FreeRDP: UPN login

After switching to FreeRDP, the RDP session can't log on with UserPrincipalName.

As far as I see, it converts user@domain.com to DOMAIN.COM\user, but that's not a real UPN login. The user part can be different, just for example.

All Comments (12)

Hi,
Do you have a real example that you can send in private without the password?

Regards

David Hervieux

Hi zomby,

Quick question, were you using a UPN credential to connect to a Hyper-V instance?

Jonathan Lafontaine

Oh sorry. I forgot to answer.

No, it's not related to Hyper-V, I didn't try it.

I am logging in to a normal RDP server using NLA, but the username is the UPN (username@domain.net format). It is the UserPrincipalName property in AD.
The UPN is different from the samAccountName.

Are you using Kerberos?

Jonathan Lafontaine

Yes, I think it's Kerberos using CredSSP. No client certificate is used.

I didn't check, but I think the authentication method is the same. The only difference is that instead of using NETBIOSDOMAIN\samAccountName, I am using UserPrincipalName (user@domain.tld) to log in.

The NetBIOS domain and the UPN domain can be different. As far as I see, the client just converts user@domain.tld to DOMAIN.TLD\user, which is not the same. That is still a NetBIOS login, which may or may not work.

Hi zomby,

What OS are you launching your connections from?
We have found some issues with RDP8 (which FreeRDP uses) and Server 2012 R2 (and possibly Windows 8.1).

Jonathan Lafontaine

I tried it from Windows 10 x64 Enterprise 1703.

Please note that the NETBIOS login is different in my case.

Example
NETBIOS DOMAIN NAME: DOMAIN
SamAccountName: username
UserPrincipalName: firstname.lastname@differentdomain.tld

I am trying to use firstname.lastname@differentdomain.tld to log in, which is not working.
DOMAIN\username works.

As far as I see, if I enter firstname.lastname@differentdomain.tld (UPN) to log in, FreeRDP tries to use:
DIFFERENTDOMAIN.TLD\firstname.lastname, which doesn't work.

Hi zomby,

The next version, which will be released shortly, will have a potential fix for your issue.
In the connection advanced page, not to be confused with the RDP advanced tab, change the Username format to "{User}@{Domain}".

Jonathan Lafontaine

Hi Jonathan,

This seems to solve the issue, but it's not a generic solution.

I have 2 issues:

1. I store the username and password in KeePass. The username is entered in UPN format, and the NETBIOS domain was filled in. If I just changed the Username format to "{User}@{Domain}", it tried to log in with firstname.lastname@NETBIOSDOMAIN.
I had to remove the "DOMAIN" setting from KeePass to make it work.

2. This account is used in other places; it would be better if it could work with the default setting: if the username is in UPN format {USERNAME}@{DOMAIN}.{TLD}, auto-switch to UPN. (Maybe that doesn't work for others...)
It can be detected because after the @ there is an FQDN, not just a NetBIOS domain name without a dot.

Hi,

This situation is, indeed, less than optimal.
I'll look into it.

Jonathan Lafontaine

Hi zomby,

I've added a new domain override option to cover your use case.
This will hopefully solve all your issues.

You can edit the Domain Override from the Advanced properties page (same as before).
The new value is "Use Domain from UPN". As the name suggests, this will override the default domain with the one contained in the UPN username (if present).

This will be available in the upcoming release.

Jonathan Lafontaine
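
The username handling discussed in this thread, as an added Python example that is not FreeRDP's or the client's own code: `naive_split` reproduces the reported conversion, and `resolve` applies the heuristic proposed in the thread (an `@` followed by a dotted suffix marks a UPN, which is passed through unchanged and takes precedence over a stored NetBIOS domain). All function and type names are hypothetical.

```python
# Added illustration; all names are hypothetical, not FreeRDP or client code.
from typing import NamedTuple, Optional


class Logon(NamedTuple):
    user: str              # user name handed to the authentication layer
    domain: Optional[str]  # separate domain field; None if the name is self-contained
    kind: str              # "upn", "down-level" or "bare"


def looks_like_upn(name: str) -> bool:
    """Heuristic from the thread: one '@' followed by a dotted suffix."""
    if "\\" in name or name.count("@") != 1:
        return False
    prefix, suffix = name.split("@")
    labels = suffix.split(".")
    return bool(prefix) and len(labels) >= 2 and all(labels)


def naive_split(name: str) -> Logon:
    """Reported behaviour: user@domain.tld is rewritten to DOMAIN.TLD\\user."""
    if "@" in name:
        user, suffix = name.split("@", 1)
        return Logon(user, suffix.upper(), "down-level")
    return Logon(name, None, "bare")


def resolve(name: str, stored_domain: Optional[str] = None) -> Logon:
    """Pass a UPN through unchanged; use the stored domain only for other names."""
    if looks_like_upn(name):
        return Logon(name, None, "upn")  # stored NetBIOS domain is ignored
    if "\\" in name:  # DOMAIN\user typed in full
        domain, user = name.split("\\", 1)
        return Logon(user, domain, "down-level")
    if stored_domain:
        return Logon(name, stored_domain, "down-level")
    return Logon(name, None, "bare")


# Constructed sample values, taken from the example given in the thread.
UPN = "firstname.lastname@differentdomain.tld"

if __name__ == "__main__":
    print(naive_split(UPN))                      # the failing DIFFERENTDOMAIN.TLD\user form
    print(resolve(UPN, stored_domain="DOMAIN"))  # UPN kept intact
    print(resolve("username", stored_domain="DOMAIN"))
    print(resolve("DOMAIN\\username"))
```

A name such as `user@DOMAIN`, with no dot after the `@`, is not classified as a UPN by this heuristic and falls through to the other branches.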