Background
The newer versions of Remote Desktop (RDP) included with Windows Vista, Windows 7, and Windows Server 2008 add Network Level Authentication (NLA). Existing clients under Linux don’t appear to support this type of authentication, except for one, called FreeRDP.
rdesktop/tsclient
rdesktop is an RDP client specifically for Linux. However, it doesn’t appear to work with newer versions of the Windows RDP server.
For example, when trying to connect using rdesktop I would get the following messages:
    % rdesktop -u some.user -p - -d CORP -g 1440x900 -P 192.168.1.105
    Autoselected keyboard map en-us
    Password:
    ERROR: recv: Connection reset by peer
Trying the same thing from tsclient, a frontend GUI that uses rdesktop underneath, I get essentially the same problem, except with a more descriptive dialog box.
Windows XP’s RDP Client
Using the RDP client included with Windows XP had a similar effect.
Here are the particulars for the mstsc.exe executable. NOTE: This is the RDP client under Windows.
Turns out that with newer versions of RDP (6.0 and higher) Microsoft added additional security, which is why Windows XP’s client couldn’t connect to the newer editions of Windows. NOTE: Here is some further reading about NLA & RDP clients.
- NLA missing from Remote Desktop Client 6.0 for Windows XP?
- Network Level Authentication
- Description of the Remote Desktop Connection 6.1 client update for Terminal Services
- Download RDP Client 6.0
- Description of the Remote Desktop Connection 7.0 client update for Remote Desktop Services (RDS) for Windows XP SP3, Windows Vista SP1, and Windows Vista SP2
FreeRDP
FreeRDP is a fork of rdesktop. The project around FreeRDP intends to rapidly start moving forward and implement features that rdesktop lacks the most. NOTE: The latest version in the Fedora repos was version 0.8.2.
    % yum list available|grep freerdp
    freerdp-devel.i686 0.8.2-1.fc14 updates
    freerdp-devel.x86_64 0.8.2-1.fc14 updates
    freerdp-libs.i686 0.8.2-1.fc14 updates

This version did not include a functioning NLA capability, so I went with the latest version in the git repo as of 2011-03-14 and rolled my own RPMs. Here are the resulting RPMs, SRPM, and the spec file.
- freerdp-0.8.2.gc0079b5-1.fc14.x86_64.rpm
- freerdp-devel-0.8.2.gc0079b5-1.fc14.x86_64.rpm
- freerdp-libs-0.8.2.gc0079b5-1.fc14.x86_64.rpm
- freerdp-plugins-0.8.2.gc0079b5-1.fc14.x86_64.rpm
Connection Examples
Doesn’t work with the password switch (-p):

    % xfreerdp -u some.user -p - 192.168.1.105
    xkbLayout: us
    xkbVariant:
    detect_keyboard_layout_from_xkb: 409
    detect_keyboard_type_from_xkb: evdev+aliases(qwerty)
    Using keyboard layout 0x409 with xkb name US and xkbfile evdev+aliases(qwerty)
    Loading keymap evdev
    xkbfilepath: /usr/share/freerdp/keymaps/evdev
    Loading keymap aliases(qwerty)
    xkbfilepath: /usr/share/freerdp/keymaps/aliases
    freerdp_kbd_init: 409
    starting thread 0 to 192.168.1.105:3389
    main thread, waiting for all threads to exit
    freerdp_chanman_pre_connect:
    keyboard_layout: 409
    connecting to 192.168.1.105:3389
    TLS encryption with NLA negotiated
    ssl_verify: error 20 (see 'man 1 verify' for more information)
    certificate details:
    Subject: commonName = AlphaServer.corp.somedomain.com
    Issued by: commonName = AlphaServer.corp.somedomain.com
    The server could not be authenticated. Connection security may be compromised!
    TLS connection established
    SSL_read: Failure in SSL library (protocol error?)
    Authentication failure, check credentials.
    If credentials are valid, the NTLMSSP implementation may be to blame.
    run_xfreerdp: inst->rdp_connect failed
    main thread, all threads did exit
Works without the password switch (-p):

    [saml@grinchy SPECS]$ xfreerdp -u some.user 192.168.1.105
    xkbLayout: us
    xkbVariant:
    detect_keyboard_layout_from_xkb: 409
    detect_keyboard_type_from_xkb: evdev+aliases(qwerty)
    Using keyboard layout 0x409 with xkb name US and xkbfile evdev+aliases(qwerty)
    Loading keymap evdev
    xkbfilepath: /usr/share/freerdp/keymaps/evdev
    Loading keymap aliases(qwerty)
    xkbfilepath: /usr/share/freerdp/keymaps/aliases
    freerdp_kbd_init: 409
    starting thread 0 to 192.168.1.105:3389
    main thread, waiting for all threads to exit
    freerdp_chanman_pre_connect:
    keyboard_layout: 409
    connecting to 192.168.1.105:3389
    TLS encryption with NLA negotiated
    ssl_verify: error 20 (see 'man 1 verify' for more information)
    certificate details:
    Subject: commonName = AlphaServer.corp.somedomain.com
    Issued by: commonName = AlphaServer.corp.somedomain.com
    The server could not be authenticated. Connection security may be compromised!
    TLS connection established
    Please enter NLA login credential.
    User name:some.user
    Domain:
    Password:
    freerdp_chanman_post_connect: server name [192.168.1.105] chan_man->num_libs [0]
    Received Set Error Information PDU with reason 0
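The "TLS encryption with NLA negotiated" line in both logs reports the outcome of the security negotiation RDP performs before the TLS handshake. As an added example (not code from this post or from FreeRDP), the following builds the client's negotiation request and decodes a server reply using the structures in Microsoft's MS-RDPBCGR specification; the function names are hypothetical and the sample replies are constructed, not captured from the host above.

```python
import struct

# Protocol flags and failure codes as defined in MS-RDPBCGR.
PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0x0, 0x1, 0x2  # HYBRID = NLA (CredSSP)
PROTOCOL_NAMES = {PROTOCOL_RDP: "RDP", PROTOCOL_SSL: "TLS", PROTOCOL_HYBRID: "NLA"}
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}

# Constructed sample replies (TPKT + X.224 Connection Confirm + negotiation data).
SAMPLE_NLA_SELECTED = bytes.fromhex("030000130ed00000123400" "0200080002000000")
SAMPLE_NLA_REQUIRED = bytes.fromhex("030000130ed00000123400" "0300080005000000")

def build_connection_request(requested):
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested)
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224

def parse_connection_response(data):
    """Return ("selected", protocol) or ("refused", failure_code_name)."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed X.224 packet")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length does not match packet size")
    if data[5] & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if len(data) < 19:
        # No negotiation data at all: the server only offers legacy RDP security.
        return ("selected", "RDP")
    msg_type, _flags, neg_len, value = struct.unpack("<BBHI", data[11:19])
    if neg_len != 8:
        raise ValueError("unexpected negotiation structure length")
    if msg_type == 0x02:   # RDP_NEG_RSP: value is the selected protocol
        return ("selected", PROTOCOL_NAMES.get(value, hex(value)))
    if msg_type == 0x03:   # RDP_NEG_FAILURE: value is the failure code
        return ("refused", FAILURE_CODES.get(value, hex(value)))
    raise ValueError("unknown negotiation message type")

if __name__ == "__main__":
    print(build_connection_request(PROTOCOL_SSL | PROTOCOL_HYBRID).hex())
    print(parse_connection_response(SAMPLE_NLA_SELECTED))
    print(parse_connection_response(SAMPLE_NLA_REQUIRED))
```

A "refused" result with HYBRID_REQUIRED_BY_SERVER is what a server that enforces NLA returns to a client that did not offer it, which makes the parser usable as a check that NLA is actually enforced on a host.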






