Closed: snowie2000 closed this 1 year ago
Does this work with FreeRDP or the free Thincast RDP Client (snap | flatpak ) ?
@snowie2000 yes that's correct, you might be better off with the Windows Store version, one of the 3rd party clients or the Mac version. The client included with Windows has some bugs as you have noticed.
@nfedera yes it works with FreeRDP and Thincast (afaik).
@bolkedebruin Thincast also authenticates in NTLM.
@snowie2000 @nfedera I've implemented a KDC proxy which allows you to authenticate against Kerberos (MIT/FreeIPA/AD). You need to understand what you are doing though. Currently it is also mutually exclusive with Basic Auth and OpenID due to limitations in the underlying libraries.
To enable, set authentication to kerberos and add a kerberos section with keytab as a minimum parameter. If you don't have a system-wide krb5.conf, make sure to put it somewhere and set krb5conf to the path.
The keytab should contain the "HTTP/fully.qualified.domain@REALM.TLD" principal, as that is hardcoded in the clients. For now the KDC should be reachable by TCP, and password changes are not supported yet.
The client will use Kerberos over NTLM.
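Since the gateway only works if the keytab holds exactly the HTTP/fqdn@REALM principal named above, a small offline check of the keytab is a useful first step before chasing the libraries. This is an added example, not code from rdpgw or from anyone in this thread; it follows the MIT v2 keytab layout, and the host name, kvno and key bytes it builds are made up.

```python
import struct

# Constructed example: rdpgw expects "HTTP/<fqdn>@<REALM>"; the host name is made up.
EXPECTED_PRINCIPAL = "HTTP/host.ad.domain.local@AD.DOMAIN.LOCAL"

def _counted(data: bytes) -> bytes:
    # MIT keytab counted_octet_string: uint16 big-endian length + bytes
    return struct.pack(">H", len(data)) + data

def build_keytab_entry(principal: str, kvno: int, enctype: int, key: bytes) -> bytes:
    """Serialise one v2 keytab entry (used here only to construct sample input)."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type, timestamp, vno8
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)  # 32-bit kvno trailer
    return struct.pack(">i", len(body)) + body

def parse_keytab(blob: bytes):
    """Return [(principal, kvno, enctype)] for every live entry in a v2 keytab."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a v2 MIT keytab")
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos); pos += 4
        if size < 0:  # deleted slot: skip its payload
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", blob, pos); pos += 4
        realm = blob[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", blob, pos); pos += 2
            comps.append(blob[pos:pos + clen].decode()); pos += clen
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", blob, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", blob, pos); pos += 4 + klen
        kvno = struct.unpack_from(">I", blob, pos)[0] if end - pos >= 4 else vno8
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
        pos = end
    return entries

def has_principal(blob: bytes, principal: str = EXPECTED_PRINCIPAL) -> bool:
    # True if the keytab holds a key for the exact SPN the gateway needs
    return any(p == principal for p, _, _ in parse_keytab(blob))

# Constructed sample keytab: the right SPN plus a host/ principal that will not match.
SAMPLE_KEYTAB = (b"\x05\x02" + build_keytab_entry(EXPECTED_PRINCIPAL, 3, 18, b"\x11" * 32)
    + build_keytab_entry("host/host.ad.domain.local@AD.DOMAIN.LOCAL", 3, 18, b"\x22" * 32))
```

Run `has_principal(open("/path/to/rdpgw.keytab", "rb").read())` against a real exported keytab; a keytab that only carries host/ or the short host name will return False even though kinit works.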
That sounds great!
I am trying to get this running but all I get is
2022/12/30 15:56:27 Identity SessionId: 3cb2c75f-bb60-4de3-83fc-5901a6a6a460, UserName: : Authenticated: false
2022/12/30 15:56:27 10.0.1.23:57899 - SPNEGO error in unmarshaling SPNEGO token: not a valid SPNEGO token: asn1: structure error: explicitly tagged member didn't match
Not sure if it is somehow related to the keytab, but I have added the SPN "HTTP/host.ad.domain.local@AD.DOMAIN.LOCAL", exported the keytab and referenced it in the configuration file. My krb5.conf also contains the required lines:
[libdefaults]
default_realm = AD.DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
AD.DOMAIN.LOCAL = {
default_domain = ad.domain.local
kdc = server.ad.domain.local
# master_kdc = server.ad.domain.local
admin_server = server.ad.domain.local
}
same here
Both are most likely due to issues with the keytab. I have only tested this against MIT Kerberos. Please try kinit commands to see where the issue lies. For further debugging I need to refer you to the underlying libraries (MIT, gokrb5), as they can be nasty and are not core to this project.
I am using heimdal on this system currently. So I might try mit-krb5. However the keytab and also kinit are working just fine.
When rdpgw is running in local auth mode, I was supposed to enter PAM credentials to authenticate myself, but it turns out mstsc in Windows doesn't support basic auth anymore. Even if I set gatewaycredentialssource to 3 in my rdp file, it still sent credentials in NTLM. Attached is a packet dump of the handshake in cleartext (attachment: rdp.zip).