Tuesday, July 30, 2024

Re: xfreerdp / remmina won't connect to Win11 RDP with NLA

On 2024-07-30, Lévai Dániel <leva@ecentrum.hu> wrote:
> Hi all,
>
> I'm noticing that xfreerdp and remmina fail to connect to a Windows 11 machine while using NLA:
>
> $ xfreerdp /v:host /u:user@example.com /d:MicrosoftAccount /sec:nla
> [17:04:04:954] [26344:92f3b640] [WARN][com.freerdp.crypto] - Certificate verification failure 'unable to get local issuer certificate (20)' at stack position 0
> [17:04:04:954] [26344:92f3b640] [WARN][com.freerdp.crypto] - CN = daniell-kvm-windows11
> Password:
> [17:04:08:675] [26344:92f3b640] [ERROR][com.freerdp.core.transport] - BIO_read returned an error: error:1404C438:SSL routines:ST_OK:tlsv1 alert internal error
> [17:04:08:675] [26344:92f3b640] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
> [17:04:08:823] [26344:92f3b640] [ERROR][com.freerdp.core.transport] - BIO_read returned an error: error:1404C438:SSL routines:ST_OK:tlsv1 alert internal error
> [17:04:08:823] [26344:92f3b640] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
> [17:04:08:823] [26344:92f3b640] [ERROR][com.freerdp.core] - freerdp_post_connect failed
>
> Remmina just says "Cannot connect to the RDP server" after a couple of seconds.
>
> Funny thing is, every attempt results in a successful logon event on Windows.
>
> Switching off NLA on the Windows machine and trying /sec:tls with xfreerdp (or switching to TLS security in Remmina) shows the usual graphical logon screen where I can login without a problem. Same clients on other OSes also work (Android, Linux, etc...).
>
> Is this something to do with LibreSSL, maybe? Has this ever worked on OpenBSD?

I'm able to connect to a W2022 DC using "xfreerdp /u:username
/d:somedomain /v:xx.xx.xx.xx:3389 /sec:nla" and typing the password at
the Password: prompt. I'm not sure how to tell if it's really using NLA
but I suspect that non-NLA logins are probably disabled on the Windows
side.

Have you tried the same freerdp version on e.g. Linux to see how that
works?

(Better to compare the same version if possible otherwise there is an
extra complication - the old workaround for lack of posix timers is
no longer enough, we cannot update to freerdp 3.x, so maybe missing
upstream fixes - it's possible they may have fixed something for newer
versions of Windows).
