Heartbeat and Password Rotation Failures on Accounts in Protected Users Group

A fix for this issue has been implemented in version 2025.3.12.0
Implemented


I am now experiencing password rotation and heartbeat failures on accounts in the Protected Users group after upgrading to DVLS version 2025.3.3.0. Once I remove the accounts from the group, everything works as expected. It appears that DVLS is using NTLM authentication instead of Kerberos. I get the following audit log in the domain controller when the user is in the Protected Users group at the time of rotation & heartbeat:

NTLM authentication failed because the account was a member of the Protected User group.

Account Name: [Redacted Account Name]
Device Name: [Redacted Domain Controller Name]
Error Code: 0xC000006E

In DVLS, I am getting an LDAP Code 49 failure when attempting the heartbeat or password rotation. Interestingly enough, password rotation & heartbeats work for members of the Protected Users group if the provider is set to use LDAP instead of LDAPS account, which isn't ideal. I am happy to provide more logs if needed, but not really sure where to go from here.

All Comments (3)


Thanks for this report. I know what the issue is: we reduced the number of retries when authenticating the user. When using LDAPS, we first try to connect with a SimpleBind, and if we get a 49 (bad password) we simply fail instead of retrying with Kerberos. We did this to reduce the number of retries; we had customers who have low lockout count values (3), which would have accounts get locked out quickly if we retried authentication with too many systems. I have logged a ticket and we will change this logic to fix your issue. I think a workaround for now would be to disable LDAPS, which should fix the issue. Don't worry, LDAP connections are still internally encrypted by the SASL protocol when using Kerberos.

Thanks,
Paul
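
The trade-off described in this reply (falling back to Kerberos after a result code 49 while staying under a low lockout count), sketched as an added example that is not Devolutions' code. `FakeDirectory`, `bind_with_fallback`, the account names and the attempt-budget rule are all hypothetical, and the directory is a constructed model of the behaviour reported in this thread, not a real domain controller.

```python
from dataclasses import dataclass

SUCCESS, INVALID_CREDENTIALS = 0, 49   # LDAP result codes

@dataclass
class Account:                 # constructed stand-in for a directory account
    password: str
    protected_user: bool = False

class FakeDirectory:
    """Constructed model of the behaviour reported in the thread, not a real DC."""
    def __init__(self, accounts):
        self.accounts = accounts

    def bind(self, user, password, mechanism):
        acct = self.accounts[user]
        # As reported above: a simple bind for a Protected Users member comes
        # back as 49 even when the password is right.
        if mechanism == "simple" and acct.protected_user:
            return INVALID_CREDENTIALS
        return SUCCESS if password == acct.password else INVALID_CREDENTIALS

def bind_with_fallback(directory, user, password,
                       mechanisms=("simple", "kerberos"), lockout_threshold=3):
    """Try each mechanism at most once, sending at most lockout_threshold - 1
    attempts (minimum one). Returns the (mechanism, result_code) attempts made."""
    budget = max(lockout_threshold - 1, 1)   # assumed rule: stay under the lockout count
    attempts = []
    for mechanism in mechanisms[:budget]:
        rc = directory.bind(user, password, mechanism)
        attempts.append((mechanism, rc))
        if rc != INVALID_CREDENTIALS:        # success or a non-credential error: stop
            break
    return attempts

# Constructed sample accounts
DIRECTORY = FakeDirectory({
    "svc-normal": Account("correct horse"),
    "svc-protected": Account("correct horse", protected_user=True),
})

if __name__ == "__main__":
    for user in DIRECTORY.accounts:
        print(user, bind_with_fallback(DIRECTORY, user, "correct horse"))
    # Simple bind only, as in the reported behaviour: the 49 is final
    print(bind_with_fallback(DIRECTORY, "svc-protected", "correct horse",
                             mechanisms=("simple",)))
```

With a lockout count of 2 the budget drops to a single attempt, so the fallback is suppressed again; in that case the mechanism order matters more than the retry.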


Paul, thank you so much for the explanation and ticket. I really appreciate it!


Hello,

Thank you for being so patient!

I am pleased to inform you that the issue has been resolved in the latest Devolutions server version (2025.3.12.0):
https://docs.devolutions.net/server/getting-started/installation/upgrade-server

We also recommend that you first perform the update in a staging/test environment:
https://docs.devolutions.net/server/kb/how-to-articles/create-server-staging-instance

Please let us know if this works or if you encounter any issues.

Best regards,

Maxim Robert
