Closed leyloe closed 3 months ago
You could stop after performing the NLA (via CredSSP). It's inside the connect_finalize function:
You don’t need to complete the full sequence coming afterwards. You can see how we instrument the connector in the same file.
You’ll still have a few network round-trips before that, including:
Fortunately, when using enhanced RDP security, even the basic settings exchange is performed after authentication, so you should get a massive improvement.
Yeah, you could do that.
You could probably look more deeply into CredSSP (and our sspi crate), but nothing else I can add without digging further myself at this point.
FreeRDP has an auth-only command-line switch which does the same thing you are trying to achieve. You might investigate their code base and see what optimizations are made in this case, and if the same can be applied to IronRDP. You could also see how long the authentication takes in that case as a comparison baseline.
@fu3x11 Please give us some time before sending a reminder, I didn't get a chance to go through all my notifications, and it was the weekend. If you are worried about me not having a notification, don't worry, all people participating in the issue will be notified when a new message is posted unless they decide to manually disable them 🙂
For your question, it depends on what you need. You don't need the network client if you're only going to rely on NTLM. However, NTLM is deprecated by Microsoft and should be avoided whenever possible. You may be able to use it safely under specific circumstances, and I'm pretty sure you'll always be able to enable it because Microsoft does not remove features. If you want to support Kerberos, then you need to perform these network requests. You may replace the HTTP client by something more lightweight if you don't want reqwest in your dependency tree, but I'm not sure you can make things much faster with that.
You can’t connect to servers where Kerberos is enforced (there is a Windows Group Policy). If you have control over the servers, you may decide to allow NTLM probably forever. Not saying that you should, NTLM is deprecated for security reasons.
Also, it's not only policy that requires Kerberos. For example, if a user is a member of the "Protected Users" group in Active Directory and NLA is used, Kerberos is required.
We can likely add Send bounds at more places to help you with that. I'm guessing you are having trouble with spawning stuff in tokio runtime? Can you send a sample of your code so I can see more clearly what you are trying to achieve? IronRDP crates are currently used at many places, including on server-side by teleport. IIRC, they already suggested adding a few Send bounds at some places so they could spawn more tasks, and I expect things to be mostly straightforward, but maybe we need to add some more? Things may not be so simple because we also need to implement specific traits for non-Send types in the WASM client. In their case, we got around by providing both a Send and a non-Send option (TokioFramed vs LocalTokioFramed).
Hello, I am doing fine and all my testing passes.
Glad you could make it.
What could possibly help are examples of async and sync auth checkers meant for returning a result signifying whether the server is connectable or not (headless, in a lightweight manner), which I have done already.
But for future reference and ease of use for everyone else, possibly putting Send and other examples in would make things more swift in applying this library to other projects.
Thank you for the feedback. Feel free to send PRs for adding documentation and examples. We are not making any money from IronRDP by releasing its source code with a permissive license. We are actively working on it, but our bandwidth is limited, so any help, including documentation efforts, is welcome.
As for adding Send bounds, as mentioned above:
Things may not be so simple because we also need to implement specific traits for non-Send types in the WASM client. In their case, we got around by providing both a Send and a non-Send option (TokioFramed vs LocalTokioFramed).
Again, please consider opening a PR so we can see what can be done. Our CI will also catch if the WASM client is not compiling anymore.
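The Send versus non-Send split the maintainer describes in the two comments above (a thread-safe TokioFramed-style transport beside a single-threaded LocalTokioFramed-style one, with the WASM client as the non-Send consumer), reduced to a std-only sketch. This is an added example and not IronRDP code: the trait and type names (FramedRead, SharedFramed, LocalFramed, check_local, check_on_worker), the "auth-ok" marker PDU and the sample PDU queues are all constructed for illustration, and std::thread::spawn stands in for a tokio task since the bound that matters is the same Send + 'static.

```rust
use std::cell::RefCell;
use std::collections::VecDeque;
use std::rc::Rc;
use std::sync::{Arc, Mutex};
use std::thread;

/// Hypothetical stand-in for a framed RDP transport: yields one PDU at a time.
pub trait FramedRead {
    fn read_pdu(&mut self) -> Option<Vec<u8>>;
}

/// Thread-safe transport (the "Send option"): Arc<Mutex<..>> is Send.
pub struct SharedFramed {
    pdus: Arc<Mutex<VecDeque<Vec<u8>>>>,
}

impl SharedFramed {
    /// Constructed sample input: the PDUs the "server" will send, oldest first.
    pub fn from_pdus(pdus: Vec<Vec<u8>>) -> Self {
        Self { pdus: Arc::new(Mutex::new(pdus.into_iter().collect())) }
    }
}

impl FramedRead for SharedFramed {
    fn read_pdu(&mut self) -> Option<Vec<u8>> {
        self.pdus.lock().expect("poisoned").pop_front()
    }
}

/// Single-threaded transport (the "non-Send option"): Rc<RefCell<..>> is !Send,
/// which is the shape a WASM client with JS-owned sockets ends up with.
pub struct LocalFramed {
    pdus: Rc<RefCell<VecDeque<Vec<u8>>>>,
}

impl LocalFramed {
    pub fn from_pdus(pdus: Vec<Vec<u8>>) -> Self {
        Self { pdus: Rc::new(RefCell::new(pdus.into_iter().collect())) }
    }
}

impl FramedRead for LocalFramed {
    fn read_pdu(&mut self) -> Option<Vec<u8>> {
        self.pdus.borrow_mut().pop_front()
    }
}

/// Hypothetical "auth only" check: the first PDU read decides the result.
/// The constructed marker b"auth-ok" stands in for a real CredSSP outcome.
fn auth_succeeded<F: FramedRead>(framed: &mut F) -> bool {
    matches!(framed.read_pdu(), Some(pdu) if pdu == b"auth-ok")
}

/// Runs inline on the caller's thread: only needs FramedRead, so both
/// SharedFramed and LocalFramed are accepted.
pub fn check_local<F: FramedRead>(mut framed: F) -> bool {
    auth_succeeded(&mut framed)
}

/// Moves the check onto a worker (a thread here, a spawned task in tokio):
/// this is where `F: Send + 'static` becomes mandatory. Calling it with a
/// LocalFramed is a compile error, which is why a blanket Send bound on the
/// shared trait would lock the WASM client out, and why two options exist.
pub fn check_on_worker<F: FramedRead + Send + 'static>(mut framed: F) -> bool {
    thread::spawn(move || auth_succeeded(&mut framed))
        .join()
        .expect("worker panicked")
}

fn main() {
    let shared = SharedFramed::from_pdus(vec![b"auth-ok".to_vec(), b"capabilities".to_vec()]);
    println!("worker check: {}", check_on_worker(shared));

    let local = LocalFramed::from_pdus(vec![b"auth-failed".to_vec()]);
    println!("local check: {}", check_local(local));
    // check_on_worker(LocalFramed::from_pdus(vec![])) would not compile: Rc is !Send.
}
```

The design point is that the Send bound lives on the spawning function (or a separate Send-only trait), not on the core transport trait: the non-Send client keeps compiling, and code that needs to spawn opts into the stricter bound explicitly.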
By chance, could this stuff be on crates.io, along with lower-level functionality, so you don't have to go in and modify the crates?
In my experience I had to download the tokio IronRDP and async IronRDP crates and edit them to my liking.
There is another issue related to this question: https://github.com/Devolutions/IronRDP/issues/498. Crates will be published on crates.io in the future. Ideally, I would like to get that done within a month or two.
I’ll close this issue since the question appears to be answered.