Devolutions Server 4.0 - Nested Groups don't work anymore


Hi Support-Team,

I updated our Devolutions-Server to Version 4.0.

Now it seems that nested groups in Active Directory don't work anymore. This is VERY BAD!!!
What can I do to make nested groups work again, like it was in Devolutions Server 3.2?

Need a Solution ASAP, no one can access their passwords here.

thanks,

Benjamin Schrupp

3 yrs

I'm back on Version 3.2 now.
Please let me know when this is fixed.

Thanks,

Benjamin Schrupp

3 yrs

Hello,

We're working on it, we'll keep you posted.


Best regards,



Maurice Côté

3 yrs

Hello,

The issue is fixed and the version 4.0.1.0 of DVLS has been released.

Best regards,



Érica Poirier

3 yrs

Hi,

It's not fixed! At all, it's worse than before.

After the Update to Version 4.0.1.0 I was able to connect with local Admin-Account (type: Custom (Devolutions)).
Domain-Accounts work sometimes. I got the following errors:


image
Credentials were definitely correct

A lot of upcoming Authentication-Windows (ca. 5 times)

image
And after a few tries to refresh with Ctrl + F5 I got this

image

Sometimes (very rarely) I could connect with a Domain Account. Then I saw the entries where the permissions come from nested groups, but not the entries where my account was granted access directly in an AD-Group.

Server throws the following Errors:


The following error was received by a user at 11/30/2016 10:22:22 AM
Error:
COMException - Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again. at System.DirectoryServices.DirectoryEntry.RefreshCache() at System.DirectoryServices.AccountManagement.PrincipalContext.DoMachineInit() at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize() at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx() at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate) at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, IdentityType identityType, String identityValue) at System.DirectoryServices.AccountManagement.GroupPrincipal.FindByIdentity(PrincipalContext context, IdentityType identityType, String identityValue) at System.DirectoryServices.AccountManagement.AuthZSet.get_CurrentAsPrincipal() at System.DirectoryServices.AccountManagement.FindResultEnumerator`1.get_Current() at System.DirectoryServices.AccountManagement.FindResultEnumerator`1.System.Collections.IEnumerator.get_Current() at System.Linq.Enumerable.d__94`1.MoveNext() at System.Collections.Generic.List`1..ctor(IEnumerable`1 collection) at Devolutions.RemoteDesktopManager.Business.DirectoryServicesGetUserDetailsResult.AssignFromPrincipalSearchResult(Principal principal, PrincipalSearchResult`1 directoryGroups) in c:\Dev\devolutions\RemoteDesktopManager\Business\Results\DirectoryServicesGetUserDetailsResult.cs:line 63 at Devolutions.RemoteDesktopManager.Managers.DirectoryServicesManager.GetUserDetails(String fullName, DirectoryServicesQueryParameter directoryServicesQueryParameter, Boolean isMultiDomain, Boolean isNested, RoleInfoEntity[] roleNames) in 
c:\Dev\devolutions\RemoteDesktopManager\Business\Managers\DirectoryServicesManager.cs:line 367 at Devolutions.Server.Providers.RDMSMembershipProvider.CheckPasswordActiveDirectoryMultiDomain(String username, String password, MembershipLoginData membershipLoginData) in c:\Dev\devolutions\Websites\Server\Providers\RDMSMembershipProvider.cs:line 849 at Devolutions.Server.Providers.RDMSMembershipProvider.DoValidateUserAgainstDomain(UserInfoEntity userInfoEntity, String password, MembershipLoginData membershipLoginData, Boolean addLoginData) in c:\Dev\devolutions\Websites\Server\Providers\RDMSMembershipProvider.cs:line 1078 at Devolutions.Server.Providers.RDMSMembershipProvider.DoValidateUser(String username, String password, MembershipLoginData loginData, UserData userData, Boolean addLoginData) in c:\Dev\devolutions\Websites\Server\Providers\RDMSMembershipProvider.cs:line 1043 at Devolutions.Server.Providers.RDMSMembershipProvider.DoValidateUser(String username, String password, MembershipLoginData loginData) in c:\Dev\devolutions\Websites\Server\Providers\RDMSMembershipProvider.cs:line 998 at Devolutions.Server.Providers.RDMSMembershipProvider.AuthenticateUser(MembershipLoginData loginData, String userName, String password) in c:\Dev\devolutions\Websites\Server\Providers\RDMSMembershipProvider.cs:line 754 at Devolutions.Server.Providers.RDMSMembershipProvider.DoValidateUserFull(String userName, String password, MembershipLoginData loginData) in c:\Dev\devolutions\Websites\Server\Providers\RDMSMembershipProvider.cs:line 1183 at Devolutions.Server.Controllers.APIControllers.v2.RDMSApiController.DoLogin(HttpRequestMessage request, String userName, String password, ClientApplicationInfo clientApplicationInfo, String twoFactorID, TwoFactorInfo twoFactorInfo, String publicIPAddress, Byte[] sessionKey, String repositoryId, Boolean partialMode) in c:\Dev\devolutions\Websites\Server\Website\Controllers\APIControllers\RDMSApiController.Login.cs:line 888 at 
Devolutions.Server.Controllers.APIControllers.v2.RDMSApiController.Login2(HttpRequestMessage request, JObject requestData, Boolean partialMode) in c:\Dev\devolutions\Websites\Server\Website\Controllers\APIControllers\RDMSApiController.Login.cs:line 312 at lambda_method(Closure , Object , Object[] ) at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.<>c__DisplayClass10.b__9(Object instance, Object[] methodParameters) at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ExecuteAsync(HttpControllerContext controllerContext, IDictionary`2 arguments, CancellationToken cancellationToken) --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Web.Http.Controllers.ApiControllerActionInvoker.d__0.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Web.Http.Filters.ActionFilterAttribute.d__5.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Web.Http.Filters.ActionFilterAttribute.d__5.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Web.Http.Filters.ActionFilterAttribute.d__0.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at 
System.Web.Http.Controllers.ActionFilterResult.d__2.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Web.Http.Controllers.ExceptionFilterResult.d__0.MoveNext() --- Default
Source:
Active Directory


The following error was received by a user at 11/30/2016 10:25:40 AM
Error:
HttpException - Cannot redirect after HTTP headers have been sent. at System.Web.HttpResponse.Redirect(String url, Boolean endResponse, Boolean permanent) at System.Web.Security.FormsAuthenticationModule.OnLeave(Object source, EventArgs eventArgs) at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) --- Default
Source:
System.Web

I hope this helps you troubleshoot the issues.

Benjamin Schrupp

3 yrs

Hello,

  • We have a strategy for the COM Exception, we will do a build as soon as we have load tested our fix.
  • For the other Exception, we are missing some details, but a fix was committed yesterday afternoon that was needed because of an unexpected redirection. I hope it is what you are seeing.

Best regards,



Maurice Côté

3 yrs

Hello,

Could you please send me the web.config file in a private message? Remove all passwords you will find in that file.

Best regards,



Érica Poirier

3 yrs

Hello,

Thank you for your file.

In the Server Settings of your Devolutions Server instance, have you set an Administration credentials account in the Domain tab of the Authentication tab?

image

The administrator account must have full read permissions over the domain to be able to get all information about AD users and AD groups.

Best regards,



Érica Poirier

3 yrs

Hi Erica,

Here is what I did:

- Updating Devolutions Server to Version 4.0.1.0
- Updating RDM to Version 12.0.2.0
- Clicking Edit on the Devolutions Server Tab

image

- Prompting for Credentials (Credentials were correct)

image


image

- Next Windows opens after reauthentication and clicking OK
- Tried Connection successfully (Logged on Account and specific AD-Account worked)

image


- Checked the Diagnostic and installed IIS Rewrite Module

image


- Authentication does not really work at all

image

- Here the Setting Pane

image

- Server throws these Exceptions:


Error:
NullReferenceException - Object reference not set to an instance of an object. at Devolutions.Server.TokenManager.IsTokenValid(String token) in c:\Dev\devolutions11_5\Websites\Server\Common\Managers\TokenManager.cs:line 174 at Devolutions.Server.Controllers.APIControllers.v2.RDMSApiController.ValidateSession(HttpRequestMessage request) in c:\Dev\devolutions11_5\Websites\Server\Website\Controllers\APIControllers\RDMSApiController.cs:line 103 at Devolutions.Server.Controllers.APIControllers.v2.RDMSApiController.KeepAlive(HttpRequestMessage request) in c:\Dev\devolutions11_5\Websites\Server\Website\Controllers\APIControllers\RDMSApiController.Connection.cs:line 322 at lambda_method(Closure , Object , Object[] ) at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.<>c__DisplayClass10.b__9(Object instance, Object[] methodParameters) at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ExecuteAsync(HttpControllerContext controllerContext, IDictionary`2 arguments, CancellationToken cancellationToken) --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Web.Http.Controllers.ApiControllerActionInvoker.d__0.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Web.Http.Filters.ActionFilterAttribute.d__5.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Web.Http.Filters.ActionFilterAttribute.d__5.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at 
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Web.Http.Filters.ActionFilterAttribute.d__0.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Web.Http.Controllers.ActionFilterResult.d__2.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Web.Http.Filters.AuthorizationFilterAttribute.d__2.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Web.Http.Controllers.ExceptionFilterResult.d__0.MoveNext() --- Default
Source:
Devolutions.Server.Common


Error:
COMException - Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again. at System.DirectoryServices.DirectoryEntry.RefreshCache() at System.DirectoryServices.AccountManagement.PrincipalContext.DoMachineInit() at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize() at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx() at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate) at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, IdentityType identityType, String identityValue) at System.DirectoryServices.AccountManagement.GroupPrincipal.FindByIdentity(PrincipalContext context, IdentityType identityType, String identityValue) at System.DirectoryServices.AccountManagement.AuthZSet.get_CurrentAsPrincipal() at System.DirectoryServices.AccountManagement.FindResultEnumerator`1.get_Current() at System.DirectoryServices.AccountManagement.FindResultEnumerator`1.System.Collections.IEnumerator.get_Current() at System.Linq.Enumerable.d__94`1.MoveNext() at System.Collections.Generic.List`1..ctor(IEnumerable`1 collection) at Devolutions.RemoteDesktopManager.Business.DirectoryServicesGetUserDetailsResult.AssignFromPrincipalSearchResult(Principal principal, PrincipalSearchResult`1 directoryGroups) in c:\Dev\devolutions\RemoteDesktopManager\Business\Results\DirectoryServicesGetUserDetailsResult.cs:line 63 at Devolutions.RemoteDesktopManager.Managers.DirectoryServicesManager.GetUserDetails(String fullName, DirectoryServicesQueryParameter directoryServicesQueryParameter, Boolean isMultiDomain, Boolean isNested, RoleInfoEntity[] roleNames) in 
c:\Dev\devolutions\RemoteDesktopManager\Business\Managers\DirectoryServicesManager.cs:line 367 at Devolutions.Server.Providers.RDMSMembershipProvider.CheckPasswordActiveDirectoryMultiDomain(String username, String password, MembershipLoginData membershipLoginData) in c:\Dev\devolutions\Websites\Server\Providers\RDMSMembershipProvider.cs:line 849 at Devolutions.Server.Providers.RDMSMembershipProvider.DoValidateUserAgainstDomain(UserInfoEntity userInfoEntity, String password, MembershipLoginData membershipLoginData, Boolean addLoginData) in c:\Dev\devolutions\Websites\Server\Providers\RDMSMembershipProvider.cs:line 1078 at Devolutions.Server.Providers.RDMSMembershipProvider.DoValidateUser(String username, String password, MembershipLoginData loginData, UserData userData, Boolean addLoginData) in c:\Dev\devolutions\Websites\Server\Providers\RDMSMembershipProvider.cs:line 1043 at Devolutions.Server.Providers.RDMSMembershipProvider.DoValidateUser(String username, String password, MembershipLoginData loginData) in c:\Dev\devolutions\Websites\Server\Providers\RDMSMembershipProvider.cs:line 998 at Devolutions.Server.Providers.RDMSMembershipProvider.AuthenticateUser(MembershipLoginData loginData, String userName, String password) in c:\Dev\devolutions\Websites\Server\Providers\RDMSMembershipProvider.cs:line 754 at Devolutions.Server.Providers.RDMSMembershipProvider.DoValidateUserFull(String userName, String password, MembershipLoginData loginData) in c:\Dev\devolutions\Websites\Server\Providers\RDMSMembershipProvider.cs:line 1183 at Devolutions.Server.Controllers.APIControllers.v2.RDMSApiController.DoLogin(HttpRequestMessage request, String userName, String password, ClientApplicationInfo clientApplicationInfo, String twoFactorID, TwoFactorInfo twoFactorInfo, String publicIPAddress, Byte[] sessionKey, String repositoryId, Boolean partialMode) in c:\Dev\devolutions\Websites\Server\Website\Controllers\APIControllers\RDMSApiController.Login.cs:line 888 at 
Devolutions.Server.Controllers.APIControllers.v2.RDMSApiController.Login2(HttpRequestMessage request, JObject requestData, Boolean partialMode) in c:\Dev\devolutions\Websites\Server\Website\Controllers\APIControllers\RDMSApiController.Login.cs:line 312 at lambda_method(Closure , Object , Object[] ) at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.<>c__DisplayClass10.b__9(Object instance, Object[] methodParameters) at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ExecuteAsync(HttpControllerContext controllerContext, IDictionary`2 arguments, CancellationToken cancellationToken) --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Web.Http.Controllers.ApiControllerActionInvoker.d__0.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Web.Http.Filters.ActionFilterAttribute.d__5.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Web.Http.Filters.ActionFilterAttribute.d__5.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Web.Http.Filters.ActionFilterAttribute.d__0.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at 
System.Web.Http.Controllers.ActionFilterResult.d__2.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Web.Http.Controllers.ExceptionFilterResult.d__0.MoveNext() --- Default
Source:
Active Directory

I think this exception was during the Server Update...


Error:
HttpException - Cannot redirect after HTTP headers have been sent. at System.Web.HttpResponse.Redirect(String url, Boolean endResponse, Boolean permanent) at System.Web.Security.FormsAuthenticationModule.OnLeave(Object source, EventArgs eventArgs) at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) --- Default
Source:
System.Web


Then I had an idea:
It felt like the credentials used in RDM are passed to the SQL-Database. And there they are not allowed to login.
I created a user / group with no specific rights and tried again.

image


Authentication for this group / user worked well. No errors anymore.
But RDM loads only the elements with direct permission in AD. For the nested group elements I need to press Ctrl + F5.

It's always the same behavior when restarting RDM. Only after pressing Ctrl + F5 I see the elements for nested groups.


Hope that helps to identify the issue.

regards,

Benjamin

3 yrs
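The symptom reported in the post above (entries granted through a directly assigned AD group load, entries granted through nested groups do not) comes down to whether group membership is expanded transitively. The following is an added example, not code from this thread or from Devolutions; the directory contents, entry names and function names are constructed for illustration.

```python
from collections import deque

# Constructed sample data: principal -> groups it is a DIRECT member of.
MEMBER_OF = {
    "jdoe": ["Helpdesk", "VPN-Users"],
    "Helpdesk": ["IT-Staff"],
    "IT-Staff": ["Vault-Readers", "Helpdesk"],  # circular nesting on purpose
    "VPN-Users": [],
    "Vault-Readers": [],
}

# Constructed sample data: vault entry -> groups that are granted access.
ENTRY_ACL = {
    "Router admin password": {"Helpdesk"},
    "Backup service account": {"Vault-Readers"},
    "Domain admin": {"Domain-Admins"},
}


def resolve_groups(principal, member_of):
    """Breadth-first expansion of group membership.

    Returns {group: path}, where path is the chain of groups leading from
    the principal's direct group to that group. A group is recorded once,
    so circular nesting cannot loop forever.
    """
    paths = {}
    queue = deque((g, [g]) for g in member_of.get(principal, []))
    while queue:
        group, path = queue.popleft()
        if group in paths:
            continue
        paths[group] = path
        for parent in member_of.get(group, []):
            if parent not in paths:
                queue.append((parent, path + [parent]))
    return paths


def split_direct_nested(principal, member_of):
    """Separate directly assigned groups from those reached through nesting."""
    paths = resolve_groups(principal, member_of)
    direct = sorted(g for g, p in paths.items() if len(p) == 1)
    nested = sorted(g for g, p in paths.items() if len(p) > 1)
    return direct, nested


def visible_entries(principal, member_of, entry_acl, include_nested=True):
    """Entries the principal can see, with or without nested-group expansion."""
    direct, nested = split_direct_nested(principal, member_of)
    groups = set(direct) | (set(nested) if include_nested else set())
    return sorted(name for name, acl in entry_acl.items() if acl & groups)


if __name__ == "__main__":
    print("direct/nested:", split_direct_nested("jdoe", MEMBER_OF))
    print("with nesting: ", visible_entries("jdoe", MEMBER_OF, ENTRY_ACL))
    print("direct only:  ", visible_entries("jdoe", MEMBER_OF, ENTRY_ACL, False))
```

Comparing the two result sets for an affected account shows which entries depend on nested membership alone, which is the set to re-check after an upgrade or rollback.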

Hello,

I will recommend you to restore, from a backup, your last working installation of DVLS 3.2.x and reinstall RDM 11.7.6.0.

Actually, we are working on a fix for this bug and we will not release a new version this week.

Best regards,



Érica Poirier

3 yrs

Hi,

sure, I've already done this.
Then I'm waiting for the next Update.
Thanks,

Benjamin

3 yrs

We have tried to reproduce the COMException that you are experiencing, but without success.

I have added locking instructions to protect a certain pathway. As soon as I have a build we would like to test it.

We will keep you posted


Best regards,



Maurice Côté

3 yrs

Hi,
Are there any updates in VERSION 4.0.6.0 (January 3rd 2017) that make it worth testing with my AD nested Groups Problem?
regards,
Ben

3 yrs

Hello,

Sorry but no updates about nested AD group in that version. You can consult the Change History web page for more information about fixes and improvements of Devolutions Server.

But for sure, I will let you know when a fix will be available!

Best regards,



Érica Poirier

3 yrs

Is there any indication of when this will be fixed? We can't take our environment into production status with this bug being there, as it will cause too many problems.

I don't really fancy rebuilding the environment from scratch on 3.2.x at the moment :-(

3 yrs

Hello,

We feel that it is fixed in our latest internal builds, but we've asked Erica to test it out with a few customers because the bug was never reproduced in any of our three test domains.

If you'd like, just send her a note at support@devolutions.net and she'll book a session to go through the process with you.


Best regards,



Maurice Côté

3 yrs

Hi Maurice,

Erica is the one who turned it off during a session last week..
I'll test to see if the issue still exists.

Regards,

3 yrs

Hello,

With your binaries it won't do a thing, you need our latest builds, and the one for the server is not public yet if I'm not mistaken.



Maurice Côté

3 yrs

Then I will plan something with Erica. Thanks!

3 yrs

Any Updates new Status here?

3 yrs

@Benjamin, we're having a hard time getting feedback from the customers that we have asked to test out the solution.

If you are willing to work with Erica on the matter, send us a note at support@devolutions.net


Best regards,



Maurice Côté

3 yrs

Sure, no problem.
I send u a note.

3 yrs