New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fixes for kerberos authentication: #6661
Conversation
Refer to this link for build results (access rights to CI server needed): |
Refer to this link for build results (access rights to CI server needed): |
Thanks for working on this!
I am pretty sure it is not desired to request TGT if none was found. So it is right to fallback to NTLM. This is how Kerberos applications work. It is up to the user to obtain the ticket itself or use some daemon for it. If you have some doubts about it, @abbra could possibly give you a more sophisticated explanation... |
Please do not fallback to NTLM by default or at least make it configurable. In FIPS mode you cannot use RC4 cipher so it will fail anyway. |
My point was to just draw the attention that it is not desired to call You are right that Kerberos and NTLM are probably handled together as NLA, so it would be nice to add some specific options for this. FreeRDP should currently automatically disable NLA security on FIPS. So maybe this logic needs to be updated to disable only NTLM, not Kerberos. |
Refer to this link for build results (access rights to CI server needed): |
Refer to this link for build results (access rights to CI server needed): |
Refer to this link for build results (access rights to CI server needed): |
Refer to this link for build results (access rights to CI server needed): |
Refer to this link for build results (access rights to CI server needed): |
Refer to this link for build results (access rights to CI server needed): |
Refer to this link for build results (access rights to CI server needed): |
* Negotiate: Do a proper check if a realm is set up and ready, otherwise fall back to NTLM * Removed GSS related error checks in freerdp, moved entirely to WinPR
@freerdp-bot test |
Refer to this link for build results (access rights to CI server needed): |
Refer to this link for build results (access rights to CI server needed): |
@bmiklautz can you install |
@freerdp-bot test |
Refer to this link for build results (access rights to CI server needed): |
@freerdp-bot test |
1 similar comment
@freerdp-bot test |
Refer to this link for build results (access rights to CI server needed): |
#ifdef UNICODE | ||
ConvertToUnicode(CP_UTF8, 0, principal, -1, &nla->ServicePrincipalName, 0); | ||
#else | ||
nla->ServicePrincipalName = _strdup(principal); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
missing checks
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changes look good for me (would need a rebase though).
I'm very uncomfortable with the Negotiate package which is badly named. We would expect it to do the full (and complicated) SPnego stuff as its windows counterpart, and instead of that it's just an implementation switcher between NTLM and Kerberos.
The SPNEGO implementations in MIT and Heimdal have had many years of testing (and indeed both now support NegoEx), so perhaps using them would be a good idea? You could handle NTLM either explicitly, which should work for most cases, or by using a NTLM GSS mechanism (of which there are a few, e.g. see here). |
I agree with Luke. We have quite good SPNEGO implementations in MIT Kerberos 5 and Heimdal and with gss-ntlmssp we can cover the remaining part of NTLMSSP support. What's more important, both MIT and Heimdal versions also do support MS-NEGOEX infrastructure, making it possible to use other authentication mechanisms supported by Windows and, in future, by Linux environments. |
Side note: yes MIT Kerberos 5 and heimdal have everything to do SPNego client-side, but as they don't implement the user2user microsoft kerberos extension, on the server-side it's impossible to accept I'd like to describe what's the behaviour of
note: So in theory SPNego allows to negotiate things, but in practise this capability is not used, SPNego is used just because it allows the exchange of MICs in the user2user workflow. So we have a subject with kerberos, I'm really wondering how we can deal with the 2 use cases where:
|
Just briefly as I'm at dinner: modern Kerberos implementations implement Re: using off-the-shelf SPNEGO, would it help if we implemented the MS user2user Kerberos mechanism? I haven't read the RDP protocol spec enough to know exactly why user2user is used. |
Not saying you need to replace your SPNEGO implementation of course, but there are a lot of subtleties in the protocol, particularly when it comes to generating/verifying mechListMIC, not to mention supporting other mechanisms inside NegoEx. I was still fixing bugs in Heimdal's mechListMIC implementation as recently as last year. |
Also, any intention to support Remote Credential Guard? |
@lhoward interesting. we´d need to check that. As for remote credential guard, I´ve also did not have time for this yet. |
@lhoward I gave a look at remote credential guards some time ago, and there's really a lot to implement as MS-RDPEAR has quite a lot of messages. |
@akallabeth is there anything that is not fixed in #7934 in this PR ? |
guess not, closing. |
otherwise fall back to NTLM
to WinPR
TODO: