Active Directory Groups

Is there any documentation on how to utilize AD groups in Remote Desktop Manager Server? Utilizing AD groups is probably the main reason that my organization has been eagerly awaiting RDMS to be released. I tried adding AD groups as users, but when I logged in with my domain user, it didn't give me any of the permissions I set for the groups I added.

We now support Active Directory users for authentication, but groups are not supported yet. This is on the server roadmap for version 1.1. There is a small chance that it could be in the first version too.

David Hervieux

By the way, we already have started to develop this feature. I'm just not sure if we will have the time to complete it.

David Hervieux

David,

I've been following each of the new beta versions as they have come out, and noticed in the last version that there was a new section added for "Roles", which searches Active Directory for groups. It doesn't look to be working quite yet, though. When I log in with my AD credentials (As an aside, integrated authentication doesn't seem to be available when using Remote Desktop Manager Server data sources. That would be a nice feature to continue to be able to use going forward), it seems to create a user for me in the users section, but it doesn't apply any of the permissions I specified for the role. I'm guessing that not all of the code is in place to make that feature work properly as of yet. If it works the way it looks like it should, this definitely looks like a very nice feature addition to your product.

As you can tell, I'm itching to utilize this feature. I just finished up a quick hack of a PHP script to create users in the SQL database without so much manual intervention. We're up to 20 separate data sources now, and creating new users on each of them can be surprisingly time consuming. I know it would be less work with fewer data sources, but different sets of users need varying degrees of permissions on different sets of machines (and pretty much everyone needs to be able to at least connect to most everything). So the simplest solution at this time is to create data sources for the different sets of machines.

Hi,
What version of Remote Desktop Manager Server do you use? Have you correctly configured the machine name for authentication? You need to enter the machine name and not the domain.

David Hervieux

I just upgraded to RDMS 1.0, actually. When you say that I need to correctly configure the machine name for authentication... Do you mean configure the machine account in the SQL Management Studio? Or do you mean that I need to change the settings for the "Authenticate with domain user" option to use the local machine name instead of my domain name?

Here is what I've tried:
- Authenticate with domain user set to domain name
- Authenticate with domain user set to specific domain controller FQDN
- Authenticate with domain user set to local machine
- In data source configuration:
  - Authenticate as domain user without specifying domain (of AD domain)
  - Authenticate as domain user with specifying domain (of AD domain)
  - Authenticate as local user without specifying domain (of local machine name)
  - Authenticate as local user with specifying domain (of local machine name)
- In Roles configuration:
  - AD groups with only users as members
  - AD groups with other groups as members
  - Local groups with only AD users as members
  - Local groups with only AD groups as members
  - Local groups with only local users as members
  - Local groups with only local groups as members

All of the above have been tried with SQL authentication for the database connection and with integrated authentication for the database. They have all also been tried with every combination possible of turning on/off the built-in user auth and local machine user auth in the RDMS instance configuration.

I'm guessing from your initial follow-up question that the group authentication piece is supposed to be working, and that I'm just failing to configure a small piece to make it work. Currently, the authentication does work, in a way. I can connect to the data source with a domain user that I didn't manually add. RDMS then creates a user for that authenticated person. The user that gets created just doesn't have any rights assigned, so I have to manually edit their permissions in order for the user to be useful.
edited by abwalters on 3/21/2012

Hi,
From what I see, if the server creates the user, it's because it is able to connect to the Active Directory. Have you assigned any rights to an Active Directory group? All those rights are supposed to be inherited by the user when he logs in.

David Hervieux

I assigned administrator permissions to each of the various groups I tested with. Specifically, I assigned those permissions under the "Roles" section.

Do you think that you could send me a print screen of a role? You can send it to infos@dev....

David Hervieux

I'm having the same issue, please do a follow up in this thread.

Hi,
Could you try installing version 1.0.0.1 of RDMS and this version of RDM:

http://remotedesktopmanager.com/download/Devolutions.RemoteDesktopManager.Bin.7.0.4.0.zip

Select the data source and send me a print screen of the File->My Data Source Information.

David Hervieux

I found a workaround for this particular issue. If you manually create your users (with the integrated security checkbox ticked), like you needed to do prior to AD group integration being implemented, your roles will assign permissions to your users.

I will try to fix that for real. I think that RDM should authenticate the user with AD before trying with SQL Server.
edited by dhervieux on 3/29/2012

David Hervieux

Okay. I figured you were working on a more permanent fix. I mostly posted that for xrs and any others currently experiencing this particular problem. The workaround will at least allow the intended functionality, though with a bit of manual intervention needed. I actually meant to post it shortly after I sent the information to you via email, but forgot.

I have reproduced the problem and fixed it.

This is now in version 1.0.0.2.

Regards

David Hervieux

David,

I can confirm that user creation does work now. Any users that are meant to be administrators are created properly (except that setting offline mode doesn't seem to be assignable via roles).

Users that are not a member of an administrator role aren't receiving any permissions, though. I sent you more information via email.

I request this feature for RDM also.

RDM 10.5.2.0 Enterprise
RDMS 2.2.7.0

Unfortunately, for RDM with SQL Server it's not possible to dynamically create the user, because the database user must be a SYS_DBA to create the user in the database. I will see what I can do.

David Hervieux

I have the RDMS instance configured to use SQL authentication, and the RDMS user holds the sysadmin role in SQL, so RDMS should be able to create users without a problem.

Hi,
I was answering @Steffen Hornung about the possibility of adding this feature in RDM with a SQL Server data source. For the bug you reported, I'm working on it. Sorry about the confusion.

David Hervieux

The confusion was on my part. I didn't really read his post to see that it was a feature request for RDM (not RDMS).

It should already work if you add the AD group "employees" to the SQL Server as allowed users, so RDM/RDMS should only have to create the permissions in the RDM(S) database. For this, the db_owner right should be enough, shouldn't it?

@Xanacas

You're right that this could be possible, but it will create a big problem. They will all be administrators of the database, and they will all be able to delete or update any rows in the database using SQL Management Studio.

David Hervieux

I think the problem you describe exists with every sort of integrated security, doesn't it?

Not really, because you can use Integrated Security without being a DB_OWNER.

David Hervieux

We have the following configuration:
Security -> Logon -> Employees - Server role: "public"
I'm the owner of the database "RDM". Our AD admin adds new employees to the group and I create the users through RDM.
So RDM shouldn't create the logon, but should create the database user. Where do you see a security problem?

The problem is that only an Administrator can update or insert into the userinfo table, but I will see what I can do. Maybe I could add an option to allow this. Thank you.

David Hervieux

The advantage of our solution is that the RDMS SQL user / RDM administrator doesn't need SQL Server administrator rights, just db_owner. And the SQL Server admin just needs to add new employees to the group with general access to the server...
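The privilege split Xanacas describes, written out in T-SQL as an added illustration (this is not code from the thread, from RDM or from Devolutions). Names are placeholders: CONTOSO\Employees is the AD group, RDM the database, rdms_svc the service login; userinfo is the table David names above.

```sql
-- Added example, not from this thread or from Devolutions. Placeholders:
-- CONTOSO\Employees = AD group, RDM = database, rdms_svc = service login.

-- Step 1: run once by a server-level admin (sysadmin or securityadmin).
-- The AD group gets a login that holds only the default 'public' server
-- role: members can connect, but nobody becomes a server administrator.
USE master;
CREATE LOGIN [CONTOSO\Employees] FROM WINDOWS;
CREATE LOGIN [rdms_svc] WITH PASSWORD = N'<strong password, placeholder>';

-- Step 2: still as sysadmin. The service account owns only the RDM
-- database, so it never needs sysadmin itself (the thread's concern).
USE RDM;
CREATE USER [rdms_svc] FOR LOGIN [rdms_svc];
ALTER ROLE db_owner ADD MEMBER [rdms_svc];

-- Step 3: everything below can run as rdms_svc (db_owner is enough to
-- create database users). Map the AD group to a database user once;
-- every group member then connects through it with no per-user login.
CREATE USER [CONTOSO\Employees] FOR LOGIN [CONTOSO\Employees];

-- Give the group a narrow database role instead of db_owner, so members
-- who open SQL Management Studio cannot rewrite arbitrary rows. Which
-- tables and rights the application really needs is an assumption here;
-- the one GRANT is a placeholder for that list.
CREATE ROLE rdm_user;
GRANT SELECT ON dbo.userinfo TO rdm_user;
ALTER ROLE rdm_user ADD MEMBER [CONTOSO\Employees];

-- A db_owner can also add an individual Windows account that connects
-- through the group login, without any server login for that account.
-- This is what lets per-user rows be tied to a principal.
CREATE USER [CONTOSO\alice];   -- placeholder user, member of the group

-- Check: list the database principals created above and their roles.
SELECT dp.name, dp.type_desc, r.name AS db_role
FROM sys.database_principals AS dp
LEFT JOIN sys.database_role_members AS rm
       ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals AS r
       ON r.principal_id = rm.role_principal_id
WHERE dp.name IN (N'CONTOSO\Employees', N'CONTOSO\alice', N'rdms_svc');
```

The final query should show rdms_svc in db_owner and the group in rdm_user only; any member showing db_owner means the split has been undone.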

Any news on the role assignment for non-admins? We are running 1.0.0.5, but simple users don't get their role assignments from AD.

Ugh, sorry, it works now in client 7.0.5.0, but not via the web interface. Weird!

I will verify the web interface. Thank you.

David Hervieux

That is what I also know. Is it not?

I am having the problem where new users who are members of an AD group that has been configured within the RDMS roles are not being assigned the same permissions as the AD group / role has been assigned. The new user is created but with no RDMS groups assigned. Once the user is assigned RDMS group membership, they can access items.

I am running 1.1.3.0

The RDMS server uses a SQL account that has 'db_owner' rights to the RDM DB.

What else can I try?

Hi,
I'm not sure I understand what you mean when you write "Once the user is assigned RDMS group"?

David Hervieux

I mean the user's account works well once the user is assigned to the RDMS group manually.

Could you verify File->My Data Source Information to see if the roles are assigned?

David Hervieux

There are no roles assigned when I go to File > My Data Source.

Just to confirm, I have a user (domain\userx) who is part of the group domain\groupx. I have added groupx to the RDMS role and made it administrator via the role checkbox. I have not selected any groups within that role.

I then log on as userx for the first time and an account is created in the RDMS users area. This user has no checkboxes selected at all (except for the enabled checkbox): not in the general area, the groups area, or the administrator, allow offline mode or allow reveal password options.

If I manually check these boxes, userx will have access to the relevant items.

This is the normal behavior for the user, since it should inherit the access from the role. You will need to send me a print screen of My Data Source Information and also a print screen of the role list.

David Hervieux

Hi David,

As Xanacas mentioned, it is usually the IT team's obligation to add/remove users for a particular objective (like allowing/revoking the use of RDM(S)).
So all IT should do is configure an AD group "RDM-Users" in the SQL Server where the permitted users will be put.
The role for RDM-Users will be preconfigured for general access to RDM, whereas the access to specific connections or groups of connections will be reflected in RDM-ConnectionGroup1/2/3 accordingly (maybe named RDM-Customer1 and so on if you like).
So security should not be that big a problem. Everything could be accomplished with minimal security impact as long as communication between AD staff and DB staff is working.
Just a matter of proper pre-deployment planning, as it should be with every IT project you're running.

RDM 10.5.2.0 Enterprise
RDMS 2.2.7.0

I've the same problem as DCEOIT.

The AD user is automatically created, but the group membership is not.

Any ideas?

What do you mean by "the group membership is not"? Do you mean that it is not added in the role, or that it's not applied to the user?

David Hervieux

Hi,
Make sure to include the domain name in the username. This will be fixed soon, but it could be the root of the issue, because RDM thinks it's SQL Server authentication.

David Hervieux

I am using RDM 9.1.2.0 and RDMS 2.2.80. When I configure roles for Active Directory groups and try to log in with someone who is a member of that group, I get the error message "Your login is valid but your user does not have any permission for this data source!" When I put the person's name explicitly in the users section using the same AD account, it works just fine. How do I get the roles to work with AD groups correctly?

As a test I created a role that would take "MYDOMAIN\domain users" and make them an administrator. Unfortunately, I still get the same error about not having permission to read the data source at all. The user is definitely a part of the group.

Hi,
It's an option in the RDMS Console. Enable the checkbox "Auto create domain users".

David Hervieux

Hi,
It's in the RDMS Console, in Tools->RDMS Console.

What version of RDM do you use?

David Hervieux

Yup, I just found it. Thanks for the quick reply.