Keeper Security - DUO Push not coming back

Hello,

Thank you for reporting the issue.

As a test, could you try to type push as the code to see if it prompts you for a push on your mobile device? Are all users experiencing the same issue?

Could you also provide us with your version of RDM, as well as the data source?

Best regards,

Hello Richard

When I enter "push", it's not accepted and I get the screen to select push or SMS again.

Also I already did get an inital push when I clicked on "Duo push" which I confirmed in the first place, but it just stays at "waiting for confirmation". It does work when selecting duo SMS.

Yes same problem for everybody. Data source MS SQL. Version: 2022.3.29.0

I also see on the DUO Logs that it gave back the granted reply to RDM, but instead of accepting it, it seems to wait for a manual passcode entry instead. Like it would not know, that a push is enough. I also see that when I entered "push" it did another check with DUO which was denied, because "push" was not a valid code.

Thanks for your help.
Patrick

Hello,

Quickly looking at the Keeper API, no recent changes were made for the Duo Push functionality, and the feature was introduced in the 2021.1.20 version of RDM and no changes were done, from what I could see, since then, for the Duo push.

Was this working correctly on a previous version of RDM, or were you just now trying to configure it?

The Duo logs seems to indicate the issue is with RDM, however. I will ask our QA team to try to replicate the issue.

Best regards,

Hi Richard

We are just setting up Keeperpass as a replacement for Lastpass. So I can't tell you if it was working before.
Here is a screenshot of my setup, if there is anything special to do. But as it is working via DUO SMS, it seems the connection works between them. Only not the push one.
I also saw that one can setup, that a push or SMS works indefinitly, that could mean that other customers did this once, and never after that, and that's why they dont have a problem now, but a new installation has. I wonder what the QA team will see, when they set it up as a new duo account for testing.



Best regards.
Patrick

Hello Patrick,

Small update, our QA team is working on replicating the issue, we will report back their findings.

Best regards,

Hi Richard

Could they reproduce it? We really want to make the change asap.

Kind regards
Patrick

Hello Patrick,

Thank you for your swift reply!

Our Engineering Department has been able to reproduce this issue. We will be in touch as soon as we have an update.

Best regards,

Hello James

Any news?

Best regards
Patrick

Hello Patrick,

I have contacted our Engineering Department and they informed me that they are still working on it.
We will be in touch as soon as I have more information to provide.

Best regards,

Hello James

So this integration is broken for almost 3 months now and still it is not fixed. When will this be corrected?

Best regards
Patrick

Hello Patrick,

The engineer in charge of the Keeper integration was able to reproduce your issue once, but by reopening RDM it worked normally. He is still looking at the issue, but he does not have any leads yet.

Best regards,

Hi Patrick,

Would you mind alt tabbing to confirm that no other RDM window is opened after approving the DUO push ?

You might be receiving a device approval prompt, but it pops up behind the opened windows.

We can't reproduce internally, but this is one recurring issue that we've seen in the past, so it's worth a shot.

Thanks

Hi Jonathan

Just tested it again. I get the push on my phone, confirm it, but the windows in RDM does not change. It just stays with waiting for confirmation code. I tabbed and no other window does open.



On the DUO side I see that the confirmation was accepted.
Also when I do it via SMS it works, so it seems that the Push connection between RDM and DUO for Keeper is broken.

Cheers
Patrick

Alright thanks for confirming. We'll keep looking into it and come back to you as soon as we can figure out what's causing this.

Regards

Hi Patrick,

We've recently released the 2023.1.6.0 beta, which Keeper tells us may contain a fix for this Duo issue.

Would you mind giving it a try and come back to us with the results?

It can be downloaded here (just need to scroll down a little) : https://devolutions.net/remote-desktop-manager/home/downloadenterprise

PS : Since this is a beta, we recommend some precautions in case something goes wrong. You can find more info here : https://forum.devolutions.net/topics/38980/remote-desktop-manager-20231--beta

Thanks!

Hi All,

Just wondering what the current status is on this issue? We're running into exactly the same issue as described by the OP on version 2023.2.27.0. Having checked with both Keeper & DUO support without any resolution, I thought I'd ask here as well.

Kind Regards,

Hi Shane,

Since we released a version that contained a potential fix and we never got a reply from the original poster, we assumed this might be resolved.

Before the DUO prompt, did RDM ask for a device approval? If not, could you delete the <KeeperJsonConfiguration> line from your RemoteDesktopManager.ext and try again?

Just want to be sure that the approval goes through first, otherwise that might explain why you never get an answer.

Regards

Hi Jonathan,

Thanks for your reply and the tip.

To answer your question, no device approval prompts are produced. Also after removing the <KeeperJsonConfiguration> line from RemoteDesktopManager.ext and restarting RDM, the behaviour remains as follows:

The first pop-up window from SSO Connect (Keeper) briefly shows up and dissappears again. This is expected and also happens with a regular login to the Keeper Vault via web browser.


The next pop-up is from RDM presenting the button to send the DUO push.


When pressed, the confirmation request arrives as expected on the associated smartphone and a new RDM pop-up is presented, stating that it's waiting for confirmation.

This window also has a field for the confirmation code. When the DUO request is confirmed on the smartphone, the window just remains indefinately. The only way to dismiss it, is to either enter the confirmation code displayed on the DUO app (after pressing Refresh Passcode), which opens the Keeper Vault entries correctly, or cancel the request altogether.

DUO support also confirmed to us, that the confirmation from the app is seen and returned, yet the waiting dialogue never clears.

Kind regards,

Thanks for the detailed info. The fact that you aren't receiving a Device Approval is concerning to me, unless you're using the Automator to do it for you?

In any case, would you mind trying the official Keeper CLI tool here https://github.com/Keeper-Security/Commander/releases/tag/v16.9.17 ?

This would confirm at the very least whether or not the issue is RDM side.

Thanks

Hi Jonathan,

Sorry for the late reply, got a bit side-tracked. I checked with my colleagues that administer our Keeper/DUO accounts and we do have Automator implemented. However, we usually only get the device approval process once per device. Since the device I'm using was already approved, it's not expected to get another approval request when accessing the Keeper Vault via RDM.

I also followed your advice and tried Keeper Commander. Here I was able to successfully authenticate and connect (no additional device approval required either), however there is a slight difference in that it generally doesn't send a DUO push, it's only possible to complete the MFA step by entering the passcode displayed in the DUO app. What is interesting though, is that if we set the option to only prompt for MFA every 12 hours in Commander, this is honhoured when using RDM to access the vault, even though the closest option offered in RDM is 30 days. The main problem still remains however, that the push confirmation is not actioned, but at least we only have to enter the code once daily after this option is set. If you have anything else I could try, please let me know.


We also tried another angle by adding DUO directly to the Datasource as MFA provider, this works perfectly including actioning the push verfication. So the issue seems to be solely with the Keeper/DUO combination, DUO alone works just fine in RDM.

I was also wondering if there is some possibility to use RDM through Keeper Secrets manager instead? Since this makes use of a long-lived token type authentication, might it be a simpler option to implement a consistent team experience since all team members need access to the same secrets anyway?

Kind Regards,

Hi Shane,

Since Commander isn't giving you the option to use DUO push, I'm starting to think something in your setup is preventing its use, and it should be disabled in RDM too. It would also explain why the push approval isn't coming back. I can't quite find the reason for this yet, but I'll keep digging.

As for Keeper Secrets Manager, we looked into this a few months back, and I remember it not quite filling our needs. We were told it would require more setup time on our users' end, and that if what we wanted was to simply display and use all records, the current .NET SDK was better suited.

Regards

Hi Jonathan,

It's been ages since we last looked at this, but thought I'd post a small update.

We've received the feedback from Keeper support, that DUO Push is currently not implemented in Keeper Commander, so I guess that was a bit of a red herring. They will look into adding it in future though.

Since last time, we have been using the DUO Code along with a 12 hour prompt duration, which works well enough, albeit not perfect. If the RDM implementation through the .NET SDK principally supports DUO Push, are there any other steps we could take to try or help get this working?

Kind regards,