualys SSL labs. As I stated in my last post, this works flawlessly on every other platform or app that I've tested. It really shouldn't be an issue, as both the client and server are tricked into thinking the host.domain is a standard http connection and nginx handles everything else.

# REDIRECT HTTP TRAFFIC TO HTTPS
server {
     listen 80;
     server_name HOST.DOMAIN.NET;
     return 301 https://$server_name$request_uri;
    }

server {
        listen 443 ssl http2;
        server_name HOST.DOMAIN.NET;

#SSL settings
   include /config/nginx/strong-ssl.conf;

#Organizr auth
    include /config/nginx/serverauth.conf;    

location / {
#   auth_request /auth-user; #Allows only users logged into Org to access Emby
    proxy_pass http://192.168.X.X:8096; #Emby server IP:PORT
    proxy_hide_header X-Powered-By;
    proxy_set_header Range $http_range;
    proxy_set_header If-Range $http_if_range;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

#Next three lines allow websockets
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
        }
}

Does it work when you explicitly enter the port instead of blanking it out?  I've never heard of anyone connecting like that before.

 

 

No, including the port when putting in the host.domain.net won't even allow you to connect to the server within the Fire Stick. Which makes sense given that nginx already has Emby's local IP:PORT included in the proxy_pass argument. She can definitely connect (sees all available user profiles) and when she clicks on hers it brings up the correct name. It's just not taking the password.

Edited April 13, 2018 by Skrumpy

[mastrmind11 717]

Port 80 and 443 are mapped to 81 and 444 in my LE docker and these are the ports open in my router. This is because the Unraid GUI uses 80 and 443.

 

 

So the LE docker (nginx) thinks any traffic coming in via 81 is actually 80 and 444 is 443. All HTTP traffic is redirected to HTTPS (as my site-confs file below shows) so no one has to type in https:/host.domain.net and as far as I'm aware, the rest is all pretty standard for a reverse proxy. I can show my SSL settings, as well, which are all standard options for A+ rating from Qualys SSL labs. As I stated in my last post, this works flawlessly on every other platform or app that I've tested. It really shouldn't be an issue, as both the client and server are tricked into thinking the host.domain is a standard http connection and nginx handles everything else.

# REDIRECT HTTP TRAFFIC TO HTTPS
server {
     listen 80;
     server_name HOST.DOMAIN.NET;
     return 301 https://$server_name$request_uri;
    }

server {
        listen 443 ssl http2;
        server_name HOST.DOMAIN.NET;

#SSL settings
   include /config/nginx/strong-ssl.conf;

#Organizr auth
    include /config/nginx/serverauth.conf;    

location / {
#   auth_request /auth-user; #Allows only users logged into Org to access Emby
    proxy_pass http://192.168.X.X:8096; #Emby server IP:PORT
    proxy_hide_header X-Powered-By;
    proxy_set_header Range $http_range;
    proxy_set_header If-Range $http_if_range;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

#Next three lines allow websockets
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
        }
}

No, including the port when putting in the host.domain.net won't even allow you to connect to the server within the Fire Stick. Which makes sense given that nginx already has Emby's local IP:PORT included in the proxy_pass argument. She can definitely connect (sees all available user profiles) and when she clicks on hers it brings up the correct name. It's just not taking the password.

Yeah that all looks fine.  Have you tried making her another account with a different password and having her try with that?

Edited April 13, 2018 by mastrmind11

[Skrumpy 3]

Yeah that all looks fine.  Have you tried making her another account and having her try with that?

 

I have a 'test' account on the site, just for tooling around with, and tried having her logging in on that account as well, to no avail. I also confirmed that I could login to both of those accounts via the web and my android phone app.

[mastrmind11 717]

I have a 'test' account on the site, just for tooling around with, and tried having her logging in on that account as well, to no avail. I also confirmed that I could login to both of those accounts via the web and my android phone app.

That's really bizarre.  FYI, @@ebr is going to need the time and username of the user when she submitted the logs from the stick in order to identify the correct log.

[Skrumpy 3]

That's really bizarre.  FYI, @@ebr is going to need the time and username of the user when she submitted the logs from the stick in order to identify the correct log.

 

Yea.. it truly is. Especially since it's working on everything else (yes even for other users outside of my local network and on other devices), I was initially getting peeved and just figured she was doing something wrong. So I had her send pictures of every step and confirmed that it was all as it was supposed to be. I even had her delete and reinstall the Emby app on the Fire Stick. Standard connection methods work (without nginx), but are obviously not preferred.

 

I can narrow the time down from around 2200 to 2220 CST, username = Sara. Also willing to provide IP and whatever else I can to help find a solution.

[mastrmind11 717]

Yea.. it truly is. Especially since it's working on everything else (yes even for other users outside of my local network and on other devices), I was initially getting peeved and just figured she was doing something wrong. So I had her send pictures of every step and confirmed that it was all as it was supposed to be. I even had her delete and reinstall the Emby app on the Fire Stick. Standard connection methods work (without nginx), but are obviously not preferred.

 

I can narrow the time down from around 2200 to 2220 CST, username = Sara. Also willing to provide IP and whatever else I can to help find a solution.

Have you tried tailing the nginx and emby logs when she submits her login info?  Might shed some light on where the hickup is.  You can also try implementing HSTS in nginx, which removes the redirect and makes the certification happen on the client device, though I doubt that's the issue, it might be, and HSTS is kind of the way things seem to be going lately.

[Skrumpy 3]

Have you tried tailing the nginx and emby logs when she submits her login info?  Might shed some light on where the hickup is.  You can also try implementing HSTS in nginx, which removes the redirect and makes the certification happen on the client device, though I doubt that's the issue, it might be, and HSTS is kind of the way things seem to be going lately.

 

Yea I poked around some in the logs last night and this morning. This is really the only relevant piece I could find:

2018-04-12 22:13:28.339 Info HttpServer: HTTP GET http://host.domain.net:8096/emby/Users/AuthenticateByName?format=json. UserAgent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; AFTT Build/LVY48F)
2018-04-12 22:13:28.349 Error HttpServer: Error processing request
    *** Error Report ***
    Version: 3.3.1.0
    Command line: C:\Users\emby\AppData\Roaming\Emby-Server\system\EmbyServer.dll
    Operating system: Microsoft Windows NT 6.2.9200.0
    64-Bit OS: True
    64-Bit Process: True
    User Interactive: True
    Processor count: 6
    Program data path: C:\Users\emby\AppData\Roaming\Emby-Server\programdata
    Application directory: C:\Users\emby\AppData\Roaming\Emby-Server\system
    MediaBrowser.Controller.Net.SecurityException: Access token is required.
       at Emby.Server.Implementations.HttpServer.Security.AuthService.ValidateSecurityToken(IRequest request, String token)
       at Emby.Server.Implementations.HttpServer.Security.AuthService.ValidateUser(IRequest request, IAuthenticationAttributes authAttribtues)
       at Emby.Server.Implementations.HttpServer.HttpListenerHost.ApplyRequestFilters(IRequest req, IResponse res, Object requestDto)
       at Emby.Server.Implementations.Services.ServiceHandler.<ProcessRequestAsync>d__15.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Emby.Server.Implementations.HttpServer.HttpListenerHost.<RequestHandler>d__74.MoveNext()
    MediaBrowser.Controller.Net.SecurityException
       at Emby.Server.Implementations.HttpServer.Security.AuthService.ValidateSecurityToken(IRequest request, String token)
       at Emby.Server.Implementations.HttpServer.Security.AuthService.ValidateUser(IRequest request, IAuthenticationAttributes authAttribtues)
       at Emby.Server.Implementations.HttpServer.HttpListenerHost.ApplyRequestFilters(IRequest req, IResponse res, Object requestDto)
       at Emby.Server.Implementations.Services.ServiceHandler.<ProcessRequestAsync>d__15.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Emby.Server.Implementations.HttpServer.HttpListenerHost.<RequestHandler>d__74.MoveNext()
    
2018-04-12 22:13:28.350 Info HttpServer: HTTP Response 401 to X.X.X.X. Time: 11ms. http://host.domain.net:8096/emby/Users/AuthenticateByName?format=json
2018-04-12 22:13:40.338 Info HttpServer: HTTP GET http://host.domain.net:8096/emby/system/info/public. UserAgent: Mozilla/5.0 (Linux; Android 8.1.0; Pixel 2 Build/OPM2.171019.029; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/65.0.3325.109 Mobile Safari/537.36
2018-04-12 22:13:40.339 Info HttpServer: HTTP Response 200 to X.X.X.X. Time: 1ms. http://host.domain.net:8096/emby/system/info/public
2018-04-12 22:13:40.459 Info HttpServer: HTTP GET http://host.domain.net:8096/users/public. UserAgent: Mozilla/5.0 (Linux; Android 8.1.0; Pixel 2 Build/OPM2.171019.029; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/65.0.3325.109 Mobile Safari/537.36
2018-04-12 22:13:40.460 Info HttpServer: HTTP Response 200 to X.X.X.X. Time: 2ms. http://host.domain.net:8096/users/public
2018-04-12 22:13:40.475 Info HttpServer: HTTP GET http://host.domain.net:8096/Branding/Configuration. UserAgent: Mozilla/5.0 (Linux; Android 8.1.0; Pixel 2 Build/OPM2.171019.029; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/65.0.3325.109 Mobile Safari/537.36
2018-04-12 22:13:40.476 Info HttpServer: HTTP Response 200 to X.X.X.X. Time: 1ms. http://host.domain.net:8096/Branding/Configuration
2018-04-12 22:14:17.064 Info HttpServer: HTTP GET http://host.domain.net:8096/emby/Users/AuthenticateByName?format=json. UserAgent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; AFTT Build/LVY48F)

I'm assuming 'UserAgent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; AFTT Build/LVY48F)' is the Fire Stick (the Pixel is me). So a possible issue with access token? I haven't looked into implementing HSTS on my server yet but, from my limited understanding, it isn't perfect and also has a number of vulnerability issues. I'll undoubtedly research it a bit more into the future. However, I am a bit hesitant to swap my current protocols presently given that everything else is working (and who's to say that switching won't unveil another issue?).

[mastrmind11 717]

Could be.  @@Luke?

[Skrumpy 3]

Could be.  @@Luke?

 

Thanks for trying to run through it with me. I'm planning to write up a comprehensive guide on how to set it all up (LE, nginx, w/Radarr, Sonarr, Ombi, Organizr) but I suppose I should wait until it's all working.. (which until last night I thought it was..   ) haha

[Skrumpy 3]

Not sure if it will help, but here's a snippet of the nginx access log around the same time (nothing generated in nginx error log). It shows both her (107.x.x.x) failing to login on her Fire Stick and my successful login (172.x.x.x) via the web on my cell network. IPs, API, user/device IDs obfuscated.

107.X.X.X - - [12/Apr/2018:21:54:33 -0500] "GET /emby/system/info/public?format=json HTTP/1.1" 301 185 "-" "Dalvik/2.1.0 (Linux; U; Android 5.1.1; AFTT Build/LVY48F)"
107.X.X.X - - [12/Apr/2018:21:54:33 -0500] "GET /emby/system/info/public?format=json HTTP/2.0" 200 171 "-" "Dalvik/2.1.0 (Linux; U; Android 5.1.1; AFTT Build/LVY48F)"
107.X.X.X - - [12/Apr/2018:21:54:33 -0500] "GET /emby/Users/Public?format=json HTTP/1.1" 301 185 "-" "Dalvik/2.1.0 (Linux; U; Android 5.1.1; AFTT Build/LVY48F)"
107.X.X.X - - [12/Apr/2018:21:54:33 -0500] "GET /emby/Users/Public?format=json HTTP/2.0" 200 1529 "-" "Dalvik/2.1.0 (Linux; U; Android 5.1.1; AFTT Build/LVY48F)"
107.X.X.X - - [12/Apr/2018:21:54:47 -0500] "POST /emby/Users/AuthenticateByName?format=json HTTP/1.1" 301 185 "-" "Dalvik/2.1.0 (Linux; U; Android 5.1.1; AFTT Build/LVY48F)"
107.X.X.X - - [12/Apr/2018:21:54:47 -0500] "GET /emby/Users/AuthenticateByName?format=json HTTP/2.0" 401 25 "-" "Dalvik/2.1.0 (Linux; U; Android 5.1.1; AFTT Build/LVY48F)"

172.X.X.X - - [12/Apr/2018:21:55:04 -0500] "POST /Users/authenticatebyname HTTP/2.0" 200 1312 "-" "Mozilla/5.0 (Linux; Android 8.1.0; Pixel 2 Build/OPM2.171019.029; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/65.0.3325.109 Mobile Safari/537.36"
172.X.X.X - - [12/Apr/2018:21:55:05 -0500] "GET /DisplayPreferences/usersettings?userId=USERID2&client=emby HTTP/2.0" 200 388 "-" "Mozilla/5.0 (Linux; Android 8.1.0; Pixel 2 Build/OPM2.171019.029; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/65.0.3325.109 Mobile Safari/537.36"
172.X.X.X - - [12/Apr/2018:21:55:05 -0500] "POST /Sessions/Capabilities/Full HTTP/2.0" 204 0 "-" "Mozilla/5.0 (Linux; Android 8.1.0; Pixel 2 Build/OPM2.171019.029; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/65.0.3325.109 Mobile Safari/537.36"
172.X.X.X - - [12/Apr/2018:21:55:05 -0500] "GET /Users/USERID2 HTTP/2.0" 200 858 "-" "Mozilla/5.0 (Linux; Android 8.1.0; Pixel 2 Build/OPM2.171019.029; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/65.0.3325.109 Mobile Safari/537.36"
172.X.X.X - - [12/Apr/2018:21:55:05 -0500] "GET /Users/USERID2/Views HTTP/2.0" 200 1531 "-" "Mozilla/5.0 (Linux; Android 8.1.0; Pixel 2 Build/OPM2.171019.029; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/65.0.3325.109 Mobile Safari/537.36"
172.X.X.X - - [12/Apr/2018:21:55:05 -0500] "GET /Users/USERID2 HTTP/2.0" 200 858 "-" "Mozilla/5.0 (Linux; Android 8.1.0; Pixel 2 Build/OPM2.171019.029; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/65.0.3325.109 Mobile Safari/537.36"
172.X.X.X - - [12/Apr/2018:21:55:05 -0500] "GET /Users/USERID2 HTTP/2.0" 200 858 "-" "Mozilla/5.0 (Linux; Android 8.1.0; Pixel 2 Build/OPM2.171019.029; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/65.0.3325.109 Mobile Safari/537.36"
172.X.X.X - - [12/Apr/2018:21:55:05 -0500] "GET /Users/USERID2/Views HTTP/2.0" 200 1528 "-" "Mozilla/5.0 (Linux; Android 8.1.0; Pixel 2 Build/OPM2.171019.029; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/65.0.3325.109 Mobile Safari/537.36"
172.X.X.X - - [12/Apr/2018:21:55:05 -0500] "GET /Users/USERID2/Views HTTP/2.0" 200 1529 "-" "Mozilla/5.0 (Linux; Android 8.1.0; Pixel 2 Build/OPM2.171019.029; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/65.0.3325.109 Mobile Safari/537.36"
172.X.X.X - - [12/Apr/2018:21:55:05 -0500] "GET /LiveTv/Programs/Recommended?userId=USERID2&IsAiring=true&limit=1&ImageTypeLimit=1&EnableImageTypes=Primary%2CThumb%2CBackdrop&EnableTotalRecordCount=false&Fields=ChannelInfo%2CPrimaryImageAspectRatio HTTP/2.0" 200 516 "-" "Mozilla/5.0 (Linux; Android 8.1.0; Pixel 2 Build/OPM2.171019.029; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/65.0.3325.109 Mobile Safari/537.36"

Edited April 13, 2018 by Skrumpy

[ebr 14948]

107.X.X.X - - [12/Apr/2018:21:54:47 -0500] "GET /emby/Users/AuthenticateByName?format=json HTTP/2.0" 401 25 "-" "Dalvik/2.1.0 (Linux; U; Android 5.1.1; AFTT Build/LVY48F)"

That sure looks like an actual incorrect user ID or password.  Did you say you did create a new user with a simple password and have her try that?

 

Are there any funny characters in either the user name or password?

[Luke 37178]

have you tried comparing to http?

[Skrumpy 3]

107.X.X.X - - [12/Apr/2018:21:54:47 -0500] "GET /emby/Users/AuthenticateByName?format=json HTTP/2.0" 401 25 "-" "Dalvik/2.1.0 (Linux; U; Android 5.1.1; AFTT Build/LVY48F)"

That sure looks like an actual incorrect user ID or password.  Did you say you did create a new user with a simple password and have her try that?

 

Are there any funny characters in either the user name or password?

 

 

 

Yes, I also had her try another account, also confirmed that she entered it correctly. As I mentioned, I also just assumed she was doing it incorrectly as it is working everywhere else. But here are the pictures she sent me:

 

EDIT: Photos editted out. But showed access to user list and use of simple 6 digit alphnumeric password.

Edited April 13, 2018 by Skrumpy

[ebr 14948]

If it were something like a certificate problem, it seems that she wouldn't be able to get to the list of users.  Seems like something is garbling the information somehow...

 

Can you send me the server address and a temporary account so I can try?

[Skrumpy 3]

have you tried comparing to http?

 

Sorry, comparing what to http? Login via the nginx access logs or Emby's server logs? I haven't done either, as I'm not sure what information that would provide me. As far as Emby server is concerned it sees everyone connecting as http due to the nginx proxy. Prior to setting up nginx, my DDNS host.domain.net:8096 was connecting through everything, including her Fire Stick, I could try trolling through my logs if that would shed some light on something specifically.

[Skrumpy 3]

If it were something like a certificate problem, it seems that she wouldn't be able to get to the list of users.  Seems like something is garbling the information somehow...

 

Can you send me the server address and a temporary account so I can try?

 

Yes sir, it has been sent via PM.

[ebr 14948]

Yes sir, it has been sent via PM.

 

Thanks.  I just logged in successfully from both my Nexus Player and Fire TV...

 

[Skrumpy 3]

Thanks.  I just logged in successfully from both my Nexus Player and Fire TV...

 

What the hell.. where could the difference be? I don't think it could be in the router. She's able to login normally via the Emby Theater and Android apps with the same login and username. Maybe I'll head over there tonight and give it a try myself. I got her fire stick ethernet adapter anyways so may as well while I'm over there. Thanks for giving it a go and I'll report back again after I personally try to login.

Edited April 13, 2018 by Skrumpy

[ebr 14948]

Just to re-confirm - I just logged in as her as well...

 

Please let us know what you discover.

[Skrumpy 3]

Just to re-confirm - I just logged in as her as well...

 

Please let us know what you discover.

 

OK, thanks for ruling that out. I'm scratching my head over here.. unless she had a space or something in the password field that I couldn't see in her photo, I don't really have any idea where the issue could be. There's probably no chance that things are handled differently with a Fire TV Stick vs Fire TV?

Edited April 13, 2018 by Skrumpy

[Skrumpy 3]

Just to re-confirm - I just logged in as her as well...

 

Please let us know what you discover.

 

 

@@ebr So, it turned out that the IP field needs to be in the format https://host.domain.net and the https:// is not optional. This is departure from the Android app and Emby Theater logins which do not require this format (i.e. they both work with only host.domain.net). It seems like a simple oversight, but I expected Emby's login experience to be consistent across all devices. Unfortunately, this turns out to not be the case. Prior to discovering this, I actually went out and purchased an Amazon Fire and Roku to see if it was her device specifically causing the issue.

 

As I was testing the Roku, I realized you cannot clear the port (or at least I couldn't figure a way to) which prevented me from logging in. I have a couple of other users who have Roku's so I'm not sure what to tell them to get it working again. Emby connect is inconsistent and was not working on her Firestick (she could login and see everything, but playback would result in each video stopping before playback). The whole point of moving to a DDNS is to make it easier on the end user without necessitating additional work and having to remember another password/login and port.

 

Since switching over to a reverse proxy based SSL I've had really nothing but problems with Emby. First the above login experience discrepancy, then the Roku porting issue (is there a workaround aside from connect?) and now I am experiencing random video artifacts over web based video playback. This only occurs over the web browser (not via the other apps), it seems to happen during fast motion scenes, only occurs for a couple of frames, and seems to happen in roughly the same spot each time. I was able to capture the following screenshot from a movie where it occurred. This can happen dozens of times over the course of a movie. Again, this occurs in all movies over web playback via nginx's SSL reverse proxy, but not via Android, Firestick, or Theater.

 

[ebr 14948]

@@ebr So, it turned out that the IP field needs to be in the format https://host.domain.net and the https:// is not optional. This is departure from the Android app and Emby Theater logins which do not require this format (i.e. they both work with only host.domain.net). It seems like a simple oversight, but I expected Emby's login experience to be consistent across all devices. Unfortunately, this turns out to not be the case. 

 

 

Hi.  I believe the apps are consistent here.  The only way we would know, when entering the address manually, to use https would be if it is specified.  Sorry for that confusion.

 

Were your other apps all on the local network where http would have worked?

[Skrumpy 3]

I assure you that they are not consistent. I'm at a cafe right now on their network and can login via host.domain.net as below without issue on the Android app.