Forum / Devolutions Password Server - Support

Upgraded to 5.0.1.0 RDMS, Google 2FA weirdness / not working


Hi,

Yesterday I upgraded to RDMS 5.0.1.0 and everything seemed to be OK after testing, including the Google authenticators. There were no errors during the upgrade.

Today no one's Google 2FA works (invalid code); this includes the users that were working yesterday.

If I reset the user's 2FA and get them to scan the new QR when they log in, it works for that login only. Once they log out and back in and put the code in, they get the invalid code message. I can repeat the reset process and it works again (for that login only).

I've checked clocks on local machines, the RDMS Server and the phones with the authenticator app; they are all in sync.

We're using an SQL backend; people were using the latest RDM (13.5.4.0) before the upgrade, when everything was working OK. I was using the beta, and it was working in that before the server upgrade too.

Database version is at 414

I have 2FA usage set to required in the rdms server settings. The Default required 2FA is set to Google Authenticator

Users are from AD (but that seems to be working)

Any ideas on what may be causing this issue?

Regards,
Craig

Clock2 yrs

Hello,

I do not find you in our CRM so cannot identify your time zone.

I will ask Erica to look at this tomorrow morning; we are currently in EDT. I hope you aren't stuck for your workday.

best regards,



Maurice Côté


Clock2 yrs

Hi Maurice,

We're in Australia/Brisbane GMT+10

In the meantime I've disabled the 2FA. Not ideal, but staff need to use the program.

Cheers,
Craig

Clock2 yrs

We might be in the CRM as this account; think this is the one they purchased it under.

Clock2 yrs

Jackpot, found you. Wow, you guys are really autonomous; haven't found an email from you in the support account.

As per https://www.timeanddate.com/worldclock/meetingtime.html?iso=20180406&p1=165&p2=47, she will come in and you'll be well home by then.

I will ask her to set aside an hour at the earliest synchronization of our working schedules; sadly it looks like our Monday evening and your Tuesday morning. I do not know if she would be available our Sunday evening....

We'll do our best and send you instructions if they are known... (you already stated responses to all of our usual initial questions....)

You will get a response in about 12 hours.

Thank you for your patience.



Maurice Côté


Clock2 yrs

Hello,

I am clueless about your issue. I can't reproduce it on our environment.

Which username format are you using to connect on DVLS and which username format is saved in the database (Administration - Users)?

Do you have something relevant in the DVLS logs about this problem?
https://helpserver.devolutions.net/configure_dvlslogs.htm

Best regards,



Érica Poirier


Clock2 yrs

Hi,

We are just using our AD login SAM name, and that's what's configured in the username format, but that's working. It's purely the Google Auth 2FA that doesn't after the upgrade.

I'm seeing this in the log when the Google Authenticator says the code's invalid. I don't see the below when logging in and scanning the QR code, using the authenticator code for that first login. I note that it talks about username and password; however, they are correctly entered, and turning off the 2FA it works fine. See my attached screenclip.


ArgumentException - The user name and password must either both be null or both must be non-null.

at System.DirectoryServices.AccountManagement.PrincipalContext..ctor(ContextType contextType, String name, String container, ContextOptions options, String userName, String password)
at Devolutions.RemoteDesktopManager.Managers.DirectoryServicesManager.GetPrincipalContext(ContextType contextType, String contextName, String username, String password, Boolean ldapsEnable, Int32 ldapsPort)

log.jpg
Clock2 yrs

Hello,

An engineer has found something and we were able to reproduce the issue internally.

Is the Administration credentials field filled in with a domain account in the Domain tab of your DVLS configuration?

If not, adding an account for the LDAP queries in the Administration credentials field should fix the issue.

https://helpserver.devolutions.net/settings_domain.htm

Best regards,



Érica Poirier


Clock2 yrs

We're using Duo 2FA and experiencing a similar issue.

This may 'force' us to abandon 2FA until we can get this resolved.

Can someone from support assist??

The following error was received by joe_user at 4/9/2018 5:01:18 PM
Error:
ArgumentNullException - Value cannot be null.
Parameter name: identityValue

at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, String identityValue)
at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, String identityValue)
at Devolutions.RemoteDesktopManager.Managers.DirectoryServicesManager.FindUserByIdentity(String userName, DirectoryServicesQueryParameter parameters, PrincipalContext principalContext)
at Devolutions.RemoteDesktopManager.Managers.DirectoryServicesManager.FindUserByIdentity(String userName, DirectoryServicesQueryParameter parameters)
at Devolutions.Server.UserManager.FindUserInDomain(String userName, String password)
at Devolutions.Server.Controllers.APIControllers.V2.BackendApiController.DoLogin(SessionContext context, String userName, String password, ClientApplicationInfo clientApplicationInfo, String twoFactorID, TwoFactorInfo twoFactorInfo, String publicIPAddress, Byte[] sessionKey, String repositoryId, Boolean partialMode, Boolean useWindowsAuthentication, String localMachineName, String localMachineUserName)
at Devolutions.Server.Controllers.APIControllers.V2.BackendApiController.Login(LoginData loginData, Boolean partialMode)
at lambda_method(Closure , Object , Object[] )
at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.<>c__DisplayClass10.b__9(Object instance, Object[] methodParameters)
at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ExecuteAsync(HttpControllerContext controllerContext, IDictionary`2 arguments, CancellationToken cancellationToken)
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Web.Http.Controllers.ApiControllerActionInvoker.d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at

Clock2 yrs

Hi Erica,

I checked the field and it was blank; I think the update must have cleared it, as it previously had an account in there. I re-added the account after confirming I had the right password.

Now there's a different issue.


- I enable 2FA for myself only (I've got the server set to optional 2FA now for testing)
- Open RDM and log in using my AD user
- Scan the QR and enter a code
- RDM connects to RDMS OK
- Close RDM

- Open RDM and log in using my AD user
- Enter Google Auth code. I no longer get invalid auth code; I get a Windows message box saying unable to connect to the data source. Do you want to go in offline mode.
- Clicking yes (go offline) on that brings up the login box again
- Enter AD details again
- RDM opens in offline mode.

- Clicking no (don't go offline), I get the RDM message box (the one with the blue bar that doesn't look like a standard Windows message box) with the following
Devolutions.RemoteDesktopManager.Business.TryGoOfflineException: Unexpected exception ---> System.Net.WebException: Unexpected exception
at Devolutions.Server.ApiWrapper.RestClient.GetResponse[T](HttpWebRequest request)
at Devolutions.Server.ApiWrapper.RDMSWebClient.Login(String route, String userName, RDMOLoginParameters parameters)
at Devolutions.RemoteDesktopManager.Business.DataSources.RDMSWebApiClient.cba2d075b9d5d7ff70cb004276ee25dfc.c77d0eaf9cc2aad7d81235affb2e7e8e4()
at Devolutions.RemoteDesktopManager.Business.DataSources.RDMSWebApiClient.Login(String userName, RDMOLoginParameters parameters)
at Devolutions.RemoteDesktopManager.Business.DataSources.RDMSConnectionDataSource.cfd5a34f5d07fc88d4e80bd65d54ea43c(String c18973cea236a9feff75c32ca7d1697d5, String ceb81d1ee93f91e0bc57f34876c263863, String cb50ec7aadfaa7e89f2b5694e72d1e841, TwoFactorInfo c7bf7c79d7781c7b960a67d7061274a24)
at Devolutions.RemoteDesktopManager.Business.DataSources.RDMSConnectionDataSource.c23f6d0afb290ae96fa7779029070da0d(String ceb81d1ee93f91e0bc57f34876c263863, String c18973cea236a9feff75c32ca7d1697d5)
at Devolutions.RemoteDesktopManager.Business.DataSources.RDMSConnectionDataSource.Login(Boolean useCredentials)
at Devolutions.RemoteDesktopManager.Business.DataSources.RDMSWebApiClient.get_c3e2a9eaefc85e07772d691a26117253e()
at Devolutions.RemoteDesktopManager.Business.DataSources.RDMSWebApiClient.cae356a0eae8f067f8384e2b245439614.cd14da9e5db3492e4c95f914049f3f28a()
at Devolutions.RemoteDesktopManager.Business.DataSources.RDMSWebApiClient.c5f4f6c72c053c0cd60a62abeeaa43fdf[cb75a0a5d15a1ad8b8a8a5e57cca214a3](c31561c0d54939abd223ac7c0cf30e7e6`1 c6cc9ab02b2ea9ccd42c7c0497677bcc2, ExecuteActionLogMode c92f46156e371279a4f61cd5822be5fee)
--- End of inner exception stack trace ---


- Close RDM
- Turn off my 2FA and RDM works fine again and can connect.


Checking the logs on the server, I now see this exception when I get the unable to connect to data source message.


ArgumentNullException - Value cannot be null.
Parameter name: identityValue

at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, String identityValue)
at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, String identityValue)
at Devolutions.RemoteDesktopManager.Managers.DirectoryServicesManager.FindUserByIdentity(String userName, DirectoryServicesQueryParameter parameters, PrincipalContext principalContext)
at Devolutions.RemoteDesktopManager.Managers.DirectoryServicesManager.FindUserByIdentity(String userName, DirectoryServicesQueryParameter parameters)
at Devolutions.Server.UserManager.FindUserInDomain(String userName, String password)
at Devolutions.Server.Controllers.APIControllers.V2.BackendApiController.DoLogin(SessionContext context, String userName, String password, ClientApplicationInfo clientApplicationInfo, String twoFactorID, TwoFactorInfo twoFactorInfo, String publicIPAddress, Byte[] sessionKey, String repositoryId, Boolean partialMode, Boolean useWindowsAuthentication, String localMachineName, String localMachineUserName)
at Devolutions.Server.Controllers.APIControllers.V2.BackendApiController.Login(LoginData loginData, Boolean partialMode)
at lambda_method(Closure , Object , Object[] )
at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.<>c__DisplayClass10.<GetExecutor>b__9(Object instance, Object[] methodParameters)
at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ExecuteAsync(HttpControllerContext controllerContext, IDictionary`2 arguments, CancellationToken cancellationToken)
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Web.Http.Controllers.ApiControllerActionInvoker.<InvokeActionAsyncCore>d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Web.Http.Filters.ActionFilterAttribute.<CallOnActionExecutedAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Web.Http.Filters.ActionFilterAttribute.<CallOnActionExecutedAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Web.Http.Filters.ActionFilterAttribute.<ExecuteActionFilterAsyncCore>d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Web.Http.Controllers.ActionFilterResult.<ExecuteAsync>d__2.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Web.Http.Controllers.ExceptionFilterResult.<ExecuteAsync>d__0.MoveNext()

Clock2 yrs

Hello,

@William, which RDM and DVLS version are you using? Is the Administration field filled with a domain account for LDAP queries?

@Craig, I will check tomorrow morning with an engineer about your error message. In the meantime, could you please check if you are able to update the account information with the Refresh User Information from Active Directory button in the Users Management dialog?



Best regards,



Érica Poirier


Clock2 yrs

RDM: 13.5.0.0 & 13.5.4.0
DVLS: 5.0.1.0

-- See attached screenshot.

Erica Poirier wrote:

Hello,

@William, which RDM and DVLS version are you using? Is the Administration field filled with a domain account for LDAP queries?

@Craig, I will check tomorrow morning with an engineer about your error message. In the meantime, could you please check if you are able to update the account information with the Refresh User Information from Active Directory button in the Users Management dialog?



Best regards,

Capture.JPG
Clock2 yrs

The account refreshes fine.

ok.jpg
Clock2 yrs

Hello,

@Craig and @William,


We have found something. Are the Always ask username and Always ask password options enabled in the data source configuration (File - Data Sources)?
RDM tries to send those values for the 2FA validation and because these fields are blank, you get that error.

Could you please try it with the username and password saved in the data source configuration?


Best regards,



Érica Poirier


Clock2 yrs

In my configuration, always ask for password is checked, username is prepopulated, but not working properly - and prompts for username.
Erica Poirier wrote:

Hello,

@Craig and @William,


We have found something. Are the Always ask username and Always ask password options enabled in the data source configuration (File - Data Sources)?
RDM tries to send those values for the 2FA validation and because these fields are blank, you get that error.

Could you please try it with the username and password saved in the data source configuration?


Best regards,

Capture.JPG
Clock2 yrs

Hello,

@William, could you please modify the data source configuration and put the correct username and password and disable the Always ask password option box to test if it is working properly?

Best regards,



Érica Poirier


Clock2 yrs

Hi Erica,

Ours is set similar to William's. We specifically require that in our security policies; for example, if someone has RDM on their BYOD phone (where their Google Authenticator is), loses the phone and it has no PIN etc. on it, they may as well not have a password or 2FA at all. We'd have to wait for them to realise they lost it, then reset their AD account.

You have found the issue, as in my testing it works saving it. Seems the 2FA doesn't read the settings from the popup when you haven't saved those settings, so I guess that needs to get fixed.


Testing process:
- Enabled my 2FA on the server
- Open RDM
- Changed my RDM to save the user/password (was already saving the username) on the source.

- Connect to data source, AD login does not appear (logs in automatically)
- Scan the QR that pops up and enter a code
- RDM connects to RDMS OK
- Close RDM

- Open RDM
- Connect to data source, AD login does not appear (logs in automatically)
- Enter Google Authenticator code
- RDM connects to RDMS OK

Clock2 yrs
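
A small triage helper for the two server-side exceptions quoted in this thread, added here as an example; it is not Devolutions code. The cause strings restate what support identified above, while the function names, the pairing table and the sample text (shortened from the traces posted here) are this example's own, and it assumes the log text is available as a plain string.

```python
import re

# Signatures of the two server-side exceptions quoted in this thread, paired
# with the cause support gave for each (the pairing table is this example's own).
CAUSES = [
    ("ArgumentException", "PrincipalContext..ctor",
     "Administration credentials field is empty in the DVLS Domain tab"),
    ("ArgumentNullException", "UserPrincipal.FindByIdentity",
     "RDM sent blank username/password for 2FA validation "
     "(Always ask username/password enabled on the data source)"),
]

MARKER = re.compile(r"-{3} End of (?:inner exception )?stack trace.*?-{3}", re.S)
# A frame starts at "at Name.Space.Method("; this skips "at 4/9/2018" in a header.
FRAME_START = re.compile(r"(?:^|\s)at\s+(?=[A-Za-z_][\w.<>`\[\]]*\()")
HEADER = re.compile(r"(\w+Exception)\s+-\s+(.*)", re.S)

def parse_trace(text):
    """Return (exception type, message, [method paths]) from a .NET trace,
    whether it is one frame per line or flattened onto a single line."""
    head, *frames = FRAME_START.split(MARKER.sub(" ", text))
    m = HEADER.search(head)
    exc, msg = (m.group(1), " ".join(m.group(2).split())) if m else (None, "")
    # Keep the method path only; this also drops a dangling trailing "at".
    methods = [f.split("(", 1)[0].strip() for f in frames if f.strip()]
    return exc, msg, methods

def diagnose(text):
    """Map a logged exception to the cause named in the thread, if any."""
    exc, _msg, methods = parse_trace(text)
    app = next((m for m in methods if m.startswith("Devolutions.")), None)
    cause = "unclassified"
    for want_exc, want_frame, why in CAUSES:
        if exc == want_exc and any(want_frame in m for m in methods):
            cause = why
    return {"exception": exc, "app_frame": app, "cause": cause}

# Sample input: shortened from the traces posted in this thread.
SAMPLE_A = (
    "ArgumentException - The user name and password must either both be null "
    "or both must be non-null.\n\n"
    "at System.DirectoryServices.AccountManagement.PrincipalContext..ctor(ContextType contextType, String name)\n"
    "at Devolutions.RemoteDesktopManager.Managers.DirectoryServicesManager.GetPrincipalContext(ContextType contextType)"
)
SAMPLE_B = (
    "The following error was received by joe_user at 4/9/2018 5:01:18 PM Error: "
    "ArgumentNullException - Value cannot be null. Parameter name: identityValue "
    "at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context) "
    "at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, String identityValue) "
    "at Devolutions.Server.UserManager.FindUserInDomain(String userName, String password) "
    "--- End of stack trace from previous location where exception was thrown --- "
    "at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at"
)

if __name__ == "__main__":
    for sample in (SAMPLE_A, SAMPLE_B):
        print(diagnose(sample))
```

Either result points at configuration rather than at the authenticator codes themselves, which matches what the posters found after checking clock sync.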

Same issue here (after upgrading our staging DVLS server)

RDM 13.5.5.0
DVLS 5.0.1.0

After setting datasource to save username and password, 2FA works again.
Our users will not be able to edit the datasource, as it is locked.

What needs to be updated to fix this issue? (DVLS, RDM or both?)

BR

Michael Leeming

Clock2 yrs

Hello,

The issue has been fixed internally and the patch will be available in the next beta version of RDM (13.5.6.0). This will be sufficient to resolve the issue on your end.

Also, the internal code of DVLS has been fixed and the next version will be more stable.

Best regards,



Érica Poirier


Clock2 yrs

We don't install Beta releases, only test them.
Is it possible to install hotfixes?

Clock2 yrs

Hello,

We do not have hot fixes for our products.

You will have to wait for the next release and there is no ETA for it.

Best regards,



Érica Poirier


Clock2 yrs

This issue is so bad you need to make a quick release and remove the release with this issue.
Replace the latest release with a new release where the only difference is this issue fixed.
The workaround around the issue is very bad for security.

Clock2 yrs

Hello,
We are working on an official release.

Regards

David Hervieux


Clock2 yrs

Hello,

Just to inform you that we have released RDM 13.5.6.0 and DVLS 5.0.2.0. These versions include the fix for your 2FA issue.

You can download them here :

https://server.devolutions.net/home/download

https://remotedesktopmanager.com/home/download

Please consult the following online documentation about Upgrading Devolutions Server.

If you need assistance for the upgrade, please contact us at support@devolutions.net and we will send you our online calendar to book an appointment.


Best regards,



Érica Poirier


Clock2 yrs

Hi Erica,

Just confirming that these updates fix the issue.

Thanks for your help.

Craig

Clock2 yrs

Hello,

@Craig, thank you for your feedback. Glad that it's working now.

Best regards,



Érica Poirier


Clock2 yrs