
Remote desktop gateway smartcard authentication issue

Open ravindram17 opened this issue 8 years ago • 16 comments

I am trying to connect to a workstation using the following commands:

xfreerdp /v:WORKSTATION /u:rmathura /d:DOMAIN.LOCAL /g:gateway.remote.com /smartcard:SCARD

I unfortunately can't connect and get this:

loading channel rdpdr
loading channel rdpsnd
Warning xf_GetWindowProperty (177): Property 296 does not exist
connected to gateway.remote.com:443
connected to gateway.remote.com:443
Could not open SAM file!
Could not open SAM file!
Could not open SAM file!
Could not open SAM file!
rts_connect error! Status Code: 401
HTTP/1.1 401 Unauthorized
Content-Type: text/plain
Server: Microsoft-IIS/7.5
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="gateway.remote.com"
X-Powered-By: ASP.NET
Date: Fri, 02 Sep 2016 20:32:02 GMT
Content-Length: 13

Seems like the smart card hasn't even come into play yet. It's having difficulty even connecting to the gateway. What am I missing?

ravindram17, Sep 02 '16 20:09

Hello,

are you trying to authenticate against the RDP gateway with smart card? If so, I don't think that's currently possible with FreeRDP. Although, I would very much like this feature as well (and so would some of my colleagues).

j2gi, Sep 24 '16 14:09

+1

ezr-ondrej, Aug 31 '17 16:08

+1 - would be great to be able to connect to my workplace using rdgateway with smartcards, without having to go to Windows...

IetIesAai, Sep 02 '17 12:09

Is there any opportunity to fund the development of this issue?

avkhozov, Feb 21 '18 12:02

@avkhozov a test setup would be great ;)

akallabeth, Feb 21 '18 14:02

I'm not familiar with the Windows world; I think it will not be easy :( But I'll try.

avkhozov, Feb 21 '18 15:02

There have been some gateway fixes, #4539 and #4547, and there is #4548. They may resolve this issue; can you confirm?

akallabeth, Apr 13 '18 06:04

I checked out the master branch, then merged https://github.com/FreeRDP/FreeRDP/pull/4547, https://github.com/FreeRDP/FreeRDP/pull/4548 and https://github.com/FreeRDP/FreeRDP/pull/4539 (fixed some merge conflicts), compiled xfreerdp and tried to authenticate via smartcard on the gateway, but nothing happens:

./client/X11/xfreerdp /u:USER@DOMAIN /v:SERVER /g:PROXY /w:1920 /h:1024 /smartcard:"Aktiv Co. Rutoken S 00 00"
[09:09:59:794] [14010:14011] [INFO][com.freerdp.client.common.cmdline] - loading channelEx rdpdr
[09:09:59:794] [14010:14011] [INFO][com.freerdp.client.common.cmdline] - loading channelEx rdpsnd
[09:09:59:794] [14010:14011] [INFO][com.freerdp.client.common.cmdline] - loading channelEx cliprdr
GatewayPassword: 
[09:10:01:825] [14010:14011] [ERROR][com.freerdp.core.gateway.rpc] - error! Status Code: 401
[09:10:01:825] [14010:14011] [ERROR][com.freerdp.core.gateway.http] - HTTP/1.1 401 Unauthorized
[09:10:01:825] [14010:14011] [ERROR][com.freerdp.core.gateway.http] - Content-Type: text/plain
[09:10:01:825] [14010:14011] [ERROR][com.freerdp.core.gateway.http] - Server: Microsoft-IIS/7.5
[09:10:01:825] [14010:14011] [ERROR][com.freerdp.core.gateway.http] - WWW-Authenticate: Negotiate
[09:10:01:825] [14010:14011] [ERROR][com.freerdp.core.gateway.http] - WWW-Authenticate: NTLM
[09:10:01:825] [14010:14011] [ERROR][com.freerdp.core.gateway.http] - WWW-Authenticate: Basic
[09:10:01:825] [14010:14011] [ERROR][com.freerdp.core.gateway.http] - X-Powered-By: ASP.NET
[09:10:01:825] [14010:14011] [ERROR][com.freerdp.core.gateway.http] - Date: Tue, 17 Apr 2018 04:10:01 GMT
[09:10:01:825] [14010:14011] [ERROR][com.freerdp.core.gateway.http] - Content-Length: 13
[09:10:01:825] [14010:14011] [ERROR][com.freerdp.core] - freerdp_set_last_error ERRCONNECT_AUTHENTICATION_FAILED [0x00020009]
[09:10:01:825] [14010:14011] [ERROR][com.freerdp.core.gateway.tsg] - tsg_check failure

I get the same error even if the smartcard is not attached to the PC.

avkhozov, Apr 17 '18 04:04

I have added /log-level:TRACE. Output:

[09:38:16:425] [14719:14720] [DEBUG][com.freerdp.channels.cliprdr.client] - VirtualChannelEntryEx
[09:38:16:425] [14719:14720] [INFO][com.freerdp.client.common.cmdline] - loading channelEx cliprdr
[09:38:16:426] [14719:14720] [DEBUG][com.freerdp.client.x11] - Searching for XInput pointer device
[09:38:16:426] [14719:14720] [DEBUG][com.freerdp.client.x11] - Pointer device: 10
[09:38:16:427] [14719:14720] [DEBUG][com.freerdp.core.nego] - Enabling security layer negotiation: TRUE
[09:38:16:427] [14719:14720] [DEBUG][com.freerdp.core.nego] - Enabling restricted admin mode: FALSE
[09:38:16:427] [14719:14720] [DEBUG][com.freerdp.core.nego] - Enabling RDP security: TRUE
[09:38:16:427] [14719:14720] [DEBUG][com.freerdp.core.nego] - Enabling TLS security: TRUE
[09:38:16:427] [14719:14720] [DEBUG][com.freerdp.core.nego] - Enabling NLA security: TRUE
[09:38:16:427] [14719:14720] [DEBUG][com.freerdp.core.nego] - Enabling NLA extended security: FALSE
[09:38:16:427] [14719:14720] [DEBUG][com.freerdp.core.nego] - state: NEGO_STATE_NLA
[09:38:16:427] [14719:14720] [DEBUG][com.freerdp.core.nego] - Attempting NLA security
[09:38:16:428] [14719:14720] [DEBUG][com.freerdp.core] - connecting to peer $IP
[09:38:16:677] [14719:14720] [DEBUG][com.freerdp.core.gateway.rdg] - RDG_OUT_DATA authorization result: 404
[09:38:16:677] [14719:14720] [DEBUG][com.freerdp.core.gateway.rpc] - VIRTUAL_CONNECTION_STATE_INITIAL
[09:38:16:679] [14719:14720] [DEBUG][com.freerdp.core] - connecting to peer $IP
[09:38:16:878] [14719:14720] [DEBUG][com.freerdp.core.gateway.rpc] - CLIENT_IN_CHANNEL_STATE_CONNECTED
GatewayPassword: 
[09:38:19:796] [14719:14720] [DEBUG][com.winpr.sspi] - InitSecurityInterfaceExA
[09:38:19:796] [14719:14720] [TRACE][com.freerdp.core.gateway.ntlm] - InitializeSecurityContext status SEC_I_CONTINUE_NEEDED [0x00090312]
[09:38:19:796] [14719:14720] [DEBUG][com.freerdp.core.gateway.rpc] - CLIENT_IN_CHANNEL_STATE_SECURITY
[09:38:19:798] [14719:14720] [DEBUG][com.freerdp.core] - connecting to peer $IP
[09:38:19:998] [14719:14720] [DEBUG][com.freerdp.core.gateway.rpc] - CLIENT_OUT_CHANNEL_STATE_CONNECTED
[09:38:19:998] [14719:14720] [DEBUG][com.winpr.sspi] - InitSecurityInterfaceExA
[09:38:19:998] [14719:14720] [TRACE][com.freerdp.core.gateway.ntlm] - InitializeSecurityContext status SEC_I_CONTINUE_NEEDED [0x00090312]
[09:38:19:999] [14719:14720] [DEBUG][com.freerdp.core.gateway.rpc] - CLIENT_OUT_CHANNEL_STATE_SECURITY
[09:38:19:999] [14719:14720] [TRACE][com.freerdp.core.gateway.ntlm] - InitializeSecurityContext status SEC_I_COMPLETE_NEEDED [0x00090313]
[09:38:19:999] [14719:14720] [DEBUG][com.freerdp.core.gateway.rpc] - CLIENT_IN_CHANNEL_STATE_NEGOTIATED
[09:38:19:999] [14719:14720] [DEBUG][com.freerdp.core.gateway.rts] - Sending CONN/B1 RTS PDU
[09:38:19:999] [14719:14720] [DEBUG][com.freerdp.core.gateway.rpc] - CLIENT_IN_CHANNEL_STATE_OPENED
[09:38:19:046] [14719:14720] [TRACE][com.freerdp.core.gateway.ntlm] - InitializeSecurityContext status SEC_I_COMPLETE_NEEDED [0x00090313]
[09:38:19:046] [14719:14720] [DEBUG][com.freerdp.core.gateway.rpc] - CLIENT_OUT_CHANNEL_STATE_NEGOTIATED
[09:38:19:046] [14719:14720] [DEBUG][com.freerdp.core.gateway.rts] - Sending CONN/A1 RTS PDU
[09:38:19:046] [14719:14720] [DEBUG][com.freerdp.core.gateway.rpc] - CLIENT_OUT_CHANNEL_STATE_OPENED
[09:38:19:046] [14719:14720] [DEBUG][com.freerdp.core.gateway.rpc] - VIRTUAL_CONNECTION_STATE_OUT_CHANNEL_WAIT
[09:38:20:102] [14719:14720] [ERROR][com.freerdp.core.gateway.rpc] - error! Status Code: 401
[09:38:20:102] [14719:14720] [ERROR][com.freerdp.core.gateway.http] - HTTP/1.1 401 Unauthorized
[09:38:20:102] [14719:14720] [ERROR][com.freerdp.core.gateway.http] - Content-Type: text/plain
[09:38:20:102] [14719:14720] [ERROR][com.freerdp.core.gateway.http] - Server: Microsoft-IIS/7.5
[09:38:20:102] [14719:14720] [ERROR][com.freerdp.core.gateway.http] - WWW-Authenticate: Negotiate
[09:38:20:102] [14719:14720] [ERROR][com.freerdp.core.gateway.http] - WWW-Authenticate: NTLM
[09:38:20:102] [14719:14720] [ERROR][com.freerdp.core.gateway.http] - WWW-Authenticate: Basic
[09:38:20:102] [14719:14720] [ERROR][com.freerdp.core.gateway.http] - X-Powered-By: ASP.NET
[09:38:20:102] [14719:14720] [ERROR][com.freerdp.core.gateway.http] - Date: Tue, 17 Apr 2018 04:38:20 GMT
[09:38:20:102] [14719:14720] [ERROR][com.freerdp.core.gateway.http] - Content-Length: 13
[09:38:20:102] [14719:14720] [ERROR][com.freerdp.core] - freerdp_set_last_error ERRCONNECT_AUTHENTICATION_FAILED [0x00020009]
[09:38:20:102] [14719:14720] [ERROR][com.freerdp.core.gateway.tsg] - tsg_check failure

avkhozov, Apr 17 '18 04:04

@avkhozov Did you try with /gt:rdg or /gt:http? Remember that there is sometimes an autodetection issue.

akallabeth, Apr 17 '18 09:04

I have tried both options:

/gt:rdg:

./client/X11/xfreerdp /u:$USER /v:$SERVER /g:$GATEWAY /w:1920 /h:1024 /smartcard:"Aktiv Co. Rutoken S 00 00" /gt:rdg /log-level:TRACE
[14:50:33:865] [26962:26963] [INFO][com.freerdp.client.common.cmdline] - loading channelEx rdpdr
[14:50:33:865] [26962:26963] [INFO][com.freerdp.client.common.cmdline] - loading channelEx rdpsnd
[14:50:33:865] [26962:26963] [DEBUG][com.freerdp.channels.cliprdr.client] - VirtualChannelEntryEx
[14:50:33:865] [26962:26963] [INFO][com.freerdp.client.common.cmdline] - loading channelEx cliprdr
[14:50:33:866] [26962:26963] [DEBUG][com.freerdp.client.x11] - Searching for XInput pointer device
[14:50:33:866] [26962:26963] [DEBUG][com.freerdp.client.x11] - Pointer device: 10
[14:50:33:867] [26962:26963] [DEBUG][com.freerdp.core.nego] - Enabling security layer negotiation: TRUE
[14:50:33:867] [26962:26963] [DEBUG][com.freerdp.core.nego] - Enabling restricted admin mode: FALSE
[14:50:33:867] [26962:26963] [DEBUG][com.freerdp.core.nego] - Enabling RDP security: TRUE
[14:50:33:867] [26962:26963] [DEBUG][com.freerdp.core.nego] - Enabling TLS security: TRUE
[14:50:33:867] [26962:26963] [DEBUG][com.freerdp.core.nego] - Enabling NLA security: TRUE
[14:50:33:867] [26962:26963] [DEBUG][com.freerdp.core.nego] - Enabling NLA extended security: FALSE
[14:50:33:867] [26962:26963] [DEBUG][com.freerdp.core.nego] - state: NEGO_STATE_NLA
[14:50:33:867] [26962:26963] [DEBUG][com.freerdp.core.nego] - Attempting NLA security
[14:50:33:975] [26962:26963] [DEBUG][com.freerdp.core] - connecting to peer $IP
GatewayPassword: 
[14:50:37:323] [26962:26963] [DEBUG][com.winpr.sspi] - InitSecurityInterfaceExA
[14:50:37:323] [26962:26963] [TRACE][com.freerdp.core.gateway.ntlm] - InitializeSecurityContext status SEC_I_CONTINUE_NEEDED [0x00090312]
[14:50:38:372] [26962:26963] [DEBUG][com.freerdp.core.gateway.rdg] - Unexpected NTLM challenge HTTP status: 404
[14:50:38:373] [26962:26963] [DEBUG][com.freerdp.core.gateway.rpc] - VIRTUAL_CONNECTION_STATE_INITIAL
[14:50:38:466] [26962:26963] [DEBUG][com.freerdp.core] - connecting to peer $IP
[14:50:38:666] [26962:26963] [DEBUG][com.freerdp.core.gateway.rpc] - CLIENT_IN_CHANNEL_STATE_CONNECTED
[14:50:38:667] [26962:26963] [DEBUG][com.winpr.sspi] - InitSecurityInterfaceExA
[14:50:38:667] [26962:26963] [TRACE][com.freerdp.core.gateway.ntlm] - InitializeSecurityContext status SEC_I_CONTINUE_NEEDED [0x00090312]
[14:50:38:667] [26962:26963] [DEBUG][com.freerdp.core.gateway.rpc] - CLIENT_IN_CHANNEL_STATE_SECURITY
[14:50:38:710] [26962:26963] [DEBUG][com.freerdp.core] - connecting to peer $IP
[14:50:38:912] [26962:26963] [DEBUG][com.freerdp.core.gateway.rpc] - CLIENT_OUT_CHANNEL_STATE_CONNECTED
[14:50:38:912] [26962:26963] [DEBUG][com.winpr.sspi] - InitSecurityInterfaceExA
[14:50:38:912] [26962:26963] [TRACE][com.freerdp.core.gateway.ntlm] - InitializeSecurityContext status SEC_I_CONTINUE_NEEDED [0x00090312]
[14:50:38:912] [26962:26963] [DEBUG][com.freerdp.core.gateway.rpc] - CLIENT_OUT_CHANNEL_STATE_SECURITY
[14:50:38:913] [26962:26963] [TRACE][com.freerdp.core.gateway.ntlm] - InitializeSecurityContext status SEC_I_COMPLETE_NEEDED [0x00090313]
[14:50:38:913] [26962:26963] [DEBUG][com.freerdp.core.gateway.rpc] - CLIENT_IN_CHANNEL_STATE_NEGOTIATED
[14:50:38:913] [26962:26963] [DEBUG][com.freerdp.core.gateway.rts] - Sending CONN/B1 RTS PDU
[14:50:38:913] [26962:26963] [DEBUG][com.freerdp.core.gateway.rpc] - CLIENT_IN_CHANNEL_STATE_OPENED
[14:50:38:961] [26962:26963] [TRACE][com.freerdp.core.gateway.ntlm] - InitializeSecurityContext status SEC_I_COMPLETE_NEEDED [0x00090313]
[14:50:38:961] [26962:26963] [DEBUG][com.freerdp.core.gateway.rpc] - CLIENT_OUT_CHANNEL_STATE_NEGOTIATED
[14:50:38:961] [26962:26963] [DEBUG][com.freerdp.core.gateway.rts] - Sending CONN/A1 RTS PDU
[14:50:38:961] [26962:26963] [DEBUG][com.freerdp.core.gateway.rpc] - CLIENT_OUT_CHANNEL_STATE_OPENED
[14:50:38:961] [26962:26963] [DEBUG][com.freerdp.core.gateway.rpc] - VIRTUAL_CONNECTION_STATE_OUT_CHANNEL_WAIT
[14:50:38:012] [26962:26963] [ERROR][com.freerdp.core.gateway.rpc] - error! Status Code: 401
[14:50:38:012] [26962:26963] [ERROR][com.freerdp.core.gateway.http] - HTTP/1.1 401 Unauthorized
[14:50:38:012] [26962:26963] [ERROR][com.freerdp.core.gateway.http] - Content-Type: text/plain
[14:50:38:012] [26962:26963] [ERROR][com.freerdp.core.gateway.http] - Server: Microsoft-IIS/7.5
[14:50:38:012] [26962:26963] [ERROR][com.freerdp.core.gateway.http] - WWW-Authenticate: Negotiate
[14:50:38:012] [26962:26963] [ERROR][com.freerdp.core.gateway.http] - WWW-Authenticate: NTLM
[14:50:38:012] [26962:26963] [ERROR][com.freerdp.core.gateway.http] - WWW-Authenticate: Basic
[14:50:38:012] [26962:26963] [ERROR][com.freerdp.core.gateway.http] - X-Powered-By: ASP.NET
[14:50:38:012] [26962:26963] [ERROR][com.freerdp.core.gateway.http] - Date: Tue, 17 Apr 2018 09:50:38 GMT
[14:50:38:012] [26962:26963] [ERROR][com.freerdp.core.gateway.http] - Content-Length: 13
[14:50:38:013] [26962:26963] [ERROR][com.freerdp.core] - freerdp_set_last_error ERRCONNECT_AUTHENTICATION_FAILED [0x00020009]
[14:50:38:013] [26962:26963] [ERROR][com.freerdp.core.gateway.tsg] - tsg_check failure

/gt:http:

./client/X11/xfreerdp /u:$USER /v:$SERVER /g:$GATEWAY /w:1920 /h:1024 /smartcard:"Aktiv Co. Rutoken S 00 00" /gt:http /log-level:TRACE
[14:53:03:921] [27051:27052] [INFO][com.freerdp.client.common.cmdline] - loading channelEx rdpdr
[14:53:03:921] [27051:27052] [INFO][com.freerdp.client.common.cmdline] - loading channelEx rdpsnd
[14:53:03:921] [27051:27052] [DEBUG][com.freerdp.channels.cliprdr.client] - VirtualChannelEntryEx
[14:53:03:921] [27051:27052] [INFO][com.freerdp.client.common.cmdline] - loading channelEx cliprdr
[14:53:03:922] [27051:27052] [DEBUG][com.freerdp.client.x11] - Searching for XInput pointer device
[14:53:03:923] [27051:27052] [DEBUG][com.freerdp.client.x11] - Pointer device: 10
[14:53:03:924] [27051:27052] [DEBUG][com.freerdp.core.nego] - Enabling security layer negotiation: TRUE
[14:53:03:924] [27051:27052] [DEBUG][com.freerdp.core.nego] - Enabling restricted admin mode: FALSE
[14:53:03:924] [27051:27052] [DEBUG][com.freerdp.core.nego] - Enabling RDP security: TRUE
[14:53:03:924] [27051:27052] [DEBUG][com.freerdp.core.nego] - Enabling TLS security: TRUE
[14:53:03:924] [27051:27052] [DEBUG][com.freerdp.core.nego] - Enabling NLA security: TRUE
[14:53:03:924] [27051:27052] [DEBUG][com.freerdp.core.nego] - Enabling NLA extended security: FALSE
[14:53:03:924] [27051:27052] [DEBUG][com.freerdp.core.nego] - state: NEGO_STATE_NLA
[14:53:03:924] [27051:27052] [DEBUG][com.freerdp.core.nego] - Attempting NLA security
[14:53:03:995] [27051:27052] [DEBUG][com.freerdp.core] - connecting to peer $IP
GatewayPassword: 
[14:53:07:523] [27051:27052] [DEBUG][com.winpr.sspi] - InitSecurityInterfaceExA
[14:53:07:523] [27051:27052] [TRACE][com.freerdp.core.gateway.ntlm] - InitializeSecurityContext status SEC_I_CONTINUE_NEEDED [0x00090312]
[14:53:07:573] [27051:27052] [DEBUG][com.freerdp.core.gateway.rdg] - Unexpected NTLM challenge HTTP status: 404
[14:53:07:573] [27051:27052] [ERROR][com.freerdp.core.nego] - Protocol Security Negotiation Failure
[14:53:07:573] [27051:27052] [ERROR][com.freerdp.core] - freerdp_set_last_error ERRCONNECT_SECURITY_NEGO_CONNECT_FAILED [0x0002000C]
[14:53:07:573] [27051:27052] [ERROR][com.freerdp.core.connection] - Error: protocol security negotiation or connection failure

xfreerdp always prompts for a password, and the smartcard is not used.

avkhozov, Apr 17 '18 09:04

@avkhozov Nothing to do with smartcard, this is a gateway authentication issue. Just to be sure, does it work with mstsc or another RDP client to connect? The HTTP status code 404 is what I'm referring to.

akallabeth, Apr 17 '18 10:04
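To make the triage above repeatable, here is a small log classifier as an added example; it is not FreeRDP code and not from anyone in this thread. It assumes only the xfreerdp log line layout quoted in the posts above (`[time] [pid:tid] [LEVEL][module] - message`) and the literal `GatewayPassword:` prompt; the stage names and the classification rule (a 401 from the `com.freerdp.core.gateway.*` modules together with `ERRCONNECT_AUTHENTICATION_FAILED` means the gateway rejected the password/NTLM credentials before any smartcard or RDP security negotiation happened) are my own. The sample log lines are constructed, trimmed copies of the output in this thread.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# xfreerdp log line layout as quoted in this thread:
#   [HH:MM:SS:ms] [pid:tid] [LEVEL][module] - message
LOG_RE = re.compile(
    r"^\[(?P<ts>[\d:]+)\]\s+\[(?P<pid>\d+):(?P<tid>\d+)\]\s+"
    r"\[(?P<level>[A-Z]+)\]\[(?P<module>[\w.]+)\]\s+-\s+(?P<msg>.*)$"
)
# Gateway-side HTTP status codes appear in three message shapes in the thread.
STATUS_RE = re.compile(r"(?:Status Code|HTTP status|authorization result):\s*(\d{3})")
SCHEME_RE = re.compile(r"^WWW-Authenticate:\s*(\w+)")
LAST_ERROR_RE = re.compile(r"freerdp_set_last_error\s+(\w+)")


@dataclass
class GatewayDiagnosis:
    http_statuses: List[int] = field(default_factory=list)  # gateway HTTP codes, in order seen
    auth_schemes: List[str] = field(default_factory=list)   # WWW-Authenticate schemes the gateway offered
    password_prompted: bool = False                         # client fell back to a GatewayPassword prompt
    last_error: Optional[str] = None                        # name from freerdp_set_last_error, if any
    stage: str = "no-error"                                 # hypothetical stage label (my own naming)


def parse_line(line: str) -> Optional[dict]:
    """Split one xfreerdp log line into its fields; None for prompts and other non-log text."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def diagnose(lines: List[str]) -> GatewayDiagnosis:
    """Walk a client log and decide where the connection attempt stopped."""
    d = GatewayDiagnosis()
    for raw in lines:
        if raw.strip().startswith("GatewayPassword:"):
            d.password_prompted = True
            continue
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if rec["module"].startswith("com.freerdp.core.gateway"):
            sm = STATUS_RE.search(msg)
            if sm:
                d.http_statuses.append(int(sm.group(1)))
            sc = SCHEME_RE.match(msg)
            if sc and sc.group(1) not in d.auth_schemes:
                d.auth_schemes.append(sc.group(1))
        le = LAST_ERROR_RE.search(msg)
        if le:
            d.last_error = le.group(1)

    # A 401 from the gateway modules means the gateway rejected the credentials the
    # client presented over HTTP; the RDP security negotiation never started.
    if d.last_error == "ERRCONNECT_AUTHENTICATION_FAILED" and 401 in d.http_statuses:
        d.stage = "gateway-authentication"
    elif d.last_error == "ERRCONNECT_SECURITY_NEGO_CONNECT_FAILED":
        d.stage = "security-negotiation"
    elif d.last_error:
        d.stage = "other"
    return d


def summarize(d: GatewayDiagnosis) -> str:
    """One-line human summary of a diagnosis."""
    return (
        f"stage={d.stage}; gateway statuses={d.http_statuses}; "
        f"offered={','.join(d.auth_schemes) or 'none'}; "
        f"password prompt={'yes' if d.password_prompted else 'no'}"
    )


# Constructed samples, trimmed from the /gt:rdg and /gt:http output quoted in this thread.
SAMPLE_RDG = """\
[14:50:33:975] [26962:26963] [DEBUG][com.freerdp.core] - connecting to peer $IP
GatewayPassword:
[14:50:37:323] [26962:26963] [TRACE][com.freerdp.core.gateway.ntlm] - InitializeSecurityContext status SEC_I_CONTINUE_NEEDED [0x00090312]
[14:50:38:372] [26962:26963] [DEBUG][com.freerdp.core.gateway.rdg] - Unexpected NTLM challenge HTTP status: 404
[14:50:38:012] [26962:26963] [ERROR][com.freerdp.core.gateway.rpc] - error! Status Code: 401
[14:50:38:012] [26962:26963] [ERROR][com.freerdp.core.gateway.http] - HTTP/1.1 401 Unauthorized
[14:50:38:012] [26962:26963] [ERROR][com.freerdp.core.gateway.http] - WWW-Authenticate: Negotiate
[14:50:38:012] [26962:26963] [ERROR][com.freerdp.core.gateway.http] - WWW-Authenticate: NTLM
[14:50:38:012] [26962:26963] [ERROR][com.freerdp.core.gateway.http] - WWW-Authenticate: Basic
[14:50:38:013] [26962:26963] [ERROR][com.freerdp.core] - freerdp_set_last_error ERRCONNECT_AUTHENTICATION_FAILED [0x00020009]
[14:50:38:013] [26962:26963] [ERROR][com.freerdp.core.gateway.tsg] - tsg_check failure
""".splitlines()

SAMPLE_HTTP = """\
[14:53:07:573] [27051:27052] [DEBUG][com.freerdp.core.gateway.rdg] - Unexpected NTLM challenge HTTP status: 404
[14:53:07:573] [27051:27052] [ERROR][com.freerdp.core.nego] - Protocol Security Negotiation Failure
[14:53:07:573] [27051:27052] [ERROR][com.freerdp.core] - freerdp_set_last_error ERRCONNECT_SECURITY_NEGO_CONNECT_FAILED [0x0002000C]
""".splitlines()

if __name__ == "__main__":
    print(summarize(diagnose(SAMPLE_RDG)))
    print(summarize(diagnose(SAMPLE_HTTP)))
```

Run against the `/gt:rdg` sample it reports `stage=gateway-authentication` with `offered=Negotiate,NTLM,Basic` and a password prompt, which is the defender's reading of the thread: the gateway only offered password-based HTTP schemes, the client answered with NTLM, and the smartcard was never consulted. Feed it `xfreerdp ... /log-level:TRACE 2>&1` output to get the same summary for your own gateway.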

Yes, I can connect to this RD via mstsc on Windows.


avkhozov, Apr 17 '18 11:04

Wait, you're trying with smartcard authentication? That is not supported by freerdp at all, so that could explain the 404 ;)

akallabeth, Apr 17 '18 11:04

When #3946 is finally updated and merged that could get supported.

akallabeth, Apr 17 '18 11:04

Hmm, but I was sure that this issue refers to the smartcard logon problems. In any case, thank you! I'll wait for https://github.com/FreeRDP/FreeRDP/pull/3946

avkhozov, Apr 17 '18 11:04

Smartcard logon has been completely reworked and AFAICT works in most situations.

hardening, Jun 15 '23 21:06