Hello,

I am writing to you regarding Kerberos support in FreeRDP. An initial Kerberos implementation was proposed by Thomas Calderon on this list some time ago [1]. There is already a fork of this on Marc-Andre's git [2]. What is the status of this? Are there any timelines regarding this?

There is an intention to improve enterprise features for Fedora 24 [3]. It also includes a desire for Kerberos support in FreeRDP, among others (i.e. user authentication using a Kerberos ticket). I should be one of the people involved in this.

I tried the mentioned kerberos branch. I configured an Active Directory domain with Microsoft Windows Server 2008. However, I am unable to connect using FreeRDP, though kinit works properly, see:

$ klist
Ticket cache: KEYRING:persistent:1778400500:krb_ccache_5o3sgFJ
Default principal: administra...@example.lan

Valid starting       Expires              Service principal
11/12/2015 12:50:53  11/12/2015 22:50:53  krbtgt/example....@example.lan
        renew until 11/19/2015 12:50:53

$ ./client/X11/xfreerdp /u:Administrator /d:EXAMPLE /v:192.168.100.140
Password:
[13:45:19:489] [16371:16372] [INFO][com.winpr.sspi.NTLM] - VERSION ={
[13:45:19:489] [16371:16372] [INFO][com.winpr.sspi.NTLM] - ProductMajorVersion: 6
[13:45:19:489] [16371:16372] [INFO][com.winpr.sspi.NTLM] - ProductMinorVersion: 1
[13:45:19:489] [16371:16372] [INFO][com.winpr.sspi.NTLM] - ProductBuild: 7601
[13:45:19:489] [16371:16372] [INFO][com.winpr.sspi.NTLM] - Reserved: 0x000000
[13:45:19:489] [16371:16372] [INFO][com.winpr.sspi.NTLM] - NTLMRevisionCurrent: 0x0F
[13:45:19:502] [16371:16372] [ERROR][com.freerdp.core] - freerdp_set_last_error 0x2000D
[13:45:19:503] [16371:16372] [ERROR][com.freerdp.client.x11] - Authentication only, exit status 1

If I check out commit bf46ff0 (Initial client kerberos support), I see the following failure:

$ ./client/X11/xfreerdp /u:Administrator /d:EXAMPLE /v:192.168.100.140
Password:
[13:48:05:532] [18255:18256] [ERROR][com.winpr.sspi.Kerberos] - Kerberos: Initialize failed, do you have correct kerberos tgt initialized ?
[13:48:05:532] [18255:18256] [ERROR][com.winpr.sspi.Kerberos] - Kerberos: gss_init_sec_context failed with 1
[13:48:05:532] [18255:18256] [ERROR][com.freerdp.core] - freerdp_set_last_error 0x20009
[13:48:05:532] [18255:18256] [ERROR][com.freerdp.core.connection] - Error: protocol security negotiation or connection failure
[13:48:05:533] [18255:18256] [ERROR][com.freerdp.client.x11] - Authentication only, exit status 1

Am I doing anything wrong? Is any special client/server configuration needed?

Though it doesn't work for me, I am worried that the password is still requested. Is it possible to do user authentication using Kerberos only (i.e. without a user password)? It seems rdesktop supports only server authentication, and there are also some comments saying that it isn't possible at all [4, 5]. I am quite lost in the RDP documentation; could you point me to the relevant documents, please?

Thanks for any feedback...

Ondrej

[1] http://sourceforge.net/p/freerdp/mailman/freerdp-devel/thread/CA%2B1ewKYaHSv0XqyEXeWGgUDom-1mO0aPMBL9tk2Munpf6XFxkw%40mail.gmail.com/
[2] https://github.com/awakecoding/FreeRDP/tree/kerberos
[3] https://lists.fedoraproject.org/pipermail/desktop/2015-October/012985.html
[4] https://social.msdn.microsoft.com/Forums/en-US/da074f0f-0887-4151-88ea-19a671ed91d9
[5] http://sourceforge.net/p/rdesktop/mailman/message/32380286/