Remote Credential Guard causing CredSSP error when connecting via SSH tunnel or Devolutions Gateway
The test I have run:
Windows Server 2022
With a Windows 10 client
Fully patched.
If I connect with Remote Credential Guard on, using the latest RDP client, I get a CredSSP error. If I turn off Remote Credential Guard or use FreeRDP, the problem goes away for all servers that client tries to connect to via the Devolutions Gateway.
When connected via an SSH session tunnel it happens sometimes; I can't recreate it consistently.
Gateway version is 2022.2.2.0
Hello,
Our RDP expert is currently on vacation. This is a very tricky question, and I will let Marc-André answer it when he gets back.
Regards
David Hervieux
Hi,
I am surprised to learn that RCG works at all through an SSH tunnel, or any kind of network tunnel. RCG from our experience is very flaky, and is only known to work semi-reliably from machines joined to the same domain, when on the same network. Even then, we've encountered unexplainable issues with customers where certain combinations of users and servers would work when some other wouldn't.
One theory I may have is that in some cases, it's possible that other connections made to servers on the same domain would cache information on the client that would then get reused for the RCG connection, but there is no way to tell if that's the case.
Does it work reliably without the SSH tunnel?
Best regards,
Marc-André Moreau
When I connect to machines on the same domain it works. But if I try to connect to a machine in a different domain, I get the CredSSP error when it is enabled. I work with many different clients, and if this feature can only be used on machines in the same domain, then it will be one we disable by default when we roll this out to the whole company.
I hear you, and I wish RCG was designed in a way that makes sense, but unfortunately we only managed to make it work between machines joined to the *same* domain, with Kerberos enabled (so this means having line-of-sight to the KDC, and using the FQDN of the target server).
We're the only ones that support supplied/explicit credentials with RCG, not even Microsoft does it with mstsc. The UI blocks it such that with RCG enabled you can only use the current user for the target server. The code is there internally, and that's what we've enabled, but as you can imagine, it's not very well tested because of the UI block.
You can find more information here about RCG integration in RDM: https://blog.devolutions.net/2021/05/protecting-rdp-passwords-from-mimikatz-using-remote-credential-guard/
However, since that blog article came out, we did assist a few customers with RCG, and we've encountered many issues even in cases where we believe it should have worked. Since this is all within the Microsoft code, we can't really tell why it fails. So, RCG "works", but it's a disappointing feature.
The only alternative I could recommend would be to perform a password reset after every RDP connection to avoid the server-side password leak problem. There's no reason why the passwords should linger in memory on the RDP server, but there's not much we can do about it, unfortunately, since it's in the Microsoft RDP server code.
Here's a comparison of Devolutions Server PAM with Remote Credential Guard that shows how to achieve similar results, but using password resets:
https://blog.devolutions.net/2022/02/new-use-case-how-organizations-can-secure-rdp-credentials-by-replacing-remote-credential-guard-with-devolutions-server-pam/
Best regards,
Marc-André Moreau
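As an added example (not part of the forum thread, and not Devolutions or Microsoft code), the following PowerShell preflight script checks the Remote Credential Guard prerequisites that Marc-André lists above from the client side before you open the session: the client is domain-joined, the target is addressed by FQDN and is in the same domain, the Credentials Delegation policy selects RCG, and a Kerberos service ticket for TERMSRV/<fqdn> can actually be obtained from a KDC. The target name is a placeholder you supply; the registry value meanings follow the documented "Restrict delegation of credentials to remote servers" policy, and the `klist get` success text is matched on the message Windows prints, which is an assumption about the output format.

```powershell
# Added example: client-side preflight for Remote Credential Guard (RCG).
# Checks the conditions named in the thread: same domain, Kerberos line-of-sight, FQDN target.
# Run on the RDP client as the user who will connect. Not the product's own code.
param(
    # Assumed placeholder; replace with the real target, e.g. 'srv01.corp.example'
    [Parameter(Mandatory)] [string] $TargetFqdn
)

$results = [ordered]@{}

# 1. RCG only works from a domain-joined client (workgroup machines have no Kerberos identity).
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results['ClientDomainJoined'] = [bool]$cs.PartOfDomain
$results['ClientDomain']       = $cs.Domain

# 2. The target must be given as an FQDN that resolves, otherwise no TERMSRV/<fqdn> SPN lookup
#    happens and the client falls back to NTLM inside CredSSP, which RCG does not allow.
$results['TargetIsFqdn']      = $TargetFqdn -match '^[^.]+\.[^.]+'
$results['TargetDnsResolves'] = [bool](Resolve-DnsName -Name $TargetFqdn -ErrorAction SilentlyContinue)

# 3. Per the thread, RCG was only seen to work within the same domain: compare DNS suffixes.
$targetDomain = ($TargetFqdn -split '\.', 2)[1]
$results['TargetInClientDomain'] = ($targetDomain -ieq $cs.Domain)

# 4. Client policy: Computer Configuration > Administrative Templates > System > Credentials Delegation
#    > "Restrict delegation of credentials to remote servers".
#    RestrictedRemoteAdministration = 1 enables it; ...Type 2 = Require Remote Credential Guard
#    (1 = Require Restricted Admin, 3 = Restrict credential delegation, either mode).
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
$results['RcgPolicyEnabled'] = ($pol.RestrictedRemoteAdministration -eq 1)
$results['RcgPolicyMode']    = $pol.RestrictedRemoteAdministrationType

# 5. Kerberos line-of-sight: ask the KDC for a service ticket to the RDP SPN of the target.
#    If this fails, the RDP session cannot use Kerberos and RCG will fail with a CredSSP error.
#    Assumption: success is reported by klist with "has been retrieved successfully".
$klistOut = (& klist.exe get "TERMSRV/$TargetFqdn" 2>&1) -join "`n"
$results['KerberosTicketForTarget'] = $klistOut -match 'retrieved successfully'

# 6. Summarise: every boolean check must be $true for RCG to have a chance of working.
$boolChecks = $results.GetEnumerator() | Where-Object { $_.Value -is [bool] }
$results['AllPrerequisitesMet'] = -not ($boolChecks | Where-Object { -not $_.Value })

[pscustomobject]$results | Format-List
```

If `KerberosTicketForTarget` is false while the others are true, the usual causes are the target being reached through a tunnel or gateway under a name that does not match its SPN, or the client having no route to a KDC for the target's domain; both produce exactly the CredSSP error the thread describes, and switching RCG off lets the connection fall back to NTLM, which is why the error disappears.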