macOS Internal RDP is not working

Resolved

I am using version 2023.2.8.1 on macOS with an M2 CPU. The internal RDP to my Windows machines isn't working. The user ID is an Azure user ID.
ERROR ERRCONNECT_LOGON_FAILURE (0x00000014)
When I use the external option with MS Remote Desktop, everything is working.

Hi,

Could you follow the following instructions to generate session logs: https://docs.devolutions.net/kb/remote-desktop-manager-macos/how-to-articles/rdm-mac-enable-send-rdp-logs/?q=session+logs

After this, could you share the generated session log here so we can look at the issue?

Best regards,

Xavier Fortin

Attached the session log

67e62bc9-b49e-4a7b-b7ce-b7677722ed73.log

Hi,

Thanks for the log, we'll investigate and come back as soon as we have more information.

Best regards,

Xavier Fortin

Hello

To start with the short answer: currently the only option to make this work is to disable the NLA requirement on your server. Here's a post that describes how to make that change, although there are many guides online. On the RDM side, you can follow up by unchecking "Enable Network Level Authentication (NLA)" in the "Authentication" tab of the RDP connection settings page - this will stop RDM from attempting NLA and make the connection a little quicker (similarly, you will need to ensure that "Enable Transport Layer Security (TLS)" is checked).

If something isn't clear or things still aren't working right after making those changes, please don't hesitate to post back here.

The longer explanation is that in this scenario (Azure AD authentication using NLA), the client uses certificates obtained using Azure AD registration and then authenticates using a security protocol called PKU2U. The protocol is effectively undocumented and uses "black box" components in Windows and Microsoft's first-party RDP clients; there is simply zero support for third-party vendors in this case. Even on Windows it's extremely tricky to make this work from a third-party client; on other platforms it's just not possible.

Moving forward, there has been progress in our RDP component to support Azure Active Directory SSO (for Remote Desktop Services). So in the future we might be able to offer something better here, but it's not at a stage where I can offer a timeframe for delivering that.

I'm sorry I don't have a better solution than disabling NLA. It's unfortunate that the only way to enable this is to downgrade the security of the server, but it's the only option left by Microsoft.

Thanks and kind regards,

Richard Markievicz
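As an added example (not from this thread, and not Devolutions' own code), here is a PowerShell audit of the two server-side settings the answer above turns on and off, the NLA requirement and the TLS security layer, read from the local host's RDP-Tcp listener so an administrator can see what a server is actually configured to do after the change. The function name Get-RdpSecurityPosture is chosen here; the registry values and the Win32_TSGeneralSetting class are standard Windows ones.

```powershell
# Added example: report the RDP listener's NLA and security-layer settings.
# Registry values under WinStations\RDP-Tcp:
#   UserAuthentication : 1 = NLA required, 0 = NLA not required
#   SecurityLayer      : 0 = legacy RDP security, 1 = Negotiate, 2 = TLS
# Get-RdpSecurityPosture is a helper name chosen for this example.
function Get-RdpSecurityPosture {
    [CmdletBinding()]
    param()

    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $props = Get-ItemProperty -Path $key -Name UserAuthentication, SecurityLayer -ErrorAction Stop

    # Cross-check the NLA flag through the WMI class the System Properties dialog uses.
    $ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
                          -ClassName Win32_TSGeneralSetting `
                          -Filter "TerminalName='RDP-Tcp'"

    $layerName = switch ($props.SecurityLayer) {
        0       { 'RDP (legacy)' }
        1       { 'Negotiate' }
        2       { 'TLS' }
        default { "Unknown ($($props.SecurityLayer))" }
    }

    # Findings mirror the answer's two conditions: NLA off, TLS still required.
    $findings = @()
    if ($props.UserAuthentication -eq 0) {
        $findings += 'NLA not required: the user authenticates at the logon screen after the session is set up.'
    }
    if ($props.SecurityLayer -ne 2) {
        $findings += 'TLS is not enforced as the security layer (Negotiate or legacy RDP in use).'
    }
    if ($props.UserAuthentication -eq 0 -and $props.SecurityLayer -ne 2) {
        $findings += 'NLA disabled and TLS not enforced: weakest combination, review this host.'
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        NlaRequired      = [bool]$props.UserAuthentication
        NlaRequiredByWmi = [bool]$ts.UserAuthenticationRequired
        SecurityLayer    = $layerName
        Findings         = $findings
    }
}

Get-RdpSecurityPosture | Format-List
```

Run it in an elevated session on the RDP host; a server configured as the answer describes should report NlaRequired = False together with SecurityLayer = TLS and only the first finding.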