Hey Thomas, thanks for your answer.
----- Original Message -----
> Hello Ondrej,
>
> I am glad you are looking into this, Kerberos support has its place in
> FreeRDP.
>
> First, I would recommend trying the most up-to-date code [1] for this
> feature (Marc-Andre's branch lacks a couple of commits).
> This should prove more reliable than the one you tried.

I haven't known about this most up-to-date code. I hope I will find some time to test it.

> If you are able to get Kerberos tickets from your machine then you should be
> good to go (I see you have a TGT, so that should be enough), nothing else
> is needed.
>
> Now regarding the user password, you might be in for a shock, RDP sessions
> using Kerberos (even in MS implementation) will forward the user password
> (or PIN when using smartcard).
> It is just the way it works, as the password/PIN will then be used to open
> an interactive session for the user.
> So you are going to say, "what's the point of Kerberos then?", well it is
> still useful to authenticate the RDP session and to wrap the user password.

That is what I was afraid of :-(

> Now, with the latest code, keep in mind that there is a NTLM fallback, so
> when the session will be open, make sure you used Kerberos (or disable NTLM
> on the Windows server).
>
> The code was stable and more advanced than a PoC, so if you are stuck
> somewhere, something else is in the way.

Don't you have some info about merging the code? Have you already made a pull request?

Regards

Ondrej

> Let me know if you are making progress.
>
> Cheers,
>
> Thomas
>
> [1] https://github.com/tc-anssi/FreeRDP/tree/kerberos
>
> On Thu, Nov 26, 2015 at 3:16 PM, Ondrej Holy <oh...@redhat.com> wrote:
>
> > Hello,
> >
> > I am writing to you regarding kerberos support in FreeRDP. Some initial
> > kerberos implementation was proposed by Thomas Calderon on this list before
> > some time [1]. There is already fork of this on Marc-Andre's git [2]. What
> > is status about this? Are there any timelines regarding this?
> >
> > There is intention to improve enterprise features for Fedora 24 [3]. It
> > includes also desire for kerberos support in FreeRDP among others (i.e.
> > user authentication using kerberos ticket). I should be one of the people
> > involved in this.
> >
> > I tried the mentioned kerberos branch. I configured Active Directory
> > domain with Microsoft Windows Server 2008. However I am unable to connect
> > using FreeRDP, though kinit works properly, see:
> >
> > $ klist
> > Ticket cache: KEYRING:persistent:1778400500:krb_ccache_5o3sgFJ
> > Default principal: administra...@example.lan
> >
> > Valid starting       Expires              Service principal
> > 11/12/2015 12:50:53  11/12/2015 22:50:53  krbtgt/example....@example.lan
> >         renew until 11/19/2015 12:50:53
> >
> > $ ./client/X11/xfreerdp /u:Administrator /d:EXAMPLE /v:192.168.100.140
> > Password:
> > [13:45:19:489] [16371:16372] [INFO][com.winpr.sspi.NTLM] - VERSION ={
> > [13:45:19:489] [16371:16372] [INFO][com.winpr.sspi.NTLM] - ProductMajorVersion: 6
> > [13:45:19:489] [16371:16372] [INFO][com.winpr.sspi.NTLM] - ProductMinorVersion: 1
> > [13:45:19:489] [16371:16372] [INFO][com.winpr.sspi.NTLM] - ProductBuild: 7601
> > [13:45:19:489] [16371:16372] [INFO][com.winpr.sspi.NTLM] - Reserved: 0x000000
> > [13:45:19:489] [16371:16372] [INFO][com.winpr.sspi.NTLM] - NTLMRevisionCurrent: 0x0F
> > [13:45:19:502] [16371:16372] [ERROR][com.freerdp.core] - freerdp_set_last_error 0x2000D
> > [13:45:19:503] [16371:16372] [ERROR][com.freerdp.client.x11] - Authentication only, exit status 1
> >
> >
> > If I check out commit bf46ff0 (Initial client kerberos support), I see
> > following failure:
> >
> > $ ./client/X11/xfreerdp /u:Administrator /d:EXAMPLE /v:192.168.100.140
> > Password:
> > [13:48:05:532] [18255:18256] [ERROR][com.winpr.sspi.Kerberos] - Kerberos: Initialize failed, do you have correct kerberos tgt initialized ?
> > [13:48:05:532] [18255:18256] [ERROR][com.winpr.sspi.Kerberos] - Kerberos: gss_init_sec_context failed with 1
> > [13:48:05:532] [18255:18256] [ERROR][com.freerdp.core] - freerdp_set_last_error 0x20009
> > [13:48:05:532] [18255:18256] [ERROR][com.freerdp.core.connection] - Error: protocol security negotiation or connection failure
> > [13:48:05:533] [18255:18256] [ERROR][com.freerdp.client.x11] - Authentication only, exit status 1
> >
> >
> > Am I doing anything wrong? Is any special client/server configuration
> > needed?
> >
> > Though it doesn't work for me, I am worried about password is still
> > requested. Is it possible to make user authentication only using kerberos
> > (i.e. without user password)? It seems rdesktop supports only server
> > authentication and there are also some comments about that it isn't
> > possible at all [4, 5]. I am quite lost in RDP documentation, could you
> > point me to relevant documents please?
> >
> > Thanks for any feedback...
> >
> > Ondrej
> >
> > [1] http://sourceforge.net/p/freerdp/mailman/freerdp-devel/thread/CA%2B1ewKYaHSv0XqyEXeWGgUDom-1mO0aPMBL9tk2Munpf6XFxkw%40mail.gmail.com/
> > [2] https://github.com/awakecoding/FreeRDP/tree/kerberos
> > [3] https://lists.fedoraproject.org/pipermail/desktop/2015-October/012985.html
> > [4] https://social.msdn.microsoft.com/Forums/en-US/da074f0f-0887-4151-88ea-19a671ed91d9
> > [5] http://sourceforge.net/p/rdesktop/mailman/message/32380286/
> >
>

_______________________________________________
FreeRDP-devel mailing list
FreeRDP-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/freerdp-devel
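
One way to check a captured xfreerdp log for the NTLM fallback mentioned in the quoted reply, as an added example that is not part of the original thread or of FreeRDP's code. It assumes the log line layout shown in the quoted output; the function name `summarize` and the two sample strings (log lines copied from the thread, with the e-mail wrapping undone) are illustrative.

```python
import re

# Log line layout as it appears in the xfreerdp output quoted in this thread:
# [time] [pid:tid] [LEVEL][logger.tag] - message
LINE_RE = re.compile(
    r"^\[(?P<time>[\d:]+)\]\s+\[(?P<pid>\d+):(?P<tid>\d+)\]\s+"
    r"\[(?P<level>[A-Z]+)\]\[(?P<tag>[\w.]+)\]\s+-\s*(?P<msg>.*)$"
)
ERR_RE = re.compile(r"freerdp_set_last_error\s+(0x[0-9A-Fa-f]+)")
SSPI_PREFIX = "com.winpr.sspi."

# Sample input: lines from the two runs quoted in the thread, rejoined.
RUN_KERBEROS_BRANCH = """\
Password:
[13:45:19:489] [16371:16372] [INFO][com.winpr.sspi.NTLM] - VERSION ={
[13:45:19:489] [16371:16372] [INFO][com.winpr.sspi.NTLM] - ProductMajorVersion: 6
[13:45:19:502] [16371:16372] [ERROR][com.freerdp.core] - freerdp_set_last_error 0x2000D
"""
RUN_BF46FF0 = """\
Password:
[13:48:05:532] [18255:18256] [ERROR][com.winpr.sspi.Kerberos] - Kerberos: gss_init_sec_context failed with 1
[13:48:05:532] [18255:18256] [ERROR][com.freerdp.core] - freerdp_set_last_error 0x20009
"""


def summarize(log_text):
    """List SSPI packages that logged, those that logged errors, and the last error code."""
    packages, failed, last_error = [], [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # prompts such as "Password:" are not log lines
        tag, level, msg = m["tag"], m["level"], m["msg"]
        if tag.startswith(SSPI_PREFIX):
            pkg = tag[len(SSPI_PREFIX):]
            if pkg not in packages:
                packages.append(pkg)
            if level == "ERROR" and pkg not in failed:
                failed.append(pkg)
        err = ERR_RE.search(msg)
        if err:
            last_error = err.group(1)
    # Heuristic: any output from the NTLM logger means the NTLM package was exercised.
    return {"packages": packages, "failed": failed,
            "ntlm_seen": "NTLM" in packages, "last_error": last_error}
```

A log with no NTLM lines is not proof that Kerberos was used; the server-side option named in the thread (disabling NTLM on the Windows server) remains the stronger check.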