Unable to RDP to AAD joined device using RDM

Hi all,

I have an AAD joined device that I am trying to RDP to. The device is on the LAN, so I am just connecting to it by the internal IP address.

I can use MSTSC to connect to the machine. But I'll need to first edit the Default.RDP file for mstsc to include this:
enablecredsspsupport:i:0

Then, when I RDP, it will not ask me for creds and will take me directly to the Windows logon screen (as if I'm consoled to it). From there, I can type the AAD account and log in there.

If I do not use enablecredsspsupport:i:0, MSTSC will not let me log in no matter what format I use. I've tried:

.\azuread\test.account@blah.co.nz
test.account@blah.co.nz
testDomain\test.account

None of them worked. I have to change that credssp support line to get to the Windows logon screen and enter my creds in there.

Anyway, at least it works for mstsc. For RDM, I can't get this working. Looks like in the October release, you guys removed EnableCredSSPSupport, as per the changelog:
"Removed the EnableCredSSPSupport option to get rid of the confusion with the NLA option"

How can I get this working in RDM?

I've also tried setting credssp to vulnerable as per guide here:
https://thegeekpage.com/credssp-encryption-oracle-remediation-error/


--------------------------------------------------------------------------------------------------------------------

I'm always using the latest beta RDM x64 version.
Local data source.

Hello,

We removed it from the UI, but it's still there, hidden by the NLA option. If I disable NLA, then accept the recommendation to switch to "Warn me", then export to RDP, I get

authentication level:i:2
enablecredsspsupport:i:0
negotiate security layer:i:0

Had you played around with NLA in your tests? It seems like the proper combination of settings.


Maurice

Hi Maurice,

Yes, I've tried that already. Tried a combination of enabling and disabling NLA and choosing the different warning options.

I think I've figured this out. My default RDP template has the "prompt credentials on connection" setting and so I'll get something like this:

forum image


I was typing in the creds in the screenshot above because that's how I normally do it. But if I just click OK without entering anything, it'll take me to the Windows logon screen and from there, I can type the creds as if I'm consoled to it. This ticket can be closed now.


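An added example, not from this thread or from Devolutions: a small parser for the key:type:value lines of an exported .rdp file (like the three lines Maurice posted), plus an audit that flags the settings that turn NLA/CredSSP off and change certificate verification, so an admin can see what a connection profile actually gives up before rolling it out. The sample file content is constructed; the "prompt for credentials" key is assumed to be what the RDM "prompt credentials on connection" setting maps to.

```python
# Example code, not from the forum thread or the RDM product.
# Parses .rdp settings and reports the security-relevant ones.

# Constructed sample mirroring the exported settings quoted in the thread.
SAMPLE_RDP = """\
full address:s:10.0.0.25:3389
authentication level:i:2
enablecredsspsupport:i:0
negotiate security layer:i:0
prompt for credentials:i:1
"""


def parse_rdp(text):
    """Parse 'key:type:value' lines into a dict; 'i' values become ints.

    The value may itself contain ':' (host:port), so split at most twice.
    Lines without a key, type and value are skipped.
    """
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) != 3:
            continue
        key, typ, value = parts
        settings[key] = int(value) if typ == "i" else value
    return settings


def audit_rdp(settings):
    """Return findings describing how the profile weakens RDP authentication."""
    findings = []
    # enablecredsspsupport:i:0 disables CredSSP, and with it Network Level
    # Authentication: the session is established before the user is verified
    # and credentials are typed at the Windows logon screen instead.
    if settings.get("enablecredsspsupport", 1) == 0:
        findings.append("NLA disabled (enablecredsspsupport=0)")
    # authentication level: 0 = connect without warning when the server cannot
    # be authenticated, 1 = refuse to connect, 2 = warn (RDM's 'Warn me').
    level = settings.get("authentication level", 2)
    if level == 0:
        findings.append("server identity never verified (authentication level=0)")
    elif level == 2:
        findings.append("certificate warnings can be clicked through (authentication level=2)")
    if settings.get("negotiate security layer", 1) == 0:
        findings.append("security layer negotiation turned off (negotiate security layer=0)")
    return findings


if __name__ == "__main__":
    for f in audit_rdp(parse_rdp(SAMPLE_RDP)):
        print("finding:", f)
```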

Hello,

Thanks a lot for the feedback, we're glad a solution could be found.

Have a great one!

Best regards,

Alex Belisle