Cannot connect to server: assembleUserIdentityToken failed

Questions regarding the use of the UaExpert.

milgner
Jr. Member
Posts: 1
Joined: 02 Dec 2024, 12:18

Cannot connect to server: assembleUserIdentityToken failed

Post by milgner »

Just tried to connect to a server that uses SecurityPolicy None / MessageSecurityMode None and no certificates, but still requires username and password.

I could connect using https://github.com/node-opcua/opcua-commander but in UA Expert I get the following error messages:

General - Error: UaSessionPrivate::activateSession - assembleUserIdentityToken failed BadInvalidArgument
Server Node - Error 'BadInvalidArgument' was returned during ActivateSession

The second error message is a bit of a fluke because I can see in Wireshark that no `ActivateSessionRequest` ever goes out to the server.

Support Team
Hero Member
Posts: 3220
Joined: 18 Mar 2011, 15:09

Re: Cannot connect to server: assembleUserIdentityToken failed

Post by Support Team »

Hi,

If your server has "no certificate", AND you are using the "none" SecurityPolicy, AND you are using the "user/password" authentication token, how is the PWD being encrypted/protected?

You are going to use an "unencrypted" channel and you want to activate a session by sending a "clear text" password over the wire. Anybody sniffing the network will be able to see/steal the PWD. This operation mode is not allowed by the OPC UA specification. This must be considered "misconfiguration" in the server. However, a good client should reject such operation.

1) From your description, the open-source "opcua-commander" is really dangerous UA client software; it has a massive security bug, sending the PWD over the wire.

2) The UaExpert instead recognizes that the "rogue" server tries to trick the client into sending a clear text PWD, and rejects this with "BadInvalidArgument" before sending the ActivateSession Request (with clear text PWD) over the wire.

For me it is pretty clear which UA client I would use.

In any case, you should contact the server manufacturer and get the "invalid" configuration repaired (rogue server).
Best regards
Unified Automation Support Team
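
The condition discussed in this thread, written as a client-side pre-flight check over an endpoint description. This is an added example, not part of either post and not UaExpert or opcua-commander code. Field names follow the OPC UA EndpointDescription and UserTokenPolicy structures; the function names, verdict strings and sample endpoints are constructed for illustration.

```python
# Added example: how would a UserName password travel for a given endpoint?
NONE_URI = "http://opcfoundation.org/UA/SecurityPolicy#None"
B256_URI = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"

def password_exposure(endpoint):
    """Return [(policyId, verdict)] for every UserName token policy offered."""
    results = []
    for tok in endpoint.get("userIdentityTokens", []):
        if tok["tokenType"] != "UserName":
            continue
        # An empty token-level URI means the endpoint's policy applies.
        effective = tok.get("securityPolicyUri") or endpoint["securityPolicyUri"]
        if effective != NONE_URI:
            # Encrypting the token needs the server's public key.
            verdict = ("token-encrypted" if endpoint.get("serverCertificate")
                       else "no-server-certificate")
        elif endpoint["securityMode"] == "SignAndEncrypt":
            verdict = "channel-encrypted-only"
        else:
            verdict = "cleartext-on-wire"
        results.append((tok["policyId"], verdict))
    return results

def pick_protected_policy(endpoint):
    """First policyId whose password is protected in transit, else None."""
    for policy_id, verdict in password_exposure(endpoint):
        if verdict in ("token-encrypted", "channel-encrypted-only"):
            return policy_id
    return None

# Constructed sample endpoints (not captured from any real server).
THREAD_CASE = {  # None / None, no certificate, UserName token inherits None
    "securityMode": "None", "securityPolicyUri": NONE_URI,
    "serverCertificate": b"",
    "userIdentityTokens": [
        {"policyId": "anon", "tokenType": "Anonymous", "securityPolicyUri": ""},
        {"policyId": "user", "tokenType": "UserName", "securityPolicyUri": ""}],
}
TOKEN_POLICY_CASE = {  # unsecured channel, but the token has its own policy
    "securityMode": "None", "securityPolicyUri": NONE_URI,
    "serverCertificate": b"\x30\x82 constructed placeholder",
    "userIdentityTokens": [
        {"policyId": "user_b256", "tokenType": "UserName", "securityPolicyUri": B256_URI}],
}

if __name__ == "__main__":
    for name, ep in (("thread", THREAD_CASE), ("token-policy", TOKEN_POLICY_CASE)):
        print(name, password_exposure(ep), "->", pick_protected_policy(ep))
```

A client that refuses to proceed when `pick_protected_policy` returns `None` never builds the UserName token for the endpoint described in the first post.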
