Posts by abwalters (abwalters)

abwalters
abwalters
Posts: 43

The confusion was on my part. I didn't really read his post to see that it was a feature request for RDM (not RDMS).

8 yrs Active Directory Groups

I have the RDMS instance configured to use SQL authentication, and the RDMS user holds the sysadmin role in SQL, so RDMS should be able to create users without a problem.

8 yrs Active Directory Groups

David,

I can confirm that user creation does work now. Any users that are meant to be administrators are created properly (except that setting offline mode doesn't seem to be assignable via roles).

Users that are not a member of an administrator role aren't receiving any permissions, though. I sent you more information via email.

8 yrs Active Directory Groups

Okay. I figured you were working on a more permanent fix. I mostly posted that for xrs and any others currently experiencing this particular problem. The workaround will at least allow the intended functionality, though with a bit of manual intervention needed. I actually meant to post it shortly after I sent the information to you via email, but forgot.

8 yrs Active Directory Groups

I found a workaround for this particular issue. If you manually create your users (with the integrated security checkbox ticked), like you needed to do prior to AD group integration being implemented, your roles will assign permissions to your users.

8 yrs Active Directory Groups

The Powershell extension looks pretty neat, actually. From the documentation, though, it seems like it is meant to be used while the Remote Desktop Manager client is up and running. For our use-case, it would be used on a web server without RDM running, so I'm not sure if it would really work.

The automated export of the database(s) into an XML file that we could decrypt would definitely do the trick. The only thing we would require in addition to the basic export would be the decryption of passwords (and they could be encrypted with a separate key for security). We've been bitten by the SQL server supporting RDM going down unexpectedly twice now. You don't realize how much you rely on a system until you have to work without it for a little while (hence the reason we want to provide a fail-safe that is always kept in sync with RDM).

8 yrs Shared passphrase security provider decryption

Forgot to reply to the Powershell piece. A Powershell extension might provide all the interaction we could need if it can provide decrypted data. Our systems would have to be partially redesigned to use it, though. Most of our systems (outside of AD and Exchange) run on Linux, so we can't use a Powershell extension (or any .NET code, for that matter) directly within our systems. So we would have to write some sort of proxy service on a Windows machine that would take data from the Powershell extension and pass it to our systems via a custom-designed API.

With the advent of Remote Desktop Manager Server, if there were a way to create a special user type that could read the XML data (and the already decryptable session password) in an unencrypted form (or at least encrypted with something reversible by non-Devolutions code), that would also work. It would be even better if RDMS had an API of sorts that could also manipulate data (obviously, if you knew some key specific to that instance), but that may just be me shooting for the moon there.

8 yrs Shared passphrase security provider decryption

If you mean the password for the connection (i.e. the RDP user password), that is fine. You already added a method last year sometime to decrypt that. The password decryption is read-only, but it works for our minimum needs (basically a fail-safe backup of the RDM connections).

If you're talking about the pre-shared key, that would also be fine. The PSK being encrypted with Devolutions' private key within the database would just be how you stored it for use in RDM. My code would have a copy for itself that would be manually distributed, so as long as the one my code has matches the one RDM uses, everything works fine.

8 yrs Shared passphrase security provider decryption

I assigned administrator permissions to each of the various groups I tested with. Specifically, I assigned those permissions under the "Roles" section.

8 yrs Active Directory Groups

Yes, it would be nice to be able to decrypt XML data using a pre-shared key.

8 yrs Shared passphrase security provider decryption

Here is what I've tried:
- Authenticate with domain user set to domain name
- Authenticate with domain user set to specific domain controller FQDN
- Authenticate with domain user set to local machine
- In data source configuration:
  - Authenticate as domain user without specifying domain (of AD domain)
  - Authenticate as domain user with specifying domain (of AD domain)
  - Authenticate as local user without specifying domain (of local machine name)
  - Authenticate as local user with specifying domain (of local machine name)
- In Roles configuration:
  - AD Groups with only users as members
  - AD Groups with other groups as members
  - Local groups with only AD users as members
  - Local groups with only AD groups as members
  - Local groups with only local users as members
  - Local groups with only local groups as members

All of the above have been tried with SQL authentication for the database connection and with integrated authentication for the database. They have all also been tried with every combination possible of turning on/off the built-in user auth and local machine user auth in the RDMS instance configuration.

I'm guessing from your initial follow-up question that the group authentication piece is supposed to be working, and that I'm just failing to configure a small piece to make it work. Currently, the authentication does work, in a way. I can connect to the data source with a domain user that I didn't manually add. RDMS then creates a user for that authenticated person. The user that gets created just doesn't have any rights assigned, so I have to manually edit their permissions in order for the user to be useful.
edited by abwalters on 3/21/2012

8 yrs Active Directory Groups

Awesome! I was kind of wondering why there was an unlabeled checkbox there. Thought it was probably best not to poke it, though, until I knew what it did.

I'll try it out on a few connections to see how it works. The only additional feature request I would make for that would be the ability to decrypt it (like you have implemented for the password fields already). I haven't checked in the database yet, so it may already be implemented, in which case, you can consider me one very happy man.

8 yrs Telnet after-connect commands

I haven't. I wasn't aware anything like that existed, actually. I'll look around the RDM site for documentation on that feature, and give it a try. Thanks.

8 yrs Telnet after-connect commands

I just upgraded to RDMS 1.0, actually. When you say that I need to correctly configure the machine name for authentication... Do you mean configure the machine account in the SQL Management Studio? Or do you mean that I need to change the settings for the "Authenticate with domain user" option to use the local machine name instead of my domain name?

8 yrs Active Directory Groups

David,

Has there been any progress on allowing for devices to have a secondary "enable" password that can be stored encrypted instead of as a plain-text after login command?

8 yrs Telnet after-connect commands

David,

Sorry to resurrect an old feature request, but I wanted to see if you had given any additional thought to implementing this and/or a timeframe on when it might become available. Due to compliance requirements, we will likely either need to enable the encryption of all connections in RDM or use MSSQL encryption to protect the database.

I'd prefer not to have to deal with the hassle of implementing MSSQL database encryption if I don't have to. Though at this particular point in time, it would seem to be my only option, as integration with our other systems would be broken if I turned on RDM's encryption algorithm.

8 yrs Shared passphrase security provider decryption

David,

I've been following each of the new beta versions as they have come out, and noticed in the last version that there was a new section added for "Roles", which searches Active Directory for groups. It doesn't look to be working quite yet, though. When I log in with my AD credentials (as an aside, integrated authentication doesn't seem to be available when using Remote Desktop Manager Server data sources; that would be a nice feature to continue to be able to use going forward), it seems to create a user for me in the users section, but it doesn't apply any of the permissions I specified for the role. I'm guessing that not all of the code is in place to make that feature work properly as of yet. If it works the way it looks like it should, this definitely looks like a very nice feature addition to your product.

As you can tell, I'm itching to utilize this feature. I just finished up a quick hack of a PHP script to create users in the SQL database without so much manual intervention. We're up to 20 separate data sources now, and creating new users on each of them can be surprisingly time consuming. I know it would be less work with fewer data sources, but different sets of users need varying degrees of permissions on different sets of machines (and pretty much everyone needs to be able to at least connect to most everything). So the simplest solution at this time is to create data sources for the different sets of machines.

8 yrs Active Directory Groups

Is there any documentation on how to utilize AD groups in Remote Desktop Manager Server? Utilizing AD groups is probably the main reason that my organization has been eagerly awaiting RDMS to be released. I tried adding AD groups as users, but when I logged in with my domain user, it didn't give me any of the permissions I set for the groups I added.

8 yrs Active Directory Groups

Thank you, David. That file fixed the error. Had to delete the RDMS install and re-build due to a security error (probably from copying the file from the Internet).

8 yrs RDM Server Installation - Missing Azure Assembly

I'm very glad to see that Remote Desktop Manager Server Edition has dropped. Unfortunately, I ran into an issue installing a trial to give a migration from the Enterprise version a go, along with testing AD group integration. Specifically, the error I am getting is an unhandled exception due to the Microsoft.WindowsAzure.ServiceRuntime assembly being missing. I did some preliminary research, and it seems (from http://social.msdn.microsoft.com/Forums/en/windowsazuredevelopment/thread/d628655f-424e-44f4-b254-03e575f698bf) that either the Azure SDK needs to be installed on the server or the project compiled with copylocal=true set for the needed Azure assemblies. Complete error below. If you need any further information, please let me know.

Server Error in '/RDMS-Test' Application.
--------------------------------------------------------------------------------

Could not load file or assembly 'Microsoft.WindowsAzure.ServiceRuntime, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The system cannot find the file specified.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.IO.FileNotFoundException: Could not load file or assembly 'Microsoft.WindowsAzure.ServiceRuntime, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The system cannot find the file specified.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Assembly Load Trace: The following information can be helpful to determine why the assembly 'Microsoft.WindowsAzure.ServiceRuntime, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' could not be loaded.


WRN: Assembly binding logging is turned OFF.
To enable assembly bind failure logging, set the registry value [HKLM\Software\Microsoft\Fusion!EnableLog] (DWORD) to 1.
Note: There is some performance penalty associated with assembly bind failure logging.
To turn this feature off, remove the registry value [HKLM\Software\Microsoft\Fusion!EnableLog].

Stack Trace:


[FileNotFoundException: Could not load file or assembly 'Microsoft.WindowsAzure.ServiceRuntime, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The system cannot find the file specified.]
Devolutions.RemoteDesktopManager.Server.Global.Application_Start(Object sender, EventArgs e) in c:\Dev\devolutions\Websites\RemoteDesktopManagerOnline\Server\Global.asax.cs:93

[HttpException (0x80004005): Could not load file or assembly 'Microsoft.WindowsAzure.ServiceRuntime, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The system cannot find the file specified.]
System.Web.HttpApplicationFactory.EnsureAppStartCalledForIntegratedMode(HttpContext context, HttpApplication app) +4179473
System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers) +205
System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context) +336
System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context) +350
System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext) +382

[HttpException (0x80004005): Could not load file or assembly 'Microsoft.WindowsAzure.ServiceRuntime, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The system cannot find the file specified.]
System.Web.HttpRuntime.FirstRequestInit(HttpContext context) +11318198
System.Web.HttpRuntime.EnsureFirstRequestInit(HttpContext context) +88
System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context) +4348404


--------------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version:2.0.50727.5448; ASP.NET Version:2.0.50727.5420

8 yrs RDM Server Installation - Missing Azure Assembly

@Zarhan,

I can share the code, just had to clean it up to remove references to our passwords. See below for the reference code. Keep in mind that you can't change the password with this code. This code also does not decrypt the connections, if you have your data source set up to encrypt those. It'll only decrypt the password in the unsafepassword field.

<?php
# Decrypt an RDM "unsafepassword" value using the shared pre-shared key.
#   $crypt - the base64-encoded encrypted password string from the database
#   $key   - the plaintext pre-shared key used for decryption
# Returns the decrypted password. Requires the (PHP 5-era) mcrypt extension.
function rdm_decrypt_password( $crypt, $key )
{
    $key   = mb_convert_encoding( $key, 'ASCII' );
    $crypt = base64_decode( $crypt );

    # 3DES key: the 16-byte binary MD5 hash of the key, extended to the
    # 24 bytes mcrypt requires by repeating its first 8 bytes (two-key 3DES,
    # which is how .NET treats a 16-byte TripleDES key).
    $md5key = md5( $key, true );
    $ckey   = $md5key . substr( $md5key, 0, 8 );
    $iv     = '00000000'; # ECB ignores the IV, but mcrypt wants one of block size

    $res = mcrypt_module_open( MCRYPT_TRIPLEDES, '', MCRYPT_MODE_ECB, '' );
    mcrypt_generic_init( $res, $ckey, $iv );
    $output = mdecrypt_generic( $res, $crypt );
    mcrypt_generic_deinit( $res );
    mcrypt_module_close( $res );

    # Strip PKCS#7 padding (the .NET default) if the last block carries it.
    $pad = ord( substr( $output, -1 ) );
    if ( $pad >= 1 && $pad <= 8 && substr( $output, -$pad ) === str_repeat( chr( $pad ), $pad ) ) {
        $output = substr( $output, 0, -$pad );
    }

    # Output is the now decrypted password.
    return mb_convert_encoding( $output, 'UTF-8' );
}

# Usage: $password = rdm_decrypt_password( $crypt, $key );
?>

8 yrs Password encryption feature request
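The PHP snippet above only covers the decryption half and relies on the mcrypt extension, so the scheme it implements is easy to misread. The following is an added example, not code from the post or from Devolutions, written in Go because its standard library ships 3DES and MD5. It reproduces the same key derivation (binary MD5 of the pre-shared key, extended to 24 bytes with its own first 8 bytes, i.e. two-key 3DES), encrypts a constructed sample password the same way so a ciphertext exists to decrypt offline, and strips PKCS#7 padding on the way back. The padding mode and UTF-8 plaintext encoding are assumptions (the .NET defaults); the key and password are constructed, not real values.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/md5"
	"encoding/base64"
	"errors"
	"fmt"
)

const blockSize = des.BlockSize // 8 bytes

// DeriveKey mirrors the post's key schedule: the 16-byte MD5 digest of the
// pre-shared key, extended to the 24 bytes a 3DES implementation expects by
// appending the digest's first 8 bytes. K3 == K1, so this is two-key 3DES,
// which is how .NET treats a 16-byte TripleDES key; mcrypt insists on 24 bytes.
func DeriveKey(psk string) []byte {
	sum := md5.Sum([]byte(psk))
	key := make([]byte, 0, 24)
	key = append(key, sum[:]...)
	key = append(key, sum[:8]...)
	return key
}

// pkcs7Pad appends PKCS#7 padding so the length is a multiple of blockSize.
func pkcs7Pad(b []byte) []byte {
	n := blockSize - len(b)%blockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad validates and strips PKCS#7 padding; garbage (e.g. a wrong key)
// almost always fails this check rather than returning a plausible string.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("length is not a multiple of the block size")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize {
		return nil, errors.New("invalid padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("invalid padding")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptPassword produces a value in the format the PHP routine consumes:
// 3DES-ECB over PKCS#7-padded UTF-8 bytes, base64-encoded. (Assumed format.)
func EncryptPassword(psk, plaintext string) (string, error) {
	block, err := des.NewTripleDESCipher(DeriveKey(psk))
	if err != nil {
		return "", err
	}
	padded := pkcs7Pad([]byte(plaintext))
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += blockSize { // ECB: every block independent
		block.Encrypt(out[i:i+blockSize], padded[i:i+blockSize])
	}
	return base64.StdEncoding.EncodeToString(out), nil
}

// DecryptPassword is the Go counterpart of the PHP routine, with padding removal.
func DecryptPassword(psk, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	if len(raw) == 0 || len(raw)%blockSize != 0 {
		return "", errors.New("ciphertext length is not a multiple of the block size")
	}
	block, err := des.NewTripleDESCipher(DeriveKey(psk))
	if err != nil {
		return "", err
	}
	out := make([]byte, len(raw))
	for i := 0; i < len(raw); i += blockSize {
		block.Decrypt(out[i:i+blockSize], raw[i:i+blockSize])
	}
	plain, err := pkcs7Unpad(out)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

func main() {
	// Constructed sample values; not taken from any real RDM database.
	psk, password := "example-pre-shared-key", "S3cret!Password"
	enc, _ := EncryptPassword(psk, password)
	dec, _ := DecryptPassword(psk, enc)
	fmt.Printf("encrypted: %s\ndecrypted: %s\n", enc, dec)
	// ECB with a fixed key is deterministic: two rows holding the same password
	// store identical ciphertext, which is why this format is export-only material.
	enc2, _ := EncryptPassword(psk, password)
	fmt.Println("identical ciphertext for identical password:", enc == enc2)
}
```

Two properties worth knowing before relying on this format for a fail-safe export: the key is a plain MD5 of the passphrase (no salt, no stretching), so its strength is exactly the passphrase's, and ECB leaks which stored passwords are equal. Both argue for keeping any exported copy under a separate key and access control, as the post itself suggests.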

David,

In our environment, non-administrators can't add shared templates. They can create personal templates, but those don't show up for other users to utilize. I'm specifically talking about the shared templates. I just had one of my users test (he is a non-admin, but has the rights to add/edit/delete/import sessions in the data source), but he was unable to create a shared template.

No error message is displayed. The 'Add Shared Template' button is just greyed out. (Second button from the left on the Templates window).
edited by abwalters on 8/8/2011

9 yrs Assignable permission for creating shared template

Okay. Unfortunately, I can't call RDM from the command line, since our portal machine runs Linux, so it'll just be read-only for me.

I am glad the feature is there, though, since I can now have a last-resort backup of the passwords.
edited by abwalters on 8/3/2011

9 yrs Password encryption feature request

Would it be possible to set it up to allow for the after-connect commands to be treated as password fields? We have a number of network devices that require an enable password to be typed after connection, and would like to be able to have that enable password hidden from the user.

Alternatively, a modified form for Telnet/SSH devices that had input fields for "Enable command" and "Enable password" would work. Preferably with the ability to decrypt the enable password as you do the regular password. It would probably be easier to store the decryptable enable password in the XML connection descriptor, though, to prevent the database schema from becoming too complicated.

9 yrs Telnet after-connect commands

Would it be possible to implement an assignable permission to allow non-administrators to create shared templates?

9 yrs Assignable permission for creating shared template

Ah. That would explain why I can't decrypt it. A new provider that allows for this would be great, as it would allow us to store all data encrypted in the database, but still have our portal able to display it.

9 yrs Shared passphrase security provider decryption

Is it possible to decrypt the data from a connection using the 'Shared passphrase' security provider?

I tried the same algorithm used for the 'Allow password for external system' setting, but it didn't work. A link to some example code in the dialog would be a world of help. Since you are allowing the key to be set, I would think that allowing the end-user to decrypt it themselves wouldn't be a problem, since they know the key already.

9 yrs Shared passphrase security provider decryption

David,

I was poking around in the latest pre-release version that you had me install to troubleshoot a bug report, and saw that this feature is now present. It took a little work, but I got decryption working under PHP. A few compatibility issues between .NET and PHP's implementations of 3DES around the key size. Nothing a little Google work couldn't fix.

It looks like this access should only be used as read-only, though. Am I correct on that?

9 yrs Password encryption feature request

Sorry for the delay. I got a new machine, then was sent out of town on business. The new version worked perfectly.

9 yrs Default Data Source setting ignored

We're currently experiencing a minor glitch with RDM. I was using RDM with just two data sources on 6.1.3.0 previously, so I don't think it is an issue with this version, but now that I have my whole company running in RDM, we're up to 17 shared data sources (plus the default local data source). At some point (unfortunately, I don't know exactly when, since all the additional data sources were created during one day), though, the data source I have set as my default stopped being used as my default upon starting RDM. I've tried using a different machine and removing/re-adding all the data sources, but RDM is now always defaulting to the first data source (sorted alphabetically). Is there a workaround available for this? It isn't a critical issue, just a minor irritation: unless you happened to want the first data source as your default, you have to change data sources as soon as you log in each time.

9 yrs Default Data Source setting ignored