MFA Settings gone after Update to 2024.1.32.0


Hello,

Last week we updated to 2024.1.32.0.
Since then, a lot of colleagues (maybe all, not sure) have lost their MFA settings.

Via Administration -> User, MFA was disabled on the users.
MFA was configured before like this: File -> My account settings -> Datasource MFA.

Any info on this?


Best regards,
Daniel

All Comments (15)


Hi Daniel,

Were these recent MFA configurations? Done online or offline?

The reason I ask is we just fixed an issue where changes made to My Account Settings while offline were never synched back to the server when the user returned online. Could this be your case?

What version were you on before the upgrade to 2024.1.32.0?

Best regards,

Stéfane Lavergne


Hello Stéfane,

My colleagues (just a test group of 5-6 people) did the configuration about 2 months ago, in online mode.
I could also see the activated MFA under "administration -> user".
After MFA was gone, it also showed up for me under "administration -> user".

Version prior to the update was: 2024.1.17-.19.


Best regards,
Daniel


Hi Daniel,

We have been investigating. The current understanding is that the only possible way for this to happen is that the user settings were reset by RDM. For this to happen, RDM must not have loaded the user settings correctly, causing RDM to create new (empty, no MFA for example) user settings. Chances are you lost more than the Data source MFA, but also every other credential configured via the My account settings screen.

Anything else you can recall about the upgrade? Did you get error messages? Odd behavior?

QA is still trying to reproduce the issue so that we can better understand what is going on.

Are you using any other My account settings (other than Data source MFA)?

Best regards,

Stéfane Lavergne


Hello Stéfane,

Another idea ... as we are not local admins with our main domain accounts on our computers, we must install the update with another account.
We also may not install the software on most computers with "run as administrator", because of Microsoft security functions.

The installation procedure is to "shift + right click -> run as other user" and then use a local admin account.
"Run as administrator" is blocked. It only works with the method above.
Maybe that's the issue? We must install software like this for security reasons/policies.

It would be great if these MFA settings were stored in the database. Everything that is stored locally could get complicated.


"Are you using any other My account settings (other than Data source MFA)?"
-> I don't think so - let's say I'm relatively sure none of my colleagues does.


Best regards,
Daniel


Daniel,

The Data source MFA settings are stored in the database, it's been like this since v2022.3 (Dec. 2022).

Our assumption is the user doesn't load properly and it causes RDM to overwrite the field that saves the My Account Settings value.

If you agree I can send you (via private message) a few SQL scripts that would pull user history from your database that might help us identify the issue. A remote debug session might also be useful.

Best regards,

Stéfane Lavergne


Daniel,

I've put a fail-safe into RDM: if, for any reason, the My Account Settings have not been loaded, RDM will refetch the settings from the data source. This should protect against any possible loss of data.

This should be available in the next release v2024.2.12 (look for this in the release notes: Fixed issue where My Account Settings were lost).

Best regards,

Stéfane Lavergne


Hello Stéfane,

"The Data source MFA settings are stored in the database, it's been like this since v2022.3 (Dec. 2022)."
--> Thank you for the clarification. I mixed it up with the setting under "File -> Settings -> Security" (application MFA).

" I can send you (via private message) a few SQL scripts that would pull user history from your database that might help us identify the issue. A remote debug session might also be useful."
--> Please send me the script. I will provide you the information, if possible.
--> If a debug-session is necessary, just drop me a line.


Thanks for the update, best regards
Daniel


Hello,

After the latest RDM update, MFA disappeared again - another colleague told me today.
What should we do next?


Best regards,
Daniel


Daniel,

We would need to investigate. Would it be possible for you to have a remote session? I could send you a scheduling URL. I'm only available Tuesday/Wednesday/Friday this week and then on vacation for 2 weeks.

Best regards,

Stéfane Lavergne


Hello Stéfane,

No hurry. I also have a full calendar this week.
I will post again in this thread in 2 weeks. We can have a remote session after your vacation.


Best regards,
Daniel


Hello Stéfane,

Do you have time on 21.10.2024?
Maybe we can clear up the concept in the meantime.

What we would like to achieve is:

  • RDM-Admins may activate MFA for different users
    • Next login to RDM: User must configure MFA
    • Status is visible for the RDM-Admins
  • Optional: User may activate MFA/2FA on his own
    • Status is visible for the RDM-Admins
  • RDM-Admins may deactivate MFA for certain users
  • When starting RDM, the user must authenticate with MFA and is then able to connect to the SQL-DB
    • This should also work, if the user is in offline-mode (optional)


I'm unsure if all goals can be fulfilled.

At the moment, we have activated MFA at application level, and it gets broken on a regular basis; the user is then able to open RDM without MFA and
has full access to the database.

As far as I know, when enabling MFA on datasource level, it is activated for the datasource, so for all users?
I still have trouble understanding the concept.


Best regards,
Daniel


Hi Daniel,

Yes, I'm available; please schedule via this URL: https://calendly.com/d/cpmn-9nw-nwk/30min

As for your question:

RDM-Admins may activate MFA for different users

Currently it is not possible to activate it per user. You may, on the other hand, force MFA on all users: Administration > System settings > Security settings > Force data source multi-factor configuration. To enable this setting, make sure the current user has MFA configured. On next login, all users will be required to configure their MFA.

Status is visible for the RDM-Admins

Yes, via the User management form you get to see who has an MFA configured (see screenshot).

RDM-Admins may deactivate MFA for certain users

Yes, admin users can delete the MFA configuration, forcing the user to create a new configuration on their next login. This is useful when users lose access to their MFA app or recovery codes.

When starting RDM, the user must authenticate with MFA and is then able to connect to the SQL-DB
- This should also work, if the user is in offline-mode (optional)

Yes when configured. For offline you configure it here: Administration > System settings > Cache/Offline > Prompt for MFA before going offline.

At the moment, we activated MFA at application level and it gets broken on a regular basis and the user is then able to open RDM without MFA and
has full access to the database.

As far as I know, when enabling MFA on datasource level, it is activated for the datasource, so all users?
I still have trouble understanding the concept.

You have been having issues where the recovery codes were lost if I'm not mistaken. We will have a look at this during our call/session.

Best regards & talk to you soon,

Stéfane Lavergne


Hello Stéfane,

RDM-Admins may activate MFA for different users
Currently it is not possible to activate it per user. You may, on the other hand, force MFA on all users: Administration > System settings > Security settings > Force data source multi-factor configuration. To enable this setting, make sure the current user has MFA configured. On next login, all users will be required to configure their MFA.


If I were to force MFA on all users and an/the admin account gets rid of his TOTP, is there a possibility to access the database again?
Usually this should not happen, but we want to be sure that under any circumstances we can access the database.
For that reason, we would have created an account without MFA and stored the credentials somewhere else/in a safe.


RDM-Admins may deactivate MFA for certain users
Yes, admin users can delete the MFA configuration, forcing the user to create a new configuration on their next login. This is useful when users lose access to their MFA app or recovery codes.


This means that if the datasource MFA was first activated, an admin could revert the setting for certain users - right?
If this were possible without forcing all users from the start, I would feel safer. See my first point.


When starting RDM, the user must authenticate with MFA and is then able to connect to the SQL-DB
- This should also work, if the user is in offline-mode (optional)
Yes when configured. For offline you configure it here: Administration > System settings > Cache/Offline > Prompt for MFA before going offline.


I know about this setting, but it's confusing for me. Why isn't this possible on the screen where the datasource can be set to use MFA?
Does the "offline MFA" setting rely on the previous setting "database MFA", and how does it compare to "MFA set by user (application level)"?
As these settings are in different places, I don't see the dependencies (better for my understanding).


You have been having issues where the recovery codes were lost if I'm not mistaken. We will have a look at this during our call/session.


The MFA itself has "gone". Users did activate MFA on themselves and after some time, they could start RDM without MFA prompt.


I will schedule a session. Best regards,
Daniel


Daniel,

I sent you a new link to schedule the meeting. We will discuss and answer any/all of your questions then. In the meantime, a few answers.

If I were to force MFA on all users and an/the admin account gets rid of his TOTP, is there a possibility to access the database again?
Usually this should not happen, but we want to be safe, that in any circumstances, we may access the database.
For that reason, we would have created an account without MFA and would have stored the credentials somewhere else/a safe.

Yes, the option requires you to configure and then supply the MFA to connect. Therefore, in the case where the admin removes his or any other user's MFA configuration, the user will be required to re-configure the MFA prior to connecting to the data source. Given this, it's recommended that you validate any "remove my MFA settings" requests, as doing so is somewhat risky.

This means, that if the datasource MFA was first activated, an admin could revert the setting for certain users back - right?

An admin can clear the MFA settings of any user, correct.

If this would be possible without forcing all users from the start, I would feel more safe. See my first point.

No, once the setting is configured, all users must configure/use MFA.

I know about this setting, but it's confusing for me. Why isn't this possible at the screen, where the datasource could be set to use MFA?

Good question. We could maybe have the setting in both locations... we would need to analyze.

Does the "offline MFA" setting rely on the previous setting "database MFA" and how to compare it to the "MFA by user set (application level)".
As these settings are in different places, I don't see the dependencies (better for my understanding).

In all honesty, I'm not 100% sure on this one, I will have to validate.

The MFA itself has "gone". Users did activate MFA on themselves and after some time, they could start RDM without MFA prompt.

This is what we will need to figure out during our remote session. If I'm not mistaken, we are adding logging on your database to identify possible causes for this behavior.

Best regards,

Stéfane Lavergne


Hello Stéfane,

thanks for the link (PM).

If I were to force MFA on all users and an/the admin account gets rid of his TOTP, is there a possibility to access the database again?
Usually this should not happen, but we want to be safe, that in any circumstances, we may access the database.
For that reason, we would have created an account without MFA and would have stored the credentials somewhere else/a safe.

Yes, the option requires you to configure and then supply the MFA to connect. Therefore, in the case where the admin removes his or any other users MFA configuration, the user will be required to re-configure the MFA prior to connecting to the data source. Given this, it's recommended that you validate any "remove my MFA settings" requests as doing so is somewhat risky.


So, to be sure: if you configure database MFA and then store the "secret key" somewhere else (on paper/digital/other location/etc.) and, in the case that
the/all admins lose their ability to connect to RDM (TOTP authenticator app), you may recreate it with the secret key? That would be my best practice (if it works).
I think I'll have to test this in our lab, to feel safe ;-)

Well, and I have a feature request:

  • Ability to let the admin(s) configure active MFA for certain users (mandatory) instead of doing it the other way (if this is possible to implement).



Best regards,
Daniel
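Daniel's last question, whether a stored TOTP "secret key" is enough to rebuild an authenticator when every admin's app is lost, is a property of the TOTP algorithm rather than of any one product: every device seeded with the same secret computes the same codes, which is exactly why the backed-up secret has to be protected like a password. The following Python is an added example written for this thread; it is not code from Devolutions or from RDM, and it assumes that the data source MFA in question is standard RFC 6238 TOTP (the thread only says "TOTP authenticator app"). It uses the published RFC 4226/6238 reference secret so the expected codes are verifiable, and the function names (`verify_totp`, `rebuild_from_backup`) are the example's own.

```python
"""TOTP (RFC 6238) on top of HOTP (RFC 4226), standard library only.

Demonstrates the recovery property discussed in the thread: an
authenticator re-seeded from a backed-up secret produces the same
codes as the lost device, so the server accepts it unchanged.
"""
import base64
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890"),
# base32-encoded as an authenticator app would store it. Used because
# its expected codes are published in the RFCs; not a real user's secret.
REFERENCE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Base32-decode a secret, tolerating spaces and missing '=' padding
    (both common when a secret is copied from paper)."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    key = decode_secret(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second
    intervals since the Unix epoch."""
    return hotp(secret_b32, int(unix_time) // step, digits)


def verify_totp(secret_b32: str, code: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check of a submitted code. Accepts +/- `window` time
    steps to tolerate small clock drift, and compares in constant time
    so response timing does not reveal how many digits matched."""
    base_counter = int(unix_time) // step
    for delta in range(-window, window + 1):
        expected = hotp(secret_b32, base_counter + delta, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


def rebuild_from_backup(backup_secret_b32: str, server_secret_b32: str,
                        unix_time: int) -> bool:
    """Model the recovery scenario from the thread: the enrolled app is
    gone, but the secret was written down. A fresh authenticator seeded
    from the backup computes a code against the server's stored secret."""
    code_from_new_device = totp(backup_secret_b32, unix_time)
    return verify_totp(server_secret_b32, code_from_new_device, unix_time)


if __name__ == "__main__":
    # RFC 6238 test vector: time 59, 8 digits -> 94287082
    print(totp(REFERENCE_SECRET_B32, 59, digits=8))
    # Re-seeding a new device from the backed-up secret is accepted.
    print(rebuild_from_backup(REFERENCE_SECRET_B32, REFERENCE_SECRET_B32, 1234567890))
```

The `rebuild_from_backup` check returning true is the whole point of the test Daniel plans in the lab: whoever holds the base32 secret holds a working second factor, so the paper or digital copy belongs in the same safe as the break-glass credentials, and an admin clearing a user's MFA (as Stéfane describes) should also be treated as an event worth logging, since it is the only other way back in.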