Windows Client Error: rpc error: code = PermissionDenied desc = invalid user #1545

Open
opened 2025-11-20 05:32:32 -05:00 by saavagebueno · 26 comments

Originally created by @samf-acacia on GitHub (Jan 7, 2025).

Describe the problem

A subset of Windows 11 users in our environment are having trouble connecting to our self-hosted Netbird instance. We also run Ubuntu Desktop clients, but this issue doesn't affect those devices. We run Microsoft Entra-ID for SAML/SSO authentication to connect.

When a user (who is having the issue) attempts to connect to the Netbird from Windows, they are forwarded to the Entra login page and manage to successfully authenticate, and are presented with the "Login Successful" page from Netbird. After about 15-20 seconds Netbird times out and they get the error:

rpc error: code = PermissionDenied desc = invalid user

Tried to search past issues, but couldn't find anything related to this specific issue.

The user does show up in the Management portal (successful login??) of our instance, tried removing and reconnecting, but that didn't work.

To Reproduce

Steps to reproduce the behavior:

  1. Go to Netbird VPN client and attempt to connect
  2. Log in using Entra ID credentials
  3. Wait 15-20 seconds for the client to time out
  4. See error rpc error: code = PermissionDenied desc = invalid user

Expected behavior

A successful connection to our Netbird instance since it shows Login Successful.

Are you using NetBird Cloud?

Self hosting Netbird

NetBird version

v0.35.2 on Server and Clients

Do you face any (non-mobile) client issues?

This is specifically a Windows 11 client issue

Screenshots

image

saavagebueno added the triage-needed label 2025-11-20 05:32:32 -05:00

@d-givens commented on GitHub (Jan 10, 2025):

Having the exact same problem with one user. Entra ID. Self-hosted. Same issues. But only one user. 20 other users are fine.


@farezramilo commented on GitHub (Jan 10, 2025):

I had the same issue in the free tier, but it seemed like the issue was caused by the user's machine itself. The user's machine was included in another free tier group, having that machine removed everywhere else except my group fixed the issue. Maybe if a machine is included in a free tier it can't be included elsewhere?


@d-givens commented on GitHub (Jan 10, 2025):

> I had the same issue in the free tier, but it seemed like the issue was caused by the user's machine itself. The user's machine was included in another free tier group, having that machine removed everywhere else except my group fixed the issue. Maybe if a machine is included in a free tier it can't be included elsewhere?

We're both self-hosted instead of free tier.


@K0-RR commented on GitHub (Jan 11, 2025):

I'm having the same issue on Ubuntu 22.04 (free tier) so it's not Windows-related.


@samf-acacia commented on GitHub (Jan 12, 2025):

@d-givens The exact same problem.............

Except 3 users in about 20 users see this problem.


@bsmithuk commented on GitHub (Jan 13, 2025):

Same bandwagon but on Fedora 41.


@serhiicherepanov commented on GitHub (Jan 13, 2025):

macos - same issue, the issue appears in case when the same peer already exists by another user. In my case I was authenticated as admin previously.


@samf-acacia commented on GitHub (Jan 16, 2025):

> macos - same issue, the issue appears in case when the same peer already exists by another user. In my case I was authenticated as admin previously.

Yeah we tried this but were still getting the same error :(


@bsmithuk commented on GitHub (Jan 16, 2025):

Fix for me was absolutely nuking the install and rm any directories connected to netbird and disconnecting tailscale. Fixed it for me.


@d-givens commented on GitHub (Jan 17, 2025):

> Fix for me was absolutely nuking the install and rm any directories connected to netbird and disconnecting tailscale. Fixed it for me.

This is on the client side that you're removing the install?


@bsmithuk commented on GitHub (Jan 17, 2025):

Yep correct removed client install completely

On January 17, 2025 2:45:28 PM GMT, d-givens @.***> wrote:

>> Fix for me was absolutely nuking the install and rm any directories connected to netbird and disconnecting tailscale. Fixed it for me.
>
> This is on the client side that you're removing the install?


@samf-acacia commented on GitHub (Jan 20, 2025):

> Yep correct removed client install completely

I've actually tried this and it worked briefly but after a day it started happening again.


@Phillipjacob commented on GitHub (Feb 4, 2025):

Same issue OSX, self hosted with zitadel and google workspace, it only appears when using google login.


@wldhg commented on GitHub (Feb 5, 2025):

Same issue (Windows 11), in the team plan. We're using Google Workspace login. Resolved by restarting netbird app.


@caa commented on GitHub (Feb 18, 2025):

Same issue on Windows 11, Netbird agent version 0.36.7 doing a test rollout on the free hosted plan. Reinstalling the Netbird agent didn't work. Uninstalling the agent, deleting C:\ProgramData\Netbird, then installing the agent allowed the user's account to connect successfully.

Image Image

@mlsmaycon commented on GitHub (Feb 19, 2025):

The invalid user issue happens when you try to authenticate an existing peer using a different user. This is common when you have a shared computer or a personal and company NetBird account. Can you please review that and confirm that this is not the case?


@Phillipjacob commented on GitHub (Feb 19, 2025):

> The invalid user issue happens when you try to authenticate an existing peer using a different user. This is common when you have a shared computer or a personal and company NetBird account. Can you please review that and confirm that this is not the case?

I'm not sure I follow @mlsmaycon ? I have two accounts, but same netbird instance.


@mlsmaycon commented on GitHub (Feb 19, 2025):

@Phillipjacob if you have two NetBird accounts and a single machine, you need to remove the node from one account in order to login into a new account. As an alternative, you can remove the configuration from your machine, which is located at /etc/netbird/config.json (MacOS or Linux) or C:\ProgramData\Netbird\config.json (Windows)


@Phillipjacob commented on GitHub (Feb 19, 2025):

> @Phillipjacob if you have two NetBird accounts and a single machine, you need to remove the node from one account in order to login into a new account. As an alternative, you can remove the configuration from your machine, which is located at /etc/netbird/config.json (MacOS or Linux) or C:\ProgramData\Netbird\config.json (Windows)

@mlsmaycon that did it. So it is only possible to have one account on a machine ?


@caa commented on GitHub (Feb 19, 2025):

I'm 99% sure that this is what happened. User A signed in with their OS user account and their Netbird account on this peer (computer). Then User B signed in with a different OS user account and their Netbird account on this same peer, which is why they got the invalid user error.

> The invalid user issue happens when you try to authenticate an existing peer using a different user. This is common when you have a shared computer or a personal and company NetBird account. Can you please review that and confirm that this is not the case?

I think it would make sense to put the config files in `C:\Users\Username\AppData` rather than `C:\ProgramData\Netbird`. I know that this would require a lot of changes. For instance, which Netbird account should be used after a reboot?

> So it is only possible to have one account on a machine ?


@MYMaj commented on GitHub (May 1, 2025):

That worked for me too

> I'm 99% sure that this is what happened. User A signed in with their OS user account and their Netbird account on this peer (computer). Then User B signed in with a different OS user account and their Netbird account on this same peer, which is why they got the invalid user error.
>
> > The invalid user issue happens when you try to authenticate an existing peer using a different user. This is common when you have a shared computer or a personal and company NetBird account. Can you please review that and confirm that this is not the case?
>
> I think it would make sense to put the config files in `C:\Users\Username\AppData` rather than `C:\ProgramData\Netbird`. I know that this would require a lot of changes. For instance, which Netbird account should be used after a reboot?
>
> > So it is only possible to have one account on a machine ?


@mashraf92 commented on GitHub (Jun 25, 2025):

I am also encountering this persistent configuration issue on my macOS device. Despite a full uninstallation of the Netbird agent and manual removal of its configuration files, the problem remains.

Separately, other devices are successfully connecting to my network, but they are not appearing in the peer list on the app.netbird.io dashboard. I would like to know if this peer visibility problem is related to the above mentioned issue.


@nazarewk commented on GitHub (Jun 25, 2025):

@mashraf92

> I am also encountering this persistent configuration issue on my macOS device. Despite a full uninstallation of the Netbird agent and manual removal of its configuration files, the problem remains.

Are you sure you did all of the following?

  1. `netbird service stop`
  2. remove `/etc/netbird/config.json`
  3. `netbird service start`

I've added more explicit instructions to the docs https://github.com/netbirdio/docs/pull/379

> Separately, other devices are successfully connecting to my network, but they are not appearing in the peer list on the app.netbird.io dashboard. I would like to know if this peer visibility problem is related to the above mentioned issue.

Are you an Admin/Owner of the account? Do you have access to the full dashboard at all?

If you are an Admin and you're not seeing the Peers it most likely means the users are logging in to a different NetBird account than you do.

If you are just a regular User you will only see your own Peers in the Dashboard.
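
The three-step reset from the comment above, written as a script. This is an added example, not part of the thread and not NetBird's own tooling: the function name, the optional second argument and the choice to move the file to a backup instead of deleting it are assumptions of this example; the `netbird service stop`/`start` commands and the config path are the ones quoted in the thread.

```sh
#!/bin/sh
# Added example (not from the thread): stop the NetBird service, move the
# stored client config aside, start the service again.
# Usage: reset_netbird_peer CONFIG_PATH [NETBIRD_BIN]
#   CONFIG_PATH  /etc/netbird/config.json on macOS or Linux (per the thread)
#   NETBIRD_BIN  CLI to call; defaults to "netbird" (hypothetical parameter,
#                added so the function can be exercised against a stub)
# Prints the backup path on stdout; diagnostics go to stderr.
reset_netbird_peer() {
    config=$1
    netbird_bin=${2:-netbird}

    if [ -z "$config" ]; then
        echo "usage: reset_netbird_peer CONFIG_PATH [NETBIRD_BIN]" >&2
        return 2
    fi
    if ! command -v "$netbird_bin" >/dev/null 2>&1; then
        echo "error: $netbird_bin not found" >&2
        return 3
    fi
    # Check before stopping anything: a missing file means the path is wrong
    # or the config was already removed.
    if [ ! -f "$config" ]; then
        echo "error: $config does not exist, nothing to reset" >&2
        return 1
    fi

    # Step 1: stop the service so the config is changed while it is down.
    if ! "$netbird_bin" service stop >&2; then
        echo "error: could not stop the service, config left untouched" >&2
        return 4
    fi

    # Step 2: the thread says to remove the file; this example moves it to a
    # timestamped backup instead (assumption) so the step can be undone.
    backup="$config.bak.$(date +%Y%m%d-%H%M%S)"
    if ! mv -- "$config" "$backup"; then
        echo "error: could not move $config, restarting service" >&2
        "$netbird_bin" service start >&2
        return 5
    fi

    # Step 3: start the service again, then log in as usual.
    if ! "$netbird_bin" service start >&2; then
        echo "error: service did not start; backup is at $backup" >&2
        return 6
    fi
    printf '%s\n' "$backup"
}
```

Run it as root with `reset_netbird_peer /etc/netbird/config.json`, and delete the backup file once the login works.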


@DiyRex commented on GitHub (Jun 26, 2025):

Netbird Peer Conflict Fix (Client Side)

```sh
sudo rm /etc/netbird/config.json
sudo rm -rf ~/.netbird/
sudo rm -rf /var/lib/netbird/
sudo rm -rf /Library/Application\ Support/netbird/
```

then up netbird again

this worked for me.


@mashraf92 commented on GitHub (Jun 27, 2025):

Still stuck on this even though I signed on different devices with same credentials Admin On other devices I signed in to same account but this screen is stuck on app.netbird.io.

Also, I tried the steps shared above and the issue is resolved, but I am not able to see the device as a peer in the dashboard.

Image


@mlsmaycon commented on GitHub (Jun 27, 2025):

@mashraf92 it seems like this email address has user role in the account. If you are using NetBird cloud you can send an email to support@netbird.io for us to check.


Reference: SVI/netbird#1545