can't connect with browser or mstsc (windows)

[jpmorrison]

• first off, can I disable openid? I just want a simple rdpgw I can install standalone on jump box

• docs: key(s) in rdpgw.yaml should be only 32 characters - I got an error about crypto/aes key being 33

• I downloaded rdpgw-1.0-stable and built rdpgw on ubuntu 20.04

• I think I have openid working with Google - looks like Google part works and it redirects me. There's an auth.json with tokens in it. But on https://localhost:9443/connect I get

cannot find session or user

the logs show:

2020/12/10 13:53:51 Starting remote desktop gateway server
2020/12/10 13:53:56 preferred_username not found in context

• I imported my self signed cert into Windows and I can connect to localhost:9443 with mstsc mstsc prompts for RD gateway credentials - I assume I enter the google credentials here? rdpgw logs a runtime error:

 2020/12/10 13:58:54 Client handshakeRequest from 172.24.128.1
2020/12/10 13:58:54 major: 1, minor: 0, version: 0, ext auth: 0
2020/12/10 13:58:54 Tunnel create
2020/12/10 13:58:54 http: panic serving 172.24.128.1:49991: runtime error: invalid memory address or nil pointer dereference
goroutine 11 [running]:
net/http.(*conn).serve.func1(0xc000438960)
        /usr/lib/go-1.13/src/net/http/server.go:1767 +0x139
panic(0xb0e100, 0x1173360)
        /usr/lib/go-1.13/src/runtime/panic.go:679 +0x1b2
github.com/bolkedebruin/rdpgw/security.VerifyPAAToken(0xcdec20, 0xc0001426f0, 0x0, 0x0, 0x3f, 0x0, 0x0)
        /home/jmorrison/rdpgw-1.0-stable/security/jwt.go:39 +0x5d
github.com/bolkedebruin/rdpgw/protocol.(*Server).Process(0xc0001b8660, 0xcdec20, 0xc0001426f0, 0x0, 0x0)
        /home/jmorrison/rdpgw-1.0-stable/protocol/server.go:89 +0xf00
github.com/bolkedebruin/rdpgw/protocol.(*Gateway).handleWebsocketProtocol(0xc00016e058, 0xcdec20, 0xc0001426f0, 0xc0002aa000, 0xc0001ba050)
        /home/jmorrison/rdpgw-1.0-stable/protocol/gateway.go:98 +0x10f
github.com/bolkedebruin/rdpgw/protocol.(*Gateway).HandleGatewayProtocol(0xc00016e058, 0xcdc6e0, 0xc000472700, 0xc0001ca500)
        /home/jmorrison/rdpgw-1.0-stable/protocol/gateway.go:84 +0x7b8
net/http.HandlerFunc.ServeHTTP(0xc0003a8640, 0xcdc6e0, 0xc000472700, 0xc0001ca500)
        /usr/lib/go-1.13/src/net/http/server.go:2007 +0x44
github.com/bolkedebruin/rdpgw/common.EnrichContext.func1(0xcdc6e0, 0xc000472700, 0xc0001ca200)
        /home/jmorrison/rdpgw-1.0-stable/common/remote.go:41 +0x41a
net/http.HandlerFunc.ServeHTTP(0xc000416940, 0xcdc6e0, 0xc000472700, 0xc0001ca200)
        /usr/lib/go-1.13/src/net/http/server.go:2007 +0x44
net/http.(*ServeMux).ServeHTTP(0x1189140, 0xcdc6e0, 0xc000472700, 0xc0001ca200)
        /usr/lib/go-1.13/src/net/http/server.go:2387 +0x1bd
net/http.serverHandler.ServeHTTP(0xc000458000, 0xcdc6e0, 0xc000472700, 0xc0001ca200)
        /usr/lib/go-1.13/src/net/http/server.go:2802 +0xa4
net/http.(*conn).serve(0xc000438960, 0xcdeb60, 0xc0001a0240)
        /usr/lib/go-1.13/src/net/http/server.go:1890 +0x875
created by net/http.(*Server).Serve
        /usr/lib/go-1.13/src/net/http/server.go:2928 +0x384

[jpmorrison]

https://github.com/bolkedebruin/rdpgw/blob/505eafdc1e403cd77a94f3f84c9529f6b61a1f2c/security/jwt.go#L35

mstsc.exe can send an empty token and cause the nil pointer

 func VerifyPAAToken(ctx context.Context, tokenString string) (bool, error) {
        token, err := jwt.ParseSigned(tokenString)

+//     log.Printf("  debug verify PAA token %s err %s",token, err)
+       if err != nil {
+               log.Printf(" tokenString = %s", tokenString )
+               log.Printf(" jwt.ParseSigned() failed due to err=%s", err)
+                return false, err
+       }

[jpmorrison]

I can connect with mstsc if I comment out the error return for invalid PAA cookie (server.go) and client host does not match token host (jwt.go)

I don't need the web tokens/oauth right now so a config option for disabling would be nice. NTLM and/or kerberos could work instead.

[bolkedebruin]

This is fixed in master. This was an issue with MSTSC being a bit more picky than other clients (rightfully so) on the protocol handshake. It happened when a PAA cookie was required but not send as part of the caps.