Does Microsoft login have to open a browser?

Hello rwn2,

Thank you for contacting the Devolutions support team.

I tried to reproduce this using different data sources and applications.
The behaviour seems different in some of them.

To investigate this behaviour further, could you mention which version you are?
The client and the database.
Also, on which OS.

Best regards,

Hi,

We're all using RDM Enterprise 2024.2.11.0 64-bit on Windows 11 Enterprise 23H2
I can't find a specific database version, but it should be the most recent as we did the upgrade that accompanied version 2024.2.8.0

Our data source is set up as Microsoft Azure SQL with Active Directory Interactive (with MFA support) as our login mode.

Hello Rwn2,

Your Microsoft login behaviour has changed due to updates in the authentication process. The new method involves using a full browser for authentication, which is controlled by Microsoft and is part of their security enhancements. Unfortunately, this behaviour cannot be changed from within RDM as it is dictated by Microsoft's authentication flow.

When it comes to Azure AD joined devices (registered devices). Azure AD may or may not prompt for MFA. This is entirely ! controlled by Azure AD, there is nothing we can do in Remote Desktop Manager to force or bypass the MFA other than the Default or Automatic options mentioned above.


If you have any other questions, feel free to let us know.

Best regards,

I'm not surprised to hear that it's controlled by Microsoft, but I was hoping that Microsoft would have left you guys some options to use the popup style login screen.
From a user standpoint the actual login screen works the exact same way, now it just takes up the whole screen and doesn't close itself post sign in like it used to.

We can't do much about Microsoft's decisions but thank you for looking into it.

Hi,

We're all using RDM Enterprise 2024.2.11.0 64-bit on Windows 11 Enterprise 23H2
I can't find a specific database version, but it should be the most recent as we did the upgrade that accompanied version 2024.2.8.0

Our data source is set up as Microsoft Azure SQL with Active Directory Interactive (with MFA support) as our login mode.

it may be due to some new updates sometimes it happens and get bugs

Hello

Contrary to what my colleague wrote, I do believe this should be possible to change on our side. Are you referring to the Azure login prompt that is for the login to your SQL Azure datasource (database)?

Thanks and kind regards,

Hello again

I'll walk back my previous response slightly, this is possible to fix but it does require a bit more work than I thought.

Microsoft offers (and uses themselves) a shared authentication library for talking to Azure. It has the capability to either show the login prompt embedded in the application or using the system browser. For reasons I'm not too clear on, the default behaviour is different depending on that platform (Windows, macOS, Android, etc) and the .NET version that the application runs on.

On Windows, under .NET Framework, the default is the embedded prompt; but running under .NET Core the default is the system browser. RDM Windows switched from .NET Framework to .NET Core in the last major version (2024.1) and so this would be when the behaviour changed.

For our Azure Bastion integration we had the reverse problem: at the time we ran under .NET Framework, some users were not happy with the embedded prompt and wanted to use the browser. That integration uses an intermediate (also Microsoft provided) library and the required change was simple enough but difficult for us to integrate; when I asked the maintainers they added the option to use the integrated or system browser and we were able to expose it.

Now in this case, again the change in the Microsoft library is quite simple but it will be awkward for us to integrate it. That does remain a possibility, but to start with I'm going to open an issue with them to expose this option up to the consumer (application) level and hopefully that gets some traction. If not, we'll take a look at integrating it directly.

I'm opening a feature request for this and I'll link it back to this ticket. It's something we should be able to address, I can't say how quickly; but I do understand this pain point as I also prefer the embedded login for most scenarios.

Please, let me know if something isn't clear or you have further questions

Kind regards,

Hello again

For visibility, here is the issue I created with the upstream library: https://github.com/dotnet/SqlClient/issues/2611.

Thanks and kind regards,

Hi again,

Thanks for the info, that explains it.
I really appreciate you guys looking into it, and even if it isn't solved right away I now have something to report back to my team when they ask.

Hi Team

Just jumping in to add that we recently upgraded from an older version where just the pop up would appear instead of the full browser window, Besides the slight annoyance factor of that process not being as smooth. This actually causes a problem for us. We have conditional access configured on access to Azure SQL resources and only a specific set of device IDs are allowed to access it.

When the old pop up method was in use that was fine and all staff could login (the device ID was sent during that method). Now that it uses the full browser method - if staff are using firefox or chrome that device ID does not get sent on and in the Azure sign in logs it shows as device unknown, therefore the staff are prevented from accessing the resource (The RDM database) and unable to login. If we set Edge as the default browser - Edge does pass on the device ID and staff can login.

For the moment we have 2 options - turn off the conditional access policy - something we don't really want to do
or
Ask staff to set their default browser to edge - something not all staff want to do for various reasons.

This was working yesterday on the older version of RDM that we were running.

Hello

Thanks for your post. I understand the issue that this is causing.

We retain the option of fixing this on our side, but it makes things very complicated for us: the relevant Microsoft library and it's dependencies are open source, so while we can fix this issue and build from source, it becomes a real integration headache when we see that some of the dependencies that we would have to rebuild, are also core dependencies of other dependencies in RDM (some of which are open source, some of which are not). There's also an ongoing maintenance burden, which is significant. We _have_ done similar things in the past, so I won't rule it out; but first of all I'd like to take another shot at getting Microsoft to fix this on their side.

I've updated the issue I created on GitHub (linked above) and explained the specific business case that you presented. Let's see what they say; they are usually pretty responsive to issues although that doesn't always mean things will get changed.

Thanks for your patience

Kind regards,

Hello

Thanks for your post. I understand the issue that this is causing.

We retain the option of fixing this on our side, but it makes things very complicated for us: the relevant Microsoft library and it's dependencies are open source, so while we can fix this issue and build from source, it becomes a real integration headache when we see that some of the dependencies that we would have to rebuild, are also core dependencies of other dependencies in RDM (some of which are open source, some of which are not). There's also an ongoing maintenance burden, which is significant. We _have_ done similar things in the past, so I won't rule it out; but first of all I'd like to take another shot at getting Microsoft to fix this on their side.

I've updated the issue I created on GitHub (linked above) and explained the specific business case that you presented. Let's see what they say; they are usually pretty responsive to issues although that doesn't always mean things will get changed.

Thanks for your patience

Kind regards,

Thanks Richard, appreciate the response and efforts

Hello again

It occurred to me that there might be a third way here; it's possible to patch the MSAL library at runtime and insert the two extra functional calls needed to make this behaviour optional. I made a quick proof-of-concept this morning and found it to work well.

There's extra work here to integrate that into RDM in a robust fashion; runtime patches of .NET libraries is not something my team has much institutional knowledge about (although there is precedent here because we often use similar techniques with native code inside RDM).

I'm going to sit tight on this for a little bit longer and see if the SqlClient team respond to my extra input on the issue I have open there, although I don't have high confidence about that (in the past, they've not been especially receptive to bug or issue reports from us). If we don't hear something promising back from them, I'll see if I can move forward with my solution for something early in the 2025.1 release cycle.

As always, don't hesitate with further questions or comments

Kind regards,

Hi Richard

Thanks for the update, sounds promising

Hello

I wanted to share some progress here. I've added an experimental option to RDM that should allow the Azure SQL login to use the embedded web view instead of the system browser. Assuming QA finds nothing outrageous, this should be available in the 2025.1.28 release (which will not be for a couple of weeks, I'm afraid).

This is an opt-in and has some caveats.

• This option adds around 5s to the RDM startup time. I know startup time is already a pain point for some users, and if this initial implementation works out, we might be able to optimize further. But for now, that is the cost.
• I haven't evaluated this on ARM64 systems (I expect it to work) or on the Ready2Run builds (I expect it not to work). I doubt either of these situations apply to you.
• This might be inherently unstable: updates to the underlying MSAL library might break this feature unexpectedly on RDM updates; which would require us to adapt the implementation.
• I did test this with other code using the MSAL library and everything seemed to be working fine, but YMMV. I'd encourage you to report any bugs or issues that you find (I don't know what other Azure features you are using in RDM).

To opt-in, once you've updated to 2025.1.28:

• Close RDM
• Locate your .cfg file (for a typical installation that's in %localappdata%/Devolutions/RemoteDesktopManager/RemoteDesktopManager.cfg)
• Before the closing </Option> tag, add the following line

<UseMsalEmbeddedWebView>true</UseMsalEmbeddedWebView>

• Save the file and relaunch RDM

Again, if this pans out and works well we could look at making that a UI level setting. But for now, this is considered experimental and how we move forward depends on if this works in the real world or if there are issues we can't resolve.

Thanks for your patience on this, and please don't hesitate if you have further questions or comments

Kind regards,

Hello

I wanted to share some progress here. I've added an experimental option to RDM that should allow the Azure SQL login to use the embedded web view instead of the system browser. Assuming QA finds nothing outrageous, this should be available in the 2025.1.28 release (which will not be for a couple of weeks, I'm afraid).

This is an opt-in and has some caveats.

• This option adds around 5s to the RDM startup time. I know startup time is already a pain point for some users, and if this initial implementation works out, we might be able to optimize further. But for now, that is the cost.
• I haven't evaluated this on ARM64 systems (I expect it to work) or on the Ready2Run builds (I expect it not to work). I doubt either of these situations apply to you.
• This might be inherently unstable: updates to the underlying MSAL library might break this feature unexpectedly on RDM updates; which would require us to adapt the implementation.
• I did test this with other code using the MSAL library and everything seemed to be working fine, but YMMV. I'd encourage you to report any bugs or issues that you find (I don't know what other Azure features you are using in RDM).

To opt-in, once you've updated to 2025.1.28:

• Close RDM
• Locate your .cfg file (for a typical installation that's in %localappdata%/Devolutions/RemoteDesktopManager/RemoteDesktopManager.cfg)
• Before the closing </Option> tag, add the following line

<UseMsalEmbeddedWebView>true</UseMsalEmbeddedWebView>

• Save the file and relaunch RDM

Again, if this pans out and works well we could look at making that a UI level setting. But for now, this is considered experimental and how we move forward depends on if this works in the real world or if there are issues we can't resolve.

Thanks for your patience on this, and please don't hesitate if you have further questions or comments

Kind regards,

Thank you for taking the time to look into this.

I will be testing this as soon as 2025.1.28 comes out.

Hello

Just checking in if you had chance to try these changes on the latest version of RDM. Please don't hesitate to post back with problems or questions.

Kind regards,

Hello

Just checking in if you had chance to try these changes on the latest version of RDM. Please don't hesitate to post back with problems or questions.

Kind regards,

Hi,

I have set it up with 5 people at my company and confirmed that it worked. Everyone has been instructed to inform me if they noticed even the slightest issue, and so far I haven't heard anything. It has been working flawlessly for me as well, so for now I don't think there are any issues to report.

- River

Hello

That is excellent news, thanks for the feedback.

For now I'm going to mark this thread as "resolved".

Like I wrote, the way this is implemented is inherently fragile and might need adjustments based on future updates to either the Microsoft libraries in question or to RDM itself. I also don't anticipate this being a use case that our QA covers very often. So, if you start to notice issues or problems on a future update to RDM, your feedback will be very important to get things working again.

If this continues to prove stable in the medium to long term, we can consider adding the setting to the UI rather than needing to edit the cfg file by hand.

Don't hesitate with other questions or comments.

Kind regards,

Hi Team

I had missed these above updates we will make plans to update and report back, just asking - there is no way to push this change out to all staff from within RDM ? Rather than editing the cfg file?

Hi Sam

It's not possible to push the change, unless you did it out-of-band (perhaps remotely executing a PowerShell script on the staff machines to close RDM and modify the .cfg).

That said, this was a no-UI option because I considered it experimental, but so far things have been pretty successful. I can go ahead and make a ticket to add this to the settings UI? Then it can be as easy as telling staff "open file > settings, go here, check this box, save and restart". What do you think?

Let me know if something's not clear

Kind regards,

Hi Sam

It's not possible to push the change, unless you did it out-of-band (perhaps remotely executing a PowerShell script on the staff machines to close RDM and modify the .cfg).

That said, this was a no-UI option because I considered it experimental, but so far things have been pretty successful. I can go ahead and make a ticket to add this to the settings UI? Then it can be as easy as telling staff "open file > settings, go here, check this box, save and restart". What do you think?

Let me know if something's not clear

Kind regards,

Hi Richard,

I can't speak for Sam, but at my company we would love a UI option.
It's still running perfectly fine for the people it has been enabled for via the cfg file, so I would feel comfortable with letting all users have the option to easily enable this on their own.

- River

Hi

I've submitted a change to the RDM team that should add this. Assuming everything is good with my changes, that would be released in the first 2025.2 version (scheduled for June 2nd).

The setting is in File > Settings > Advanced > General > "Use MSAL embedded web view". Since it's somewhat buried, I'll add some screenshots:



Since the last few week I've found a more official way to achieve this functionality, but it involves quite a lot of work on our side. So we'll stick with what we have for now, but I'll rely on you to report any issues you have in future releases that will help us prioritize further investment here.

And as always, don't hesitate to post back with further questions or issues.

Kind regards,

Hi

I've submitted a change to the RDM team that should add this. Assuming everything is good with my changes, that would be released in the first 2025.2 version (scheduled for June 2nd).

The setting is in File > Settings > Advanced > General > "Use MSAL embedded web view". Since it's somewhat buried, I'll add some screenshots:



Since the last few week I've found a more official way to achieve this functionality, but it involves quite a lot of work on our side. So we'll stick with what we have for now, but I'll rely on you to report any issues you have in future releases that will help us prioritize further investment here.

And as always, don't hesitate to post back with further questions or issues.

Kind regards,

@Richard Markiewicz
Hi Richard,

Thank you for the guide. A couple of people at my company have now enabled it through the UI and it works as expected. It also registers correctly as already set for those of us who enabled it directly in the config. I have sent the guide to all RDM users at my company and will of course let you know if we encounter any issues in the future.

- River

Hello

Excellent! Thank you for the follow up.

Kind regards,

Apologies for lack of response here, but just confirming we have also upgraded and set this option and it works as expected.