how to use freerdp-server? it seems that some file is missing #1060

Closed
macarthor opened this issue Mar 8, 2013 · 37 comments

@macarthor

Hi,

I've been testing xfreerdp-server recently. It always fails to connect. The detailed information is as follows:

root@ubtvm:~# /home/freerdp/usr/bin/xfreerdp-server
Listening on 0.0.0.0 port 3389.
bind: Address already in use
We've got a client 10.190.50.53
Client Security: NLA:1 TLS:1 RDP:0
Server Security: NLA:1 TLS:1 RDP:1
Negotiated Security: NLA:1 TLS:0 RDP:0
private key file: /root/.freerdp/server/server.key
SSL_CTX_use_RSAPrivateKey_file failed
Failed to check freerdp file descriptor
Client 10.190.50.53 disconnected.

I traced the code; the error is at libfreerdp\crypto\tls.c:

printf("private key file: %s\n", privatekey_file);
if (SSL_CTX_use_RSAPrivateKey_file(tls->ctx, privatekey_file, SSL_FILETYPE_PEM) <= 0)
{
    printf("SSL_CTX_use_RSAPrivateKey_file failed\n");
    return FALSE;
}

The argument "privatekey_file" is /root/.freerdp/server/server.key, but this file does not exist.

I wonder if I should use some command to generate this file before starting xfreerdp-server?

@macarthor
Author

After I copied server.cert/server.key from the xfreerdp source tree to ~/.freerdp/server, some other errors occur:

We've got a client 10.190.50.53
Client Security: NLA:1 TLS:1 RDP:0
Server Security: NLA:1 TLS:1 RDP:1
Negotiated Security: NLA:1 TLS:0 RDP:0
private key file: /root/.freerdp/server/server.key
TLS connection accepted
Could not open SAM file!
Could not open SAM file!
Message Integrity Check (MIC) verification failed!
Expected MIC:
0000 67 d9 37 cb ce ff c5 c7 69 83 b1 a2 aa 76 fc 8f g.7.....i....v..
Actual MIC:
0000 dc d8 e2 03 78 d1 ce 4c 16 ee 00 76 f8 e7 90 8e ....x..L...v....
AcceptSecurityContext status: 0x8009030F
client authentication failure
Failed to check freerdp file descriptor
Client 10.190.50.53 disconnected.

any ideas?

@awakecoding
Member

@macarthor yes... it means we've really got to document this, and unfortunately the steps can hardly be automated. Use the winpr-hash tool to generate a password hash and save it as /etc/winpr/SAM

@macarthor
Author

@awakecoding what's the password? rdp login user's password?

@macarthor
Author

@awakecoding aha, it's quite easy!

for those who wanna use freerdp server, follow the following steps:

linux xfreerdp-server (I've tested successfully):

  1. build with -DWITH_SERVER=ON option
  2. copy server/X11/server.crt and server.key to ~/.freerdp/server/
  3. use windows freerdp binary wfreerdp-hash.exe to generate a file with the exact file name "SAM", and copy it to linux /etc/winpr/SAM:
    wfreerdp-hash.exe -d xxx -u xxx -p xxx
    where domain/user/password is the credential of the linux user who is starting xfreerdp-server
  4. start xfreerdp-server binary
  5. use an RDP client to connect to it. REMEMBER, make sure the remotefx option is enabled at the client, or the connection fails!

windows wfreerdp-server.exe (i've not tested):

  1. build with cmake GUI with WITH_SERVER to be ON.
  2. generate the SAM file and copy it to C:. this is an absolute path in the freerdp code. hoping to make it an option.
  3. open the registry editor, go to HKLM\Software\FreeRDP\Server (create it if there's no such path), create two string keys, CertificateFile and PrivateKeyFile, and point them to server.crt and server.key respectively.
  4, 5. same as linux.

@macarthor
Author

@awakecoding i've connected through win7 sp1 rdp 8 client to ubuntu 12.04 xfreerdp-server GIT 20130305. the ubuntu desktop shows, but it seems the screen does not respond to either mouse or keyboard...

@macarthor
Author

wfreerdp.exe GIT 20130305 has no luck either as the client...

@jpippy

jpippy commented Mar 8, 2013

I am using Windows. Since the winpr-hash tool only outputs a string, I am guessing I have to paste this into a file. Do I just have to paste it into a file with the filetype .SAM? Does the name have to be the username? Then move the file to C:? I have no idea how the Security Accounts Manager works and I have been having this same issue.

@jpippy

jpippy commented Mar 8, 2013

I created the SAM file and added the keys, although I am having an issue generating my own certificate and key to use. Here is the format I am using: winpr-makecert -r -pe -n "CN=server" -b 03/08/2013 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 and the tool is just outputting each argument. Could you give me some help generating them?

@macarthor
Author

@jpippy i'm using the server.crt/.key files in freerdp source tree, not created by typing winpr-makecert. it works.

yes, winpr-hash.exe just posts a string, paste it to file "SAM". Note, "SAM" is the exact file name, but not the suffix.

would u plz paste a description about the arguments of winpr-makecert? i've no idea about this tool. many thanks!

@awakecoding
Member

@jpippy see my reply on issue #1063. winpr-makecert is just a stub; if you want makecert you need to get the original tool. Also take a look at the FreeRDP Configuration Manual for certificate generation: https://github.com/awakecoding/FreeRDP-Manuals

@Arkantos7

@awakecoding I am facing the same problem as @macarthor :
"i've connected through win7 sp1 rdp 8 client to ubuntu 12.04 xfreerdp-server GIT 20130305. the ubuntu desktop shows, but it seems the screen does not respond to either mouse or keyboard..."
I am using the updated master. Could you suggest a fix or where I can start to debug?
Thanks

@Oshirowanen

@macarthor I am on Linux. Where do I get wfreerdp-hash.exe from?

@bmiklautz
Member

@Oshirowanen I don't know about wfreerdp-hash (not sure this actually exists) but you can find winpr-hash.exe in FreeRDP/winpr/tools/hash

@Oshirowanen

@bmiklautz That's confusing. According to this post: #1060 (comment), @macarthor says to run the following wfreerdp-hash.exe -d xxx -u xxx -p xxx to create a SAM file. I have clearly misunderstood something.

@Arkantos7

I also do not know the existence of wfreerdp-hash.exe or its use. However, if you wish to generate the hash to copy in the SAM file then this works:
FreeRDP/winpr/tools/hash -d -u -p

All these are credentials of the server on which your freerdp-server is running.

On 02-Jul-2014, at 7:19 AM, "Oshirowanen" notifications@github.com wrote:

@bmiklautz That's confusing. According to this post: #1060 (comment), @macarthor says to run the following wfreerdp-hash.exe -d xxx -u xxx -p xxx to create a SAM file. I have clearly misunderstood something.



@Oshirowanen

@Arkantos7 I don't have a freerdp server, only the freerdp client. Is it possible to get a SAM file from a Microsoft RDP server and copy it down to the client machine?

@bmiklautz
Member

@Arkantos7 I'm fairly sure wfreerdp-hash.exe was a typo and it's winpr-hash.

@macarthor hints?

@Oshirowanen

@Arkantos7 If it was a typo, that's fair enough. In that case, if I don't have a freerdp server, and only a microsoft rdp server, how do I generate a SAM file to use on a client machine?

@Arkantos7

All the steps and discussions mentioned above were to get xfreerdp-server set up and running. Why do you need the hash from a Microsoft RDP server? When you say Microsoft RDP, I'm assuming you mean the default Microsoft RDP service, mstsc.
I'm sure it generates a hash on the server side to authenticate the credentials the client uses to connect. However, I haven't tried the Microsoft side of things and do not know if it's possible. Microsoft does not release its mstsc source code.

On 02-Jul-2014, at 7:32 AM, "Oshirowanen" notifications@github.com wrote:

@Arkantos7 I don't have a freerdp server, only the freerdp client. Is it possible to get a SAM file from a Microsoft RDP server and copy it down to the client machine?



@Oshirowanen

@Arkantos7 When I try to connect to a microsoft rdp tsg server, using a linux client computer with freerdp, I get a message saying that the sam file is missing. This only happens if I am outside the LAN. If I am inside the LAN, it works fine. However, using a windows 7 computer inside or outside the lan, I can connect to the microsoft rdp tsg server without any issues. I only get a sam issue when the client is Linux + outside the lan. A linux client using freerdp which is running within the lan connects without any issue to the microsoft rdp tsg server.

Which is why I thought that I may need to generate a SAM file and copy it to the client machine. I was clearly wrong.

@Arkantos7

Okay. That issue is unrelated to the one mentioned in this thread. This thread is about freerdp-server. Anyways, let me check on that and get back to you.

On 02-Jul-2014, at 7:39 AM, "Oshirowanen" notifications@github.com wrote:

@Arkantos7 When I try to connect to a microsoft rdp server which uses tsg using a client computer with freerdp, I get a message saying that the sam file is missing.



@Oshirowanen

@Arkantos7 I didn't realize this issue is unrelated. Thanks for pointing that out. As it's unrelated, would it make more sense to post a reply here #1936 if you figure out why I am getting that issue?

@kamalsomu

@macarthor Hi. I followed all the steps you have mentioned for setting up xfreerdp-server in linux. However at last I am unable to start the server by using the command xfreerdp-server . I am getting command not found. can you figure out what i am missing?

@macarthor
Author

@believeyourself what's the full path of your xfreerdp-server binary? is it marked as executable? it seems you are a newbie of linux :)

try:

  1. sudo chmod +x /full/path/to/xfreerdp-server, and
  2. sudo vim /etc/ld.conf.d/freerdp.conf, and add /full/path/to/xfreerdp-server/lib/i386-xxx, and
  3. sudo ldconfig, and
  4. /full/path/to/xfreerdp-server , and
  5. done

@bmiklautz bmiklautz removed this from the 1.1 milestone May 25, 2016
@mailinglists35

is there any way to authenticate using standard linux users, not via external SAM file?

@nekohayo

With the 2.0 release, assuming FreeRDP provides an RDP server for Linux for Xorg and/or Wayland, it would be really nice to document this. There's a "freerdp-server" 2.0.0 package available in Fedora, and it provides no binary nor systemd service/unit, and I couldn't find any documentation on how to make that work.

I tried xrdp/xorgxrdp also (which I understand is a separate project, but I'm just mentioning it here) and had zero luck there too.

I'm hoping in the future I can use FreeRDP for my "remote desktop into a Fedora or Centos Linux workstation with something that isn't VNC or X2go" needs. I don't know what the status of readiness of the code/implementation is for freerdp-server, but if it's already supposed to work, the lack of documentation (looked at every wiki, README, and websites I could find) is very confusing to say the least :)

@akallabeth
Member

@nekohayo the binaries in freerdp are mostly samples (shadow and proxy are complete).
An RDP server on linux that uses freerdp is ogon (ogon-project here on github)

@akallabeth
Member

Oh, and your problem is you need to create a certificate for the server ;)

@inukaze

inukaze commented Dec 9, 2020

Hi there, I am using Slackware64 14.2. I downloaded the files from https://slackbuilds.org/repository/14.2/network/freerdp/?search=freerdp

I edited the following section of the freerdp.slackbuild file:

#ORIGINAL :

mkdir -p build
cd build
  cmake \
    -DCMAKE_C_FLAGS:STRING="$SLKCFLAGS $(pkg-config --cflags gstreamer-base-1.0)" \
    -DCMAKE_INSTALL_PREFIX=/usr \
    -DWITH_CUPS=ON \
    -DWITH_FFMPEG=$WITH_FFMPEG \
    -DWITH_LIBSYSTEMD=OFF \
    -DWITH_WAYLAND=OFF \
    -DWITH_PULSE=ON \
    -DCMAKE_BUILD_TYPE=Release ..
  make VERBOSE=1
  make install DESTDIR=$PKG
cd ..

#Edited by myself :

mkdir -p build
cd build
  cmake \
    -DCMAKE_C_FLAGS:STRING="$SLKCFLAGS $(pkg-config --cflags gstreamer-base-1.0)" \
    -DCMAKE_INSTALL_PREFIX=/usr \
    -DWITH_CUPS=ON \
    -DWITH_SERVER=ON \
    -DWITH_SAMPLE=ON \
    -DWITH_FFMPEG=$WITH_FFMPEG \
    -DWITH_LIBSYSTEMD=OFF \
    -DWITH_WAYLAND=OFF \
    -DWITH_PULSE=OFF \
    -DCMAKE_BUILD_TYPE=Release ..
  make VERBOSE=1
  make install DESTDIR=$PKG
cd ..

Notes:
1 - I upgraded ffmpeg manually, so I have that dependency solved.

2 - I don't use Avahi, PulseAudio or SystemD, because I just don't like them; they make my system very slow.

3 - A lot of sites say things like:

copy server/X11/server.crt and server.key to ~/.config/freerdp/server/


Issue #600 - server certificates - this requires server.crt and server.key to be in ~/.freerdp/server

 cd ./server/X11/
 mkdir -p ~/.freerdp/server
 cp server.* ~/.freerdp/server
./xfreerdp-server

And, well, I have some unknowns at point 3:
A) What is the full path of that file?
Those files are not included in the source code, and there is no explanation of how I can make them.

B) How can the user make their own valid key file and certificate file to use with the server?

C) Why do all those relative paths for copying server.{crt,key} not exist in the git source code or the SlackBuild source? I really need to generate that file, because when I try to connect to my own freerdp-server I notice the following in the terminal:

[00:32:01:073] [13928:13929] [INFO][com.freerdp.primitives] - primitives autodetect, using generic
[00:32:01:205] [13928:13929] [ERROR][com.freerdp.core] - unable to open RSA key file server.key: No such file or directory.
[00:32:01:205] [13928:13929] [ERROR][com.freerdp.core.peer] - invalid RDP key file server.key
[00:32:01:205] [13928:13929] [INFO][com.freerdp.server.sample] - We've got a client 192.168.1.27
[00:32:01:205] [13928:13929] [INFO][com.freerdp.core.connection] - Client Security: NLA:1 TLS:1 RDP:0
[00:32:01:205] [13928:13929] [INFO][com.freerdp.core.connection] - Server Security: NLA:0 TLS:1 RDP:1
[00:32:01:205] [13928:13929] [INFO][com.freerdp.core.connection] - Negotiated Security: NLA:0 TLS:1 RDP:0
[00:32:01:206] [13928:13929] [ERROR][com.freerdp.crypto] - BIO_new_file failed for private key server.key

@inukaze

inukaze commented Dec 9, 2020

Well, I tried the following:

mkdir -p ~/.config/freerdp/server

ssh-keygen -f ~/.config/freerdp/server/server.key -t rsa -b 4096

ssh-keygen -s ~/.config/freerdp/server/server.key -I "$USER"@"$HOSTNAME" ~/.config/freerdp/server/server.key.pub ; cp ~/.config/freerdp/server/server.key.pub ~/.config/freerdp/server/server.key-cert.pub server.crt

After that I tried to connect from another machine with Remmina and got the following message:

"Error connecting to RDP server «IP». TLS connection failed. Check that client and server support a common TLS version."

In the terminal output I notice the following:

[01:13:49:578] [14440:14482] [INFO][com.freerdp.server.sample] - We've got a client 192.168.1.17
[01:13:49:578] [14440:14482] [INFO][com.freerdp.core.connection] - Client Security: NLA:1 TLS:1 RDP:0
[01:13:49:578] [14440:14482] [INFO][com.freerdp.core.connection] - Server Security: NLA:0 TLS:1 RDP:1
[01:13:49:578] [14440:14482] [INFO][com.freerdp.core.connection] - Negotiated Security: NLA:0 TLS:1 RDP:0
[01:13:49:579] [14440:14482] [ERROR][com.freerdp.crypto] - invalid certificate

Well, I suppose I need another way to make the TLS configuration the server/client needs for the connection to work.

For the moment I don't have ideas for solving it.

@inukaze

inukaze commented Dec 9, 2020

Someday browsers will be able to edit on this site (I really don't know why trying to edit never works)

Well my last try was :

mkdir -p ~/.config/freerdp/server
cd ~/.config/freerdp/server
ssh-keygen -f ~/.config/freerdp/server/server.key -t rsa -b 4096
openssl genrsa -des3 -out private.pem 2048
openssl rsa -in private.pem -outform PEM -pubout -out public.pem
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:4096 -keyout private.pem -out server.crt

and the terminal output :

[02:26:26:260] [16130:16130] [INFO][com.freerdp.core.listener] - Listening on 0.0.0.0:3389
[02:26:26:260] [16130:16130] [INFO][com.freerdp.core.listener] - Listening on socket /tmp/tfreerdp-server.3389.
[02:26:30:278] [16130:16136] [INFO][com.freerdp.primitives] - primitives autodetect, using optimized
[02:26:30:328] [16130:16136] [INFO][com.freerdp.server.sample] - We've got a client 192.168.1.17
[02:26:30:328] [16130:16136] [INFO][com.freerdp.core.connection] - Client Security: NLA:1 TLS:1 RDP:0
[02:26:30:328] [16130:16136] [INFO][com.freerdp.core.connection] - Server Security: NLA:0 TLS:1 RDP:1
[02:26:30:328] [16130:16136] [INFO][com.freerdp.core.connection] - Negotiated Security: NLA:0 TLS:1 RDP:0

Well, this looks like the nearest to what the server expects, but I don't understand why "TLS", and I have no idea how to make keys + cert with rsa & tls using (open)ssl3

@akallabeth
Member

@inukaze what are you trying to do? the sample server expects these files in the current work directory (the one you start from) but it will just show you a window with a fancy mouse cursor.

@inukaze

inukaze commented Dec 16, 2020

@akallabeth : I am just trying to start a freerdp server, but there is no sample configuration file or the key file the server expects; because of that I tried to generate one compatible with the freerdp server to start it.

@akallabeth
Member

@inukaze you know what a ssl key and certificate is? winpr-makecert is wrapping that to some extent, but normal openssl stuff works too
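
An added example, not part of the thread and not code from the FreeRDP project: generating a PEM RSA key with a self-signed X.509 certificate using openssl, then checking that server.key and server.crt actually belong together. The function names, the CN and the target directory are assumptions; the check catches the two failure cases visible in the attempts above (an OpenSSH certificate saved as server.crt, and a certificate whose key was written to a different file).

```shell
#!/bin/sh
# Added example. Function names, CN and directory are placeholders.

# make_server_cert DIR [CN]: write DIR/server.key and DIR/server.crt.
make_server_cert() {
    dir=$1; cn=${2:-rdp-sample.example}
    mkdir -p "$dir" || return 1
    (
        umask 077   # keep the private key unreadable for group/others
        openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
            -subj "/CN=$cn" \
            -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    )
}

# check_server_cert DIR: print a verdict; return 0 only for a usable pair.
check_server_cert() {
    dir=$1
    if [ ! -r "$dir/server.key" ] || [ ! -r "$dir/server.crt" ]; then
        echo "missing file"; return 1
    fi
    # server.crt must parse as X.509; an OpenSSH *-cert.pub file does not.
    openssl x509 -in "$dir/server.crt" -noout 2>/dev/null ||
        { echo "not an X.509 certificate"; return 2; }
    # server.key must be a PEM private key readable without a passphrase.
    openssl pkey -in "$dir/server.key" -noout -passin pass: 2>/dev/null ||
        { echo "unreadable private key"; return 3; }
    # The certificate's public key must be the one derived from server.key.
    cert_pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout -passin pass: 2>/dev/null)
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "key does not match certificate"; return 4; }
    echo "ok"
}

# Usage: make_server_cert "$PWD" && check_server_cert "$PWD"
```

A self-signed certificate produced this way is not trusted by clients automatically, so the first connection will prompt for the certificate to be accepted.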

@inukaze

inukaze commented Dec 20, 2020

@akallabeth : yes I know. Well, the openssl output looks compatible, but if I try to connect, I just get an error that says TLS is not compatible.

@akallabeth
Member

@inukaze ok, rereading the thread, I think I get that we're talking about different things.
The TLS in Client Security: NLA:1 TLS:1 RDP:0 is for RDP authentication modes:

  1. NLA means you send the credentials before connection
  2. TLS means you establish a SSL/TLS connection anonymously and you are presented with a login screen in the RDP connection
  3. RDP is the same as TLS just without the encryption (very very old stuff)
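
An added example, not part of the thread and not FreeRDP code: a small log triage that reads the `Client Security` / `Server Security` / `Negotiated Security` lines shown in the server output above and prints, per connection, which of the three modes was negotiated, flagging sessions that did not use NLA and servers that still offer the legacy RDP mode. The function names, the flag labels and the sample log (built from the line formats in this thread, with documentation IP addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example. Constructed sample log in both line formats seen in the thread.
sample_log() {
cat <<'EOF'
We've got a client 192.0.2.10
Client Security: NLA:1 TLS:1 RDP:0
Server Security: NLA:1 TLS:1 RDP:1
Negotiated Security: NLA:1 TLS:0 RDP:0
[00:32:01:205] [13928:13929] [INFO][com.freerdp.server.sample] - We've got a client 192.0.2.11
[00:32:01:205] [13928:13929] [INFO][com.freerdp.core.connection] - Client Security: NLA:1 TLS:1 RDP:0
[00:32:01:205] [13928:13929] [INFO][com.freerdp.core.connection] - Server Security: NLA:0 TLS:1 RDP:1
[00:32:01:205] [13928:13929] [INFO][com.freerdp.core.connection] - Negotiated Security: NLA:0 TLS:1 RDP:0
EOF
}

# classify_security [LOGFILE]: one output line per connection:
#   <client> <negotiated mode> [no-nla] [server-offers-rdp]
classify_security() {
    awk '
    # Return the 0/1 value that follows "NAME:" in line, or -1 if absent.
    function flag(line, name) {
        if (match(line, name ":[01]"))
            return substr(line, RSTART + length(name) + 1, 1) + 0
        return -1
    }
    /We.ve got a client/   { client = $NF }
    /Server Security:/     { srv_rdp = flag($0, "RDP") }
    /Negotiated Security:/ {
        mode = "none"
        if (flag($0, "NLA") == 1)      mode = "NLA"
        else if (flag($0, "TLS") == 1) mode = "TLS"
        else if (flag($0, "RDP") == 1) mode = "RDP"
        note = ""
        if (mode != "NLA") note = note " no-nla"             # login happens inside the session
        if (srv_rdp == 1)  note = note " server-offers-rdp"  # legacy mode still enabled
        printf "%s %s%s\n", (client == "" ? "?" : client), mode, note
        client = ""; srv_rdp = -1
    }' "$@"
}

sample_log | classify_security
```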

@inukaze

inukaze commented Dec 29, 2020

@akallabeth : Thank you very much for the information and specifications
