PS Auth Changes?

We currently use Ansible to remotely execute PowerShell scripts that use the Devolutions.PowerShell module to automate various credentials and whatnot.

When running 2024.1.3, everything works as expected. However, when I update to 2024.3.4, I'm getting "second hop" errors from PowerShell unless I'm physically logged into the server. Our policy does require that a domain user log into the RDM application, but the ps module has never required this.

I dug through all the module changelogs, but don't see anything about this. Is there some new authentication process between PowerShell and the RDM application that needs to be done? Not sure what else I could be missing.

Thanks,

Chris

All Comments (8)

Hello Chris,

I don’t recall any recent changes to the authentication process. To help troubleshoot the issue, I’ll try to reproduce the error.

To proceed, could you please provide the following details?

  • What type of data source are you using (e.g., Devolutions Server), and what is its version?
  • Are you using an application to connect?


Best regards,
Maxime

Hey,

The data source we're using is MS-SQL. The user to log into the PowerShell server is a domain user, but the RDM/db user is local. This avoids that specific "second hop" problem.

Technically the application we're using to connect is Ansible with PowerShell remoting, but I feel any remote PowerShell would produce the same result.

Thanks,

Chris

Hello,

I just noticed this and might be able to help. Can you walk me through the environment for this and the commands you're trying? Do you have the Devolutions.PowerShell module installed on a Windows server with Ansible and then having Ansible run playbooks using the module against remote Windows machines? If so, are you using a local RDM instance and connecting to a remote PowerShell session on the Ansible server (with another instance of RDM installed) and invoking playbooks that way?

Hey,

What you outlined is mostly correct. The Ansible server is on a separate Ubuntu machine which ps remotes to a Windows server to execute the RDM commands. From there the server executes the PowerShell scripts using the Devolutions.PowerShell module with parameters passed in from the Ansible playbooks.

As noted above, this method works fine with module version 2024.1.3. Something between that and current it now throws extra auth errors. I've tested this multiple times by upgrading/downgrading the module on the server.

Thinking about it, I could try interim versions to see if I can narrow where it breaks.

Got it. So you have a local RDM instance connecting to the Ubuntu server running Ansible via a remote PowerShell session? How is Ansible authenticating to the remote Windows servers?

Hey,

So it looks like it's something between 2024.2.7 and 2024.3.9 that the break is happening. I'll try to step through each version tomorrow and see if I can find the exact breaking point.

Thanks,

Chris

There isn't an instance of RDM involved. It's simply Ansible -> calling remote PowerShell -> PowerShell/RDM module in Windows.

It's using a domain user to connect to the server and the server has a local user to connect to the db to avoid that specific "double hop" issue.

I'm guessing something in 2024.3.x is getting caught by the domain prompt required for RDM, but I don't know why that would be or if there is a new setting or method.

We'll see once the devs have a chance to look and I can get a specific version of breaking.

It looks like as soon as I update the module to 2024.3.2, I start getting problems. Version 2024.2.7 is fine.

I'm assuming either the PAM rewrite changed some requirement or maybe "Add a login prompt when going offline on a DVLS data source" added some extra check or something and is requiring a user session for all data source types.

If there's any other info I can help with, let me know!

Thanks,
Chris