keeper-sdk-dotnet icon indicating copy to clipboard operation
keeper-sdk-dotnet copied to clipboard
verified publisher icon Keeper-Security

Connect-Keeper throwing errors

Open ajdraper1 opened this issue 8 months ago • 3 comments

I have noticed that some our automated scripts have been failing due to several different errors, all related to Connect-Keeper

Error 1: Master Password If there are too many successive API calls, it prompts the user for a master password. This prevents the script from running any further until the master password is manually added. By creating an endless loop that connect and disconnects to Keeper I am able to consistently reproduce this error.

Error 2: Non-Interactive Session Detected The only error message returned is Non-interactive session detected. In our logging I confirmed that this stemmed from Connect-Keeper. I have been unable to consistently reproduce this error.

Error 3: Refresh Keeper Session The full error message is: Exception calling "GetResult" with "0" argument(s): "Your Keeper session needs to be refreshed. Please logout and login again.". This also comes from Connect-Keeper. I am also unable to manually reproduce this error.

All of these errors are coming from Connect-Keeper.

ajdraper1 avatar Jun 25 '25 19:06 ajdraper1

It would be helpful if you share the environment PowerCommander is running. It is look like your environment is Azure workbook and the Keeper account uses persistent login.

  1. If there are too many successive API calls The Keeper backend prevents endpoint abuse by a single client. If the backend detects too many call it starts throttling requests. In case of persistent login the backend may forcefully cancel persistent login session and require the client to re-login. We will try to duplicate this behavior or we can check the backend logs for your account. If you are OK to share your account email and approximate error time please send this information to [email protected] email
  2. Once the persistent session is cancelled at the backend the PowerCommander switches to interactive login mode.If interactive session is not detected then this message is returned.
  3. This error happens when Keeper client is connected. If it happens in Connect-Keeper then it is running post-login tasks Again it might happen when the backend forcefully closes a login session if it detects Keeper API is abused. Generally this error happens when persistent login session is expired due to inactivity. The default inactivity period is 1 hours

Please check documentation on Persistent Login Sessions here

sk-keeper avatar Jun 25 '25 20:06 sk-keeper

  1. I created this issue by the request of Keeper support in case CS0158507. In that case they explained that the threshold is 200 successive API calls without a 10 second break. Meaning if you make 1 call every 9 seconds 200 times it will start throttling. I enabled logging for every call we do with Keeper and when I go into the log I can see there are no streaks of consecutive calls at the time of the master password prompt; there are several breaks of 10+ seconds. The case I mentioned has more information and examples
  2. Can you please explain what exactly this means?
  3. What kind of post-login tasks are you referring to? Or are you referring to consecutive calls to Connect-Keeper?

I also want to clarify that I am using the PowerCommander module for PowerShell. We are not using the Commander CLI tool in our production environment. I did however follow the steps in this documentation I got from support and tested it locally, but that also did not work.

ajdraper1 avatar Jun 25 '25 21:06 ajdraper1

  1. Do you use "Persistent Login Session" in your setup? If you do then you can setup your Powershell script to connect to Keeper in unattended mode (no user interaction is expected) This mode is used in automations. The backend may expire a persistent session for multiple reason (2fa expiration, inactivity, ...) PowerCommander requires "persistent session" to be re-created by requesting master password. If Powershell environment does not support Read-Host command then Non-interactive session detected error is returned.

  2. Connect-Keeper consists of authentication at Keeper and loading account information/vault. I'm referring to the latter. "Your Keeper session needs to be refreshed. Please logout and login again." is not expected to be thrown in Connect-Keeper unless your account is expired or blocked.

PowerShell supports this-device command as well https://github.com/Keeper-Security/keeper-sdk-dotnet/blob/b215cdb31cae8ce7723aa238c40bb0164ab48b3c/PowerCommander/README.md?plain=1#L36

sk-keeper avatar Jun 26 '25 15:06 sk-keeper