BREAKING CHANGE Initial OAuth support. Windows authentication is no longer supported with 2FA



Hello Devolutions Team,
we are using 2FA with our Windows Authentication.
Since the last update of the DPS Core, this function is no longer available. How can I make sure that a token login can be used before the RDM starts?

Windows Authentication with 2FA has worked well over the years.

Kind Regards
Marc Stawitzki

All Comments (11)


Hello,

The change was a repercussion of transforming the DVLS server into a true Identity Provider (IdP); it was not optimal to have the identification/authentication layer spread over both the client and the server. Therefore, we had to strip everything from RDM in that area.

As for Windows Auth, the identification/authentication can be viewed as delegated to IIS, hence our resistance to intervene in the process. That being said, we could imagine revisiting this and evaluating if we can prompt for a 2FA code from the server side and go from there.

The Authentication purists will surely find that approach to be a stretch of the best practices, and we need to get buy-in from our security team, have them hack away at the eventual prototype to see if it holds, etc.

We'll post back with news early next week.

Best Regards,

Maurice


Thank you for the quick feedback.
Especially the 2FA in combination with Windows Authentication had a high level of protection. With the pure Windows Authentication without 2FA I take out a layer of protection.

If you deactivate Windows Authentication, you get to the DPS site via a redirect. The old variant was very comfortable.


Hello,

Comfortable indeed, but not as secure. We changed it because we need to elevate our security to be on par with the bad guys' capabilities.

Thanks

Maurice


I definitely see both sides here. From our pen-tests, we know that an attacker gaining/stealing user identity in Windows Active Directory is trivial (kerberoasting, pass the hash, etc). For that reason, we were really happy for the "belts and suspenders" option of an additional MFA layer. I also see Devolutions' desire to move this back onto the client via something like OAuth with SAML for identification/authorization.

We started publishing management applications via Microsoft RDS to ensure everyone was using the latest tools and to minimize configuration drift. This also allowed us to implement MFA at the RDS Gateway. With the latest RDM/DPS change, we are going to block access to DPS except from published apps to ensure MFA requirements are still met. If you are interested in how we did it, let me know and I can write up a blog and post it to the forum.


I would be happy about a blog entry.


Hello,

Good news, with the release of Devolutions Server 2022.1.10 and RDM 2022.1.20 (or more recent), 2FA is now available again with Windows Authentication.

Let us know if you run into any issues.

Best regards,

Richard Boisvert


Great work, Richard. We have confirmed the MFA is back using the slick browser pop-up. Two observations:

  1. On our VDI, it is using IE as the default pop-up (we have not investigated what their default browser is, yet). Is it possible to force the pop-up to use a modern browser like Edge Chromium?
  2. The MFA prompt only seems to happen once a week or so. We are not sure if that is a token timeout or if it is from our VDI lifecycle (they get patched/cycled weekly). Can you provide additional insight as to MFA token timeout and if the token is expected to remain active even after logoff?

We are very happy to see MFA is back, thank you!


Hello Richard,
I use DS 2022.1.10 and RDM 2022.1.20.
In the older versions the 2FA was requested in the RDM application.
Now there is a redirect to the web frontend. I liked the old way better.

But yes, 2FA with Windows authentication works.


Hello,

@MarcST1984 - because of OAuth, it is no longer possible to pass the credentials or 2FA from RDM to the server; it needs to be done via the browser, and this cannot be modified.

@paul07 -

  1. The browser being launched is the default for the OS. If you change it to Edge or Chrome, it will default to it.
  2. The refresh token is set in the Devolutions Server, under Administration > Server Settings > Advanced - Refresh token lifetime. Please note that if you change the value, you need to go to the console and press the Stop Server button, and then start it again, which will make the server unavailable for a few moments.


Best regards,

Richard Boisvert


Hello Richard,
we use 2FA with RADIUS (FortiAuthenticator). Our RADIUS system supports push functionality. Can you implement push mode (RADIUS Access-Challenge) in your RADIUS request?

Best Regards

Marc Stawitzki


Hello Marc,

Could you post your request in the Feature Request forum instead? The developers will be able to reply to you directly.

https://forum.devolutions.net/forums/34/devolutions-server--feature-request

Best regards,

Richard Boisvert