WEB-Mail Session expire after approx 5 min - Keycloak-SSO System

Aaelvit_se · 12 Jan

Since one of the last Updates users get the massage "Session expired, please login again...".

When the massage is ignored and the page is just refreshed/reloaded ... all works until 5 mins of user inactivity again.

_

What I understand from the logs (also Keycloak´s) is that Grommunio-Web-App only ask the IDP after User Interaction + 5 mins for new Auth-Token.

Idea 1: Is there an easy way to disable this "wrong" message?
Idea 2: Can the Grommunio-WebApp/PHP-Pool/Auth-mechanism be changed to ask the IDP by self if needed?

Try to comment out grommunio.php line #66-#71 leads to Webapp Error "Invalid data received from server"

gromox zcore log:

...
[31mrhost=[94.234.102.63] user= zs_logon_token rejected: Token did not validate[0m
[31mrhost=[94.234.102.63] user= zs_logon_token rejected: Token did not validate[0m
...

php-fpm.log

[12-Jan-2025 16:31:09] WARNING: [pool grommunio-web-pool] child 4743 said into stderr: "PHP message: grommunio Web user: xxx@xxx.se: authentication failure at MAPI"
[12-Jan-2025 16:31:09] WARNING: [pool grommunio-web-pool] child 2264 said into stderr: "PHP message: grommunio Web user: xxx@xxx.se: authentication failure at MAPI"
[12-Jan-2025 16:36:09] WARNING: [pool grommunio-web-pool] child 1670 said into stderr: "PHP message: grommunio Web user: xxx@xxx.se: authentication failure at MAPI"
[12-Jan-2025 16:36:09] WARNING: [pool grommunio-web-pool] child 2264 said into stderr: "PHP message: grommunio Web user: xxx@xxx.se: authentication failure at MAPI"

nginx-web-error.log

`2025/01/12 16:31:09 [error] 1696#1696: *13530 FastCGI sent in stderr: "PHP message: grommunio Web user: xxx@xxx.se: authentication failure at MAPI" while reading response header from upstream, client: 94.234.102.63, server: _, request: "POST /web/grommunio.php?subsystem=webapp_1736693484063 HTTP/1.1", upstream: "fastcgi://unix:/run/php-fpm/php-grommunio-web-fpm.sock:", host: "mail.xxxx.se"

2025/01/12 16:31:09 [error] 1696#1696: *13530 FastCGI sent in stderr: "PHP message: grommunio Web user: xxx@xxx.se: authentication failure at MAPI" while reading response header from upstream, client: 94.234.102.63, server: _, request: "POST /web/grommunio.php?subsystem=webapp_1736693484063 HTTP/1.1", upstream: "fastcgi://unix:/run/php-fpm/php-grommunio-web-fpm.sock:", host: "mail.xxxx.se"

2025/01/12 16:36:09 [error] 1696#1696: *13946 FastCGI sent in stderr: "PHP message: grommunio Web user: xxx@xxx.se: authentication failure at MAPI" while reading response header from upstream, client: 94.234.102.63, server: _, request: "POST /web/grommunio.php?subsystem=webapp_1736696017463 HTTP/1.1", upstream: "fastcgi://unix:/run/php-fpm/php-grommunio-web-fpm.sock:", host: "mail.xxxx.se"

2025/01/12 16:36:09 [error] 1696#1696: *13945 FastCGI sent in stderr: "PHP message: grommunio Web user: xxx@xxx.se: authentication failure at MAPI" while reading response header from upstream, client: 94.234.102.63, server: _, request: "POST /web/grommunio.php?subsystem=webapp_1736696017463 HTTP/1.1", upstream: "fastcgi://unix:/run/php-fpm/php-grommunio-web-fpm.sock:", host: "mail.xxxx.se"

...
System-Information:

switched repository from Subscription to Community to check, but no changes. Now on:

grommunio-admin-api-1.16.11.23c560a-lp155.125.1.noarch
grommunio-admin-common-38.f4553bd-lp155.30.1.noarch
grommunio-admin-web-3.1.0.60.d69e9f4-lp155.115.1.noarch
grommunio-antispam-3.10.2-lp155.1.4.x86_64
grommunio-auth-0.2.18.d93e151-lp155.33.1.noarch
grommunio-common-26.a6f127d-lp155.43.1.x86_64
grommunio-cui-1.0.273.9a6e6de-lp155.74.1.noarch
grommunio-dav-1.3.74.94260cb-lp155.4.1.noarch
grommunio-dbconf-1.1.1.da20a46-lp155.23.1.x86_64
grommunio-error-pages-1.0.10.bb2df37-lp155.24.1.noarch
grommunio-imapsync-2.264-lp155.2.1.noarch
grommunio-index-1.2.3.gc345703-lp155.90.1.x86_64
grommunio-release-2023.11.3-lp155.12.1.x86_64
grommunio-setup-1.1.9.718dcd5-lp155.59.1.noarch
grommunio-sync-2.0.141.9aa611d-lp155.180.1.noarch
grommunio-web-3.9.231.g35325e7b-lp155.181.1.noarch
gromox-2.38.77.gcc7528b-lp155.52.1.x86_64
gromox-debuginfo-2.38.77.gcc7528b-lp155.52.1.x86_64
gromox-debugsource-2.38.77.gcc7528b-lp155.52.1.x86_64

Mmwilliams · 12 Jan

aelvit_se

For this functionality you need to activate the "Remember Me" functionality within Keycloak: https://www.keycloak.org/docs/latest/server_admin/#enabling-remember-me

Aaelvit_se · 13 Jan

Thanks for that fast response. "Remember Me" was already on, just dubble checked. System was running since around Februar 2024 with same keycloak settings. Also 5 mins is not every time correct.

here: LOGIN (me) and CODE_TO_TOKEN (Grommunio-Server) 1:12AM ... WebApp close 1:27AM

Mmwilliams · 13 Jan

aelvit_se

Has the user also logged in with the "Remember Me" checkbox enabled at login time?

Aaelvit_se · 13 Jan

mwilliams

Thanks again, the direction was helpfull.

The Problem may came after some Keycloak Update? More investigation in the sense of Security would maybe advisable.

In Keycloak inside the Realm->Client("grommunio")->Advanced->"Access Token Lifespan" was 5 mins.
I Changed it to 2 Hours (in this case) and the problem was gone.