Login at RDP Cluster with Session Broker #8

Closed
MartinOehler opened this issue Sep 1, 2015 · 46 comments
@MartinOehler

MartinOehler commented Sep 1, 2015

I experience a problem when connecting rdesktop 1.8.3 to an RDP cluster with a session broker (DNS round robin). The parameters used are

rdesktop -d domain cluster-name

The first connection (no session for the connecting user is running on the cluster) is working. After disconnecting the session and reconnecting, the client is entering the session for about a second (we can see the desktop applications) and is then thrown back to the login screen.

The console output is

RDP packet #6, (type a)
[...]
Redirected to user@clusterhost-ip session n.
ERROR: CredSSP: Initialize failed, do you have correct kerberos tgt initialized ?
Connection established using SSL.
[...]
Disconnecting...
Failed to parse crypt info
Received licensing PDU (message type 0x01)
Sending licensing PDU (message type 0x12)
Received licensing PDU (message type 0xff)
RDP packet #7, (type 1)
[...]

When using the Microsoft RDP Client from Windows 8, there is a certificate error displayed after entering the session which can be accepted, then the session is entered. I assume this is the moment where the rdesktop session ends. The same effect happens more clearly when a smartcard login is used. But I couldn't find this inside the rdesktop debug logs.

As a matter of fact, the connection is working only when the DNS round robin returns the server where the session has been created. The "redirected to" output always leads to a short login and a session disruption (meaning back to the login screen).

The problem seems to be independent from the pcsc lib when using a smartcard or the underlying Linux System since FreeRDP handles this correctly (with and without smartcard redirection).

Please tell me what debug information I can provide if you are interested in fixing this.

@ppoilbarbe

Confirmed with version from GIT: 1.8.3-17-g2140da0c (cloned on 2016-06-07) and Windows 2012
If I connect to the final RDP server (the one where the redirection points) with its IP address, no problem, login is correct. If I connect to the DNS name of the Windows Cluster there must be 2 valid identifications (one before and one after redirection).

@trentasis

trentasis commented Feb 2, 2017

I have the same problem with a DNS round robin cluster with Windows 2012 R2, user/password is asked two times...
Is this issue solved? Or is there any workaround?

Thanks

@hean01-cendio
Contributor

hean01-cendio commented Feb 13, 2017

Still no available workaround, I need to find a timeslot to dig deeper into this problem. Until then, could someone build rdesktop from the latest source, which includes better debug logging, reproduce the problem and post the logfile here?

To enable debug logging, run rdesktop like:

RDESKTOP_DEBUG=All rdesktop <server>

@ppoilbarbe

Maybe I know where it can come from.
If the account/password is given on the command line there is no problem (except that it is viewable with ps). When not, the front-end node of the cluster asks for a user/password and then sends the session to the actual node which will serve the session. This node asks again for a username/password. As it is not stored by rdesktop it must be entered again.
For example remmina asks for user name/password in its own dialog box, stores this information internally (even only in RAM) and then gives it to both Windows nodes, so there is no need to enter identification twice.

@trentasis

Hi,

I have tried with debug for example:

RDESKTOP_DEBUG=All rdesktop server -k es -a 16 -u '' -d domain -r scard
warning: unable to open /etc/gssapi_mech.conf: errno 2 (No such file or directory)
WARNING: CredSSP: System doesn't have support for desired authentication mechanism.
Connection established using SSL.
WARNING: Bogus smart card control code 0x00fd0028
Redirected to user@192.168.168.168 session 1838054125.
WARNING: CredSSP: System doesn't have support for desired authentication mechanism.
Connection established using SSL.
WARNING: Bogus smart card control code 0x00fd0028

I hope that this can help

@Bottson

Bottson commented Mar 22, 2017

Hello,
I have the same problem. Anyone got a workaround here?

Thank you

@ppoilbarbe

ppoilbarbe commented Mar 22, 2017

As setting username/domain/password on the command line works, I am writing a wrapper which, if the '-p auto' option is on the command line, replaces it with '-p' and the actual password taken from the .netrc file.
rdesktop rewrites the password with as many 'x' as needed to mask it all in order to not leave the password visible when showing it with ps or another tool.
Putting it in .netrc avoids having it in many scripts which may be readable.
The password is still visible for a very short time (until rdesktop rewrites it) or if .netrc is not protected enough.

@trentasis

hi @ppoilbarbe

Great job, it could be a great solution!

@Bottson

Bottson commented Mar 24, 2017

Hello ppoilbarbe,

sorry, I didn't understand your post very well. So you are writing something like a patch?
I would like to stay with rdesktop for our users (we use our Raspberrys as ThinClients).
But if I am not able to solve the problem with the double login I have to change to another package - like freerdp or something else.
Do you have any suggestions how we can solve this problem?

Thank you and best regards.

@ppoilbarbe

ppoilbarbe commented Mar 24, 2017

Not a patch, just a script which calls rdesktop with the -p option. The password is stored in the $HOME/.netrc file in order to not have it in scripts.
This workaround is finished and tested (Linux, not macOS nor Windows, I do not have these systems) but I think it is not very clean (I am not very used to Python).
The netrc syntax has been extended to have the ability to use more than one user for one host. I can send it here but I am not sure it is the right place.
EDIT: I have added another possibility to not store the password in .netrc but ask for it once with the ssh-askpass command, which can store it in wallets if you want to.

@hean01-cendio
Contributor

@ppoilbarbe post your script at https://gist.github.com/ and link it here on this issue

Still there is a bug where authentication should be seamless through redirection. I haven't had the time to look into this yet but I believe there is a magic cookie that is received from the first connection to a server, that is used for authentication against the server the client is redirected to.

@Bottson

Bottson commented Mar 28, 2017

Hello, thank you for your script.
I am sorry, but I'm not very familiar with raspberrys.
May I ask for a guide how to implement this script?

Thank you so much

@ppoilbarbe

Just copy it to the place you want, do chmod +x /place/where/it/is/rdesktop and insert the directory at the beginning of the PATH variable: export PATH="/place/where/it/is:$PATH". Now when you type rdesktop you launch this script, e.g.: rdesktop -u myself -d my_domain_or_workgroup -p sshask myrdpserver, where -p sshask, as is, instructs the script to take the password from the command ssh-askpass, while -p auto takes the information from the netrc file; anything else acts as 'normal' rdesktop.

@ppoilbarbe

@hean01-cendio it should be nice if this kind of cookie exists...

@Bottson

Bottson commented Mar 28, 2017

Hello ppoilbarbe,

I really want to thank you for your help. I was now able to configure it with your wrapper.
Unfortunately I was not really able to make it so that the user can enter his password in the RDP connection. So I will have to wait until it is working with this kind of cookie.

Thank you really and best regards.

@trentasis

hi @hean01-cendio

It will be great to solve this issue, do you have any schedule?

thanks

@hean01-cendio
Contributor

@trentasis I will take a look into this next week

@Bottson

Bottson commented Mar 31, 2017

Hello,

I saw something interesting right now on an old Raspberry we have here.
I tried to connect to our TS with an old Raspberry and everything was fine.
No double login!
The only thing is that I had to disable the mouse shadow. Otherwise the mouse wasn't visible.

I checked which rdesktop version is running: 1.7.1. Unfortunately I don't know which OS version is running on this Raspberry.

Could you advise me how to install an old version like 1.7.1 on my Raspberrys? So I could check if it is normal behaviour with 1.7.1 - that the connection works as it should. Maybe this would help you when you take a look at this problem.

Thank you

EDIT to avoid a double post:
Ok, sorry. It was easier than I thought.
I can confirm that with rdesktop 1.7.1 there is no double login when connecting to a Terminal Server with a connection broker.

Regards

@Bottson

Bottson commented Apr 20, 2017

Hi @hean01-cendio

did you already get time to look into this problem?
If you need help on testing or something, just write me.

Thank you and best regards.

@hean01-cendio
Contributor

hean01-cendio commented Apr 20, 2017

@Bottson

did you already get time to look into this problem?

Not really, however I now have a test environment with AD + 2 x 2012r2 so that is not a hindrance to start testing this.

I can confirm that with rdesktop 1.7.1 there is no double login when connecting to a Terminal Server with a connection broker.

If I recall correctly, rdesktop 1.7.1 doesn't have support for the redirection PDU, which means it doesn't know how to disconnect and reconnect to another RDS server. That's probably why you don't get the extra login prompts.

@trentasis

trentasis commented May 11, 2017 via email

@hean01-cendio
Contributor

@trentasis, I have looked a bit into the protocol for redirection but unfortunately I haven't had much time to dig deeper.

@hean01-cendio
Contributor

I found a bug where the cookie was never used for authentication, which brings the two authentication prompts. Fixed in commit b9481bb. I have tested this against 2 x 2012r2 RDS servers.

Everyone with this issue, can you test on your side and report which version of RDS server you use.

@ppoilbarbe

For me it works.
Server: Windows 2012 R2. mstsc.exe version on server: 6.3.9600.17415 french

@trentasis

Thanks!!

I have downloaded the master version from zip and ./configure doesn't exist, with 1.8.3 it was available, how can I generate this file to compile and test...

@hean01-cendio
Contributor

@trentasis you need to run the bootstrap script, see the README.md file for information

@trentasis

Hi @hean01-cendio @ppoilbarbe

Sorry @hean01-cendio and thanks for information.
I have tried and two authentications are required, the error persists in my environment using rdesktop -r scard server.domain.local

@ppoilbarbe How are you trying and in what client (rdesktop command line parameters) and server are you using?

thanks

@hean01-cendio
Contributor

hean01-cendio commented May 15, 2017

@trentasis

Do you authenticate using smart card ?

What RDS server version are you using ?

Are you running the built binary, e.g. './rdesktop ...' (just checking...)?

@trentasis

Hi @hean01-cendio

No, auth is with user/password, but we need /smartcard for other applications

we have tried without /smartcard and then it seems that two authentications are not required (/rdesktop server). Could it be?

@hean01-cendio
Contributor

@trentasis

Ok, I could reproduce your problem. The double login only appears when there is no session available and you are redirected to a second server. If you login and create a session on the second screen, then disconnect and reconnect, you are not prompted for another password.

@trentasis

Correct, it is not always reproduced in some situations. Any scheduled date for this patch?

Thanks!

@ppoilbarbe

ppoilbarbe commented May 16, 2017

My command line parameters (no smartcard used) are: ./rdesktop -a 24 -r sound:local -r disk:home=$HOME,data=/data/$USER,homeloc=/homelocal/$USER,media=/media -g 1600x950 -k fr -x l -d $DOMAIN -u $USER $SERVER
The command line could be reduced but I wanted to launch rdesktop with the same command as before.
The first screen shows two big squares: one for connecting as administrator, one for "other user".
After choosing "other user", my domain/login is proposed and I can enter the password once, not twice as before.
For information, here are the messages printed by rdesktop:

Failed to intialize NLA, do you have correct kerberos tgt initialized ?
Connection established using SSL.
Protocol(error): sec_process_crypt_info(), failed to parse crypt info
Redirected to USER@IP_ADDRESS session 32.
Failed to intialize NLA, do you have correct kerberos tgt initialized ?
Connection established using SSL.
Protocol(error): sec_process_crypt_info(), failed to parse crypt info
Clipboard(error): xclip_handle_SelectionNotify(), unable to find a textual target to satisfy RDP clipboard text request

EDIT: Not so good.... I also have the problem of two passwords depending on how I quit the session...
Sometimes it works, sometimes not. If I don't close the session (closing only the rdesktop window) it always works. If I close the session via the Windows menu it may work when reconnecting, but mainly it does not work. Here are the messages when not working:

Failed to intialize NLA, do you have correct kerberos tgt initialized ?
Connection established using SSL.
Protocol(error): sec_process_crypt_info(), failed to parse crypt info
Redirected to USER@IP_ADDRESS session 1435352940.
Failed to intialize NLA, do you have correct kerberos tgt initialized ?
Connection established using SSL.
Protocol(error): sec_process_crypt_info(), failed to parse crypt info
Clipboard(error): xclip_handle_SelectionNotify(), unable to find a textual target to satisfy RDP clipboard text request

It's the same thing except the session number which is very low (<100) when working and very big when not.

@hean01-cendio
Contributor

The main thing here is that I don't think the RDP protocol supports what we want to accomplish the way we do it. The Microsoft RDP client always asks for credentials before the actual connection is carried out, e.g. the same thing as when you enter domain, user, password via the command line in rdesktop. This way, providing the credentials works as expected, e.g. no double prompts. I don't think we could go the full way with the current approach without changing the behavior of rdesktop.

One solution might be that we make rdesktop always prompt for missing information that is not provided via commandline, such as domain, username and password (just like freerdp does) to make sure that we have credentials available for authentication before connection is carried out.

Any ideas on that ?

@ppoilbarbe

ppoilbarbe commented May 16, 2017

It's what I have done with my rdesktop wrapper (see previous messages: https://gist.github.com/ppoilbarbe/e0c8931d5cfab091f9fa7185b6535cdf)... No need to enter the password twice, or even once if the password is stored in wallet (just activate wallet once by session). And no need too to click on the "other user" screen.
The only annoyances are that the password appears shortly on the command line (viewed by ps for example) until rdesktop rewrites it with "X" (we see the length of the password by counting the "X" characters), and if a user typing "rdesktop" with "-p sshask" doesn't launch the wrapper (incomplete PATH) but the original command (which is not renamed), he will not connect since "sshask" will never be the user password.
It is not so complicated and may be done inside rdesktop. The length of the script comes from the fact I have to parse the options in order to (maybe) rewrite them. The netrc part may be thrown away, it was my first idea before asking password with sshask which is more flexible.

@Bottson

Bottson commented May 17, 2017

Hi, I also tested your new version 1.8.3post.
As you already know, perhaps authentication is still needed twice.
But thanks for your help anyway :)

@trentasis

Any news about this issue...
It will be great to solve this issue!

Thanks

@trentasis

trentasis commented Jul 22, 2017

Hi @ppoilbarbe

I have one question about your Python script: I understand that this only works if you are running from a Linux workstation and the user/password from which you run rdesktop are the same as the rdesktop user has?

I have an environment with thin clients where Linux boots with a generic user, and then an rdesktop command is executed and every user (multiple users can use the same thin client session to open rdesktop sessions) opens an rdesktop session; in this environment can your script work?
If it is possible, what are the steps, install Python and execute what command?

Thanks!

@hean01-cendio
Contributor

Fixing issue #127 will solve this problem.

@hean01-cendio hean01-cendio added this to the rdesktop-1.8.4 milestone Aug 15, 2017
@hean01-cendio
Contributor

hean01-cendio commented Aug 15, 2017

Commit 1aaafc8 changes the behavior of rdesktop to always prompt for a password if not provided. This should solve this issue.

@trentasis

Hi,

Can you give details on how to use it without asking for the password two times in a cluster with a session broker, what options are required?

Thanks

@uglym8
Member

uglym8 commented Jan 9, 2018

After you supply a password (-p) it just should simply work.

@trentasis

trentasis commented Jan 9, 2018 via email

@hean01-cendio
Contributor

@trentasis use an askpass application to ask for the password before connection, something like this:

/usr/libexec/openssh/gnome-ssh-askpass "RDP Remote password" | rdesktop -p - -u user -d DOMAIN server
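Combining ppoilbarbe's wrapper idea (ask once, via ssh-askpass or .netrc) with the stdin form of -p shown in the command above, the following is an added example of such a wrapper; it is not ppoilbarbe's gist or rdesktop's own code, and it assumes rdesktop reads the password from stdin with "-p -", that ssh-askpass is on PATH, and that /usr/bin/rdesktop is the real binary.

```python
#!/usr/bin/env python3
"""rdesktop wrapper that obtains the password before connecting (added
example; assumes rdesktop reads the password from stdin with '-p -' and
that ssh-askpass is on PATH; RDESKTOP is an assumed path)."""
import netrc
import os
import subprocess
import sys

RDESKTOP = "/usr/bin/rdesktop"  # assumed location of the real binary


def rewrite_args(args, ask, lookup):
    """Turn '-p sshask' / '-p auto' into '-p -' and return (args, password).
    ask(host) prompts interactively; lookup(host, user) reads a stored one or
    returns None. Other argument lists pass through with password None."""
    out = list(args)
    if "-p" not in out[:-1]:  # no -p, or -p without a value: pass through
        return out, None
    i = out.index("-p")
    if out[i + 1] not in ("sshask", "auto"):
        return out, None  # a literal password: leave it to rdesktop
    host = out[-1]  # rdesktop takes the server as the last argument
    user = out[out.index("-u") + 1] if "-u" in out[:-1] else None
    password = ask(host) if out[i + 1] == "sshask" else lookup(host, user)
    if not password:
        raise SystemExit(f"rdesktop wrapper: no password for {user}@{host}")
    out[i + 1] = "-"  # the real argv never carries the secret
    return out, password


def netrc_lookup(host, user):
    """Password for host (and user, if given) from ~/.netrc, else None."""
    try:
        entry = netrc.netrc().authenticators(host)
    except (OSError, netrc.NetrcParseError):
        return None
    if entry is None or (user and entry[0] != user):
        return None
    return entry[2]


def askpass(host):
    """Prompt through ssh-askpass so the secret never appears in ps."""
    res = subprocess.run(["ssh-askpass", f"RDP password for {host}"],
                         capture_output=True, text=True, check=True)
    return res.stdout.rstrip("\n")


def main(argv):
    args, password = rewrite_args(argv, askpass, netrc_lookup)
    if password is None:  # plain invocation: hand over unchanged
        os.execv(RDESKTOP, [RDESKTOP] + args)
    proc = subprocess.Popen([RDESKTOP] + args, stdin=subprocess.PIPE, text=True)
    proc.communicate(password + "\n")  # password travels via stdin only
    return proc.returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Installed ahead of the real binary on PATH as ppoilbarbe describes, "rdesktop -u me -d DOM -p sshask server" prompts once and the session broker redirection then proceeds without a second prompt, because the credentials are already available when the connection is made.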

@uglym8
Member

uglym8 commented Jan 9, 2018

Right now (while it's not yet clear whether we're going to merge #216 or not) you can provide an arbitrary password with the -p option.
After TS says that you have incorrect password you (or user) can provide the real password
See #191 (#191 (comment))

@trentasis

trentasis commented Jan 18, 2018

hi @hean01-cendio

I can't use it because in our environment we use it as a thin client with multiple users, and now with this change it always asks for the password at the cmd prompt, and we don't show the prompt; tried with -p - -u user -d domain server

also tried the same command from the command line and then the password is asked two times, one from cmd and another from the Windows GUI.

Any suggestion how to recover the features used with the previous version, to use rdesktop without any cmd interaction and also enter Windows 2012r2 without entering the password 2 times....
Please reopen this issue.

It's a problem when there are many users... Any suggestion?

Thanks
