bolkedebruin / rdpgw

Remote Desktop Gateway in Go for deploying on Linux/BSD/Kubernetes
Apache License 2.0
698 stars 115 forks

mstsc always uses NTLM to authenticate #57

Closed snowie2000 closed 1 year ago

snowie2000 commented 1 year ago

When rdpgw is running in local auth mode, I was supposed to enter PAM credentials to authenticate myself, but it turns out mstsc in Windows doesn't support basic auth anymore. Even if I set gatewaycredentialssource to 3 in my .rdp file, it still sent credentials in NTLM.

Attached is a packet dump of the handshake in cleartext: rdp.zip

nfedera commented 1 year ago

Does this work with FreeRDP or the free Thincast RDP Client (snap | flatpak)?

bolkedebruin commented 1 year ago

@snowie2000 yes, that's correct; you might be better off with the Windows Store version, one of the 3rd-party clients or the Mac version. The client included with Windows has some bugs, as you have noticed.

@nfedera yes it works with FreeRDP and Thincast (afaik).

snowie2000 commented 1 year ago

@bolkedebruin Thincast also authenticates in NTLM.

bolkedebruin commented 1 year ago

@snowie2000 @nfedera I've implemented a KDC proxy which allows you to authenticate against Kerberos (MIT/FreeIPA/AD). You need to understand what you are doing though. Currently it is also mutually exclusive with Basic Auth and OpenID due to limitations in the underlying libraries.

To enable it, set authentication to kerberos and add a kerberos section with keytab as the minimum parameter. If you don't have a system-wide krb5.conf, make sure to put one somewhere and set krb5conf to its path.

The keytab should contain "HTTP/fully.qualified.domain@REALM.TLD", as that is hardcoded in the clients. For now the KDC should be reachable by TCP, and password changes are not supported yet.

The client will use Kerberos over NTLM.

snowie2000 commented 1 year ago

That sounds great!

SkyBeam commented 1 year ago

I am trying to get this running but all I get is

2022/12/30 15:56:27 Identity SessionId: 3cb2c75f-bb60-4de3-83fc-5901a6a6a460, UserName: : Authenticated: false
2022/12/30 15:56:27 10.0.1.23:57899 - SPNEGO error in unmarshaling SPNEGO token: not a valid SPNEGO token: asn1: structure error: explicitly tagged member didn't match

Not sure if it is somehow related to the keytab, but I have added the SPN "HTTP/host.ad.domain.local@AD.DOMAIN.LOCAL", exported the keytab and referenced it in the configuration file; my krb5.conf also contains the required lines:

[libdefaults]
        default_realm = AD.DOMAIN.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]
        AD.DOMAIN.LOCAL = {
                default_domain = ad.domain.local
                kdc = server.ad.domain.local
                # master_kdc = server.ad.domain.local
                admin_server = server.ad.domain.local
        }

frostashe commented 1 year ago

> I am trying to get this running but all I get is
>
> 2022/12/30 15:56:27 Identity SessionId: 3cb2c75f-bb60-4de3-83fc-5901a6a6a460, UserName: : Authenticated: false
> 2022/12/30 15:56:27 10.0.1.23:57899 - SPNEGO error in unmarshaling SPNEGO token: not a valid SPNEGO token: asn1: structure error: explicitly tagged member didn't match
>
> Not sure if it is somehow related to the keytab, but I have added the SPN "HTTP/host.ad.domain.local@AD.DOMAIN.LOCAL", exported the keytab and referenced it in the configuration file; my krb5.conf also contains the required lines:
>
> [libdefaults]
>         default_realm = AD.DOMAIN.LOCAL
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>
> [realms]
>         AD.DOMAIN.LOCAL = {
>                 default_domain = ad.domain.local
>                 kdc = server.ad.domain.local
>                 # master_kdc = server.ad.domain.local
>                 admin_server = server.ad.domain.local
>         }

same here

bolkedebruin commented 1 year ago

Both are most likely due to issues with the keytab. I have only tested this against MIT Kerberos. Please try kinit commands to see where the issue lies. For further debugging I need to refer you to the underlying libraries (MIT, gokrb5), as they can be nasty and are not core to this project.
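The two things this thread asks an operator to verify are that the keytab holds the principal the clients hard-code (HTTP/fully.qualified.domain@REALM.TLD, from the earlier comment) and that kinit works with it (this comment). The following shell script is an added example, not rdpgw code and not something posted in the thread. It assumes MIT krb5 client tools (klist, kinit) are on the path; the keytab path, host and realm are placeholders, and SAMPLE_KLIST is a constructed imitation of klist -kt output so the parsing part can be exercised without a real keytab.

```shell
#!/bin/sh
# Added example (not rdpgw code): check that a keytab carries the principal rdpgw's
# Kerberos mode needs, then prove the key works by taking a TGT from it with kinit.
# Assumes MIT krb5 client tools (klist, kinit). Host, realm and path are placeholders.

# expected_spn HOST REALM -> the principal the RDP clients hard-code: HTTP/<fqdn>@<REALM>
# Host part lowercased, realm uppercased, as is conventional for Kerberos principals.
expected_spn() {
    printf 'HTTP/%s@%s\n' \
        "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" \
        "$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')"
}

# keytab_has_spn LISTING SPN -> exit 0 if SPN appears as a whole field in the listing.
# Written against `klist -kt` output (KVNO, date, time, principal) but compares every
# field of every line, so other column layouts (e.g. Heimdal's ktutil list) also work.
keytab_has_spn() {
    printf '%s\n' "$1" | awk -v spn="$2" '
        { for (i = 1; i <= NF; i++) if ($i == spn) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample of `klist -kt` output in the MIT format (placeholder host/realm),
# so the checks above can run offline.
SAMPLE_KLIST='Keytab name: FILE:/etc/rdpgw/rdpgw.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 12/30/2022 15:50:12 HTTP/host.ad.domain.local@AD.DOMAIN.LOCAL
   3 12/30/2022 15:50:12 HTTP/host.ad.domain.local@AD.DOMAIN.LOCAL'

# verify_keytab KEYTAB HOST REALM -> live check against the real keytab and KDC.
verify_keytab() {
    keytab=$1
    spn=$(expected_spn "$2" "$3")
    listing=$(klist -kt "$keytab") || { echo "cannot read keytab $keytab" >&2; return 1; }
    if ! keytab_has_spn "$listing" "$spn"; then
        echo "keytab $keytab does not contain $spn; clients will not be able to use Kerberos" >&2
        return 1
    fi
    # Use a throw-away credential cache so the check never touches the user's own tickets.
    cache=$(mktemp "${TMPDIR:-/tmp}/rdpgw-kt.XXXXXX") || return 1
    if kinit -c "FILE:$cache" -kt "$keytab" "$spn"; then
        echo "ok: $spn is in $keytab and the KDC accepted its key"
        rc=0
    else
        echo "kinit with $spn from $keytab failed: wrong KVNO, stale key or KDC unreachable over TCP" >&2
        rc=1
    fi
    rm -f "$cache"
    return $rc
}

# Usage: ./check_keytab.sh /etc/rdpgw/rdpgw.keytab host.ad.domain.local AD.DOMAIN.LOCAL
if [ $# -eq 3 ]; then
    verify_keytab "$1" "$2" "$3"
fi
```

If the live check passes but rdpgw still logs the SPNEGO "not a valid SPNEGO token" error, the keytab is unlikely to be the cause: that error is raised while parsing the token the client sent, before any key from the keytab is used. On a Heimdal system the keytab is listed with ktutil rather than klist -kt, so only the offline parsing part of this script applies there without changes.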

SkyBeam commented 1 year ago

I am using heimdal on this system currently. So I might try mit-krb5. However the keytab and also kinit are working just fine.