
Add support for NTLM authentication using CredSSP [$115]

Open hean01-cendio opened this issue 7 years ago • 23 comments

Today the out-of-the-box experience is not that great when connecting to an RDS service, because the RDS service is by default configured to require NLA (CredSSP). rdesktop only supports CredSSP using Kerberos authentication and will therefore fail to connect to an RDS service which requires NLA, and configuration of Kerberos on the client side is required. Adding NTLM authentication would mean that no special client-side configuration is needed, with the result of a better out-of-the-box experience.


There is a $15 open bounty on this issue. Add to the bounty at Bountysource.

hean01-cendio avatar Nov 11 '16 08:11 hean01-cendio

Every time I connect to a host rdesktop throws up a message that it's too broken to use CredSSP, and demanding that it be given access to a non-existent domain controller.

How do I make it STFU about that ?

rdebath avatar May 27 '17 20:05 rdebath

KRDC (KDE bundled GUI RDP/VNC client) has working code, that solves this issue.

trishaxuk avatar Sep 21 '17 16:09 trishaxuk

This works for me in rdesktop 1.6 and 1.7; perhaps it could be forward-ported to newer versions: rdesktop patch to add limited RDPv6 + CredSSP

DesktopECHO avatar Oct 27 '17 04:10 DesktopECHO

@DesktopECHO if I recall correctly, the old patches required parts of Samba and were a bit ugly. My intention was to do a pure NTLM implementation. However, over time I found this [1] project that I think suits rdesktop perfectly.

[1] https://github.com/simo5/gss-ntlmssp

hean01-cendio avatar Oct 27 '17 06:10 hean01-cendio

+1 for https://github.com/simo5/gss-ntlmssp as this one was also on my list after checking how to proceed with this ticket sometime in the future.

uglym8 avatar Oct 27 '17 06:10 uglym8

Can anybody give information on how to configure CredSSP with rdesktop and Linux?

Thanks

trentasis avatar Jan 18 '18 21:01 trentasis

The March 13th 2018 Windows updates kill Linux RDP. Now CredSSP is being enabled on all servers.

https://github.com/FreeRDP/Remmina/issues/1513

mrinterestfull avatar Mar 23 '18 16:03 mrinterestfull

Wiki page added with information about CredSSP

https://github.com/rdesktop/rdesktop/wiki/Network-Level-Authentication-(NLA)

@trentasis @keirun @emk2203 @UnitedMarsupials @lszyba1

hean01-cendio avatar Mar 26 '18 15:03 hean01-cendio

That does not help if there isn't a domain; or even if it's behind a firewall (like they all should be).

rdebath avatar Apr 01 '18 18:04 rdebath

If you didn't want to setup Kerberos. How do you use this? https://github.com/simo5/gss-ntlmssp

The biggest issue is the error message. It should A) state that the server required NTLM authentication, recommend contacting the administrator to disable it, and point to this ticket; B) tell you what you need to do if you are not on a domain but rather outside the firewall or on his VPN.

The way I see it, if the administrator will not lower the now-default Windows server security setting, this package can no longer be used? Unless I'm missing something. Thanks, Lucas

mrinterestfull avatar Apr 01 '18 21:04 mrinterestfull

@lszyba1 NTLM is a way of securing username/password authentication much like HTTP 'digest' authentication. It supplies proof to the server that you have the password without telling the server what the password is.

With Kerberos, OTOH, the client logs into the DC providing the proof that it has the password to the DC (without sending the password itself) and gets a "ticket" to prove to the service that the DC knows who it is. The server can then check and use this "ticket" to prove to the client they are the server the client is expecting.

The Kerberos protocol was designed in the '80s and is still secure. Nevertheless, a modern design would use public/private keypairs as that protocol ends up much simpler, easier to understand and generally more robust. IME Windows often has to fall back (usually silently) to using NTLM; with RDP it usually gets you that self-signed certificate warning (unless a validatable certificate has been installed).

If you're connecting to a Workgroup server using NLA it uses CredSSP without using Kerberos.

rdebath avatar Apr 01 '18 23:04 rdebath
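The point made above, that an NTLM client proves it knows the password without ever sending it, is the NTLMv2 challenge-response computation from MS-NLMP. The following is an added example, not code from rdesktop or this thread; the NT hash (MD4 of the UTF-16LE password) is supplied as a constructed value rather than derived, the target-info block is left empty for brevity, and all challenges and timestamps are constructed samples.

```python
import hashlib
import hmac
import struct


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UTF-16LE(UPPER(user) + domain).
    The NT hash itself (MD4 of the UTF-16LE password) is supplied by the caller."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def client_nt_challenge_response(nt_hash, user, domain, server_challenge,
                                 client_challenge, timestamp, target_info):
    """Client side: build 'temp' and NTProofStr = HMAC-MD5(key, ServerChallenge || temp).
    The NT hash only keys the HMAC; neither it nor the password is placed in the message."""
    temp = (b"\x01\x01" + b"\x00" * 6          # Responserversion, HiResponserversion, reserved
            + struct.pack("<Q", timestamp)    # FILETIME, 64-bit little-endian
            + client_challenge                # 8 client-chosen random bytes
            + b"\x00" * 4 + target_info + b"\x00" * 4)
    key = ntowf_v2(nt_hash, user, domain)
    proof = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return proof + temp                       # NtChallengeResponse = NTProofStr || temp


def server_verify(nt_hash, user, domain, server_challenge, nt_challenge_response) -> bool:
    """Server (or DC) side: recompute the proof from the stored NT hash, compare in constant time."""
    proof, temp = nt_challenge_response[:16], nt_challenge_response[16:]
    key = ntowf_v2(nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(expected, proof)


# Constructed sample values (not real credentials or captured traffic).
NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
WRONG_HASH = bytes.fromhex("ffeeddccbbaa99887766554433221100")
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_CHALLENGE = bytes.fromhex("fedcba9876543210")
TIMESTAMP = 0x01D3BB6A00000000   # constructed FILETIME
TARGET_INFO = b""                # real exchanges carry AV_PAIRs here


def demo():
    """Returns (verified with right hash, verified with wrong hash, hash leaked into message)."""
    resp = client_nt_challenge_response(NT_HASH, "alice", "WORKGROUP", SERVER_CHALLENGE,
                                        CLIENT_CHALLENGE, TIMESTAMP, TARGET_INFO)
    ok = server_verify(NT_HASH, "alice", "WORKGROUP", SERVER_CHALLENGE, resp)
    bad = server_verify(WRONG_HASH, "alice", "WORKGROUP", SERVER_CHALLENGE, resp)
    return ok, bad, NT_HASH in resp


if __name__ == "__main__":
    print(demo())
```

Note that the proof is bound only to the server's challenge, not to the transport; that is why CredSSP wraps this exchange in TLS and additionally authenticates the server's public key inside the established security context.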

Thanks. So what do we need to do to get NTLM working if your home is not authorized to join the domain, in order for you to access work servers?

mrinterestfull avatar Apr 02 '18 01:04 mrinterestfull

kinit doesn't require joining the domain.

grawity avatar Apr 02 '18 09:04 grawity

Here is a real-world situation where kinit won't work:

Deploy a Windows VM in Azure; typically it will have one randomized port opened for RDP. These VMs have NLA enabled/enforced. The only way I could get rdesktop to work in this situation was to use the patch I mentioned on Oct 27th.

FYI In January I added a few more dollars for this bug on Bountysource

DesktopECHO avatar Apr 02 '18 14:04 DesktopECHO

@grawity of course it does; the Kerberos service is part of the domain controller, and to trust the DC the server must be joined to the domain. If there isn't a domain controller there isn't a Kerberos service.

If the server can't join a domain or the client isn't able to find a domain controller the client must use NTLM.

rdebath avatar Apr 02 '18 20:04 rdebath

@DesktopECHO , how do you use the patch mentioned on Oct 27th? Is that something you simply make/install and then rdesktop works with NTLM? Or do I need to recompile rdesktop to use that package? Do I need to install/configure GSSAPI first?

switch72 avatar May 17 '18 15:05 switch72

In the interests of increasing the likelihood that this gets picked up, may I suggest someone with the appropriate permissions updates the bounty amount in the issue title?

(I don't have much use for this feature any more, but it's still useful for others needing to connect to Azure, and I don't want to see my admittedly small contribution to the bounty go unclaimed.)

DpEpsilon avatar Jan 29 '19 02:01 DpEpsilon

I will work on this. I have previously written exactly this feature in C#, but that was for a former employer and I don't have the code or the rights to it. I am not a C programmer and it will probably be ugly, non-idiomatic code; someone else will have to integrate it into the solution.

jeanbern avatar Oct 30 '19 19:10 jeanbern

Hello! Any progress on NTLM support without setting up Kerberos? Thanks

MarkLTZ avatar Mar 24 '20 16:03 MarkLTZ

@MarkLTZ Personally I've mostly switched to xfreerdp (Debian/Ubuntu package freerdp2-x11 2.0.0..). It doesn't work very well with Windows XP (or Windows 7?), but if most things you're connecting to are Windows 2012 or later it works fine, including machines with NLA forced on.

PS: Of course I just tried a Windows XP machine with rdesktop ... it didn't work either ... seems I always use a windows terminal server or VNC to connect to that old build VM.

rdebath avatar Mar 24 '20 17:03 rdebath

@rdebath xfreerdp has many issues with the keyboard layout that rdesktop hasn't.

MarkLTZ avatar Mar 24 '20 17:03 MarkLTZ

Interesting, the keyboard is completely trouble free for me (no command line option needed). Locale en_GB.utf8, UK and UKX keyboards on Windows. Even the AltGr stuff, for dead keys and diacritics, works with UKX. I just installed a US locale too on Windows and it works perfectly (including the "incorrect" conversion of " and @ when US is selected).

The only problem I, sometimes, have is that Ctl-Alt-2 is trapped by Xorg. But I don't want to change that.

PS: Rdesktop's keyboard works fine for me too.

rdebath avatar Mar 24 '20 18:03 rdebath

@rdebath the issue for non-US keyboards happens because I run xfreerdp on a kiosked system. On rdesktop I don't have issues except the NTLM support. The workaround of disabling it on the Windows target side is not acceptable :(

MarkLTZ avatar Mar 24 '20 19:03 MarkLTZ