
Getting 401 errors instead of 2FA challenge


DVLS 4.0.6.0, RDM 12.0.8:

Trying to enable 2FA for our administrators. Configuring and validating the 2FA for a user works fine (DUO and Google Auth both tested), but when we attempt to connect RDM to the DVLS server, it just throws a 401 error instead of presenting the 2FA challenge. For Duo, we were able to bypass it by removing the 2FA requirement on user (we suspected it was just a problem with our Duo implementation), so we tried to enable Google Authenticator instead, but the same issue happens there. Now we don't really have any rollback option except modifying the backend database directly (removing the 2FA details from the SecurityKey column XML data). Any idea what we might be missing here?

Stacktrace from RDM:

System.Net.WebException: The remote server returned an error: (401) Unauthorized.
at System.Net.HttpWebRequest.GetResponse()
at Devolutions.Server.ApiWrapper.RestClient.GetInfoDataFromBodyRequest[T,K](String apiUrl, T postObject)
at Devolutions.Server.ApiWrapper.RDMSWebClient.GetData(DataOptionsEntity options)
at Devolutions.RemoteDesktopManager.Business.DataSources.RDMSWebApiClient.ca672ee2e2ecd95333b49c186092d0277.c20e7a175c4cf686430ff4e87fb942e7b()
at Devolutions.RemoteDesktopManager.Business.DataSources.RDMSWebApiClient.c4cfebae48c715cba5241d6a671d47c8d[cb75a0a5d15a1ad8b8a8a5e57cca214a3](c31561c0d54939abd223ac7c0cf30e7e6`1 c6cc9ab02b2ea9ccd42c7c0497677bcc2, String ce54111a2f696be07240ffb02871e6867)
at Devolutions.RemoteDesktopManager.Business.DataSources.RDMSWebApiClient.c5f4f6c72c053c0cd60a62abeeaa43fdf[cb75a0a5d15a1ad8b8a8a5e57cca214a3](c31561c0d54939abd223ac7c0cf30e7e6`1 c6cc9ab02b2ea9ccd42c7c0497677bcc2)
at Devolutions.RemoteDesktopManager.Business.DataSources.RDMSWebApiClient.GetData(String proxyConnectionCacheID, Byte[] version)
at Devolutions.RemoteDesktopManager.Business.DataSources.RDMSConnectionDataSource.GetDataSourceSettings()
at Devolutions.RemoteDesktopManager.Managers.ConnectionManager.c29fbd34504079a3525ca4c390d5d4074(BaseConnectionDataSource cf40b69955d088020784eb92737f0a505)

DVLS shows the 401 on a POST request to /api/connection/data:


2017-01-18 10:16:24 ::1 POST /RDM/api/login - 443 - ::1 - - 200 0 0 317
2017-01-18 10:16:24 ::1 GET /RDM/api/login/twofactor - 443 - ::1 - - 200 0 0 0
2017-01-18 10:16:24 ::1 POST /RDM/api/security/twofactorbyusername - 443 - ::1 - - 200 0 0 15
2017-01-18 10:16:24 ::1 POST /RDM/api/security/twofactorbyusername - 443 - ::1 - - 200 0 0 0
2017-01-18 10:16:24 ::1 POST /RDM/api/connection/data - 443 - ::1 - - 401 0 0 0
2017-01-18 10:16:24 ::1 GET /RDM/api/logout - 443 - ::1 - - 200 0 0 0

Clock3 yrs
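One way to spot the pattern reported above in IIS logs: login and two-factor calls answered 200, then the first `/api/connection/data` request answered 401. This is an added example, not part of the original posts and not Devolutions code; the column order is assumed to be the IIS W3C default, and the function names are hypothetical.

```python
from collections import defaultdict

# Assumed column order (the IIS W3C default); the thread shows no #Fields header.
FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
          "c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus "
          "sc-win32-status time-taken").split()

# Log lines copied from the first post of this thread.
SAMPLE = """\
2017-01-18 10:16:24 ::1 POST /RDM/api/login - 443 - ::1 - - 200 0 0 317
2017-01-18 10:16:24 ::1 GET /RDM/api/login/twofactor - 443 - ::1 - - 200 0 0 0
2017-01-18 10:16:24 ::1 POST /RDM/api/security/twofactorbyusername - 443 - ::1 - - 200 0 0 15
2017-01-18 10:16:24 ::1 POST /RDM/api/security/twofactorbyusername - 443 - ::1 - - 200 0 0 0
2017-01-18 10:16:24 ::1 POST /RDM/api/connection/data - 443 - ::1 - - 401 0 0 0
2017-01-18 10:16:24 ::1 GET /RDM/api/logout - 443 - ::1 - - 200 0 0 0
"""

def parse(line):
    """Split one log line into a dict; skip directives and malformed lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS) or not parts[11].isdigit():
        return None
    rec = dict(zip(FIELDS, parts))
    rec["sc-status"] = int(rec["sc-status"])
    return rec

def find_2fa_then_401(lines):
    """Report data requests answered 401 right after a successful login and
    two-factor exchange from the same client IP (a heuristic: clients that
    share an address are not told apart)."""
    state = defaultdict(lambda: {"login": False, "twofactor": False})
    findings = []
    for rec in filter(None, map(parse, lines)):
        stem, status, s = rec["cs-uri-stem"].lower(), rec["sc-status"], state[rec["c-ip"]]
        if stem.endswith("/api/login"):
            s["login"], s["twofactor"] = status == 200, False
        elif "twofactor" in stem:
            s["twofactor"] = s["login"] and status == 200
        elif stem.endswith("/api/connection/data"):
            if status == 401 and s["twofactor"]:
                findings.append((rec["date"], rec["time"], rec["c-ip"], rec["cs-uri-stem"]))
            s["login"] = s["twofactor"] = False
        elif stem.endswith("/api/logout"):
            s["login"] = s["twofactor"] = False
    return findings

if __name__ == "__main__":
    for hit in find_2fa_then_401(SAMPLE.splitlines()):
        print("2FA completed but data request rejected:", *hit)
```

A 401 on the data endpoint with no preceding successful two-factor exchange is not reported, which keeps ordinary failed logins out of the results.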

Hello,

Could you please upgrade your DVLS to version 4.0.7.0? This should help to resolve your issue.

Best regards,



Érica Poirier

Happy Holiday Season!
Although our various support queues will be monitored during the coming holiday season, Devolutions' offices will be closed from December 24th, 2019, to January 1, 2020, inclusively.


Clock3 yrs

Can do - there's no mention of 2FA changes in the change history at https://server.devolutions.net/Home/ChangeHistory though - if I had seen it there I would have tried that first. Just sayin' :)

Clock3 yrs

Hello,

Could you please check if the WebDAV server role is enabled on the server? This server role must be disabled.

Do you have something relevant about this issue in the Server Logs of your DVLS instance?

Best regards,



Érica Poirier


Clock3 yrs

Hello,

Ran the DVLS server diagnostic tool and it's all green. WebDAV is not installed. Upgrading to 4.0.7.0 did not fix the issue unfortunately.

Set up failed request tracing in IIS, getting the following (not much to work with I suppose):


ModuleName: __DynamicModule_Microsoft.Owin.Host.SystemWeb.OwinHttpModule, Microsoft.Owin.Host.SystemWeb, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35_67a026a1-11ca-4e37-b18d-63c6adf2f28b
Notification: PRE_EXECUTE_REQUEST_HANDLER
HttpStatus: 401
HttpReason: Unauthorized
HttpSubStatus: 0
ErrorCode: The operation completed successfully. (0x0)


I've enabled the 'Log debug information' setting, but I'm not sure where/if this produces any additional log data anywhere? I suppose I could point it to a syslog server if necessary.

Clock3 yrs

Hello,

You can access the Server Logs from the Devolutions Server console.

Have you enabled the Integrated Security option in the Database tab of the Server Settings?

Best regards,



Érica Poirier


Clock3 yrs

Ok, log just says:

RDMSMembershipProvider: CheckPasswordActiveDirectoryMultiDomain - Enter:Debug
RDMSMembershipProvider: CheckPasswordActiveDirectoryMultiDomain - EXIT:Debug
Unable to update logHistory:Invalid data:Warning

Same error in syslog:


1 2017-01-18T17:27:07.103845+01:00 ::1 Devolutions Server 11200 LoginHistory - n++Invalid data
1 2017-01-18T17:27:07.150745+01:00 ::1 Devolutions Server 11200 Login - n++CheckPasswordActiveDirectoryMultiDomain - Enter
1 2017-01-18T17:27:07.369597+01:00 ::1 Devolutions Server 11200 Login - n++CheckPasswordActiveDirectoryMultiDomain - EXIT

Clock3 yrs

Oh, and database already uses Integrated Security.

Clock3 yrs

Hello,

Could you please run this SQL statement over the SQL database to list which permissions are granted on it? Please send the result to support@devolutions.net.

SELECT
    class_desc
    ,USER_NAME(grantee_principal_id) AS user_or_role
    ,CASE WHEN class = 0 THEN DB_NAME()
          WHEN class = 1 THEN ISNULL(SCHEMA_NAME(o.uid)+'.','')+OBJECT_NAME(major_id)
          WHEN class = 3 THEN SCHEMA_NAME(major_id) END [Securable]
    ,permission_name
    ,state_desc
FROM sys.database_permissions dp
LEFT OUTER JOIN sysobjects o
    ON o.id = dp.major_id
-- where major_id >= 1 -- ignore sysobjects
ORDER BY
    class_desc DESC
    ,USER_NAME(grantee_principal_id)
    ,CASE WHEN class = 0 THEN DB_NAME()
          WHEN class = 1 THEN ISNULL(SCHEMA_NAME(o.uid)+'.','')+OBJECT_NAME(major_id)
          WHEN class = 3 THEN SCHEMA_NAME(major_id) END
    ,permission_name

Best regards,



Érica Poirier


Clock3 yrs

Sure thing.

Clock3 yrs

Hello,

Thank you for the report. Is it possible that the RDMS... account has the db_owner role membership on your DVLS database?

Best regards,



Érica Poirier


Clock3 yrs

Hi, yes, the SQL account has dbo role.

Clock3 yrs

Hello,

Could you please try to log in to the DVLS web page?
Do you also get an error?

Best regards,



Érica Poirier


Clock3 yrs

Login to the DVLS web page works fine :) So maybe the problem is with the RDM client?

Clock3 yrs

Hello,

Could you please try RDM beta version 12.0.10.0? A fix has been made for a possible issue with DVLS and the Web API Service type and maybe it could help to fix your issue.

You can download it here https://remotedesktopmanager.com/Home/Download/beta

Best regards,



Érica Poirier


Clock3 yrs

DVLS: 4.0.7.0 RDM: 12.0.8.0
(note. DVLS installed in root of IIS website)

We have the exact same problem...

2017-01-23 13:16:57 xx.xx.xx.xx POST /api/login - 443 - xx.xx.xx.xx - - 200 0 0 734
2017-01-23 13:16:57 xx.xx.xx.xx GET /api/login/twofactor - 443 - xx.xx.xx.xx - - 200 0 0 15
2017-01-23 13:16:57 xx.xx.xx.xx POST /api/security/twofactorbyusername - 443 - xx.xx.xx.xx - - 200 0 0 15
2017-01-23 13:16:57 xx.xx.xx.xx POST /api/security/twofactorbyusername - 443 - xx.xx.xx.xx - - 200 0 0 15
2017-01-23 13:16:57 xx.xx.xx.xx POST /api/connection/data - 443 - xx.xx.xx.xx - - 401 0 0 62
2017-01-23 13:16:57 xx.xx.xx.xx GET /api/logout - 443 - xx.xx.xx.xx - - 200 0 0 15

System.Net.WebException: The remote server returned an error: (401) Unauthorized.
at System.Net.HttpWebRequest.GetResponse()
at Devolutions.Server.ApiWrapper.RestClient.GetInfoDataFromBodyRequest[T,K](String apiUrl, T postObject)
at Devolutions.RemoteDesktopManager.Business.DataSources.RDMSWebApiClient.c4cfebae48c715cba5241d6a671d47c8d[cb75a0a5d15a1ad8b8a8a5e57cca214a3](c31561c0d54939abd223ac7c0cf30e7e6`1 c6cc9ab02b2ea9ccd42c7c0497677bcc2, String ce54111a2f696be07240ffb02871e6867)
at Devolutions.RemoteDesktopManager.Business.DataSources.RDMSWebApiClient.c5f4f6c72c053c0cd60a62abeeaa43fdf[cb75a0a5d15a1ad8b8a8a5e57cca214a3](c31561c0d54939abd223ac7c0cf30e7e6`1 c6cc9ab02b2ea9ccd42c7c0497677bcc2)
at Devolutions.RemoteDesktopManager.Business.DataSources.RDMSWebApiClient.GetData(String proxyConnectionCacheID, Byte[] version)
at Devolutions.RemoteDesktopManager.Business.DataSources.RDMSConnectionDataSource.GetDataSourceSettings()
at Devolutions.RemoteDesktopManager.Managers.ConnectionManager.c29fbd34504079a3525ca4c390d5d4074(BaseConnectionDataSource cf40b69955d088020784eb92737f0a505)


DVLS server log not working for some reason, showing multiple of
Title: Unable to update logHistory
Content: Invalid data

Clock3 yrs

Hello,

@Michael, is the Integrated Security option activated in the Database tab of the Server Settings?

If yes, does the Service account have proper permissions over the DVLS database? Please run the SQL statement that you will find in this thread (https://forum.devolutions.net/topic27274-getting--errors-instead-of-fa-challenge.aspx?lastpage=1#post101372) and send the results to support@devolutions.net.

Best regards,



Érica Poirier


Clock3 yrs

Hi Érica, 12.0.10 beta works! So hopefully it will make its way out of beta relatively quickly and we can all go on with our day. :)

Clock3 yrs

Same here, works fine in 12.0.10.0 Beta

Clock3 yrs