Bug 1131693 - Error connecting to VM using RDP if NLA is enabled
Status: CLOSED ERRATA
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-webadmin-portal
Version: 3.4.0
Hardware: All
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 3.5.0
Assigned To: Frantisek Kobzik
QA Contact: Pavel Novotny
Whiteboard: virt
Depends On:
Blocks: rhev3.5beta 1156165
 
Reported: 2014-08-19 16:36 EDT by Amador Pahim
Modified: 2015-07-10 04:49 EDT

See Also:
Fixed In Version: vt2.2
Doc Type: Bug Fix
Doc Text:
The fix allows Network Level Authentication to be used with Native Remote Desktop Protocol (RDP) client. Note that Network Level Authentication is still disabled for RDP browser plug-in.
Last Closed: 2015-02-11 13:08:20 EST
Type: Bug
External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
oVirt gerrit | 31997 | master | MERGED | frontend: Allow NLA auth for Native RDP execution | Never
oVirt gerrit | 32028 | ovirt-engine-3.5 | MERGED | frontend: Allow NLA auth for Native RDP execution | Never
Red Hat Product Errata | RHSA-2015:0158 | normal | SHIPPED_LIVE | Important: Red Hat Enterprise Virtualization Manager 3.5.0 | 2015-02-11 17:38:50 EST

Description Amador Pahim 2014-08-19 16:36:22 EDT
Description of problem:
Using RDP console connection, if Network Level Authentication (NLA) is enabled on RDP server, client is not able to connect. The error in RHEV Admin Portal is "Error connecting to VM using RDP:\n2825"

Version-Release number of selected component (if applicable):
rhevm-3.4.1-0.31.el6ev.noarch

How reproducible:
100%

Steps to Reproduce:
1. From a Windows station, log in to Admin. Portal (or UserPortal)
2. Select a Windows VM with RDP/NLA enabled.
3. Right click / Console Options
4. Select "Remote Desktop"
5. Click OK.
6. Right Click / Console
7. A window will request confirmation. Click "Connect".

Actual results:
No connection and a message "Error connecting to VM using RDP:\n2825".

Expected results:
Connect to VM using RDP/NLA.

Additional info:
Analysing the console.rdp file downloaded when "Console Invocation" is "Native Client", I noticed the following option:

  enablecredsspsupport:i:0

Changing it to:

  enablecredsspsupport:i:1

And using this file to connect to the VM, the connection happens. According to the source code, this option was set to "0" in order to get SSO working:
...
    private Boolean enableCredSspSupport = false; // Disable 'Credential Security Support Provider (CredSSP)' to enable
                                                  // SSO.
...

Please confirm if SSO and enablecredsspsupport are mutually exclusive and, if not, enable it by default. It will be used only if the OS supports it:

 0 - RDP will not use CredSSP, even if the operating system supports CredSSP.
 1 - RDP will use CredSSP, if the operating system supports CredSSP.

Anyway, if they are mutually exclusive, please consider setting "enableCredSspSupport" to true when using "Native Client", since SSO cannot be used in "Native Client" mode, according to the commit message that introduced the mentioned code:

commit 625b7452d840793df5e72764193c98c5ba121cdf
...    
    NOTE: The automatic login feature will not work with non-plugin
    invocation, because there is no straightforward way to pass a password
    in the RDP descriptor.
...
Comment 1 Frantisek Kobzik 2014-08-26 09:45:47 EDT
Hi Amador,

I just confirmed that SSO and enablecredsspsupport=1 are mutually exclusive.

According to microsoft.technet, it should be ok to allow that for 'Native client' invocation, I'll do it this way, then.

Thanks.
Comment 2 Amador Pahim 2014-08-26 09:58:36 EDT
(In reply to Frantisek Kobzik from comment #1)
> Hi Amador,
> 
> I just confirmed that SSO and enablecredsspsupport=1 are mutually exclusive.
> 
> According to microsoft.technet, it should be ok to allow that for 'Native
> client' invocation, I'll do it this way, then.
> 
> Thanks.

Thank you Frantisek. Also, I'm concerned about how to instruct users. Maybe with simple messages like:

...
Console Invocation
o Auto
o Native client (Required for NLA)
o Browser plugin (Required for SSO)
...

Or on the message that appears when mouse-over the Console Invocation's "?".
Comment 3 Frantisek Kobzik 2014-08-27 03:06:52 EDT
Hi Amador!
Current patch makes the hints display in the "?" icon.
Comment 6 Pavel Novotny 2014-10-06 12:14:00 EDT
Verified in rhevm-3.5.0-0.13.beta.el6ev.noarch (vt4).

Verification steps (following the reproducer):
1. From a Windows station, log in to Admin. Portal (or UserPortal)
2. Select a Windows VM with RDP/NLA enabled.
3. Right click / Console Options
4. Select "Remote Desktop"
5. Click OK.
6. Right Click / Console
7. A window will request confirmation. Click "Connect".

Result:
RDP connection to VM is successfully established.
In console.rdp file is option "enablecredsspsupport:i:1".
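
Added example, not part of the bug report or the oVirt code: a Python check that automates the console.rdp inspection done by hand in the description and in comment 6, reporting whether each descriptor has CredSSP (and therefore NLA) enabled. The function names and the sample descriptors, including the placeholder host name, are assumptions constructed for illustration.

```python
import codecs

def decode_rdp(data: bytes) -> str:
    """.rdp files saved by Windows tools are often UTF-16 with a BOM."""
    if data.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return data.decode("utf-16")
    return data.decode("utf-8-sig")

def parse_rdp(text: str) -> dict:
    """Parse 'name:type:value' lines; type is i (integer), s (string) or b (binary)."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)   # the value may itself contain ':'
        if len(parts) != 3 or parts[1] not in ("i", "s", "b"):
            continue                          # blank or non-setting line
        name, kind, value = parts
        if kind == "i":
            try:
                value = int(value)
            except ValueError:
                continue                      # malformed integer: ignore the line
        settings[name.strip().lower()] = value
    return settings

def credssp_status(data: bytes) -> str:
    """Classify a descriptor by its enablecredsspsupport value (0/1 as quoted in the report)."""
    value = parse_rdp(decode_rdp(data)).get("enablecredsspsupport")
    if value is None:
        return "unset"      # option absent: the client's own default applies
    return "enabled" if value == 1 else "disabled"

# Constructed sample descriptors (host name and port are placeholders).
SAMPLES = {
    "before_fix.rdp": b"full address:s:vm.example.test:3389\r\nenablecredsspsupport:i:0\r\n",
    "after_fix.rdp": "full address:s:vm.example.test:3389\r\nenablecredsspsupport:i:1\r\n".encode("utf-16"),
    "no_option.rdp": b"full address:s:vm.example.test:3389\r\n",
}

def audit(files: dict) -> dict:
    """Map each file name to 'enabled', 'disabled' or 'unset'."""
    return {name: credssp_status(data) for name, data in files.items()}

if __name__ == "__main__":
    for name, status in audit(SAMPLES).items():
        print(f"{name}: CredSSP {status}")
```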
Comment 8 errata-xmlrpc 2015-02-11 13:08:20 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0158.html
