Hello Ondrej,

I am glad you are looking into this; Kerberos support has its place in
FreeRDP.

First, I would recommend trying the most up-to-date code [1] for this
feature (Marc-Andre's branch lacks a couple of commits).
This should prove more reliable than the one you tried.

If you are able to get Kerberos tickets from your machine then you should be
good to go (I see you have a TGT, so that should be enough); nothing else
is needed.

Now, regarding the user password, you might be in for a shock: RDP sessions
using Kerberos (even in the MS implementation) will forward the user password
(or PIN when using a smartcard).
It is just the way it works, as the password/PIN will then be used to open
an interactive session for the user.
So you are going to say, "what's the point of Kerberos then?" Well, it is
still useful to authenticate the RDP session and to wrap the user password.

Now, with the latest code, keep in mind that there is an NTLM fallback, so
when the session is open, make sure you used Kerberos (or disable NTLM
on the Windows server).

The code was stable and more advanced than a PoC, so if you are stuck
somewhere, something else is in the way.

Let me know if you are making progress.

Cheers,

Thomas

[1] https://github.com/tc-anssi/FreeRDP/tree/kerberos

On Thu, Nov 26, 2015 at 3:16 PM, Ondrej Holy <oh...@redhat.com> wrote:

> Hello,
>
> I am writing to you regarding Kerberos support in FreeRDP. An initial
> Kerberos implementation was proposed by Thomas Calderon on this list some
> time ago [1]. There is already a fork of this on Marc-Andre's git [2]. What
> is the status of this? Are there any timelines regarding this?
>
> There is an intention to improve enterprise features for Fedora 24 [3]. It
> also includes a desire for Kerberos support in FreeRDP, among others (i.e.
> user authentication using a Kerberos ticket). I should be one of the people
> involved in this.
>
> I tried the mentioned Kerberos branch. I configured an Active Directory
> domain with Microsoft Windows Server 2008. However, I am unable to connect
> using FreeRDP, though kinit works properly, see:
>
> $ klist
> Ticket cache: KEYRING:persistent:1778400500:krb_ccache_5o3sgFJ
> Default principal: administra...@example.lan
>
> Valid starting       Expires              Service principal
> 11/12/2015 12:50:53  11/12/2015 22:50:53  krbtgt/example....@example.lan
>         renew until 11/19/2015 12:50:53
>
> $ ./client/X11/xfreerdp /u:Administrator /d:EXAMPLE /v:192.168.100.140
> Password:
> [13:45:19:489] [16371:16372] [INFO][com.winpr.sspi.NTLM] - VERSION ={
> [13:45:19:489] [16371:16372] [INFO][com.winpr.sspi.NTLM] -      ProductMajorVersion: 6
> [13:45:19:489] [16371:16372] [INFO][com.winpr.sspi.NTLM] -      ProductMinorVersion: 1
> [13:45:19:489] [16371:16372] [INFO][com.winpr.sspi.NTLM] -      ProductBuild: 7601
> [13:45:19:489] [16371:16372] [INFO][com.winpr.sspi.NTLM] -      Reserved: 0x000000
> [13:45:19:489] [16371:16372] [INFO][com.winpr.sspi.NTLM] -      NTLMRevisionCurrent: 0x0F
> [13:45:19:502] [16371:16372] [ERROR][com.freerdp.core] - freerdp_set_last_error 0x2000D
> [13:45:19:503] [16371:16372] [ERROR][com.freerdp.client.x11] - Authentication only, exit status 1
>
>
> If I check out commit bf46ff0 (Initial client kerberos support), I see the
> following failure:
>
> $ ./client/X11/xfreerdp /u:Administrator /d:EXAMPLE /v:192.168.100.140
> Password:
> [13:48:05:532] [18255:18256] [ERROR][com.winpr.sspi.Kerberos] - Kerberos: Initialize failed, do you have correct kerberos tgt initialized ?
> [13:48:05:532] [18255:18256] [ERROR][com.winpr.sspi.Kerberos] - Kerberos: gss_init_sec_context failed with 1
> [13:48:05:532] [18255:18256] [ERROR][com.freerdp.core] - freerdp_set_last_error 0x20009
> [13:48:05:532] [18255:18256] [ERROR][com.freerdp.core.connection] - Error: protocol security negotiation or connection failure
> [13:48:05:533] [18255:18256] [ERROR][com.freerdp.client.x11] - Authentication only, exit status 1
>
>
> Am I doing anything wrong? Is any special client/server configuration
> needed?
>
> Though it doesn't work for me, I am worried that the password is still
> requested. Is it possible to do user authentication using Kerberos only
> (i.e. without the user password)? It seems rdesktop supports only server
> authentication, and there are also some comments that it isn't
> possible at all [4, 5]. I am quite lost in the RDP documentation; could you
> point me to the relevant documents, please?
>
> Thanks for any feedback...
>
> Ondrej
>
> [1]
> http://sourceforge.net/p/freerdp/mailman/freerdp-devel/thread/CA%2B1ewKYaHSv0XqyEXeWGgUDom-1mO0aPMBL9tk2Munpf6XFxkw%40mail.gmail.com/
> [2] https://github.com/awakecoding/FreeRDP/tree/kerberos
> [3]
> https://lists.fedoraproject.org/pipermail/desktop/2015-October/012985.html
> [4]
> https://social.msdn.microsoft.com/Forums/en-US/da074f0f-0887-4151-88ea-19a671ed91d9
> [5] http://sourceforge.net/p/rdesktop/mailman/message/32380286/
>
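Thomas's advice above is to confirm that a session really negotiated Kerberos rather than the NTLM fallback. The script below is an added example, not code from the thread or from FreeRDP: it checks a credential cache listing for the TGT and for a TERMSRV/<host> service ticket (the SPN Remote Desktop registers for the server), and scans the xfreerdp log for the WinPR NTLM module lines that Ondrej's output shows when the fallback is taken. The klist text and log fragment are constructed, the server name win2008.example.lan is an assumption (Kerberos needs the SPN's hostname, so the server should be addressed by DNS name rather than IP), and in real use you would pass the output of `klist` and of `xfreerdp ... 2>&1` instead.

```shell
#!/bin/sh
# Added example, not FreeRDP code: verify an RDP login used Kerberos.
# Assumed server name: win2008.example.lan (RDP SPN is TERMSRV/<hostname>).

# Constructed klist output as it would look after a Kerberos RDP login:
# the TGT plus a service ticket for the terminal server SPN.
KLIST_OUT='Ticket cache: KEYRING:persistent:1778400500:krb_ccache_5o3sgFJ
Default principal: administrator@EXAMPLE.LAN

Valid starting       Expires              Service principal
11/12/2015 12:50:53  11/12/2015 22:50:53  krbtgt/EXAMPLE.LAN@EXAMPLE.LAN
        renew until 11/19/2015 12:50:53
11/12/2015 13:45:19  11/12/2015 22:50:53  TERMSRV/win2008.example.lan@EXAMPLE.LAN
        renew until 11/19/2015 12:50:53'

# Constructed xfreerdp log fragment: the NTLM SSPI module logging means
# the client negotiated NTLM, i.e. the fallback was taken.
NTLM_LOG='[13:45:19:489] [16371:16372] [INFO][com.winpr.sspi.NTLM] - VERSION ={
[13:45:19:502] [16371:16372] [ERROR][com.freerdp.core] - freerdp_set_last_error 0x2000D'

# has_ticket KLIST_OUTPUT PREFIX
# Succeeds if the cache holds a ticket whose service principal starts with
# PREFIX (e.g. "krbtgt/" or "TERMSRV/host@"). Ticket lines start with two
# date/time pairs, so match on that shape to skip header and "renew until"
# lines; the principal is the fifth field.
has_ticket() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NF >= 5 && $1 ~ /^[0-9]+\/[0-9]+\/[0-9]+$/ && index($5, want) == 1 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# used_ntlm LOG
# Succeeds if the WinPR NTLM module logged anything during the connection.
used_ntlm() {
    printf '%s\n' "$1" | grep -q '\[com\.winpr\.sspi\.NTLM\]'
}

# kerberos_rdp_ok KLIST_OUTPUT LOG HOST
# Returns 0 only when a TGT is present, a TERMSRV/HOST service ticket was
# obtained, and no NTLM activity appears in the client log.
kerberos_rdp_ok() {
    has_ticket "$1" 'krbtgt/' || { echo "no TGT in cache; run kinit first" >&2; return 1; }
    has_ticket "$1" "TERMSRV/$3@" || { echo "no TERMSRV/$3 ticket; Kerberos was not used for RDP" >&2; return 1; }
    if used_ntlm "$2"; then
        echo "NTLM module active; session fell back to NTLM" >&2
        return 1
    fi
    echo "Kerberos was used for the RDP session to $3"
    return 0
}

# Stand-alone demonstration on the constructed inputs: the first call passes,
# the second fails because the log shows NTLM activity.
kerberos_rdp_ok "$KLIST_OUT" "" win2008.example.lan
kerberos_rdp_ok "$KLIST_OUT" "$NTLM_LOG" win2008.example.lan || true
```

Disabling NTLM on the server, as Thomas suggests, turns the third check from a warning into a hard failure of the connection, which is the safer configuration once the Kerberos path is known to work.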
_______________________________________________
FreeRDP-devel mailing list
FreeRDP-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/freerdp-devel
