Hello,

I am writing to you regarding Kerberos support in FreeRDP. An initial 
Kerberos implementation was proposed by Thomas Calderon on this list some 
time ago [1]. There is already a fork of this on Marc-Andre's git [2]. What is 
the status of this? Are there any timelines for it?

There is an intention to improve enterprise features for Fedora 24 [3]. It 
also includes a desire for Kerberos support in FreeRDP, among others (i.e. user 
authentication using a Kerberos ticket). I should be one of the people involved 
in this.

I tried the mentioned Kerberos branch. I configured an Active Directory domain 
with Microsoft Windows Server 2008. However, I am unable to connect using 
FreeRDP, though kinit works properly, see:

$ klist
Ticket cache: KEYRING:persistent:1778400500:krb_ccache_5o3sgFJ
Default principal: administra...@example.lan

Valid starting       Expires              Service principal
11/12/2015 12:50:53  11/12/2015 22:50:53  krbtgt/example....@example.lan
        renew until 11/19/2015 12:50:53

$ ./client/X11/xfreerdp /u:Administrator /d:EXAMPLE /v:192.168.100.140
Password: 
[13:45:19:489] [16371:16372] [INFO][com.winpr.sspi.NTLM] - VERSION ={
[13:45:19:489] [16371:16372] [INFO][com.winpr.sspi.NTLM] -      ProductMajorVersion: 6
[13:45:19:489] [16371:16372] [INFO][com.winpr.sspi.NTLM] -      ProductMinorVersion: 1
[13:45:19:489] [16371:16372] [INFO][com.winpr.sspi.NTLM] -      ProductBuild: 7601
[13:45:19:489] [16371:16372] [INFO][com.winpr.sspi.NTLM] -      Reserved: 0x000000
[13:45:19:489] [16371:16372] [INFO][com.winpr.sspi.NTLM] -      NTLMRevisionCurrent: 0x0F
[13:45:19:502] [16371:16372] [ERROR][com.freerdp.core] - freerdp_set_last_error 0x2000D
[13:45:19:503] [16371:16372] [ERROR][com.freerdp.client.x11] - Authentication only, exit status 1


If I check out commit bf46ff0 (Initial client kerberos support), I see the 
following failure:

$ ./client/X11/xfreerdp /u:Administrator /d:EXAMPLE /v:192.168.100.140
Password: 
[13:48:05:532] [18255:18256] [ERROR][com.winpr.sspi.Kerberos] - Kerberos: Initialize failed, do you have correct kerberos tgt initialized ?
[13:48:05:532] [18255:18256] [ERROR][com.winpr.sspi.Kerberos] - Kerberos: gss_init_sec_context failed with 1
[13:48:05:532] [18255:18256] [ERROR][com.freerdp.core] - freerdp_set_last_error 0x20009
[13:48:05:532] [18255:18256] [ERROR][com.freerdp.core.connection] - Error: protocol security negotiation or connection failure
[13:48:05:533] [18255:18256] [ERROR][com.freerdp.client.x11] - Authentication only, exit status 1


Am I doing anything wrong? Is any special client/server configuration needed?

Though it doesn't work for me, I am worried that the password is still 
requested. Is it possible to do user authentication using only Kerberos (i.e. 
without the user password)? It seems rdesktop supports only server 
authentication, and there are also some comments saying that it isn't possible 
at all [4, 5]. I am quite lost in the RDP documentation; could you point me to 
the relevant documents, please?

Thanks for any feedback...

Ondrej

[1] http://sourceforge.net/p/freerdp/mailman/freerdp-devel/thread/CA%2B1ewKYaHSv0XqyEXeWGgUDom-1mO0aPMBL9tk2Munpf6XFxkw%40mail.gmail.com/
[2] https://github.com/awakecoding/FreeRDP/tree/kerberos
[3] https://lists.fedoraproject.org/pipermail/desktop/2015-October/012985.html
[4] https://social.msdn.microsoft.com/Forums/en-US/da074f0f-0887-4151-88ea-19a671ed91d9
[5] http://sourceforge.net/p/rdesktop/mailman/message/32380286/

_______________________________________________
FreeRDP-devel mailing list
FreeRDP-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/freerdp-devel
