Hi,

I have started working on a PoC to support Kerberos authentication for
FreeRDP clients.

The modifications to the current NLA code are minimal.

However, I have a couple of questions regarding how the Negotiate SSP and
NLA are currently implemented within FreeRDP.

First, the glue for trying Kerberos first and falling back to NTLM on
failure seems to be absent from the Negotiate SSPI. For now, the NTLM
provider is hardwired within the Negotiate provider. Can you think of a
practical way to implement the fallback mechanism?

Second, the NLA code seems to make certain assumptions regarding the
workflow of the NLA exchange, such as requiring negoToken in the request
when it can be optional. Assuming a 3-way handshake (NTLM) when Kerberos is
only two exchanges is another example.

The GSSAPI code was ported from the rdesktop project that has support for
Kerberos client authentication.

The PoC has been tested with MIT Kerberos only and assumes that the client
has already acquired Kerberos credentials (issuing a "kinit
<username>@realm" command).

You can check out and test the code at [1].

Feedback appreciated.

Cheers,

Thomas Calderon

[1] : https://github.com/tc-anssi/FreeRDP/tree/ssp-kerberos