Forum / Devolutions Password Server - Support

Domain Authentication Not Working in DPS 6.1.0.0


Upgraded to DPS 6.1.0.0 and can't authenticate through web client. Receive the error below through admin email.

Unfortunately, I have been waiting for these authentication issues to be resolved since DPS 6 was initially released, so that we can roll out this tool to our entire company. Auth was really slow (90 sec) in the previous build; now I can't auth at all. Worked great in DPS 5.x.

What's going on here?


The following error was received by at 12/17/2018 11:51:52 AM
Error:
NullReferenceException - Object reference not set to an instance of an object.
   at Devolutions.Server.Managers.AuthenticationProvider.ProcessDomainUserInfo(String userName, String password, LoginContext membershipLoginData)
   at Devolutions.Server.Managers.AuthenticationProvider.DoValidateUserAgainstDomain(LoginContext loginData, UserEntity userEntity, String password)
   at Devolutions.Server.Managers.AuthenticationProvider.DoValidateUser(LoginContext loginData, String username, String password, UserData userData)
   at Devolutions.Server.Managers.AuthenticationProvider.DoValidateUser(LoginContext loginData, String username, String password)
   at Devolutions.Server.Managers.AuthenticationProvider.AuthenticateUser(LoginContext loginData, String userName, String password)
   at Devolutions.Server.Managers.AuthenticationProvider.DoValidateUserFull(LoginContext loginData, String userName, String password)
   at Devolutions.Server.Controllers.APIControllers.V2.BackendApiController.DoLogin(SessionContext context, String userName, String password, ClientApplicationInfo clientApplicationInfo, String twoFactorID, TwoFactorInfo twoFactorInfo, String publicIPAddress, Byte[] sessionKey, String repositoryId, Boolean partialMode, Boolean useWindowsAuthentication, Boolean useAzureADAuthentication, String localMachineName, String localMachineUserName)
   at Devolutions.Server.Controllers.APIControllers.V2.BackendApiController.Login(LoginData loginData, Boolean partialMode)
   at lambda_method(Closure , Object , Object[] )
   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.<>c__DisplayClass10.b__9(Object instance, Object[] methodParameters)
   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ExecuteAsync(HttpControllerContext controllerContext, IDictionary`2 arguments, CancellationToken cancellationToken)
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Web.Http.Controllers.ApiControllerActionInvoker.d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Web.Http.Filters.ActionFilterAttribute.d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Web.Http.Filters.ActionFilterAttribute.d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Web.Http.Filters.ActionFilterAttribute.d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Web.Http.Filters.ActionFilterAttribute.d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Web.Http.Filters.ActionFilterAttribute.d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Web.Http.Filters.ActionFilterAttribute.d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Web.Http.Controllers.ActionFilterResult.d__2.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Web.Http.Controllers.ExceptionFilterResult.d__0.MoveNext()
--- Default
Source:
Devolutions.Server.Common

10 mths

Hello,

Is the Administration credentials field populated with a domain account in the Domain tab of the DPS settings? This account needs to be a member of the Account Operators AD group.



If this field is already configured, we could do a remote session to help you troubleshoot this issue. I still have availability today for a remote session to also check your performance issues.


Best regards,



Érica Poirier


10 mths

Adding the service account to Account Operators would provide the account with elevated permissions to modify AD users. This is not recommended for a read-only LDAP server that is exposed externally. Why would this be recommended when the application should only be reading LDAP anyway? Can you explain how the application requires write access and what it is doing with this level of access?

10 mths
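
One way to check the concern raised in the post above, namely whether the account DPS uses for directory lookups sits in Account Operators or another privileged group, directly or through nesting. This is an added example, not part of the thread or of Devolutions' tooling; it assumes the RSAT ActiveDirectory module, and the account name `svc-dps-ldap` is hypothetical.

```powershell
# Added example: audit a directory-lookup service account for privileged AD group membership.
# Assumes the RSAT ActiveDirectory module; 'svc-dps-ldap' is a hypothetical account name.
Import-Module ActiveDirectory

function Get-PrivilegedMembership {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName
    )

    $domainSid = (Get-ADDomain).DomainSID.Value
    # Schema Admins and Enterprise Admins live in the forest root domain.
    $rootSid = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID.Value

    # Well-known SIDs of groups that grant write or administrative rights.
    $privileged = @{
        'S-1-5-32-544'   = 'Administrators'
        'S-1-5-32-548'   = 'Account Operators'
        'S-1-5-32-549'   = 'Server Operators'
        'S-1-5-32-550'   = 'Print Operators'
        'S-1-5-32-551'   = 'Backup Operators'
        "$domainSid-512" = 'Domain Admins'
        "$rootSid-518"   = 'Schema Admins'
        "$rootSid-519"   = 'Enterprise Admins'
    }

    $user = Get-ADUser -Identity $SamAccountName

    # Escape LDAP filter metacharacters in the DN (backslash first).
    $dn = $user.DistinguishedName -replace '\\', '\5c' -replace '\*', '\2a' `
                                  -replace '\(', '\28' -replace '\)', '\29'

    # LDAP_MATCHING_RULE_IN_CHAIN resolves nested membership on the server.
    # It searches the current domain only and does not cover the primary group.
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
        Where-Object { $privileged.ContainsKey($_.SID.Value) } |
        Select-Object Name, @{ n = 'Sid'; e = { $_.SID.Value } }, DistinguishedName
}

$hits = Get-PrivilegedMembership -SamAccountName 'svc-dps-ldap'
if ($hits) {
    $hits | Format-Table -AutoSize
} else {
    'No privileged group membership found in this domain.'
}
```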

Hello,

Thank you for the information.

At least, the service needs read permissions on AD, but some properties and/or groups need more privileges to be fetched using LDAP queries. We have found that sometimes the service account also needs read permissions over the builtin Users OU and the Computers OU in order to work. We have also seen that some old accounts that were created a while ago in AD could cause some problems because of old properties that aren't available anymore.

Could you please test the domain authentication with a dummy account that is only a member of the Domain Users group?

Best regards,



Érica Poirier


10 mths

Hello,

Could you please check if the Domain Users And Roles Cache feature is enabled?


If so, you have two possibilities. The first one is to disable that option. The second possibility is to configure the Log On As for the DevolutionsSchedulerService service with a service account that has proper permissions on the SQL database to update the content of the tables. If you want to use that last option, let me know and I will send you the information by email.



Best regards,



Érica Poirier


10 mths

Hello,

The issue has been fixed internally and will be available in the next DPS version.

DPS will not trigger that error message anymore. It was caused when the Domain Users and Roles cache option was enabled and the user account wasn't available in that cache.

Best regards,



Érica Poirier


10 mths