Could not login to Devolutions Server - MFA not supported
Hi,
after upgrading to the new RDM PowerShell-Module it is not possible to connect to our Devolutions Server anymore, which requires entering a Google Authenticator MFA token.
There is no Pop-Up dialog (or read prompt) for entering the MFA token. Instead the module immediately breaks and shows a lot of errors like this:
Could not login to Devolutions Server. Please contact your administrator. Could not login to Devolutions Server. Please contact your administrator. Unable to connect to the data source. Do you want to go in offline mode? [] Yes [] No [?] Help No NotImplementedException - The method or operation is not implemented. at RemoteDesktopManager.UIService.ShowRDMSLogin(String userName, String password, Boolean canChangeUserName, Boolean offlinePromptMode, Boolean showGoOffli ne, Boolean unlockMode) at Devolutions.RemoteDesktopManager.Business.DataSources.RDMSConnectionDataSource.ShowLogin(String& userName, String& password, Boolean canChandeUserName, String ip, Boolean canGoOffline, Boolean unlockMode) at Devolutions.RemoteDesktopManager.Business.DataSources.RDMSConnectionDataSource.LoginUserNamePasswordStep(Boolean useCredentials, String& userName, Strin g& password, Boolean canChangeUserName, Boolean unlockMode) at Devolutions.RemoteDesktopManager.Business.DataSources.RDMSConnectionDataSource.Login(Boolean useCredentials) at Devolutions.RemoteDesktopManager.Business.DataSources.RDMSWebApiClient.get_WebClient() at Devolutions.RemoteDesktopManager.Business.DataSources.RDMSWebApiClient.<>c__DisplayClass74_0.<GetCacheValues>b__0() at Devolutions.RemoteDesktopManager.Business.DataSources.RDMSWebApiClient.RetryAction[T](ExecuteActionDelegate`1 action, String label) at Devolutions.RemoteDesktopManager.Business.DataSources.RDMSWebApiClient.ExecuteAction[T](ExecuteActionDelegate`1 action, ExecuteActionLogMode logMode) at Devolutions.RemoteDesktopManager.Business.DataSources.RDMSWebApiClient.ExecuteActionData[T](ExecuteActionDelegate`1 action) at Devolutions.RemoteDesktopManager.Business.DataSources.RDMSWebApiClient.GetCacheValues(String repositoryID) at Devolutions.RemoteDesktopManager.Business.DataSources.RDMSConnectionDataSource.HasSecurityChanged() at Devolutions.RemoteDesktopManager.Managers.ConnectionManager.HasSecurityChanged(BaseConnectionDataSource dataSource) at Devolutions.RemoteDesktopManager.Managers.ConnectionManager.LoadConnections(BaseConnectionDataSource dataSource)
Previously in the old version shipped with RDM 2021.1.41.0 there was a Pop-up dialog for entering the MFA token.
Platform: Windows
RDM version: 2021.2.16
PS Module version: 2021.2.0.20
Powershell Version: 7.1.4 and 5.1 both do throw the same errors.
Please help!
Thanks and best regards,
Alex
All Comments (16)
Hello Alex,
For using the new RDM PowerShell module (or https://github.com/Devolutions/devolutions-server) with a Devolutions Server data source, you should instead use an application key:
https://helpserver.devolutions.net/webinterface_applications.html
Best regards,
Richard Boisvert
Hi Richard,
thx for your help! I didn't even know that a Devolutions-Server PS Module existed, as I used the RDM module for years now!
However using the Application Key with the RDM-Module (Set-CurrentDataSource -ID -Username -Password) worked!
I will now use the Set-RDMPowerShellOverride for using a different profile for my sync script, and I should be good to go!
Thank you so much!
Hello,
My pleasure, let us know if you run into any issues.
Best regards,
Richard Boisvert
Hi again,
sorry, actually I was wrong. I was playing around with Set-RDMCurrentDataSource, and if you execute it multiple times you don't get any error anymore, and I thought it was working.
But Get-RDMCurrentDataSource shows me that I'm still not connected.
I guess then this only works with the Devolutions Server PS Module, am I right?
If so, I have to rewrite my sync script first! :(
Thanks and best regards,
Alex
Hello,
It should work even if you use it multiple times. Make sure the RDM PS module is on the latest version (.22), there have been several releases this week, and then try it again: https://www.powershellgallery.com/packages/RemoteDesktopManager/
Best regards,
Richard Boisvert
Hi Richard,
no it doesn't work.
I've everything on the latest versions:
- Devolutions Server: v 2021.2.8.0
- RDM: 2021.2.16
- PowerShell: 7.1.5
- RemoteDesktopManager PS module: 2021.2.0.22
This is how I tried:
PS C:\RDM> $AppKey = Get-Content .\RDMSync.secrets | ConvertTo-SecureString PS C:\RDM> Set-RDMCurrentDataSource -ID '141d21d7-070a-47b3-8883-17b3a8874f8b' -Username $AppId -Password $AppKey Host Version: 7.1.5 Invalid username or password, please verify your credentials Invalid username or password, please verify your credentials Invalid username or password, please verify your credentials PS C:\RDM> Get-Module RemoteDesktopManager | select Version Version ------- 2021.2.0.22 PS C:\RDM> $AppKey | ConvertFrom-SecureString -AsPlainText # returns the correct password
The contents of $AppId and $AppKey are correct, I double-checked.
Thanks for your help!
BR,
Alex
Hello Alex,
I receive the same error with the latest release of the PS module, I will contact the engineering team so they can have a look since it is a supported way to authenticate to Devolutions Server.
My apologies for the inconvenience.
Best regards,
Richard Boisvert
Hello Alex,
Here is how to connect using the application key and secret to your Devolutions Server data source, I just tested it on my end and it worked fine:
$ds = Get-RDMDataSource -Name "name_of_dvls" Set-RDMDatasourceProperty $ds -Property "ScriptingTenantID" -Value "key" Set-RDMDatasourceProperty $ds -Property "ScriptingApplicationPassword" -Value "secret" Set-RDMDataSource $ds Set-RDMCurrentDataSource $ds
Best regards,
Richard Boisvert
Hi Richard,
no this still does not work, as already the first command fails, because (for whatever reason) Get-RDMDataSource already tries to establish a connection to my default datasource (which is the Devolutions Server) and I get again the prompt:
Unable to connect to the data source. Do you want to go in offline mode? [] Yes [] No [?] Help No
But even if I skip that and execute your commands on my existing datasource it doesn't work and I think the problem is that on the existing datasource the original Username/Password is still configured and even if you override the properties "ScriptingTenantID" and "ScriptingApplicationPassword" the original connection details still take precedence over those or are somehow used in combination with the original Username/Password which ends up in an invalid connection.
Then I tried creating a complete new datasource like this:
$TargetDataSource = New-RDMDataSource -DVLS -Name "rdmsync" -Server "https://myserverurl/" Set-RDMDatasourceProperty $TargetDataSource -Property "ScriptingTenantID" -Value $AppId Set-RDMDatasourceProperty $TargetDataSource -Property "ScriptingApplicationPassword" -Value ([System.Iconvertible]($AppKey | ConvertFrom-SecureString -AsPlainText)) # to store permanently Set-RDMDataSource $TargetDataSource # to connect Set-RDMCurrentDataSource $TargetDataSource
But again (for whatever reason) New-RDMDatasource already tries to establish a connection to my default datasource and I get the prompt.
When I skip that prompt again I am finally connected:
PS C:\git\operations\PSScripts\RDM> Get-RDMCurrentDataSource
ID : e4e20b98-ffa6-4296-9874-986106961732
IsConnected : True
IsOffline : False
Name : rdmsync
Type : RDMS
PS C:\RDM> Get-RDMSession
Get-RDMSession: Connection not found.
PS C:\RDM> Get-RDMVault
Description ID IsAllowedOffline Name
----------- -- ---------------- ----
ffffffff-ffff-ffff-ffff-ffffffffffff True None
PS C:\RDM> Get-RDMCurrentVault
Description ID IsAllowedOffline Name
----------- -- ---------------- ----
ffffffff-ffff-ffff-ffff-ffffffffffff True None
But as you can see, my application user cannot see anything!?!? What am I missing here?
To summarize:
Bug #1) Get-RDMDataSource and even New-RDMDataSource always tries to auto-establish a connection with your default datasource. Especially the latter one makes not much sense, but I can imagine that all CMDlets use the same Init() function which auto-connects.
Bug #2) Your workaround doesn't work with my existing datasource as not only the "ScriptingTenantID" and "ScriptingApplicationPassword" are considered for connecting.
I also tried to workaround Bug #1 by using a copy of RemoteDesktopManager.cfg, placed it in my script dir and use this:
$override = Get-RDMPowerShellOverride $override.OptionFilePath = $RDMSyncTempCfgPath Set-RDMPowerShellOverride
Then I run into problem #3:
Exception occured: Unable to load DLL 'SQLite.Interop.dll' or one of its dependencies: The specified module could not be found. (0x8007007E) DllNotFoundException - Unable to load DLL 'SQLite.Interop.dll' or one of its dependencies: The specified module could not be found. (0x8007007E) at System.Data.SQLite.UnsafeNativeMethods.sqlite3_open_interop(Byte[] utf8Filename, Byte[] vfsName, SQLiteOpenFlagsEnum flags, Int32 extFuncs, IntPtr& db) at System.Data.SQLite.SQLite3.Open(String strFilename, String vfsName, SQLiteConnectionFlags connectionFlags, SQLiteOpenFlagsEnum openFlags, Int32 maxPoolSiz e, Boolean usePool) at System.Data.SQLite.SQLiteConnection.Open() at Devolutions.RemoteDesktopManager.Business.DataSources.DatabaseConnectionDataSource.OpenConnection(IDbConnection dbConnection) at Devolutions.RemoteDesktopManager.Business.DataSources.DatabaseConnectionDataSource.GetDataSet(String sql, IDbDataParameter[] parameters, Int32 commandTime out) at Devolutions.RemoteDesktopManager.Business.DataSources.DatabaseConnectionDataSource.GetData(String sql, IDbDataParameter[] parameters, Int32 commandTimeout ) at Devolutions.RemoteDesktopManager.Business.DataSources.DatabaseConnectionDataSource.GetData(String sql, IDbDataParameter[] parameters) at Devolutions.RemoteDesktopManager.Business.DataSources.DatabaseConnectionDataSource.GetData(String sql, IDbDataParameter[] parameters, IDbTransaction dbTra nsaction) at Devolutions.RemoteDesktopManager.Business.DataSources.DatabaseConnectionDataSource.GetDataSourceSettings(IDbTransaction dbTransaction) at Devolutions.RemoteDesktopManager.Business.DataSources.SQLiteConnectionDataSource.GetDataSourceSettings(IDbTransaction dbTransaction) at Devolutions.RemoteDesktopManager.Business.DataSources.DatabaseConnectionDataSource.GetDataSourceSettings() at Devolutions.RemoteDesktopManager.Managers.ConnectionManager.LoadDataSourceSettingsFromDataSource(ConnectionEngine engine) at Devolutions.RemoteDesktopManager.Managers.ConnectionManager.ValidatePolicies(ConnectionEngine engine, Boolean hasChanged) at Devolutions.RemoteDesktopManager.Managers.ConnectionManager.LoadConnectionsFromDataSource(ConnectionEngine engine, Boolean hasChanged) at Devolutions.RemoteDesktopManager.Managers.ConnectionManager.LoadConnections(BaseConnectionDataSource dataSource)
So, it would be great if you could fix Bug #1 and Bug #2, but in the meantime:
- can you please help with problem #3?
- And the most important part: What am I doing wrong, that my application user doesn't have access to the Vaults?
Thanks and best regards,
Alex
Hello Alex,
When you created the application, did you grant it a role so it has proper permissions? You can go back to Administration > Applications, click Edit and verify. In this example, I am granting it admin rights with a group:
In my test, I had made a new data source first. One of the advantages of the new RDM module is that you do need to have RDM installed. Use theI had made a new data source for my test. One of the main advantage of the new RDM module is that you do not need to have RDM installed to use it.
Note to place the -SetDatasource at the end.
$TargetDataSource = New-RDMDataSource -DVLS -Name dvls_script -Server https://dvlsserver -SetDatasource
You should then be able to connect to it without issue. If you use an existing data source, it will try to authenticate using the credentials that are configured when initialized, hence the error.
For the 3rd issue, you should not need to use the override to begin with, but can you try to update to .24 and see if the error still occurs?https://www.powershellgallery.com/packages/RemoteDesktopManager/2021.2.0.24
If so, can you tell us in what environment you are using the PowerShell? ISE, 5.1 or 7.1 Shell, VS Code?
Best regards,
Richard Boisvert
Hi Richard,
my fault! The roles were correct, but just on the other application user! I created multiple credentials for testing and forgot to set the role/vault also on the last application credential I was testing with, sorry! :(
I also updated to the latest script version 2021.2.0.24.
Here's the status:
Bug #1) still present, so I need the override, if I want to run the script also on my local PC where I have RDM installed. Will there be a fix?
Bug #2) still present, as you said, my existing datasource has other credentials, so it cannot work with the existing datasource, I have to create a new one, but I'm fine with that, if this won't get fixed. I'm not sure anymore if we can call it a bug, it's just that the normal credentials take precedence over the application properties :/
Problem #3) still present, but I found the issue. I can reproduce it very easily with the following script:
PS C:\> # Open a new Powershell 7.1.5 session in Terminal PS C:\> Import-Module RemoteDesktopManager PS C:\> # Comment Get-RDMPowerShellOverride out and it works, leave it uncommented and it breaks! PS C:\> $override = Get-RDMPowerShellOverride PS C:\> $TargetDataSource = New-RDMDataSource -DVLS -Name "new-con" -Server "https://dps.server/" -SetDatasource DllNotFoundException - Unable to load DLL 'SQLite.Interop.dll' or one of its dependencies: The specified module could not be found. (0x8007007E) at System.Data.SQLite.UnsafeNativeMethods.sqlite3_open_interop(Byte[] utf8Filename, Byte[] vfsName, SQLiteOpenFlagsEnum flags, Int32 extFuncs, IntPtr& db) at System.Data.SQLite.SQLite3.Open(String strFilename, String vfsName, SQLiteConnectionFlags connectionFlags, SQLiteOpenFlagsEnum openFlags, Int32 maxPoolSize, Boolean usePool) at System.Data.SQLite.SQLiteConnection.Open() at Devolutions.RemoteDesktopManager.Business.DataSources.DatabaseConnectionDataSource.OpenConnection(IDbConnection dbConnection) at Devolutions.RemoteDesktopManager.Business.DataSources.DatabaseConnectionDataSource.GetDataSet(String sql, IDbDataParameter[] parameters, Int32 commandTimeout) at Devolutions.RemoteDesktopManager.Business.DataSources.DatabaseConnectionDataSource.GetData(String sql, IDbDataParameter[] parameters, Int32 commandTimeout) at Devolutions.RemoteDesktopManager.Business.DataSources.DatabaseConnectionDataSource.GetData(String sql, IDbDataParameter[] parameters) at Devolutions.RemoteDesktopManager.Business.DataSources.DatabaseConnectionDataSource.GetData(String sql, IDbDataParameter[] parameters, IDbTransaction dbTransaction) at Devolutions.RemoteDesktopManager.Business.DataSources.DatabaseConnectionDataSource.GetDataSourceSettings(IDbTransaction dbTransaction) at Devolutions.RemoteDesktopManager.Business.DataSources.SQLiteConnectionDataSource.GetDataSourceSettings(IDbTransaction dbTransaction) at Devolutions.RemoteDesktopManager.Business.DataSources.DatabaseConnectionDataSource.GetDataSourceSettings() at Devolutions.RemoteDesktopManager.Managers.ConnectionManager.LoadDataSourceSettingsFromDataSource(ConnectionEngine engine) at Devolutions.RemoteDesktopManager.Managers.ConnectionManager.ValidatePolicies(ConnectionEngine engine, Boolean hasChanged) at Devolutions.RemoteDesktopManager.Managers.ConnectionManager.LoadConnectionsFromDataSource(ConnectionEngine engine, Boolean hasChanged) at Devolutions.RemoteDesktopManager.Managers.ConnectionManager.LoadConnections(BaseConnectionDataSource dataSource) DllNotFoundException - Unable to load DLL 'SQLite.Interop.dll' or one of its dependencies: The specified module could not be found. (0x8007007E) at System.Data.SQLite.UnsafeNativeMethods.sqlite3_open_interop(Byte[] utf8Filename, Byte[] vfsName, SQLiteOpenFlagsEnum flags, Int32 extFuncs, IntPtr& db) at System.Data.SQLite.SQLite3.Open(String strFilename, String vfsName, SQLiteConnectionFlags connectionFlags, SQLiteOpenFlagsEnum openFlags, Int32 maxPoolSize, Boolean usePool) at System.Data.SQLite.SQLiteConnection.Open() at Devolutions.RemoteDesktopManager.Business.DataSources.DatabaseConnectionDataSource.OpenConnection(IDbConnection dbConnection) at Devolutions.RemoteDesktopManager.Business.DataSources.DatabaseConnectionDataSource.GetDataSet(String sql, IDbDataParameter[] parameters, Int32 commandTimeout) at Devolutions.RemoteDesktopManager.Business.DataSources.DatabaseConnectionDataSource.GetData(String sql, IDbDataParameter[] parameters, Int32 commandTimeout) at Devolutions.RemoteDesktopManager.Business.DataSources.DatabaseConnectionDataSource.GetData(String sql, IDbDataParameter[] parameters) at Devolutions.RemoteDesktopManager.Business.DataSources.DatabaseConnectionDataSource.GetData(String sql, IDbDataParameter[] parameters, IDbTransaction dbTransaction) at Devolutions.RemoteDesktopManager.Business.DataSources.DatabaseConnectionDataSource.GetDataSourceSettings(IDbTransaction dbTransaction) at Devolutions.RemoteDesktopManager.Business.DataSources.SQLiteConnectionDataSource.GetDataSourceSettings(IDbTransaction dbTransaction) at Devolutions.RemoteDesktopManager.Business.DataSources.DatabaseConnectionDataSource.GetDataSourceSettings() at Devolutions.RemoteDesktopManager.Managers.ConnectionManager.LoadDataSourceSettingsFromDataSource(ConnectionEngine engine) at Devolutions.RemoteDesktopManager.Managers.ConnectionManager.ValidatePolicies(ConnectionEngine engine, Boolean hasChanged) at Devolutions.RemoteDesktopManager.Managers.ConnectionManager.LoadConnectionsFromDataSource(ConnectionEngine engine, Boolean hasChanged) at Devolutions.RemoteDesktopManager.Managers.ConnectionManager.LoadConnections(BaseConnectionDataSource dataSource)
In my script I call Get-RDMPowerShellOverride to check if the OptionPath is set, because I need the override on my local PC, because of Bug #1
As I'm not using SQLite datasources the New-RDMDataSource session still works, although the SQLite.dll can't be loaded after calling Get-RDMPowerShellOverride.
So I guess there is a bug in Get-RDMPowerShellOverride, right?
Current situation:
- With the override and the correct roles/vault set again (*sigh*) my script works now!
But I guess at least:
- Bug #1 should be fixed for New-RDMDatasource
- Bug #3 should be fixed so that Get-RDMPowerShellOverride doesn't break loading the SQLite.dll
Do you agree?
Thanks and best regards,
Alex
Hello Alex,
Glad to hear your script is working again with the override and the application key with the correct rights!
I will verify with the engineer for the override and the new data source issue and get back to you.
Best regards,
Richard Boisvert
Hi Alex,
Richard reached out to me regarding your issues.
I'm the lead dev on the PowerShell project and I hope I can help.
Bug #1 and #1 are kinda linked.
Basically, you shouldn't have to use overrides. You should be able to use your default cfg with your already configured data source. Your data source can have its normal credentials (with 2FA) that are not supported in PowerShell and PowerShell credentials (ScriptingTenantID and ScriptingApplicationPassword) along side each other.
Loading the module and having it fails to connect to your server should not prevent your from editing the data source. You can then save your appID and password using the script Richard mentioned
$ds = Get-RDMDataSource -Name "name_of_dvls" Set-RDMDatasourceProperty $ds -Property "ScriptingTenantID" -Value "key" Set-RDMDatasourceProperty $ds -Property "ScriptingApplicationPassword" -Value "secret" Set-RDMDataSource $ds
At this point, you should be able to restart your PowerShell instance and have it connect with no errors.
If this is not the case, that's the issue I will need to figure out and fix.
Let me know how it goes.
Regards
Jonathan Lafontaine
Hi Jonathan,
I can confirm that this finally now works for me too!
We tried this already previously but had issues, as you can see from my 5th post. I don't know why it didn't work back then, probably because I was missing the roles or I used one of your older PSModules.
However with version 2021.2.0.24,Powershell 7.1.5 and the correct application user it now also works with my existing DPS datasource! :D
Thank you so much Richard and Jonathon for your help!
You are doing a really great job in giving so much support here in this forum!
I really appreciate it!
Thanks and best regards,
Alex
Hello Alex,
Glad it finally works, thank you for confirming!
Best regards,
Richard Boisvert
Glad to know everything is finally working for you.
If you face other issues, don't hesitate to report them and I'll do my best to fix them quickly.
Jonathan Lafontaine