#360 credssp + kerberos - cannot connect to misconfigured TSs

Status: open-fixed
Priority: 5
Updated: 2014-10-14
Created: 2012-11-22
Creator: Anonymous
Private: No

Hello Devs !

With current rdesktop SVN trunk I have problems connecting to some (misconfigured) Terminal Servers: these servers advertise CredSSP + Kerberos but do not have proper Kerberos identities (i.e. TERMSERV/server.domain@REALM keys have not been created).

rdesktop fails with:

# rdesktop terminal.server.domain
Autoselected keyboard map en-us
ERROR: CredSSP: Initialize failed, do you have correct kerberos tgt initialized ?
ERROR: GSS error [0:13:0]: CredSSP: SPNEGO negotiation failed.
ERROR: - Unspecified GSS failure. Minor code may provide more information

Proposed patch adds an '-Z' command line option permitting disabling CredSSP at run time.

Please consider including this patch in rdesktop.

Best Regards

Jarek

Discussion

  • Anonymous - 2012-11-22

    Patch to disable CredSSP on command line.

     
  • Henrik Andersson

    Hi Jarek,

    I wonder if this is the right approach, could you please verify how M$ client behaves when
    connecting to the misconfigured TS servers ?

    Regards,

    Henrik Andersson

     
  • Henrik Andersson

    • assigned_to: nobody --> hean01
     
  • Anonymous - 2012-11-22

    Hi,

    The MS Remote Desktop Connection client (Win 7) 'just works' (my guess is it tries CredSSP and then executes a fallback - since server does not enforce it ..
    but no idea how to debug this further .. I'm a Linux guy ;-))

    I've configured a system (Win 7) to enforce it (http://www.elmajdal.net/win7/Enabling_Remote_Desktop_Connection_in_Windows_7.aspx) and then things are different:

    # ./rdesktop rdptest.my.domain
    Autoselected keyboard map en-us
    Segmentation fault (core dumped)

    [ for info, backtrace shows:
    #0 0x0000003a26a75a35 in malloc_consolidate () from /lib64/libc.so.6
    #1 0x0000003a26a78bb5 in _int_malloc () from /lib64/libc.so.6
    #2 0x0000003a26a7ba08 in malloc_check () from /lib64/libc.so.6
    #3 0x00000000004077eb in xmalloc (size=4096) at rdesktop.c:1163
    #4 0x0000000000435498 in cssp_send_tsrequest (token=0x7fffffffd5b0, auth=0x0, pubkey=0x0) at cssp.c:352

    ... that looks like a different problem
    ]

    # ./rdesktop -Z rdptest.my.domain
    Autoselected keyboard map en-us
    WARNING: RDP protocol negotiation failed with reason: hybrid authentication (CredSSP) required by server (error 0x5),
    WARNING: retrying without negotiation using plain RDP protocol.
    ERROR: recv: Connection reset by peer

    (rdptest.my.domain has properly configured Kerberos service principal name: TERMSRV/rdptest.my.domain)

    I believe that since CredSSP is/can be optional there should not be a problem disabling it on command line ?

    Or alternatively: if CredSSP does not work, a fallback to 'plain RDP' could be implemented ?

    Regards

    Jarek

     
  • Henrik Andersson

    Thanks Jarek for the input, I believe that the right approach would be to handle the fallbacks
    correctly in rdesktop, with this fallback chain:

    hybrid -> TLS -> Plain RDP

    I'll see if I can find a simple approach to this.

    Regards,

    Henrik Andersson
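
The fallback chain proposed above, as an added example (not part of the original thread and not rdesktop's code): it parses the server's RDP_NEG_FAILURE reply and picks the next protocol to request, stopping when the server reports error 0x5 as seen earlier in the thread. The helper names and the `floor` parameter are hypothetical; the constants follow MS-RDPBCGR.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Protocol values and failure codes as defined in MS-RDPBCGR. For these
 * three protocols the numeric order matches their strength. */
enum { PROTO_RDP = 0, PROTO_SSL = 1, PROTO_HYBRID = 2 };
enum { TYPE_RDP_NEG_FAILURE = 0x03, HYBRID_REQUIRED_BY_SERVER = 0x05 };

/* Parse the 8-byte RDP_NEG_FAILURE structure: type, flags, length (LE16),
 * failureCode (LE32). Returns 0 and sets *code on success, -1 otherwise. */
int parse_neg_failure(const uint8_t *p, size_t n, uint32_t *code)
{
    if (n < 8 || p[0] != TYPE_RDP_NEG_FAILURE)
        return -1;
    if ((p[2] | (p[3] << 8)) != 8)
        return -1;
    *code = (uint32_t)p[4] | ((uint32_t)p[5] << 8) |
            ((uint32_t)p[6] << 16) | ((uint32_t)p[7] << 24);
    return 0;
}

/* Hypothetical policy helper: pick the protocol to retry with after
 * `tried` failed. `code` is the server's failureCode, or 0 when the
 * failure was local (e.g. no usable Kerberos ticket). `floor` is the
 * weakest protocol the user accepts. Returns -1 when no retry is allowed. */
int next_protocol(int tried, uint32_t code, int floor)
{
    /* Server enforces CredSSP: anything weaker will be rejected. */
    if (code == HYBRID_REQUIRED_BY_SERVER)
        return -1;
    /* Step down one level: hybrid -> TLS -> plain RDP, never below floor. */
    if (tried <= PROTO_RDP || tried - 1 < floor)
        return -1;
    return tried - 1;
}

int main(void)
{
    /* Constructed sample: RDP_NEG_FAILURE carrying failureCode 0x5. */
    const uint8_t pdu[8] = { 0x03, 0x00, 0x08, 0x00, 0x05, 0x00, 0x00, 0x00 };
    uint32_t code = 0;

    if (parse_neg_failure(pdu, sizeof pdu, &code) == 0)
        printf("failure 0x%x -> next %d\n", (unsigned)code,
               next_protocol(PROTO_SSL, code, PROTO_RDP));
    printf("local CredSSP failure -> next %d\n",
           next_protocol(PROTO_HYBRID, 0, PROTO_SSL));
    return 0;
}
```

With `floor` set to `PROTO_SSL`, a local CredSSP failure falls back to TLS but never to plain RDP.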

     
  • Anonymous - 2012-11-22

    Sure, Thanks !

    (and since I've got your attention, could you please look at: https://sourceforge.net/tracker/?func=detail&aid=3575645&group_id=24366&atid=381349 ? , thanks in advance ...)

    Jarek

     
    Last edit: Anonymous 2016-10-12
  • Henrik Andersson

    • status: open --> open-fixed
     
  • Henrik Andersson

    The fallback handling is committed in r1683, could you please verify that this solves your issue.

    Regards,

    Henrik Andersson

     
  • Jaroslaw (Jarek) Polok

    Yes, it does work as expected, many thanks !

    (./rdesktop tsserver.without.kerb keys
    Autoselected keyboard map en-us
    ERROR: CredSSP: Initialize failed, do you have correct kerberos tgt initialized ?
    ERROR: GSS error [0:13:0]: CredSSP: SPNEGO negotiation failed.
    ERROR: - Unspecified GSS failure. Minor code may provide more information
    Connection established using SSL.
    )

    Regards

    Jarek

     
