domain on commandline of wfreerdp does not work?

[jol64]

I am using command line like the following:

wfreerdp.exe /v:tom.my.dom "/t:joachim8-sandisk-ultra-ii-240gb-cc-e8-a3-86.20180728-020534-725-success.vhdx" /u:Joachim /p:** /vmconnect:78ACA787-66CF-434C-A3E5-09A629682CE8 /audio-mode:0 2>>"wfreerdp 20180728 181854.tracefile"

this works as expected.

Now if I add /d:my or change /u to /u:joachim@my.dom or /u:my\joachim, then none of these work. In all variants, the tracefile shows:

[18:34:46:931] [8156:00000150] [ERROR][com.freerdp.core] - freerdp_set_last_error ERRCONNECT_PASSWORD_CERTAINLY_EXPIRED [0x0002000F] [18:34:46:931] [8156:00000150] [ERROR][com.freerdp.core.transport] - BIO_read returned an error: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

Actually you may wonder why I try to pass domains in case it works without. The reason is that not all users are in the domain (joachim is, as are client and server windows systems). I also tried with a local user (i.e. /u:tom\serveradmin or /d:tom), but with /d:tom I get

[18:47:24:975] [5308:0000291c] [ERROR][com.freerdp.client.windows] - Failed to check FreeRDP file descriptor

with /u:tom\serveradmin wfreerdp just hangs.

Am I using these options wrong? Are they not supported on windows? Or is there a bug?

[akallabeth]

Is the machine domain joined? We do not implement kerberos support (only rudimentary support for non windows os is existing) that might explain the issue. Try to force different authentication modes, that might resolve your issue.

[jol64]

client and server system are domain members, but I can also test with none-domain members. But my current undestanding is that if you do not use Kerberos (or CredSSP) than that should not be relevant.
Which authentication mode or more precise: which command line option(s) do you suggest?

[jol64]

I just checked: it does not matter whether the client system is joined to the domain or not.

[montvid]

Hi, the /d: option does not work on windows but the /u: option to join as a domain user works. But I need the /d: option to specify the domain before the user enters his username so as to not enter the domain name all the time. What to do?

[montvid]

Just wanted to say that /d: works on thincast remote desktop client commandline. Any fix on wfreerdp incoming?

[akallabeth]

@montvid any more information? wfreerdp.exe (current nightly) does connect with wfreerdp.exe /v:host /u:user /d:domain /p:password

the initial issue was our lacking kerberos support which should work with current state

[montvid]

@akallabeth yes, this works. But I want to only specify the /d:domain and leave other things for the user to input in a wfreerdp windows dialog window. Thincast client pops up a window with "domain" already written so the user writes just his username and password.

[montvid]

The problem is when I set the /d:domain it does not work on it's own - i need to set /u: and /p: to get /d: to work. But I think I need to open another issue as you say this one is off topic, sorry. Btw Thincast uses freerdp so maybe freerdp has this feature somewhere?

[akallabeth]

@montvid yes, please create a new issue for this, here it is off topic.