Cannot remote with domain credentials (Kerberos).



Greetings!

I have an issue with connecting to Windows Servers using my Active Directory domain credentials; I get the error "ERRCONNECT_CONNECT_TRANSPORT_FAILED (0x0000000D)".

The account used for authentication is a member of the "Protected Users" AD group, which allows only Kerberos authentication. Connecting to the same server(s) with the same account works fine when using the Windows App by Microsoft, so is this an RDM configuration issue? I am connecting to the server using its hostname (FQDN), the username is set in UPN format (user@domain.com). Local Network is allowed in the security settings.

My current "Authentication" settings:

Here are the session logs (I did some further obfuscation):
[09:20:50:153] [54183:77f9b000] [DEBUG][com.winpr.timezone] - [winpr_get_timezone_from_link]: tzid: Europe/**
[09:20:50:153] [54183:77f9b000] [DEBUG][com.winpr.timezone] - [winpr_get_timezone_from_link]: tzid: Europe/**
[09:20:50:154] [54183:77f9b000] [DEBUG][com.winpr.timezone] - [winpr_get_timezone_from_link]: tzid: Europe/**
[09:20:50:154] [54183:77f9b000] [DEBUG][com.winpr.timezone] - [winpr_get_timezone_from_link]: tzid: Europe/**
[09:20:50:165] [54183:77f9b000] [INFO][Devolutions.Rdp.Credentials] - [Parse]: parsing "********", "**.**" (Mstsc) => "Username: "********" Domain: "**.**""
[09:20:50:168] [54183:77f9b000] [DEBUG][com.freerdp.core] - [freerdp_connect_begin]: resetting error state
[09:20:50:168] [54183:77f9b000] [DEBUG][com.freerdp.client.common.cmdline] - [freerdp_client_load_static_channel_addin]: loading channelEx rdpdr
[09:20:50:168] [54183:77f9b000] [DEBUG][com.freerdp.client.common.cmdline] - [freerdp_client_load_static_channel_addin]: loading channelEx rdpsnd
[09:20:50:168] [54183:77f9b000] [DEBUG][com.freerdp.client.common.cmdline] - [freerdp_client_load_static_channel_addin]: loading channelEx RDMJump
[09:20:50:168] [54183:77f9b000] [DEBUG][com.freerdp.client.common.cmdline] - [freerdp_client_load_static_channel_addin]: loading channelEx RDMCmd
[09:20:50:168] [54183:77f9b000] [DEBUG][com.freerdp.client.common.cmdline] - [freerdp_client_load_static_channel_addin]: loading channelEx RDMLog
[09:20:50:168] [54183:77f9b000] [DEBUG][com.freerdp.channels.channels.cliprdr.client] - [cliprdr_VirtualChannelEntryEx]: VirtualChannelEntryEx
[09:20:50:168] [54183:77f9b000] [DEBUG][com.freerdp.client.common.cmdline] - [freerdp_client_load_static_channel_addin]: loading channelEx cliprdr
[09:20:50:168] [54183:77f9b000] [DEBUG][com.freerdp.channels.drdynvc.client] - [drdynvc_VirtualChannelEntryEx]: VirtualChannelEntryEx
[09:20:50:168] [54183:77f9b000] [DEBUG][com.freerdp.client.common.cmdline] - [freerdp_client_load_static_channel_addin]: loading channelEx drdynvc
[09:20:50:168] [54183:77f9b000] [DEBUG][com.freerdp.settings] - [log_monitor_configuration]: [BEGIN] MonitorDefArray[1]
[09:20:50:168] [54183:77f9b000] [DEBUG][com.freerdp.settings] - [log_monitor]: [0] [primary] {0x0-2308x1234} [0] {1000x1000, orientation: 0, desktopScale: 100, deviceScale: 100}
[09:20:50:168] [54183:77f9b000] [DEBUG][com.freerdp.settings] - [log_monitor_configuration]: [END] MonitorDefArray[1]
[09:20:50:168] [54183:77f9b000] [DEBUG][com.freerdp.client.common.cmdline] - [freerdp_client_load_static_channel_addin]: loading channelEx rdpdr
[09:20:50:168] [54183:77f9b000] [DEBUG][com.freerdp.client.common.cmdline] - [freerdp_client_load_static_channel_addin]: loading channelEx rdpsnd
[09:20:50:168] [54183:77f9b000] [DEBUG][com.freerdp.client.common.cmdline] - [freerdp_client_load_static_channel_addin]: loading channelEx RDMJump
[09:20:50:168] [54183:77f9b000] [DEBUG][com.freerdp.client.common.cmdline] - [freerdp_client_load_static_channel_addin]: loading channelEx RDMCmd
[09:20:50:168] [54183:77f9b000] [DEBUG][com.freerdp.client.common.cmdline] - [freerdp_client_load_static_channel_addin]: loading channelEx RDMLog
[09:20:50:168] [54183:77f9b000] [DEBUG][com.freerdp.channels.channels.cliprdr.client] - [cliprdr_VirtualChannelEntryEx]: VirtualChannelEntryEx
[09:20:50:168] [54183:77f9b000] [DEBUG][com.freerdp.client.common.cmdline] - [freerdp_client_load_static_channel_addin]: loading channelEx cliprdr
[09:20:50:168] [54183:77f9b000] [DEBUG][com.freerdp.channels.drdynvc.client] - [drdynvc_VirtualChannelEntryEx]: VirtualChannelEntryEx
[09:20:50:168] [54183:77f9b000] [DEBUG][com.freerdp.client.common.cmdline] - [freerdp_client_load_static_channel_addin]: loading channelEx drdynvc
[09:20:50:168] [54183:77f9b000] [ERROR][com.freerdp.channels.virtual.channel] - [virtchan_virtual_channel_init_event_ex]: Unhandled event type 0
[09:20:50:168] [54183:77f9b000] [ERROR][com.freerdp.channels.virtual.channel] - [virtchan_virtual_channel_init_event_ex]: Unhandled event type 0
[09:20:50:169] [54183:77f9b000] [ERROR][com.freerdp.channels.virtual.channel] - [virtchan_virtual_channel_init_event_ex]: Unhandled event type 0
[09:20:50:169] [54183:77f9b000] [DEBUG][com.freerdp.primitives] - [primitives_autodetect_best]: primitives benchmark: only one backend, skipping...
[09:20:50:169] [54183:77f9b000] [DEBUG][com.freerdp.primitives] - [primitives_autodetect_best]: primitives autodetect, using optimized
[09:20:50:169] [54183:77f9b000] [WARN][com.freerdp.codec.nsc.neon] - [nsc_init_neon]: TODO: Implement neon optimized version of this function
[09:20:50:175] [54183:77f9b000] [WARN][com.freerdp.core.rdp] - [log_build_warn][0x1510eae00]: *************************************************
[09:20:50:176] [54183:77f9b000] [WARN][com.freerdp.core.rdp] - [log_build_warn][0x1510eae00]: This build is using [runtime-check] build options:
[09:20:50:176] [54183:77f9b000] [WARN][com.freerdp.core.rdp] - [log_build_warn][0x1510eae00]: * 'WITH_VERBOSE_WINPR_ASSERT=ON'
[09:20:50:176] [54183:77f9b000] [WARN][com.freerdp.core.rdp] - [log_build_warn][0x1510eae00]:
[09:20:50:176] [54183:77f9b000] [WARN][com.freerdp.core.rdp] - [log_build_warn][0x1510eae00]: [runtime-check] build options might slow down the application
[09:20:50:176] [54183:77f9b000] [WARN][com.freerdp.core.rdp] - [log_build_warn][0x1510eae00]: *************************************************
[09:20:50:176] [54183:77f9b000] [WARN][com.freerdp.core.rdp] - [log_build_warn_cipher][0x1510eae00]: *************************************************
[09:20:50:176] [54183:77f9b000] [WARN][com.freerdp.core.rdp] - [log_build_warn_cipher][0x1510eae00]: [SSL] {Cipher} build or configuration missing:
[09:20:50:176] [54183:77f9b000] [WARN][com.freerdp.core.rdp] - [log_build_warn_cipher][0x1510eae00]: * des-ede3-cbc: RDP security FIPS mode will not work
[09:20:50:176] [54183:77f9b000] [WARN][com.freerdp.core.rdp] - [log_build_warn_cipher][0x1510eae00]: *************************************************
[09:20:50:176] [54183:77f9b000] [DEBUG][com.freerdp.core.nego] - [nego_set_negotiation_enabled]: Enabling security layer negotiation: TRUE
[09:20:50:176] [54183:77f9b000] [DEBUG][com.freerdp.core.nego] - [nego_set_restricted_admin_mode_required]: Enabling restricted admin mode: FALSE
[09:20:50:176] [54183:77f9b000] [DEBUG][com.freerdp.core.nego] - [nego_set_RCG_required]: Enabling remoteCredentialGuards: FALSE
[09:20:50:176] [54183:77f9b000] [DEBUG][com.freerdp.core.nego] - [nego_enable_rdp]: Enabling RDP security: TRUE
[09:20:50:176] [54183:77f9b000] [DEBUG][com.freerdp.core.nego] - [nego_enable_tls]: Enabling TLS security: TRUE
[09:20:50:176] [54183:77f9b000] [DEBUG][com.freerdp.core.nego] - [nego_enable_nla]: Enabling NLA security: FALSE
[09:20:50:176] [54183:77f9b000] [DEBUG][com.freerdp.core.nego] - [nego_enable_ext]: Enabling NLA extended security: FALSE
[09:20:50:176] [54183:77f9b000] [DEBUG][com.freerdp.core.nego] - [nego_enable_rdstls]: Enabling RDSTLS security: FALSE
[09:20:50:176] [54183:77f9b000] [WARN][com.freerdp.core.nego] - [nego_enable_aad]: This build does not support AAD security, disabling.
[09:20:50:176] [54183:77f9b000] [DEBUG][com.freerdp.core.rdp] - [rdp_client_transition_to_state][0x1510eae00]: CONNECTION_STATE_INITIAL --> CONNECTION_STATE_NEGO
[09:20:50:178] [54183:77f9b000] [DEBUG][com.freerdp.core] - [freerdp_tcp_is_hostname_resolvable]: resetting error state
[09:20:50:179] [54183:77f9b000] [DEBUG][com.freerdp.core] - [freerdp_tcp_default_connect]: resetting error state
[09:20:50:179] [54183:77f9b000] [DEBUG][com.freerdp.core] - [freerdp_tcp_default_connect]: connecting to peer *.*.*.*
[09:20:50:183] [54183:77f9b000] [DEBUG][com.freerdp.core.nego] - [nego_connect]: state: NEGO_STATE_TLS
[09:20:50:183] [54183:77f9b000] [DEBUG][com.freerdp.core.nego] - [nego_attempt_tls]: Attempting TLS security
[09:20:50:183] [54183:77f9b000] [DEBUG][com.freerdp.core.nego] - [nego_send_negotiation_request]: RequestedProtocols: [SSL][0x00000001]
[09:20:50:199] [54183:77f9b000] [DEBUG][com.freerdp.core.nego] - [nego_process_negotiation_failure]: RDP_NEG_FAILURE
[09:20:50:199] [54183:77f9b000] [WARN][com.freerdp.core.nego] - [nego_process_negotiation_failure]: Error: HYBRID_REQUIRED_BY_SERVER
[09:20:50:199] [54183:77f9b000] [DEBUG][com.freerdp.core.nego] - [nego_connect]: state: NEGO_STATE_RDP
[09:20:50:199] [54183:77f9b000] [DEBUG][com.freerdp.core.nego] - [nego_attempt_rdp]: Attempting RDP security
[09:20:50:200] [54183:77f9b000] [DEBUG][com.freerdp.core] - [freerdp_tcp_is_hostname_resolvable]: resetting error state
[09:20:50:200] [54183:77f9b000] [DEBUG][com.freerdp.core] - [freerdp_tcp_default_connect]: resetting error state
[09:20:50:200] [54183:77f9b000] [DEBUG][com.freerdp.core] - [freerdp_tcp_default_connect]: connecting to peer *.*.*.*
[09:20:50:204] [54183:77f9b000] [DEBUG][com.freerdp.core.nego] - [nego_send_negotiation_request]: RequestedProtocols: [RDP][0x00000000]
[09:20:50:225] [54183:77f9b000] [ERROR][com.freerdp.core.transport] - [transport_read_layer]: BIO_read returned a system error 54: Connection reset by peer
[09:20:50:225] [54183:77f9b000] [ERROR][com.freerdp.core] - [transport_read_layer]: ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[09:20:50:226] [54183:77f9b000] [DEBUG][com.freerdp.core.rdp] - [rdp_finalize_reset_flags][0x1510eae00]: [CONNECTION_STATE_NEGO] reset finalize_sc_pdus
[09:20:50:226] [54183:77f9b000] [DEBUG][com.freerdp.core.rdp] - [rdp_client_transition_to_state][0x1510eae00]: CONNECTION_STATE_NEGO --> CONNECTION_STATE_INITIAL
[09:20:50:227] [54183:77f9b000] [WARN][com.freerdp.codec.nsc.neon] - [nsc_init_neon]: TODO: Implement neon optimized version of this function
[09:20:50:230] [54183:77f9b000] [DEBUG][com.freerdp.core.nego] - [nego_set_negotiation_enabled]: Enabling security layer negotiation: TRUE
[09:20:50:230] [54183:77f9b000] [DEBUG][com.freerdp.core.nego] - [nego_set_restricted_admin_mode_required]: Enabling restricted admin mode: FALSE
[09:20:50:230] [54183:77f9b000] [DEBUG][com.freerdp.core.nego] - [nego_set_RCG_required]: Enabling remoteCredentialGuards: FALSE
[09:20:50:230] [54183:77f9b000] [DEBUG][com.freerdp.core.nego] - [nego_enable_rdp]: Enabling RDP security: TRUE
[09:20:50:230] [54183:77f9b000] [DEBUG][com.freerdp.core.nego] - [nego_enable_tls]: Enabling TLS security: TRUE
[09:20:50:230] [54183:77f9b000] [DEBUG][com.freerdp.core.nego] - [nego_enable_nla]: Enabling NLA security: FALSE
[09:20:50:230] [54183:77f9b000] [DEBUG][com.freerdp.core.nego] - [nego_enable_ext]: Enabling NLA extended security: FALSE
[09:20:50:230] [54183:77f9b000] [DEBUG][com.freerdp.core.nego] - [nego_enable_rdstls]: Enabling RDSTLS security: FALSE
[09:20:50:230] [54183:77f9b000] [WARN][com.freerdp.core.nego] - [nego_enable_aad]: This build does not support AAD security, disabling.
[09:20:50:230] [54183:77f9b000] [DEBUG][com.freerdp.core.rdp] - [rdp_client_transition_to_state][0x1510eae00]: CONNECTION_STATE_INITIAL --> CONNECTION_STATE_NEGO
[09:20:50:232] [54183:77f9b000] [DEBUG][com.freerdp.core] - [freerdp_tcp_is_hostname_resolvable]: resetting error state
[09:20:50:232] [54183:77f9b000] [DEBUG][com.freerdp.core] - [freerdp_tcp_default_connect]: resetting error state
[09:20:50:232] [54183:77f9b000] [DEBUG][com.freerdp.core] - [freerdp_tcp_default_connect]: connecting to peer *.*.*.*
[09:20:50:237] [54183:77f9b000] [DEBUG][com.freerdp.core.nego] - [nego_connect]: state: NEGO_STATE_TLS
[09:20:50:237] [54183:77f9b000] [DEBUG][com.freerdp.core.nego] - [nego_attempt_tls]: Attempting TLS security
[09:20:50:237] [54183:77f9b000] [DEBUG][com.freerdp.core.nego] - [nego_send_negotiation_request]: RequestedProtocols: [SSL][0x00000001]
[09:20:50:259] [54183:77f9b000] [DEBUG][com.freerdp.core.nego] - [nego_process_negotiation_failure]: RDP_NEG_FAILURE
[09:20:50:259] [54183:77f9b000] [WARN][com.freerdp.core.nego] - [nego_process_negotiation_failure]: Error: HYBRID_REQUIRED_BY_SERVER
[09:20:50:259] [54183:77f9b000] [DEBUG][com.freerdp.core.nego] - [nego_connect]: state: NEGO_STATE_RDP
[09:20:50:259] [54183:77f9b000] [DEBUG][com.freerdp.core.nego] - [nego_attempt_rdp]: Attempting RDP security
[09:20:50:260] [54183:77f9b000] [DEBUG][com.freerdp.core] - [freerdp_tcp_is_hostname_resolvable]: resetting error state
[09:20:50:260] [54183:77f9b000] [DEBUG][com.freerdp.core] - [freerdp_tcp_default_connect]: resetting error state
[09:20:50:260] [54183:77f9b000] [DEBUG][com.freerdp.core] - [freerdp_tcp_default_connect]: connecting to peer *.*.*.*
[09:20:50:266] [54183:77f9b000] [DEBUG][com.freerdp.core.nego] - [nego_send_negotiation_request]: RequestedProtocols: [RDP][0x00000000]
[09:20:50:280] [54183:77f9b000] [ERROR][com.freerdp.core.transport] - [transport_read_layer]: BIO_read returned a system error 54: Connection reset by peer
[09:20:50:280] [54183:77f9b000] [ERROR][com.freerdp.core] - [transport_read_layer]: ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[09:20:50:280] [54183:77f9b000] [ERROR][com.freerdp.core] - [freerdp_connect]: freerdp_post_connect failed
[09:20:50:281] [54183:77f9b000] [DEBUG][com.freerdp.core.rdp] - [rdp_finalize_reset_flags][0x1510eae00]: [CONNECTION_STATE_NEGO] reset finalize_sc_pdus
[09:20:50:281] [54183:77f9b000] [DEBUG][com.freerdp.core.rdp] - [rdp_client_transition_to_state][0x1510eae00]: CONNECTION_STATE_NEGO --> CONNECTION_STATE_INITIAL
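
The negotiation failure in the log above can be read mechanically. What follows is an added example, not code from Devolutions or FreeRDP: it scans the com.freerdp.core.nego lines for the security layers the client enabled, the protocols it requested, and the server's RDP_NEG_FAILURE code, and states why the session fell through to a TCP reset. The sample log is constructed from the lines of this post; the failure-code meanings follow the RDP_NEG_FAILURE table in MS-RDPBCGR. The regular expressions only match the message text FreeRDP emits in this trace, which is an assumption about the log format rather than a documented interface.

```python
"""Triage FreeRDP security-layer negotiation from a client session log.

Added example, not Devolutions or FreeRDP code. It pattern-matches the
message text of the com.freerdp.core.nego logger as it appears in the
post above; any other log layout would need different patterns.
"""
import re

# Constructed sample, trimmed from the post's trace to the lines that matter.
SAMPLE_LOG = """\
[09:20:50:176] [54183:77f9b000] [DEBUG][com.freerdp.core.nego] - [nego_enable_rdp]: Enabling RDP security: TRUE
[09:20:50:176] [54183:77f9b000] [DEBUG][com.freerdp.core.nego] - [nego_enable_tls]: Enabling TLS security: TRUE
[09:20:50:176] [54183:77f9b000] [DEBUG][com.freerdp.core.nego] - [nego_enable_nla]: Enabling NLA security: FALSE
[09:20:50:183] [54183:77f9b000] [DEBUG][com.freerdp.core.nego] - [nego_send_negotiation_request]: RequestedProtocols: [SSL][0x00000001]
[09:20:50:199] [54183:77f9b000] [WARN][com.freerdp.core.nego] - [nego_process_negotiation_failure]: Error: HYBRID_REQUIRED_BY_SERVER
[09:20:50:204] [54183:77f9b000] [DEBUG][com.freerdp.core.nego] - [nego_send_negotiation_request]: RequestedProtocols: [RDP][0x00000000]
[09:20:50:225] [54183:77f9b000] [ERROR][com.freerdp.core.transport] - [transport_read_layer]: BIO_read returned a system error 54: Connection reset by peer
"""

# Patterns assumed from the trace: which layers the client turned on, what it
# asked the server for, what the server answered, and whether the TCP peer reset.
RE_ENABLE = re.compile(r"\[nego_enable_(\w+)\]: Enabling .*?: (TRUE|FALSE)")
RE_REQUEST = re.compile(r"RequestedProtocols: \[(\w+)\]\[(0x[0-9A-Fa-f]+)\]")
RE_FAILURE = re.compile(r"\[nego_process_negotiation_failure\]: Error: (\w+)")
RE_RESET = re.compile(r"Connection reset by peer")

# Server failure codes of the RDP_NEG_FAILURE PDU (MS-RDPBCGR), named as FreeRDP logs them.
FAILURE_HINTS = {
    "SSL_REQUIRED_BY_SERVER": "server requires TLS; enable TLS on the client",
    "SSL_NOT_ALLOWED_BY_SERVER": "server refuses TLS; review the server's security layer policy",
    "SSL_CERT_NOT_ON_SERVER": "server has no certificate usable for TLS",
    "INCONSISTENT_FLAGS": "client requested an inconsistent protocol combination",
    "HYBRID_REQUIRED_BY_SERVER": "server requires NLA (CredSSP); the client must offer PROTOCOL_HYBRID",
    "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER": "server requires TLS with user authentication",
}


def parse_nego(log_text):
    """Collect the negotiation facts from one FreeRDP client log."""
    result = {"enabled": {}, "requested": [], "failures": [], "reset_by_peer": False}
    for line in log_text.splitlines():
        if m := RE_ENABLE.search(line):
            result["enabled"][m.group(1)] = m.group(2) == "TRUE"
        elif m := RE_REQUEST.search(line):
            result["requested"].append(m.group(1))
        elif m := RE_FAILURE.search(line):
            result["failures"].append(m.group(1))
        elif RE_RESET.search(line):
            result["reset_by_peer"] = True
    return result


def diagnose(parsed):
    """Turn the parsed facts into a short, human-readable verdict."""
    if not parsed["requested"]:
        return "no negotiation request found in log"
    enabled = parsed["enabled"]
    lines = ["client offered: " + ", ".join(parsed["requested"])]
    for code in parsed["failures"]:
        lines.append(f"server answered {code}: {FAILURE_HINTS.get(code, 'unknown failure code')}")
    if "HYBRID_REQUIRED_BY_SERVER" in parsed["failures"] and not enabled.get("nla", False):
        lines.append("root cause: NLA is disabled on the client (nego_enable_nla FALSE) "
                     "while the server requires it")
    if parsed["reset_by_peer"] and "RDP" in parsed["requested"]:
        lines.append("the fallback to legacy RDP security was reset by the server, "
                     "which is expected when it mandates NLA")
    return "\n".join(lines)


if __name__ == "__main__":
    print(diagnose(parse_nego(SAMPLE_LOG)))
```

Read as a defender, the trace shows the server doing the right thing: it mandates NLA and refuses both the plain-TLS attempt and the legacy RDP security attempt, so the fix belongs in the client configuration (getting NLA/CredSSP enabled, which is also the path that carries Kerberos for a Protected Users account), not in relaxing the server's policy.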


All Comments (5)


Hello

Thanks for the issue report and for posting the log. I'm sorry for the inconvenience.

Your settings look right, but for some reason we're negotiating TLS security instead of NLA (which is a requirement for your use case), despite it being enabled.

Was this something that was working in a prior version and broke after updating RDM Mac? Or it's the first time you try this?

Regardless, I will see if I can reproduce the problem on my side.

Thanks and kind regards,

Richard Markievicz


Hello!

Thank you for the reply. I installed RDM two days ago, so it is the first time.


Hello

This is weird; I haven't been able to reproduce your problem. The issue is clearly that NLA is not being enabled on the connection, but your settings clearly show that it is enabled in the session.

Your issue report is excellent, but is there anything missing?

  • What kind of data source are you using?
  • Are you using some kind of 3rd party integration (e.g. CyberArk, Splashtop)?
  • Are you using templates in RDM?


Is this just a vanilla RDP session defined directly in your vault? Assuming it's that, can you export the entry and send it to me by PM or to service@devolutions.net (mentioning this forum thread)? Just right-click, "Export > Export selection (.rdm)...", and be sure to leave "Include credentials" unchecked.

Please let me know if something isn't clear.

Kind regards,

Richard Markievicz


Hello!

Here are the answers to your questions:

  1. Local Data Source
  2. I have no 3rd party integrations
  3. I was not using templates at first, but today I created a Default template for RDP, which automatically sets the authentication settings to Portable/Kerberos.


All the connections were imported from a Windows version of RDM (in a .rdm file).

However, I restarted my Mac earlier and now all the connections work! I suppose that is the most basic thing I should've done first. :(

Anyways, thank you very much Richard!


Hello

Well, I can't begin to explain why that would change something, but I'm happy that it worked.

Note that you can also override the authentication settings at the application level: Settings > Types > Remote Desktop (RDP), under "Authentication". Then you wouldn't need the template.

Please don't hesitate if you have further questions or comments.

Kind regards,

Richard Markievicz