Connect from Android client to AzureAD joined desktop with Network Level Security activated
I have a computer that uses AzureAD user accounts (it is AzureAD joined) but not "DomainJoined". I activated remote desktop connections and have network level security required.
I can access it via other desktops with my account, but I could not connect with the Remote Desktop Manager Android app. I feel like I tried all the options but nothing works...
Any ideas?
Hello,
Thank you for contacting us on that matter!
Do you receive any error messages? If so, could you please provide us with a screenshot of it?
Also, which version of RDM Android and what type of data source are you currently using?
Best regards,
James Lafleur
Hi
Just a generic one (and it is not visible in the screenshot): "Verbindung zu Host 192.168.... konnte nicht hergestellt werden" (Connection to host ... could not be established).
I'm using version 2022.3.5.0 and I configured the connection completely within the app (in German it says "konfiguriert", which means "configured").
BR Michael
Hi,
Are you able to connect with Microsoft's Android RD Client?
Best Regards,
Nicolas Dufour
No, because the MS Android client does not support Network Level Security.
Hello
I feel like this is a scenario we should support, and I'd like to investigate but I'll need some further details.
When you say "Network Level Security" - are you talking about Network Level Authentication (NLA)? Network Level Security isn't a term I'm familiar with so I want to check.
When you connect using a desktop client, it uses NLA? Meaning - you enter your username and password into the RDP client and connect, and the server is "logged in" automatically? Or, when you connect, you are connected to the WinLogon screen and must enter your credentials into the remote server to login?
Finally, what format do you use for the username? e.g. AzureAD\user@domain.com
Please let me know if something isn't clear,
Thanks and kind regards,
Richard Markievicz
Hi
First of all, thank you for taking the time to help me with this!
And yes, sorry, wrong name: I meant Network Level Authentication. And yes, the flag is active and I do not need to log in on the target server (I fill in the login data on the client when using the desktop client).
I tried AzureAD\user@domain.com, and also filling AzureAD in the Domain field, and also without a domain.
BR Michael
Hi Michael
Thanks for the follow up. On desktop, you use "AzureAD\user@domain.com"?
Thanks and kind regards,
Richard Markievicz
Hello Michael
Unfortunately, it's not currently possible. When connecting to an AzureAD joined server using NLA, RDP uses a special authentication mode called PKU2U to authenticate your identity. This is, as far as I know, Windows only and the documentation itself supports that: "Remote connections to an Azure AD-joined PC from an unjoined device or a non-Windows 10 device aren't supported."
The only workaround currently is to disable the requirement for NLA on the server. RDM Android will try the connection both with and without NLA and should be able to connect OK - you'll be able to connect faster if you explicitly disable NLA also in the RDP session connection settings.
To add some positive information: we have a working project currently to implement our own version of Microsoft's Security Support Providers. We already added support for Kerberos, and PKU2U is something we aim to support in the future. However, I don't currently have a timeframe for when that might be available.
Please let me know if something is not clear or you have further questions.
Thanks and kind regards,
Richard Markievicz
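Since the workaround above means turning off the NLA requirement on the target PC, an administrator will want to see whether it is currently off and to put it back once the Android client is no longer needed. The following audit script is an added example by the editor, not code from this thread or from RDM; it assumes an elevated PowerShell session on the AzureAD-joined PC and the default listener name RDP-Tcp.

```powershell
# Added example (not from this thread or from RDM): report the RDP listener's NLA and
# security-layer state plus the PKU2U policy value, and optionally re-enable NLA.
# Assumes an elevated session on the AzureAD-joined PC and the default "RDP-Tcp" listener.
param(
    [string]$Listener = 'RDP-Tcp',
    [switch]$RestoreNla   # re-enable the NLA requirement once the workaround is no longer needed
)

$ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='$Listener'"
if (-not $ts) { throw "RDP listener '$Listener' not found" }

# UserAuthenticationRequired: 1 = NLA required (client authenticates before the logon screen),
# 0 = clients such as RDM Android may fall back to the legacy logon-screen flow.
# SecurityLayer: 0 = RDP, 1 = Negotiate, 2 = TLS.
[pscustomobject]@{
    Listener      = $Listener
    NlaRequired   = [bool]$ts.UserAuthenticationRequired
    SecurityLayer = @('RDP', 'Negotiate', 'TLS')[$ts.SecurityLayer]
}

# NLA against an AzureAD identity goes through PKU2U; this registry value backs the policy
# "Network security: Allow PKU2U authentication requests to this computer to use online identities".
$pku2u = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u' `
           -Name AllowOnlineID -ErrorAction SilentlyContinue
if ($null -eq $pku2u) {
    'PKU2U policy: not configured (Windows default applies)'
} else {
    "PKU2U policy AllowOnlineID = $($pku2u.AllowOnlineID) (1 = allowed, 0 = blocked)"
}

if ($RestoreNla -and -not $ts.UserAuthenticationRequired) {
    # Same switch as "Require Network Level Authentication" under System Properties > Remote.
    $r = Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
           -Arguments @{ UserAuthenticationRequired = 1 }
    if ($r.ReturnValue -ne 0) { throw "SetUserAuthenticationRequired failed with code $($r.ReturnValue)" }
    "NLA requirement restored on listener '$Listener'."
}
```

Run it without parameters to audit only; pass -RestoreNla to flip the requirement back on, which is the setting this thread's workaround relaxes.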
Hi
Thanks a lot for the explanation! That's unfortunate from the MS side, but at least I can stop trying for now ;)
Thanks again & have a nice day.
Michael