TS Gateway Support #386

Closed
nosovk opened this Issue Feb 1, 2012 · 128 comments


nosovk commented Feb 1, 2012

wantmoore commented Feb 6, 2012

+1 Would LOVE to see this.

tgulacsi commented Feb 19, 2012

+1

Contributor

meosborne commented Feb 20, 2012

+1

richud commented Mar 20, 2012

this is the most vital thing to do as nothing else supports it and all companies are starting to use it !

adek commented Mar 28, 2012

+1

Contributor

dupondje commented Apr 5, 2012

This would indeed be cool !

tedkuban commented Apr 17, 2012

+1

skazochnik97 commented Apr 18, 2012

+1

Daniel15 commented Apr 20, 2012

+1, this would be very nice to see :)

Contributor

dupondje commented Apr 20, 2012

FYI, awakecoding is working on this :)

Daniel15 commented Apr 21, 2012

Nice to hear. Thanks so much, @awakecoding! Terminal Services Gateway is really nice, and being able to connect from Linux would be amazing :)

Member

awakecoding commented Apr 21, 2012

I'm working on it, it's definitely a really hard one, but progress is being made.

Daniel15 commented Apr 22, 2012

Is it the regular RDP protocol tunneled over HTTPS or is there more to it?

Member

awakecoding commented Apr 24, 2012

@Daniel15 unfortunately, it's much more than just regular RDP tunneled over HTTPS. It uses two HTTPS connections, one for sending and one for receiving; NTLM over HTTP authentication is performed on both of them. This is followed by a second authentication phase using "RTS" messages modified from messages defined in C706. Following this is a sequence of messages for the creation of the tunnel and channels using MSRPC, which really isn't portable and far from trivial.

Nevertheless, I'm getting closer to getting something to work. I'll tell you when it's ready to test.

Daniel15 commented Apr 24, 2012

@awakecoding Interesting. Glad you're getting close to having something that works. I'm more than happy to beta-test once you've finished a basic version :)

I did find another Linux application that implements the TS Gateway functionality - iTap RDP (http://itap-mobile.com/desktop/rdp). Unfortunately it's a proprietary application and not a free one. Still, it may help if you need to sniff the protocol some more while on a Linux box. It seems to connect faster than Microsoft's Windows 7 RDP client for some reason.

Member

awakecoding commented Apr 24, 2012

@Daniel15 I think I know why third-party implementations are faster: the protocol specification defines a proxy detection phase with a timeout, I'm pretty sure only the Microsoft implementation does the proxy detection, which would explain the difference. This means mstsc.exe would spend some initial amount of time waiting, and timeout if no proxy is detected, to proceed normally.

Actually, I spoke with some of the iTap developers two weeks ago. I am well aware of the interest in TS Gateway, many are very proud to have their implementation in their commercial software, but we're catching up to them and we'll soon come up with our own open source implementation :)

taspeotis commented Apr 26, 2012

I can imagine reading through the TS Gateway spec is going to be a small project in itself, never mind implementing it!

+1 for this, hoping to use FreeRDP on Mac to connect via TS Gateway one day.

stkol76 commented Apr 27, 2012

This is brilliant news.. I am working on a project that is stuck because of the missing TS Gateway feature of FreeRDP..

@awakecoding, do you have an approximate ETA on your work? :-) .. Really looking forward to this!!!

+1 for this!!!!

Member

awakecoding commented Apr 29, 2012

I don't have an ETA on this, I'm basically stuck on the part which involves a proper MSRPC implementation. In certain cases I can get past the connection sequence, but it crashes not long after due to improper buffer management. If you want to help, you can give it a shot, if you're lucky you'll get past the connection sequence and you can help with the buffer management. In the meantime, I'll be working on the MSRPC implementation, so that it works properly in all cases. Currently, we're sending a bunch of blobs in which we're extracting and inserting data at specific offsets, which really isn't a good solution.

Member

awakecoding commented Apr 29, 2012

In case you guys aren't aware, MSRPC interoperability is a huge problem... it's non-trivial and non-portable. Samba has its own wire-compatible implementation, wine has a reimplementation of the original MSRPC engine, but none of those implementations is usable to us, either because of the licensing or because we can't afford to add such dependencies. I'm working on an implementation of a sufficient subset of the original MSRPC engine that would make use of code generated with Microsoft's MIDL compiler. The MSRPC engine is contained within rpcrt4.dll.

taspeotis commented Apr 29, 2012

We're talking about http://pubs.opengroup.org/onlinepubs/009629399/ ? I couldn't find a Microsoft specific version.

Thanks for your time so far.

Member

awakecoding commented Apr 29, 2012

@taspeotis: MSRPC is a modified version of "standard" RPC defined in C706. It adds support for all the Windows data types along with many other non-standard features. MS-RPCH and MS-RPCE define those extensions, the rest is defined in C706. The link you gave is for C706, which is the basis for MSRPC, but not MSRPC.

bluepeach commented May 3, 2012

I might be able to help. I have an MSRPC implementation. It's part of our own product. Depends how much you need of it. MSRPC involves named pipes, DCE, etc. That pretty much means you need a full CIFS implementation, which seems hard to believe. Is this MSRPC over something other than CIFS? If so, I could probably get you the code. If it's over CIFS, that would involve too much of our product to share.

Member

awakecoding commented May 3, 2012

@bluepeach we're lucky, TSG does not require a full CIFS implementation. It's RPC over HTTP, I have already completed NTLM over HTTP authentication and the connection sequence which precedes the MSRPC calls. I'm currently implementing a replacement for the original MSRPC engine contained in rpcrt4.dll, and using code generated with the Microsoft MIDL compiler. The generated code uses format strings which are then passed to generic functions in the engine. The engine then analyzes the format string and does 4 steps: sizing, marshalling, unmarshalling, and freeing. I'm currently going over the sizing phase, and spending a lot of time reading the docs on MSDN and looking at rpcrt4.dll in IDA Pro.

If you have source code to contribute, I would definitely take it! If I can't use it as-is, I could still adapt the code to our needs knowing that it's been contributed to us under the Apache license. Please go forward with this, it would be very helpful :D

bluepeach commented May 3, 2012

It sounds like you're following a more robust direction than I would have been able to provide. Our code does not work off of IDL files but rather has a set of APIs that allow dynamic argument building and inclusion into a message, along the lines of PushUID, PushInt, PushVString, etc. I like the approach you are using better, but we didn't want to implement something quite so general purpose.

If you run into any issues, I can try to help. And I'd be more than happy to beta your solution if you need any test help.

We currently use iTap, but to be honest, I don't think it's a very stable solution. It crashes on us fairly often (once an hour), echoes characters (like it gets stuck echoing the last character typed 20 or more times) in RDP sessions (very, very annoying), and hangs often so we have to force kill it.

Let me know if there's any way I can help.

Rich
 
Richard Schmitt
CTO
857-205-9315
www.bluepeach.com


From: Marc-André Moreau reply@reply.github.com
To: bluepeach rschmitt@bluepeach.com
Sent: Thursday, May 3, 2012 10:41 AM
Subject: Re: [FreeRDP] TS Gateway Support (#386)

@bluepeach we're lucky, TSG does not require a full CIFS implementation. It's RPC over HTTP, I have already completed NTLM over HTTP authentication and the connection sequence which precedes the MSRPC calls. I'm currently implementing a replacement for the original MSRPC engine contained in rpcrt4.dll, and using code generated with the Microsoft MIDL compiler. The generated code uses format strings which are then passed to generic functions in the engine. The engine then analyzes the format string and does 4 steps: sizing, marshalling, unmarshalling, and freeing. I'm currently going over the sizing phase, and spending a lot of time reading the docs on MSDN and looking at rpcrt4.dll in IDA Pro.

If you have source code to contribute, I would definitely take it! If I can't use it as-is, I could still adapt the code to our needs knowing that it's been contributed to us under the Apache license. Please go forward with this, it would be very helpful :D


Reply to this email directly or view it on GitHub:
#386 (comment)

Member

awakecoding commented May 3, 2012

@bluepeach I'm looking at your website right now, it looks like the current code I'm working on might be very interesting to you. Would you like to collaborate on a generic and reusable solution like what I'm currently doing? I'm thinking of making a spin-off project at one point since it has high value. If your solution is not generic enough, I could still make use of it as a reference implementation in which I'd be allowed to copy parts of the code, if you allow me to do so. You could send me a private copy instead of sending it to everyone, and I'd take inspiration from it. What do you think?

richud commented Jun 9, 2012

any news ? :)

Nuanda commented Jul 3, 2012

+1

thugcee commented Jul 3, 2012

+1

masepi commented Jul 6, 2012

+1

richud commented Jan 7, 2013

@awake I have tried dword as 0 & 1 and it doesn't seem to make any difference; this is the strace log, so it's definitely reading it ok? (it is root ownership w/everyone readable)

uname({sys="Linux", node="8200elite", ...}) = 0
uname({sys="Linux", node="8200elite", ...}) = 0
stat("/home/xxxxxx/.freerdp", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
open("/etc/winpr/HKLM.reg", O_RDONLY) = 5
fstat(5, {st_mode=S_IFREG|0644, st_size=102, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa62cdb6000
fstat(5, {st_mode=S_IFREG|0644, st_size=102, ...}) = 0
lseek(5, 0, SEEK_SET) = 0
read(5, "[HKEY_LOCAL_MACHINE\System\Curre"..., 102) = 102
lseek(5, 102, SEEK_SET) = 102
pipe([6, 7]) = 0
pipe([8, 9]) = 0
pipe([10, 11]) = 0
brk(0x22d5000) = 0x22d5000
mmap(NULL, 135168, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa62cd65000
brk(0x22f6000) = 0x22f6000

either way gives 401 Unauthorized and ends
rts_connect error!
rpc_connect failed!
Error: protocol security negotiation or connection failure

chrissiefken commented Jan 10, 2013

+1 and following

Member

awakecoding commented Jan 10, 2013

@richud I have pushed improvements today, but I've got more on my branch.

Using my branch, can you try the following settings?

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\WinPR\NTLM]
"SendSingleHostData"=dword:00000001

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA]
"SuppressExtendedProtection"=dword:00000000

richud commented Jan 10, 2013

@awake, thanks for your continued efforts, afraid it's still the same outcome for me

connected to xxxxxxxx.uk:443
connected to xxxxxxxx:443
rts_connect error! Status Code: 401
HTTP/1.1 401 Unauthorized
Content-Type: text/plain
Server: Microsoft-IIS/7.5
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="xxxxxx.uk"
Date: Thu, 10 Jan 2013 08:17:59 GMT
Content-Length: 13

rts_connect error!
rpc_connect failed!
Error: protocol security negotiation or connection failure

richud commented Jan 10, 2013

(incidentally my connection to server 2003 only works if they are both set to 0; setting either to 1 stops it working with the same error)

ringods commented Jan 25, 2013

+1

Albeit I would use FreeRDP as a plugin in Royal TSx.

kervin commented Jan 29, 2013

+1

Member

awakecoding commented Jan 31, 2013

I found a major bug and fixed it. Base64 encoding was broken, and NTLM authenticate messages of a length matching 4*n+2 would be incorrectly encoded. I worked hard on improving NTLMv2 authentication thinking this was the issue, but the issue was really just how the message was encoded. I have merged the fix on master, please give it a try, I believe it should work out of the box for most people now.
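An added example, not FreeRDP's code, of the kind of Base64 tail handling the fix above is about: both padded residues are encoded explicitly, the decoder rejects misplaced padding, and a round-trip self-check (over a constructed byte pattern) can be run for every input length, including the 4*n+2 lengths named above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not FreeRDP's code: Base64 with every tail case handled. */
static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Encode len bytes; returns a malloc'd NUL-terminated string (caller frees). */
char *b64_encode(const uint8_t *in, size_t len)
{
    size_t olen = 4 * ((len + 2) / 3);   /* 4 chars per started 3-byte group */
    char *out = malloc(olen + 1);
    size_t i = 0, o = 0;
    if (!out) return NULL;
    for (; i + 3 <= len; i += 3) {       /* full 3-byte groups */
        uint32_t v = ((uint32_t)in[i] << 16) | ((uint32_t)in[i + 1] << 8) | in[i + 2];
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = B64[(v >> 6) & 63];
        out[o++] = B64[v & 63];
    }
    if (len - i == 1) {                  /* one byte left: 2 chars + "==" */
        uint32_t v = (uint32_t)in[i] << 16;
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = '=';
        out[o++] = '=';
    } else if (len - i == 2) {           /* two bytes left: 3 chars + "=" */
        uint32_t v = ((uint32_t)in[i] << 16) | ((uint32_t)in[i + 1] << 8);
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = B64[(v >> 6) & 63];
        out[o++] = '=';
    }
    out[o] = '\0';
    return out;
}

static int b64_val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode a padded Base64 string into a malloc'd buffer, setting *out_len.
 * Returns NULL on malformed input (bad length, bad char, misplaced '='). */
uint8_t *b64_decode(const char *in, size_t *out_len)
{
    size_t len = strlen(in), o = 0;
    uint8_t *out;
    if (len % 4 != 0) return NULL;
    out = malloc(len / 4 * 3 + 1);
    if (!out) return NULL;
    for (size_t i = 0; i < len; i += 4) {
        int v[4], pad = 0;
        for (int k = 0; k < 4; k++) {
            if (in[i + k] == '=') {
                /* '=' is only legal in the last group, in position 2 or 3 */
                if (i + 4 != len || k < 2) { free(out); return NULL; }
                v[k] = 0;
                pad++;
            } else {
                if (pad) { free(out); return NULL; }   /* data after '=' */
                v[k] = b64_val((unsigned char)in[i + k]);
                if (v[k] < 0) { free(out); return NULL; }
            }
        }
        uint32_t x = ((uint32_t)v[0] << 18) | ((uint32_t)v[1] << 12) |
                     ((uint32_t)v[2] << 6) | (uint32_t)v[3];
        out[o++] = (uint8_t)(x >> 16);
        if (pad < 2) out[o++] = (uint8_t)(x >> 8);
        if (pad < 1) out[o++] = (uint8_t)x;
    }
    *out_len = o;
    return out;
}

/* Self-check: encode a constructed len-byte pattern, decode it back, and
 * confirm the bytes and the encoded length 4*ceil(len/3) match. 1 = ok. */
int b64_roundtrip_ok(size_t len)
{
    uint8_t *buf = malloc(len + 1), *dec = NULL;
    char *enc;
    size_t dlen = 0;
    int ok;
    if (!buf) return 0;
    for (size_t i = 0; i < len; i++) buf[i] = (uint8_t)(i * 37 + 11);
    enc = b64_encode(buf, len);
    if (enc) dec = b64_decode(enc, &dlen);
    ok = enc && dec && dlen == len && memcmp(buf, dec, len) == 0 &&
         strlen(enc) == 4 * ((len + 2) / 3);
    free(buf); free(enc); free(dec);
    return ok;
}
```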

richud commented Feb 1, 2013

connecting to server 2003 fine :)

server 2008 I now get;

connected to xxxx.xx.xx.ac.uk:443
connected to xxxx.xx.xx.ac.uk:443
Unexpected RTS PDU: Expected CONN/C2
rts_connect error!
rpc_connect failed!
Error: protocol security negotiation or connection failure

philipgoodfellow commented Feb 1, 2013

Win2008 Server:

pgo@pgo-XS35:~/FreeRDP$ xfreerdp /v:* /d:_.local
/u:
__@_***_.local /p:*** /g:www..co.uk
Using new command-line syntax
connected to www.**_****_.co.uk:443
connected to www.**_*****.co.uk:443
rpc_vers: 5
rpc_vers_minor: 0
ptype: PTYPE_RTS (20)
pfc_flags (0x03) = { PFC_FIRST_FRAG PFC_LAST_FRAG }
packed_drep[4]: 10 00 00 00
frag_length: 76
auth_length: 0
call_id: 0
rpc_vers: 5
rpc_vers_minor: 0
ptype: PTYPE_RTS (20)
pfc_flags (0x03) = { PFC_FIRST_FRAG PFC_LAST_FRAG }
packed_drep[4]: 10 00 00 00
frag_length: 104
auth_length: 0
call_id: 0
rts_connect error! Status Code: 401
HTTP/1.1 401 Unauthorized
Content-Type: text/plain
Server: Microsoft-IIS/7.5
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="www.sbhsremote.co.uk"
X-Powered-By: ASP.NET
Date: Fri, 01 Feb 2013 19:30:02 GMT
Content-Length: 13

rts_connect error!
rpc_connect failed!
Error: protocol security negotiation or connection failure
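An added example, not FreeRDP's own parser, that decodes and sanity-checks the DCE/RPC common header fields printed in the log above (rpc_vers, ptype, pfc_flags, packed_drep, frag_length, auth_length, call_id), checking frag_length against the bytes actually received before it is used for buffer sizing. The sample PDU is constructed from the logged header values with a zero-filled body; the constants are those of C706 and MS-RPCH.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not FreeRDP's parser: the 16-byte C706 common PDU header. */
#define PTYPE_RTS        20    /* RTS PDU type, logged above as "PTYPE_RTS (20)" */
#define PFC_FIRST_FRAG   0x01
#define PFC_LAST_FRAG    0x02
#define RPC_HDR_LEN      16
#define SEC_TRAILER_LEN  8     /* sec_trailer that precedes the auth_length bytes */

typedef struct {
    uint8_t  rpc_vers, rpc_vers_minor, ptype, pfc_flags;
    uint8_t  packed_drep[4];
    uint16_t frag_length, auth_length;
    uint32_t call_id;
} rpc_hdr;

static uint16_t rd16(const uint8_t *p, int le)
{
    return le ? (uint16_t)(p[0] | (p[1] << 8)) : (uint16_t)((p[0] << 8) | p[1]);
}

static uint32_t rd32(const uint8_t *p, int le)
{
    return le ? ((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24))
              : (((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8) | (uint32_t)p[3]);
}

/* Parse a header from `avail` received bytes.  0 = well-formed and the whole
 * fragment is present; negative = malformed or incomplete (never reads past avail). */
int rpc_parse_header(const uint8_t *buf, size_t avail, rpc_hdr *h)
{
    int le;
    if (!buf || !h || avail < RPC_HDR_LEN) return -1;  /* need the full header first */
    h->rpc_vers       = buf[0];
    h->rpc_vers_minor = buf[1];
    h->ptype          = buf[2];
    h->pfc_flags      = buf[3];
    memcpy(h->packed_drep, buf + 4, 4);
    le = (h->packed_drep[0] & 0x10) != 0;   /* drep bit 4 set: little-endian integers */
    h->frag_length = rd16(buf + 8, le);
    h->auth_length = rd16(buf + 10, le);
    h->call_id     = rd32(buf + 12, le);
    if (h->rpc_vers != 5)             return -2;   /* C706 major version */
    if (h->frag_length < RPC_HDR_LEN) return -3;   /* cannot even hold the header */
    if (h->frag_length > avail)       return -4;   /* fragment truncated: wait for more */
    if (h->auth_length &&
        (size_t)h->auth_length + SEC_TRAILER_LEN > (size_t)h->frag_length - RPC_HDR_LEN)
        return -5;                                 /* auth trailer does not fit */
    return 0;
}

/* True for a single-fragment RTS PDU (FIRST and LAST flags both set), as logged above. */
int rpc_is_single_rts(const rpc_hdr *h)
{
    return h->ptype == PTYPE_RTS &&
           (h->pfc_flags & (PFC_FIRST_FRAG | PFC_LAST_FRAG)) == (PFC_FIRST_FRAG | PFC_LAST_FRAG);
}

/* Constructed sample: the first header logged above (PTYPE_RTS, flags 0x03,
 * drep 10 00 00 00, frag_length 76, call_id 0); the RTS body is zero-filled. */
static const uint8_t SAMPLE_PDU[76] = {
    0x05, 0x00, 0x14, 0x03, 0x10, 0x00, 0x00, 0x00,
    0x4c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

/* Helpers that parse the sample with only `avail` bytes "received". */
int sample_status(size_t avail)
{
    rpc_hdr h;
    return rpc_parse_header(SAMPLE_PDU, avail, &h);
}

int sample_frag_length(void)
{
    rpc_hdr h;
    return rpc_parse_header(SAMPLE_PDU, sizeof SAMPLE_PDU, &h) == 0 ? h.frag_length : -1;
}

int sample_is_single_rts(void)
{
    rpc_hdr h;
    return rpc_parse_header(SAMPLE_PDU, sizeof SAMPLE_PDU, &h) == 0 && rpc_is_single_rts(&h);
}
```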

@tomh5

This comment has been minimized.

Show comment
Hide comment
@tomh5

tomh5 Feb 4, 2013

Hi I've been trying this with the main version and your branch. I get the following :

tom@tom-laptop:~$ xfreerdp /v:* /u:** /p:* /g:*
connected to **:443
connected to *__:443
rts_connect error! Status Code: 401
HTTP/1.1 401 Unauthorized
Content-Type: text/plain
Server: Microsoft-IIS/7.5
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="**"
X-Powered-By: ASP.NET
Date: Mon, 04 Feb 2013 21:59:30 GMT
Content-Length: 13

rts_connect error!
rpc_connect failed!
Error: protocol security negotiation or connection failure
WaitForSingleObject: pthread_join failure: 3

Would any extra information help?

zhugelk Feb 5, 2013

Our tests have shown good performance using the newly updated files on the master.
It works successfully connecting to Windows2008R2 or Windows2012 set to RDP.

It has been mentioned that the Schannel SSPI module should be necessary when accessing NLA,
and there was an SSPI class inside the code, but it does not seem to be used anywhere.

It seems to be under implementation at the moment;
would you please let me know how long the implementation will take?

And if possible, please let me know if there's any document that I can refer to for
this matter, thank you!!

awakecoding Feb 5, 2013

Member

@zhugelk thanks for testing. As for the Schannel SSPI module, I've started working on it, but it is not completed and I haven't yet worked on using it for TS Gateway.

I'm currently reviewing the current feature set with HP and fixing bugs as we find them. I just fixed a bug in the licensing code that would break connectivity to a Win7 RDVH machine running on HyperV on Windows Server 2008 R2 through the gateway. Connecting to the same machine directly would cause no problems, but since the problem was that the licensing code assumed keys of 512 bits and the server was using 2048-bit keys, I wouldn't be surprised if this bug was hiding a buffer overflow. This would explain the occasional segmentation faults I've been having in this particular section of code. I didn't have a single crash since fixing the license code, so I guess that was it.

There is also another known issue with gateways sending a system message. The current capabilities advertise support for messaging to avoid getting disconnected from servers allowing only connections from clients advertising support for it. However, the current code is not properly processing the message when it is coming in, and will lead to a fault during the TS Gateway connection sequence. For now, avoid the problem by not setting a system message on the gateway. It'll be fixed later.

Coming back to TLS support, it'll be out when it'll be out. I'll keep this thread updated on my work, so you'll know when it is actually usable.
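
The licensing bug described above (code sized for 512-bit keys being fed a 2048-bit modulus by the server) is the classic fixed-buffer-plus-peer-supplied-length shape. What follows is an added example, not FreeRDP's licensing code, using a simplified stand-in wire format (a 32-bit little-endian length followed by the modulus bytes; that layout is an assumption for illustration, not the MS-RDPELE encoding) to show the vulnerable parser beside one that bounds the advertised length before any copy.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not FreeRDP's licensing code. Stand-in wire format
 * (assumption): uint32 little-endian modulus length, then that many bytes.
 * The server controls both the length field and the bytes. */

#define RSA512_BYTES        64    /* what the old code assumed */
#define MAX_MODULUS_BYTES   512   /* policy ceiling, 4096-bit keys (assumption) */

static uint32_t read_u32_le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* BEFORE: destination sized for a 512-bit key, copy length taken from the
 * peer. The input-bounds check is present, the destination-bounds check is
 * not: a 256-byte (2048-bit) modulus writes 192 bytes past ctx->modulus. */
struct license_ctx_fixed {
    uint8_t  modulus[RSA512_BYTES];
    uint32_t modulus_len;
};

int parse_modulus_fixed(struct license_ctx_fixed *ctx, const uint8_t *buf, size_t buf_len)
{
    uint32_t len;
    if (buf_len < 4)
        return -1;
    len = read_u32_le(buf);
    if (len > buf_len - 4)
        return -1;                       /* input truncated */
    memcpy(ctx->modulus, buf + 4, len);  /* BUG: never compared to sizeof ctx->modulus */
    ctx->modulus_len = len;
    return 0;
}

/* How many bytes the fixed parser would write past its buffer for a given
 * advertised length (0 when it fits). Computed, never executed. */
size_t fixed_parser_overflow(uint32_t advertised_len)
{
    return advertised_len > RSA512_BYTES ? advertised_len - RSA512_BYTES : 0;
}

/* AFTER: validate the length against the remaining input and a policy
 * ceiling, then size the destination from the validated value. */
struct license_ctx {
    uint8_t *modulus;
    uint32_t modulus_len;
};

int parse_modulus_checked(struct license_ctx *ctx, const uint8_t *buf, size_t buf_len)
{
    uint32_t len;
    uint8_t *m;
    if (buf_len < 4)
        return -1;
    len = read_u32_le(buf);
    if (len == 0 || len > MAX_MODULUS_BYTES)
        return -2;                       /* absurd length: reject, do not trust */
    if (len > buf_len - 4)
        return -1;                       /* input truncated */
    m = malloc(len);
    if (!m)
        return -3;
    memcpy(m, buf + 4, len);
    ctx->modulus = m;
    ctx->modulus_len = len;
    return 0;
}

/* Build a constructed PDU advertising advertised_len bytes but carrying only
 * `present` bytes of modulus. Returns total bytes written to out. */
size_t build_pdu(uint8_t *out, size_t cap, uint32_t advertised_len, size_t present)
{
    size_t i;
    if (cap < 4 + present)
        return 0;
    out[0] = (uint8_t)advertised_len;
    out[1] = (uint8_t)(advertised_len >> 8);
    out[2] = (uint8_t)(advertised_len >> 16);
    out[3] = (uint8_t)(advertised_len >> 24);
    for (i = 0; i < present; i++)
        out[4 + i] = (uint8_t)(0xA5 ^ i);  /* constructed sample modulus bytes */
    return 4 + present;
}

/* Run the checked parser on a constructed PDU; returns its result code and
 * stores the parsed length in *got_len (0 on failure). */
int try_checked(uint32_t advertised_len, size_t present, uint32_t *got_len)
{
    uint8_t pdu[4 + 1024];
    struct license_ctx ctx = { NULL, 0 };
    size_t n = build_pdu(pdu, sizeof pdu, advertised_len, present);
    int rc = parse_modulus_checked(&ctx, pdu, n);
    *got_len = rc == 0 ? ctx.modulus_len : 0;
    free(ctx.modulus);
    return rc;
}

int checked_rc(uint32_t advertised_len, size_t present)
{
    uint32_t l;
    return try_checked(advertised_len, present, &l);
}

uint32_t checked_len(uint32_t advertised_len, size_t present)
{
    uint32_t l;
    try_checked(advertised_len, present, &l);
    return l;
}

int main(void)
{
    printf("512-bit modulus:  rc=%d len=%u\n", checked_rc(64, 64), checked_len(64, 64));
    printf("2048-bit modulus: rc=%d len=%u\n", checked_rc(256, 256), checked_len(256, 256));
    printf("old parser would overflow by %zu bytes on a 2048-bit key\n",
           fixed_parser_overflow(256));
    printf("truncated PDU:    rc=%d\n", checked_rc(256, 100));
    printf("oversized length: rc=%d\n", checked_rc(100000, 16));
    return 0;
}
```

The point is the order of checks in the hardened version: the peer's length is compared against a ceiling and against the bytes actually present before it is used for anything, and the destination is sized from it rather than from an assumption about key sizes. The tcscpy_s "buffer is too small" assertion reported later in this thread is the Windows CRT catching the same class of mistake at runtime.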

awakecoding Feb 5, 2013

Member

@philipgoodfellow if I understand correctly, you're the only one with a failure after the latest changes, and it is with Windows Server 2008, not R2? There are many ways to get the parameters wrong, I see you've added .local to your domain parameter. In my test setup, I've created the "awake.local" domain, but the domain used for connection is AWAKE. Maybe try a couple of possible parameters for your setup and see if it changes anything?

johnrobinson Feb 5, 2013

@philipgoodfellow, @awakecoding, I did notice that the /u:user@domain.local was not being processed correctly when presented to the remote machine. It looked to me like the client was sending "domain.local\user" to the remote desktop, whereas (I think) it should send "domain\user" - in this case the remote desktop is looking for the netbios name of the domain controller, rather than the FQDN.

Philip, is there any chance you can try /u:domain\user, and then user@domain without the .local?

awakecoding Feb 5, 2013

Member

@johnrobinson I can confirm that FreeRDP will take the domain name as is, so if the FQDN is passed instead of the netbios name it can cause issues. This domain name is used as part of NTLM authentication, which is very sensitive to the values used.

tomh5 Feb 5, 2013

@awakecoding , @philipgoodfellow. I did also still have similar connection problems with the latest version but, it is now working. Following your advice I found that /u:user@domain worked but /u:domain\user does not. Thanks for the good work.

johnrobinson Feb 5, 2013

@tomh5, you need to escape the backslash between domain and user to prevent it being gobbled up. Try domain\user.

johnrobinson Feb 5, 2013

Uggh. my backslash got gobbled up :-(. Try domain, backslash, backslash, user.
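
Two practical details from the exchange above: FreeRDP uses the domain exactly as given and NTLM wants the NetBIOS domain name, so `user@domain.local` hands it a DNS name; and the backslash in `/u:DOMAIN\user` is eaten by the shell unless escaped. The following is an added example, not FreeRDP's command-line parser: it splits the three common user spellings, flags a domain that looks like a DNS name, and derives a NetBIOS-style guess from the leftmost label (an assumption: the NetBIOS domain name is configured separately and can differ from the DNS prefix, so the guess is only a hint).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 256

struct cred_id {
    char user[NAME_MAX_LEN];
    char domain[NAME_MAX_LEN];   /* empty when none given */
};

/* Split "DOMAIN\user", "user@domain" or "user" into its parts.
 * Returns 0 on success, -1 when a part is empty or too long. The DOMAIN\user
 * form takes precedence because '@' can legally appear in a UPN's user part. */
int parse_user_spec(const char *spec, struct cred_id *out)
{
    const char *bs = strchr(spec, '\\');
    const char *at = strrchr(spec, '@');
    const char *u, *d;
    size_t ulen, dlen;

    if (bs) {
        d = spec;   dlen = (size_t)(bs - spec);
        u = bs + 1; ulen = strlen(u);
    } else if (at) {
        u = spec;   ulen = (size_t)(at - spec);
        d = at + 1; dlen = strlen(d);
    } else {
        u = spec;   ulen = strlen(spec);
        d = "";     dlen = 0;
    }
    if (ulen == 0 || ulen >= NAME_MAX_LEN || dlen >= NAME_MAX_LEN)
        return -1;
    if ((bs || at) && dlen == 0)
        return -1;                        /* "\user" or "user@" */
    memcpy(out->user, u, ulen);   out->user[ulen] = '\0';
    memcpy(out->domain, d, dlen); out->domain[dlen] = '\0';
    return 0;
}

/* A dotted domain is a DNS name, not the NetBIOS name NTLM expects. */
int domain_is_fqdn(const char *domain)
{
    return strchr(domain, '.') != NULL;
}

/* Heuristic NetBIOS guess: leftmost DNS label, upper-cased, at most 15
 * characters (the NetBIOS name limit). Assumption: the real NetBIOS domain
 * name is set independently of the DNS name and may differ; treat as a hint. */
void netbios_guess(const char *fqdn, char *out, size_t cap)
{
    size_t i;
    for (i = 0; i + 1 < cap && i < 15 && fqdn[i] && fqdn[i] != '.'; i++)
        out[i] = (char)toupper((unsigned char)fqdn[i]);
    if (cap)
        out[i] = '\0';
}

/* 1 if spec parses to exactly (exp_user, exp_domain), else 0. */
int check_parse(const char *spec, const char *exp_user, const char *exp_domain)
{
    struct cred_id c;
    if (parse_user_spec(spec, &c) != 0)
        return 0;
    return strcmp(c.user, exp_user) == 0 && strcmp(c.domain, exp_domain) == 0;
}

/* 1 if netbios_guess(fqdn) yields expected. */
int check_guess(const char *fqdn, const char *expected)
{
    char nb[16];
    netbios_guess(fqdn, nb, sizeof nb);
    return strcmp(nb, expected) == 0;
}

int main(void)
{
    /* constructed sample specs; "AWAKE\\user" is AWAKE\user once the C escape is read */
    const char *specs[] = { "user@awake.local", "AWAKE\\user", "user", "user@AWAKE", "\\user" };
    size_t i;
    for (i = 0; i < sizeof specs / sizeof specs[0]; i++) {
        struct cred_id c;
        if (parse_user_spec(specs[i], &c) != 0) {
            printf("%-18s -> invalid\n", specs[i]);
            continue;
        }
        printf("%-18s -> user=%s domain=%s", specs[i], c.user, c.domain);
        if (domain_is_fqdn(c.domain)) {
            char nb[16];
            netbios_guess(c.domain, nb, sizeof nb);
            printf("  (DNS name; NTLM wants the NetBIOS name, perhaps %s)", nb);
        }
        printf("\n");
    }
    return 0;
}
```

On the shell side, the backslash survives only if it is quoted or doubled: `/u:'AWAKE\user'` or `/u:AWAKE\\user` in a POSIX shell. Passing `/u:user /d:AWAKE`, as some of the command lines in this thread do, sidesteps the problem entirely.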

jaroslawp Feb 6, 2013

Whoa ! Works for me (git master of today) connecting via 2008 gateway to Win 7, from RHEL6.
(performance is slightly affected comparing to direct rdp to that system, but usable and session seems stable)

One small problem: password needs to be specified on command line with /p:PASSWORD, otherwise I get a segfault:

xfreerdp /cert-ignore /u:USERNAME /d:DOMAIN /g:GATEWAY /v:SYSTEM
connected to GATEWAY:443
connected to GATEWAY:443
Could not open SAM file!
Could not open SAM file!
Could not open SAM file!
Could not open SAM file!
rts_connect error! Status Code: 401
HTTP/1.1 401 Unauthorized
Content-Type: text/plain
Server: Microsoft-IIS/7.5
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="GATEWAY"
X-Powered-By: ASP.NET
Date: Wed, 06 Feb 2013 09:30:05 GMT
Content-Length: 13

rts_connect error!
rpc_connect failed!
Error: protocol security negotiation or connection failure
Segmentation fault (core dumped)

(I guess it should ask me for password on command line , right ?)

Great work ! Thanks !

petegriggs Mar 25, 2013

Hello, sorry to be a pain!

I have installed FreeRDP and compiled on Debian Squeeze, it has reached the connection and says TS Gateway Connection Success and hangs there :-(

Any Ideas ?

Many Thanks

Peter

awakecoding Mar 25, 2013

Member

@petegriggs you need to enable lower security settings on the target server (not the gateway itself) as currently TLS/NLA over TS Gateway still isn't supported.

petegriggs Mar 25, 2013

Hello,

Does it make any difference that I would be using it for Server 2012 VDI? Looking at the Windows logs it connects then disconnects, but the client does not show any window.

Many Thanks

Peter

petegriggs Mar 26, 2013

Hello, sorry to comment back again.

If I use FreeRDP straight to the VMs behind the gateway it connects OK; if I connect via the gateway / broker it doesn't connect. Any ideas?

petegriggs Apr 8, 2013

Hello, any ideas as to why I can connect to the VMs behind but not using the broker?

chufall Jun 23, 2013

I have compiled the code at tag 1.1beta1 on Win7 x64 and tried to connect to Windows Server 2008 R2 through the gateway; it crashed, crash report:

Debug Assertion Failed!
Program: wfreerdp.exe
File: f:\dd\vctools\crt_bld\self_x86\crt\src\tcscpy_s.inl
Line: 30
Expression: (L"buffer is too small" && 0)

What's the problem?

The command I used is
wfreerdp.exe /u:xxx /p:xxx /cert-ignore /g:xxx /gu:xxx /gp:xxx /gd:xxxx /v:192.168.1.209

twildt Jul 17, 2013

I'm experiencing the same as jaroslawp. The only thing is it's locking up/freezing. It opens the window, I see the Win2k8R2 server login window, but it freezes and the app kind of locks up. I have to kill the PID.

I am using the same command he is using.

Ubuntu 12.04
xfreerdp from master today.

bmiklautz Sep 23, 2013

Member

Basic gateway support is now already in master/stable-1.1.
For specific problems related to gateway please create a new issue for tracking.
