can't connect to RDM datasource using PowerShell Module to Repository in Azure MSSQL


Hi All :)

I recently updated to RDM Version 2021.2.16.0 64-BIT.
The documentation states that from version 2021.2.8.0 on, the RemoteDesktopManager module from the PowerShell Gallery must be imported.

I did that with the most current version at this point (2021.2.0.24). Sadly, I can't connect to my data source in Azure anymore.
The UI works fine, so I don't think it's an issue with the connectivity itself, more an issue with the MFA required by the Azure database.

I have two RDMDataSources configured locally:

ID                                   IsConnected IsOffline Name                         Type
--                                   ----------- --------- ----                         ----
7bc6a7e8-7928-4b6a-92c2-defc6592a922       False     False Lokale Datenquelle         SQLite
90794294-ebed-4e5b-a194-e1cb1fe21ff6       False     False azure-database             SQLServer

If I try to connect to the SQLite datasource it works just fine:

$rdmDataSource = Get-RDMDataSource -Name "Lokale Datenquelle"
Set-RDMCurrentDataSource -DataSource $rdmDataSource
Update-RDMUI
Get-RDMCurrentDataSource |ft


ID                                   IsConnected IsOffline Name                 Type
--                                   ----------- --------- ----                 ----
7bc6a7e8-7928-4b6a-92c2-defc6592a922        True     False Lokale Datenquelle SQLite

If I try the same commands with the other datasource:

$rdmDataSource = Get-RDMDataSource -Name "azure-database"
Set-RDMCurrentDataSource -DataSource $rdmDataSource
Update-RDMUI
Get-RDMCurrentDataSource |ft

I get the following output:

ID                                   IsConnected IsOffline Name                         Type
--                                   ----------- --------- ----                         ----
90794294-ebed-4e5b-a194-e1cb1fe21ff6       False     False azure-database          SQLServer

I suspect that it may be an issue related to the MFA required by that data source.

I would be very happy if someone could help me find the error. Thanks!

Greetings

All Comments (13)


Hello,

The engineering team is currently looking into adding MFA support with the new PowerShell module. The only workaround, for now, is to have an older version of RDM (2021.1.44 for example https://rdm.devolutions.net/home/previousversions).

With the Devolutions Server data source, an application key can be configured, but it is not available with a SQL DB.

Best regards,

Richard Boisvert


Is there any roadmap or time planning for that MFA support?


Hello Tim,

TOTP is now available with the latest RDM PowerShell module. That being said, if your 2FA is done with Azure AD, the dynamic credentials window is not available. The only workaround would be to configure a user on the database.

Best regards,

Richard Boisvert


Hi Richard!

I recently updated my PowerShell module to version 2021.2.0.36. Currently it is possible to set a current connection like this:

Set-RDMCurrentDataSource -ID "90794294-ebed-4e5b-a345-e0cb1fe21ff6"

The issue is that this will result in the error message:
Cannot open server "example.com" requested by the login. The login failed.

[] Offline gehen [] Abbrechen [?] Help (default is "Offline gehen"): Abbrechen

If I select "Offline gehen" (go offline), the following will result after executing the Get-RDMCurrentDataSource command:

ID          : 90794294-ebed-4e5b-a345-e0cb1fe21ff6
IsConnected : True
IsOffline   : True
Name        : azuresql-server
Type        : SQLServer


I also tried solving the issue by adding the parameters -Username and -Password, but that made no difference.

Is there any update on this matter?

Best regards,
Tim Krehan
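
The outputs posted above show that a data source can become the current one while IsConnected is False, or while IsOffline is True after choosing "Offline gehen". As an added example (not part of the original posts and not Devolutions code), a script can read the state back and stop instead of continuing against a source that never connected. `Connect-RDMDataSourceStrict` is a hypothetical helper name; it uses only the cmdlets and properties shown in this thread.

```powershell
# Added example, not Devolutions code. Connect-RDMDataSourceStrict is a
# hypothetical helper; it only uses cmdlets and properties shown in this thread.
function Connect-RDMDataSourceStrict {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Name
    )

    # Resolve exactly one data source by name so a typo or a duplicate
    # name cannot silently select the wrong repository.
    $candidates = @(Get-RDMDataSource -Name $Name -ErrorAction Stop)
    if ($candidates.Count -ne 1) {
        throw "Expected exactly one data source named '$Name', found $($candidates.Count)."
    }
    $target = $candidates[0]

    Set-RDMCurrentDataSource -DataSource $target -ErrorAction Stop

    # Read the state back instead of trusting the absence of an error.
    $current = Get-RDMCurrentDataSource
    if ($null -eq $current -or $current.ID -ne $target.ID) {
        throw "Current data source is not '$Name' after the switch."
    }
    if (-not $current.IsConnected) {
        throw "Data source '$Name' is selected but not connected (IsConnected = False)."
    }
    if ($current.IsOffline) {
        throw "Data source '$Name' is in offline mode; refusing to continue."
    }
    return $current
}

# Usage with the data source name from the first post:
# $ds = Connect-RDMDataSourceStrict -Name 'azure-database'
```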


Hello Tim,

To connect to the Azure SQL, is it using an interactive window? If so, it is not supported.

The only workaround would be to configure a user on the database.

Best regards,

Richard Boisvert


Is there a plan to add this functionality?

Adding a user to the database isn't an option for security reasons.

Cheers
Ray


Hello Ray,

Not until the .NET Core library adds support for the interactive window.

Best regards,

Richard Boisvert


Is there any update on this? We have also moved our DB to Azure SQL, with Azure MFA.

All the users are configured as users on the database (but not the server), but we're unable to connect.

  • Edit to say: I know you mentioned waiting for .NET updates, but other PS modules can use Azure MFA TOTP via text input. Is this not something you can look into?


Thanks
Aaron


Hello Aaron,

I am not aware of any progress on this issue, but I will validate with the engineering team.

As for the 2FA, it needs to be the interactive window that is supported by the PowerShell core, not only the 2FA prompt. If you know of a module designed for PowerShell 7 that has the interactive window, please let us know, it will be easier for us to verify how it was done.

Best regards,

Richard Boisvert


As far as I understand, PowerShell 7 supports interactive windows with no problems.

I use PowerShell 7 to connect to Exchange Online, Azure, AAD, Teams on a daily basis with MFA windows and interactive support. To my knowledge there is nothing stopping the MFA from working.

Failing that, there is also the option to use the device login option, which allows you to log in through your browser and have it send back an approval token. I'm not a developer, but it's how Devolutions works for authenticating to the Devolutions login.

Cheers,
Ray


Hi,

You are right, PS 7 supports interactive windows.
The issue here is that our PowerShell module runs in both PS5.1 (which targets .NET 4.6) and PS7 (which targets .NET 6).
To be able to run on both, we have to target a common ground (.NET Standard), but that comes with limitations. The Azure driver we use cannot do interactive windows and doesn't support Azure web auth. So we are stuck with DB user login only.

There are other drivers, but the ones that support those features aren't compatible with Linux or Mac. As our module is cross-platform, we cannot use them.

Jonathan Lafontaine


Thanks for the detailed explanation. I can certainly understand the complexity in getting that to work.

Our biggest concern is having a non-MFA account able to access the database that holds server names, IPs, passwords and other sensitive information. While we can technically create a user on demand and enable/disable the account, it does pose a much higher risk to our data than we would like. Especially if we have to create multiple accounts or share an account with different team members, this becomes more and more of a security risk, as it requires manual steps to ensure security is enforced.

I'm sure you'll implement this when it is cross-platform native, but if there is any way to get a separate PS7 module that would enhance the security posture of it, that would be greatly appreciated!

Cheers,
Ray


Hi Ray,

Yes, we plan on better supporting PS7 in our next major release.

Jonathan Lafontaine