WARNING: Unable to save the entry; access denied - more details?

Hello Chris,

In order to replicate the issue, please tell us what type of data source you are using. Could you also send us a sample of the script?

For your information, the -Refresh parameter should only be used if RDM is opened; otherwise, it will try to refresh the UI but not perform anything.

Best regards,

The data source is MSSQL and the data source is setup with a local db user (not domain). I get the same error with RDM being open or not with and without that parameter. Here is the script:

param(
[Parameter(Mandatory)]
[ValidateNotNullOrEmpty()]
[string]$Vault,
[Parameter(Mandatory)]
[ValidateNotNullOrEmpty()]
[string]$EntryName,
[string]$EntryGroup,
[string]$UserName,
[Parameter(Mandatory)]
[ValidateNotNullOrEmpty()]
[string]$Password,
[Parameter()]
[string]$DataSource = "Testing"
)

Write-Host "Creating session $EntryName for vault $Vault"

$ds = Get-RDMDataSource -Name $DataSource -ErrorAction Stop

if($ds -ne $null -and $ds.IsConnected -ne $false) {
Set-RDMCurrentDataSource $ds -ErrorAction Stop

$va = Get-RDMVault -Name $Vault -ErrorAction Stop

if($va -ne $null) {
Set-RDMCurrentVault $va -ErrorAction Stop

$g = "Connections\"
if($EntryGroup -ne $null) {
$g += $EntryGroup + "\"
}

$cr = New-RDMSession -Name $EntryName -Type Credential -Group "$g" -ErrorAction Stop

if($cr -ne $null) {
if($UserName -ne $null) {
$cr.Credentials.UserName = $UserName
}

$cr.Credentials.Password = (ConvertTo-SecureString $Password -AsPlainText -Force)

Set-RDMSession $cr -Refresh -ErrorAction Stop

Write-Host "If you see an error above, it was not successful"
Write-Host "Done"

} else {
Write-Host "Unable to create new credential"
}
} else {
Write-Host "Invalid Vault name"
}
} else {
Write-Host "Invalid data source"
}

Hello,

I extracted the New-RDMSession cmdlet section, tried it on my end on a SQL data source, and it gets created correctly:

$cr = New-RDMSession -Name "PS-Cred" -Type Credential -Group "" -ErrorAction Stop
$cr.Credentials.UserName = "a-user"
$cr.Credentials.Password = (ConvertTo-SecureString "a-password" -AsPlainText -Force)
Set-RDMSession $cr -Refresh -ErrorAction Stop

Could you try the above script as a test?



Best regards,

It looks like that and all my scripts are magically working again this morning. Is there any way to get more detailed errors when this pops back up again?

Hello,

Glad to see everything is in working order now. You can add the -Verbose parameter for more details, but the error you encountered usually comes from the data source directly.

If the PowerShell window was opened for a while, it is also possible the date was disconnected. You can try to use the Set-RDMCurrentDataSource cmdlet again.

Best regards,

It has randomly stopped working again with no changes to the script or server. It is run via remote powershell from Ansible, so there is no shell or connection to be left open. This is what I get with -Verbose enabled on every step. There is no indication of any error until it actually saves the entry and that is "access denied".

VERBOSE: [Get-RDMDataSource] Start
VERBOSE: [Get-RDMDataSource] Finish
VERBOSE: [Get-RDMVault] Start
VERBOSE: [Get-RDMVault] Finish
VERBOSE: [Set-RDMCurrentVault] Start
VERBOSE: [Set-RDMCurrentVault] Finish
VERBOSE: [New-RDMSession] Start
VERBOSE: [New-RDMSession] Finish
VERBOSE: [Set-RDMSession] Start
WARNING: Unable to save the entry; access denied
VERBOSE: [Set-RDMSession] Finish

I can manually add the entry with the same vault, name, username, and password on the server as the user running the powershell script with no errors so that tells me it isn't password complexity or something else.

If it was an actual db or user auth issue, I would expect the data source or vault select to throw an error, but that isn't the case.

Is there any way to get more detail of what is going on?

Thanks,

Chris

Hello,

This warning occurs when the user cannot add (or edit). It is not possible for the moment to have more details on the reason of the failure. I will investigate which condition might provoke a problem at a random frequency.

Hello,

So far, I have not been able to reproduce the issue. In the version 2023.2..0.6 of the module, some error messages have been added to better understand why it fails. The FullyQualifiedErrorID and TargetObject fields will help target the origin of the failure.

Hello,

So far, I have not been able to reproduce the issue. In the version 2023.2..0.6 of the module, some error messages have been added to better understand why it fails. The FullyQualifiedErrorID and TargetObject fields will help target the origin of the failure.

Is there an extra flag that is needed? The output looks more or less the same to me.

VERBOSE: [Get-RDMDataSource] Start
VERBOSE: [Get-RDMDataSource] Start
VERBOSE: [Get-RDMDataSource] Finish
VERBOSE: [Get-RDMVault] Start
VERBOSE: [Get-RDMVault] Finish
VERBOSE: [Set-RDMCurrentVault] Start
VERBOSE: [Set-RDMCurrentVault] Finish
VERBOSE: [New-RDMSession] Start
VERBOSE: [New-RDMSession] Finish
VERBOSE: [Set-RDMSession] Start
Set-RDMSession: Z:\SCRIPTS\powershell\Create-RDMCredential.ps1:46
Line |
46 | Set-RDMSession $cr -ErrorAction Stop -Verbose
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Unable to save the entry; access denied

Installed Version:
Binary 2023.2.0.6 Devolutions.PowerShell

Thanks,

Chris

Hello,

You can use the parameter -ErrorVariable 'VariableName' on the problematic line or the global variable $Error to access the error variable. Looking at your script, you will need to change the ErrorAction -Stop of the Set-RDMSession to add a check on the error variable and print the mentioned property (ex: $Error[0].TargetObject).

But if you prefer to not modify your script, I could an additionnal verbose with the target object string directly.

Hello,

You can use the parameter -ErrorVariable 'VariableName' on the problematic line or the global variable $Error to access the error variable. Looking at your script, you will need to change the ErrorAction -Stop of the Set-RDMSession to add a check on the error variable and print the mentioned property (ex: $Error[0].TargetObject).

But if you prefer to not modify your script, I could an additionnal verbose with the target object string directly.

The script is pretty easy to modify. I added `Write-Host $Error[0].TargetObject` right after the `Set-RDMSession` and took out Stop action.

I'm not seeing the "access denied" any more (?), but this is what the output is now. It silently failed to add the entry this time.

VERBOSE: [Get-RDMDataSource] Star
VERBOSE: [Get-RDMDataSource] Start
VERBOSE: [Get-RDMDataSource] Finish
VERBOSE: [Get-RDMVault] Start
VERBOSE: [Get-RDMVault] Finish
VERBOSE: [Set-RDMCurrentVault] Start
VERBOSE: [Set-RDMCurrentVault] Finish
VERBOSE: [New-RDMSession] Start
VERBOSE: [New-RDMSession] Finish
VERBOSE: [Set-RDMSession] Start
VERBOSE: [Set-RDMSession] Finish
{ EntryIsNull: False, IsReady: True, IsOffline: False, IsExternalRepository: False, CanAddInRoot: False, CanAdd: False }

Not sure about the CanAddInRoot as the DataSource default is True, but it's also not adding to the root. It's set to add to a subfolder.

Also not sure why CanAdd is False.

Thanks,

Chris

EDIT: The "access denied" is in StandardError now and I missed it. It's still there.

Hello,

A possibility is that the user is not found and a default security context is used. To verify this, you can go the Options -> Advanced -> Debug level and make sure Debug is checked. With this option, if the user is not found, a warning message will mention that a default security context is used.

Hey Maxime,

Will I see that in the PowerShell output or would it be in one of the logs? If it's in the log, which one?

I'm not seeing any new messages in the PowerShell output/stderr after enabling that debug on the host.

Thanks,

Chris

Hello Chris,

It should been printed in the PowerShell output. For the log file, the default location is the same place as the configuration file. For Windows, its the file named RemoteDesktopManager.debug located at
C:\Users\<USER>\AppData\Local\Devolutions\RemoteDesktopManager\RemoteDesktopManager.debug.

I will continue to investigate the possible causes.

Hello,

I still have not been able to reproduce the error. Before pursuing my testing, I have a few questions

I want to confirm your level rights on your data sources/ vaults. Are you always an administrator or is there another user type used? If another type, can you specify which one (restricted user or user)?

Also, are the data sources and vaults recently created or do you use existing ones?

Regards,

Maxime Bernier

The user is not an administrator. The script user is a basic user (not restricted) and only has global View/Add permissions to the vaults for security purposes and to prevent accidents.

The data source and vaults are always existing before the script is used (essentially a new or existing site). All vaults have the same template applied from the data source settings.

Let me know if there are other ways I can help track this down.

Thanks,

Chris

It looks like I have an instance where it's consistently working in one vault and not in others. The process is the same regardless of the vault being used. All vaults are applied with the same template in the data source.

Are there any logs or debugs I can provide that might help narrow down what is happening?

Thanks,

Chris

Hello Chris,

For the debugs, you can raise the debug level in File -> options/preferences -> advanced. Avoid setting the Documentation flag, but for the others, it should not be a problem. I recommended that at least the Debug, Load connections detailed , and Show silent log flags to be checked. After runnning your script, see in the RemoteDesktopManager.debug file. Let me know if you do not find it.

Also, you can try to add this command before the call to Set-RDMSession:

Update-RDMEntries

This will force a refresh of the cache and resfresh the state. It might help.

Regards,

Maxime

When I was looking at the log, the working vault clearly pulled all groups and other entries in the vault. With the non-working one, it was clearly pulling from some cache or something because it didn't pull any info in the vault at all (and there is a lot).

Adding the Update-RDMEntries seems to have taken care of it with the few tests I have run.

Thanks for all the help! Hopefully this has taken care of it!

Chris

Glad it worked. Let us know know if the problem comes back.

Regards,

Maxime