Login failed on Desktop App but works on Web and browser extension

Hello,

I’m on macOS, I downloaded the Bitwarden Desktop app since it is the only way to have the Safari extension.

Funny thing: I’m perfectly able to log in on the extension and via web but not on the desktop app.
Since the Safari extension comes embedded with the desktop app, I totally cannot understand why it works on one side but not on the other.

I already tried changing the master password, rotating the encryption key, and completely removing the app and downloading it again from the App Store, but nothing works.

I’m using my company’s private vault server, but I’ve never had a problem. I just got a new machine and installed the client (maybe an update came out recently?).

Thanks in advance

Hi @johnny_parafango and welcome to the community forums :tada:

I’m sorry to hear you are having trouble connecting to your company’s hosted instance.

Could you please check the environment settings on the login screen (top left)? Here’s a link to our help site with detailed instructions.
The URLs should be set to point to your company’s instance; if none of them are set, it will default to connecting to vault.bitwarden.com.

If connecting via the browser extension works, then please try using the URLs set in the extension on the desktop app.

Kind regards,
Daniel

Hello @djsmith85,

thank you for the quick reply.

The URL is set correctly on both the Safari extension and the desktop app.
No difference in any place. It just works on the extension and web but not the app.

Is there any way to look at low-level logs?

Here is what I found in Console.app:

default	15:45:03.075959+0100	runningboardd	[app<application.com.bitwarden.desktop.1688581.1688981(501)>:11500] Ignoring suspend because this process is not lifecycle managed
default	15:45:03.076020+0100	runningboardd	[app<application.com.bitwarden.desktop.1688581.1688981(501)>:11500] Ignoring GPU update because this process is not GPU managed
default	15:45:03.076087+0100	runningboardd	[app<application.com.bitwarden.desktop.1688581.1688981(501)>:11500] Ignoring memory limit update because this process is not memory-managed
default	15:45:03.298808+0100	runningboardd	Acquiring assertion targeting [xpcservice<com.bitwarden.desktop.safari([app<application.com.apple.Safari.11833.12262(501)>:9588])(501)>:11089] from originator [app<application.com.apple.Safari.11833.12262(501)>:9588] with description <RBSAssertionDescriptor| "com.apple.extension.session" ID:371-9588-46647 target:11089 attributes:[
	<RBSLegacyAttribute| requestedReason:ViewService reason:ViewService flags:( AllowIdleSleep PreventTaskSuspend PreventTaskThrottleDown WantsForegroundResourcePriority )>,
	<RBSAcquisitionCompletionAttribute| policy:AfterValidation>
	]>
default	15:45:03.298866+0100	runningboardd	Assertion 371-9588-46647 (target:[xpcservice<com.bitwarden.desktop.safari([app<application.com.apple.Safari.11833.12262(501)>:9588])(501)>:11089]) will be created as active
default	15:45:03.299885+0100	safari	+[NSExtensionContext _allowedItemPayloadClasses] not implemented. Setting the allowed payload classes to <private>
default	15:45:03.300131+0100	safari	Received message from browser.runtime.sendNativeMessage: <private>
default	15:45:08.540841+0100	runningboardd	Invalidating assertion 371-9588-46625 (target:[xpcservice<com.bitwarden.desktop.safari([app<application.com.apple.Safari.11833.12262(501)>:9588])(501)>:11089]) from originator [app<application.com.apple.Safari.11833.12262(501)>:9588]
default	15:45:11.521019+0100	com.cisco.anyconnect.macos.acsockext	(404668666): New flow: NEFlow type = datagram, app = com.bitwarden.desktop.helper, name = , fe80::807:f13d:d1e2:e3c7.0 <-> 2001:4860:4860::8888.53, filter_id = , interface = en5
error	15:45:11.521325+0100	kernel	Sandbox: Bitwarden Helper(11504) deny(1) network-bind local:*:5594
error	15:45:11.521533+0100	kernel	Sandbox: Bitwarden Helper(11504) deny(1) network-bind local:*:29850
error	15:45:11.521578+0100	kernel	Sandbox: Bitwarden Helper(11504) deny(1) network-bind local:*:31668
error	15:45:11.521603+0100	kernel	Sandbox: Bitwarden Helper(11504) deny(1) network-bind local:*:21555
default	15:45:11.521365+0100	com.cisco.anyconnect.macos.acsockext	[Extension com.cisco.anyconnect.macos.acsock]: Calling handleNewUDPFlow with UDP com.bitwarden.desktop.helper[{length = 20, bytes = 0xd2b020982b8ec53cbc5179ceb8044da43d2c28ea}] local port 0 interface en5, remoteEndpoint = 2001:4860:4860::8888.53
error	15:45:11.521650+0100	kernel	Sandbox: Bitwarden Helper(11504) deny(1) network-bind local:*:47305
error	15:45:11.521671+0100	kernel	Sandbox: Bitwarden Helper(11504) deny(1) network-bind local:*:18065
default	15:45:11.521430+0100	com.cisco.anyconnect.macos.acsockext	[Extension com.cisco.anyconnect.macos.acsock]: provider accepted new flow UDP com.bitwarden.desktop.helper[{length = 20, bytes = 0xd2b020982b8ec53cbc5179ceb8044da43d2c28ea}] local port 0 interface en5
error	15:45:11.521687+0100	kernel	Sandbox: Bitwarden Helper(11504) deny(1) network-bind local:*:18162
error	15:45:11.521704+0100	kernel	Sandbox: Bitwarden Helper(11504) deny(1) network-bind local:*:20549
default	15:45:11.521948+0100	mDNSResponder	[R23179] DNSServiceQueryRecord(1D000, 0, <mask.hash: 'eCmPWFXsWVA3CXoRzR9Ftg=='>, Addr) START PID[11504](Bitwarden Helpe)
default	15:45:11.522562+0100	mDNSResponder	[R23180] DNSServiceQueryRecord(1D000, 0, <mask.hash: 'eCmPWFXsWVA3CXoRzR9Ftg=='>, AAAA) START PID[11504](Bitwarden Helpe)
default	15:45:11.522910+0100	mDNSResponder	[R23179] DNSServiceQueryRecord(1D000, 0, <mask.hash: 'RTZABV/ieVK727Gbwuyw5w=='>, Addr) STOP PID[11504](Bitwarden Helpe)
default	15:45:11.522950+0100	mDNSResponder	[R23180] DNSServiceQueryRecord(1D000, 0, <mask.hash: 'RTZABV/ieVK727Gbwuyw5w=='>, AAAA) STOP PID[11504](Bitwarden Helpe)

EDIT: I tried to uninstall AnyConnect VPN client (I had no problem with Bitwarden before) but still no success

Just in case - have you double checked that you have typed in your account’s email address correctly in the BW desktop app?

Yes… even funnier: the desktop extension got the info (vault server and email) from the desktop app, except for the master password.
Then, copy-pasting the master password to both the app and extension works only for the latter, while the former returns authentication failed.


The only two parameters that I set are the vault server and the email. Then the master password is literally copy-pasted, so no typos…

I’m experiencing a similar issue. If I try to use the newer version (2022.11.0) of the desktop app on my Mac, I can’t login (same user/password works fine in Chrome on the same computer). I was only able to get the desktop app to work by copying over an old version (2022.9.1) from another Mac.

Hey @odmcgill, can you submit a ticket with the support team at bitwarden.com/contact?

I’m just jumping in on this to report similar issues.

Can login via:
Safari Version 15.6.1 – web ui
Chrome Version 108.0.5359.98 (Official Build) (x86_64) – web ui
Chrome Extension 2022.10.1

Can’t login:
Safari Extension (Unknown version number)
MacOS Desktop App Version 2022.11.0 (5788)

Both report user/password incorrect.

Access log shows a token for web logins but nothing for Safari Extension + MacOS Desktop app.

XXX.XX.X.X - - [15/Dec/2022:01:14:47 +0000] "POST /api/accounts/prelogin HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" "XXX.XX.XXX.XXX"
XXX.XX.X.X - - [15/Dec/2022:01:14:47 +0000] "POST /identity/connect/token HTTP/1.1" 400 139 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" "XXX.XX.XXX.XXX"
127.0.0.1 - - [15/Dec/2022:01:14:52 +0000] "GET /alive HTTP/1.1" 200 5 "-" "curl/7.64.0" "-"
XXX.XX.X.X - - [15/Dec/2022:01:15:06 +0000] "POST /identity/connect/token HTTP/1.1" 200 2765 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" "XXX.XX.XXX.XXX"
XXX.XX.X.X - - [15/Dec/2022:01:15:07 +0000] "GET /notifications/hub?access_token=XXXXXXXXXXXXXXXXX HTTP/1.1" 400 33 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" "XXX.XX.XXX.XXX"
XXX.XX.X.X - - [15/Dec/2022:01:19:41 +0000] "POST /identity/accounts/prelogin HTTP/1.1" 404 0 "-" "(Windows NT 10.0; Win64; x64)" "115.64.183.147"
XXX.XX.X.X - - [15/Dec/2022:01:19:43 +0000] "POST /identity/connect/token HTTP/1.1" 400 177 "-" "(Windows NT 10.0; Win64; x64)" "XXX.XX.XXX.XXX"
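An access log like the one above can be triaged per client rather than read line by line. The following is an added example, not part of the original post: it groups the prelogin and token requests by user agent and labels each client. The sample lines are constructed after the excerpt (addresses are documentation placeholders), and reading a 404 on a prelogin path as "the server does not serve the endpoint this client calls" is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the excerpt above; addresses are placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Dec/2022:01:14:47 +0000] "POST /api/accounts/prelogin HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Macintosh) Chrome/108.0.0.0" "198.51.100.7"
192.0.2.10 - - [15/Dec/2022:01:14:47 +0000] "POST /identity/connect/token HTTP/1.1" 400 139 "-" "Mozilla/5.0 (Macintosh) Chrome/108.0.0.0" "198.51.100.7"
127.0.0.1 - - [15/Dec/2022:01:14:52 +0000] "GET /alive HTTP/1.1" 200 5 "-" "curl/7.64.0" "-"
192.0.2.10 - - [15/Dec/2022:01:15:06 +0000] "POST /identity/connect/token HTTP/1.1" 200 2765 "-" "Mozilla/5.0 (Macintosh) Chrome/108.0.0.0" "198.51.100.7"
192.0.2.10 - - [15/Dec/2022:01:19:41 +0000] "POST /identity/accounts/prelogin HTTP/1.1" 404 0 "-" "(Windows NT 10.0; Win64; x64)" "198.51.100.9"
192.0.2.10 - - [15/Dec/2022:01:19:43 +0000] "POST /identity/connect/token HTTP/1.1" 400 177 "-" "(Windows NT 10.0; Win64; x64)" "198.51.100.9"
"""

LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)
AUTH_PATHS = {
    "/api/accounts/prelogin": "prelogin",
    "/identity/accounts/prelogin": "prelogin",
    "/identity/connect/token": "token",
}

def summarize(log_text):
    """Map user agent -> status codes seen on the prelogin and token endpoints."""
    clients = defaultdict(lambda: {"prelogin": [], "token": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # The query string is dropped so access tokens in URLs are never kept.
        kind = AUTH_PATHS.get(m["target"].split("?", 1)[0])
        if kind:
            clients[m["agent"]][kind].append(int(m["status"]))
    return dict(clients)

def classify(entry):
    if 200 in entry["token"]:
        return "ok"            # at least one successful token grant
    if 404 in entry["prelogin"]:
        return "prelogin-404"  # assumption: endpoint missing on this server
    return "token-rejected" if entry["token"] else "no-token-request"

def triage(log_text):
    return {agent: classify(e) for agent, e in summarize(log_text).items()}

if __name__ == "__main__":
    for agent, verdict in triage(SAMPLE_LOG).items():
        print(f"{verdict:16} {agent}")
```

A client labelled `prelogin-404` whose password is accepted elsewhere is worth checking against the server version before anyone resets credentials.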

Resolved!

TLDR:
Background:
-Self-Hosted Vaultwarden, docker container, on Synology NAS
-[Sudden] login failure error
-Bitwarden desktop client login failed
-Chrome/Brave extension login failed
-Edge extension login successful
-iPhone/iPad app login successful

Root Cause:
-old/deprecated docker image

Resolution:
-spun up Watchtower container for long-term fix
-Watchtower automatically detected and updated Vaultwarden image and recreated container with latest image
-manually pruned all unused Docker images

STORY TIME
Had same issue with my self-hosted vaultwarden container after a fresh Windows 11 install. I was also suddenly unable to login on my Mac laptop.

I was absolutely sure I was using the correct username/password, but kept getting the “Invalid username/password” error when logging in to the Bitwarden Desktop app and Brave/Chrome extensions. Somehow, our iPhone Bitwarden apps were still working, and I was able to login using the Bitwarden extension for Edge.

I’ve spent many hours over several days reading stuff online and found a lot of people experienced the same issue over several years, spanning over various versions. Discussion threads would just end and go stale without any real working solutions.

For self-hosted instances, it seemed to me that this issue occurs whenever a container is using a deprecated vaultwarden/server image.

So I ssh’d into my server and ran a few docker commands.

#To get my current Vaultwarden docker container ID

$ sudo docker container ls
CONTAINER ID   IMAGE                       COMMAND         CREATED          STATUS                    PORTS                                          NAMES
273aebcda9c7   vaultwarden/server:latest   "/start.sh"     33 minutes ago   Up 33 minutes (healthy)   0.0.0.0:3012->3012/tcp, 0.0.0.0:5555->80/tcp   vaultwarden-serve

#To inspect the container and see which image it’s using
$ sudo docker container inspect 273aebcda9c7

Sections of the resulting output clued me in that my container was definitely using an old image…

"Labels": {
            "org.opencontainers.image.created": "2021-04-30T14:49:52+00:00",
            "org.opencontainers.image.documentation": "https://github.com/dani-garcia/vaultwarden/wiki",
            "org.opencontainers.image.licenses": "GPL-3.0-only",
            "org.opencontainers.image.revision": "1e5306b8203a7ebe24047910e6c690c18c6d827a",
            "org.opencontainers.image.source": "https://github.com/dani-garcia/vaultwarden",
            "org.opencontainers.image.url": "https://hub.docker.com/r/vaultwarden/server",
            "org.opencontainers.image.version": "1.21.0"

Then, I also decided to prune any unused docker images
$ sudo docker image prune -a

At this point, I knew my next step was to update my docker image – which I’ve never done before. And I was scared that I’d somehow lose my vault if I messed things up. Then, I remembered somewhere in my research that someone mentioned a “watchtower” docker which automates docker image updates. This seemed like a much better short-term and long-term solution for this issue.

https://containrrr.dev/watchtower/
Thanks to all the wonderful contributors to this small but outstanding docker!

So I used the quick-start script and spun up a Watchtower container. I then stopped it to add an Environment Variable: “WATCHTOWER_RUN_ONCE”, with a value of “true”, to force a one-time update of all running containers.

With my Vaultwarden container running, I restarted the Watchtower container. After a few minutes, I got a notification from my server that my Vaultwarden container had stopped unexpectedly, indicating that Watchtower was doing its job. The container logs also provide good documentation.

Once I verified Vaultwarden was running, and I was able to pull up and login to the webvault, I tried logging into the Desktop client and Chrome/Brave extensions.

Success!
Everything works again!

Hopefully this helps other people experiencing the same issue.
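The manual check described in the post above (inspect the container, read the image labels) can be run across every container at once. The following is an added example, not part of the original post: it reads `docker container inspect` JSON and flags images by the age of their `org.opencontainers.image.created` label. The sample JSON is constructed from the labels quoted in the post plus one made-up unlabelled container, and the function name and 180-day threshold are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample: trimmed `docker container inspect` output. The first entry
# uses the labels quoted in the post; the second is a made-up unlabelled image.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/vaultwarden-serve",
     "Config": {"Image": "vaultwarden/server:latest",
                "Labels": {"org.opencontainers.image.created": "2021-04-30T14:49:52+00:00",
                           "org.opencontainers.image.version": "1.21.0"}}},
    {"Name": "/unlabelled", "Config": {"Image": "example/app:latest", "Labels": None}},
])

def stale_images(inspect_json, now, max_age_days=180):
    """Return one finding per container; `now` must be timezone-aware."""
    findings = []
    for c in json.loads(inspect_json):
        cfg = c.get("Config") or {}
        labels = cfg.get("Labels") or {}          # Docker emits null when no labels exist
        created = labels.get("org.opencontainers.image.created")
        entry = {"name": c.get("Name", "").lstrip("/"),
                 "image": cfg.get("Image"),       # a `latest` tag says nothing about age
                 "version": labels.get("org.opencontainers.image.version"),
                 "age_days": None, "status": "unknown"}
        if created:
            # Accept a trailing "Z", which older fromisoformat() rejects.
            built = datetime.fromisoformat(created.replace("Z", "+00:00"))
            entry["age_days"] = (now - built).days
            entry["status"] = "stale" if entry["age_days"] > max_age_days else "current"
        findings.append(entry)
    return findings

if __name__ == "__main__":
    for f in stale_images(SAMPLE_INSPECT, datetime.now(timezone.utc)):
        print(f"{f['status']:8} {f['name']:20} {f['image']} "
              f"version={f['version']} age_days={f['age_days']}")
```

On a live host the input would be the output of `docker container inspect` for the running container IDs.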

This is because of this:

Resolved! See my other post.