FreeRDP: wfreerdp fails to connect using vmconnect from Windows Server 2016

Describe the bug

Using wfreerdp on Windows Server 2016 (Core), I cannot connect to Windows, CentOS, or empty (no OS installed) VMs via /vmconnect, where I previously could.

To Reproduce

  • Install Server 2016 Core
  • Enable Hyper-V
  • Create a VM, even if empty
  • Patch
  • Attempt to connect to VM via wfreerdp, fail

Expected behavior

Connection should work

Application details

  • Version of FreeRDP: 2.0.0-dev (git 1855e36) and 2.0.0-dev4 (735ab2e8b)
  • Command line used: wfreerdp.exe /vmconnect:a-long-guid /v:hypervisor.hostname.fqdn /t:guest-vmname /cert-ignore
  • output of /buildconfig:
This is FreeRDP version 2.0.0-dev4 (735ab2e8b)
Build configuration: BUILD_TESTING=OFF BUILTIN_CHANNELS=ON HAVE_EXECINFO_H= HAVE_FCNTL_H=1 HAVE_INTTYPES_H=1 HAVE_SYSLOG_H= HAVE_SYS_FILIO_H= HAVE_SYS_MODEM_H= HAVE_SYS_SELECT_H= HAVE_SYS_SOCKIO_H= HAVE_SYS_STRTIO_H= HAVE_TM_GMTOFF= HAVE_UNISTD_H= WITH_CCACHE=ON WITH_CHANNELS=ON WITH_CLIENT=ON WITH_CLIENT_AVAILABLE=1 WITH_CLIENT_CHANNELS=ON WITH_CLIENT_CHANNELS_AVAILABLE=1 WITH_CLIENT_COMMON=ON WITH_CLIENT_INTERFACE=OFF WITH_DEBUG_ALL=OFF WITH_DEBUG_CAPABILITIES=OFF WITH_DEBUG_CERTIFICATE=OFF WITH_DEBUG_CHANNELS=OFF WITH_DEBUG_CLIPRDR=OFF WITH_DEBUG_DVC=OFF WITH_DEBUG_KBD=OFF WITH_DEBUG_LICENSE=OFF WITH_DEBUG_MUTEX=OFF WITH_DEBUG_NEGO=OFF WITH_DEBUG_NLA=OFF WITH_DEBUG_NTLM=OFF WITH_DEBUG_RAIL=OFF WITH_DEBUG_RDP=OFF WITH_DEBUG_RDPDR=OFF WITH_DEBUG_RDPEI=OFF WITH_DEBUG_REDIR=OFF WITH_DEBUG_RFX=OFF WITH_DEBUG_RINGBUFFER=OFF WITH_DEBUG_SCARD=OFF WITH_DEBUG_SND=OFF WITH_DEBUG_SVC=OFF WITH_DEBUG_SYMBOLS=OFF WITH_DEBUG_THREADS=OFF WITH_DEBUG_TIMEZONE=OFF WITH_DEBUG_TRANSPORT=OFF WITH_DEBUG_TSG=OFF WITH_DEBUG_TSMF=OFF WITH_DEBUG_WND=OFF WITH_DEBUG_X11=OFF WITH_DEBUG_X11_CLIPRDR=OFF WITH_DEBUG_X11_LOCAL_MOVESIZE=OFF WITH_DEBUG_XV=OFF WITH_DSP_EXPERIMENTAL=OFF WITH_FAAC=OFF WITH_FAAD2=OFF WITH_GFX_H264=ON WITH_GPROF=OFF WITH_GSM=OFF WITH_GSSAPI=OFF WITH_GSTREAMER_0_10=OFF WITH_ICU=OFF WITH_IPP=OFF WITH_JPEG=OFF WITH_LAME=OFF WITH_LIBRARY_VERSIONING=ON WITH_MACAUDIO=OFF WITH_MACAUDIO_AVAILABLE=0 WITH_MANPAGES=ON WITH_MBEDTLS=OFF WITH_MEDIA_FOUNDATION=ON WITH_NATIVE_SSPI=ON WITH_OPENH264=OFF WITH_OPENSSL=ON WITH_PROFILER=OFF WITH_SAMPLE=OFF WITH_SERVER=OFF WITH_SERVER_INTERFACE=ON WITH_SMARTCARD_INSPECT=OFF WITH_SSE2=ON WITH_THIRD_PARTY=OFF WITH_WIN8=OFF WITH_WINMM=ON WITH_X264=OFF
Build type:          Release
CFLAGS:               /DWIN32 /D_WINDOWS  /Gd /W3
Compiler:            MSVC, 18.0.40629.0
Target architecture: x64
  • OS version connecting to (irrelevant, but if it helps, Server 2016, Centos 7, and an empty/no-OS VM where I need console...)
  • If available the log output from a run with /log-level:trace
[06:57:48:821] [5036:00000bc8] [DEBUG][com.freerdp.channels.cliprdr.client] - VirtualChannelEntryEx
[06:57:48:821] [5036:00000bc8] [INFO][com.freerdp.client.common.cmdline] - loading channelEx cliprdr
[06:57:48:821] [5036:00000bc8] [DEBUG][com.freerdp.core.nego] - Enabling security layer negotiation: FALSE
[06:57:48:821] [5036:00000bc8] [DEBUG][com.freerdp.core.nego] - Enabling restricted admin mode: FALSE
[06:57:48:821] [5036:00000bc8] [DEBUG][com.freerdp.core.nego] - Enabling RDP security: TRUE
[06:57:48:821] [5036:00000bc8] [DEBUG][com.freerdp.core.nego] - Enabling TLS security: TRUE
[06:57:48:821] [5036:00000bc8] [DEBUG][com.freerdp.core.nego] - Enabling NLA security: TRUE
[06:57:48:821] [5036:00000bc8] [DEBUG][com.freerdp.core.nego] - Enabling NLA extended security: FALSE
[06:57:48:821] [5036:00000bc8] [DEBUG][com.freerdp.core.nego] - Security Layer Negotiation is disabled
[06:57:48:821] [5036:00000bc8] [DEBUG][com.freerdp.core.nego] - Sending preconnection PDU
[06:57:48:821] [5036:00000bc8] [DEBUG][com.freerdp.core] - connecting to peer 169.254.5.255
[06:57:48:821] [5036:00000bc8] [DEBUG][com.freerdp.core.nego] - Negotiated NLA security
[06:57:48:821] [5036:00000bc8] [DEBUG][com.freerdp.core.nego] - nego_security_connect with PROTOCOL_NLA
[06:57:54:823] [5036:00000bc8] [DEBUG][com.winpr.sspi] - InitSecurityInterfaceExW
[06:57:54:823] [5036:00000bc8] [DEBUG][com.freerdp.core.nla] - nla_client_init 350 : packageName=N ; cbMaxToken=48256
[06:57:54:948] [5036:00000bc8] [TRACE][com.freerdp.core.nla] -  InitializeSecurityContext status SEC_I_CONTINUE_NEEDED [0x00090312]
[06:57:54:948] [5036:00000bc8] [DEBUG][com.freerdp.core.nla] - Sending Authentication Token
[06:57:54:948] [5036:00000bc8] [DEBUG][com.freerdp.core.nla] - 0000 60 81 86 06 06 2b 06 01 05 05 02 a0 7c 30 7a a0 `....+......|0z.
...
[06:57:54:948] [5036:00000bc8] [DEBUG][com.freerdp.core.nla] - 0080 72 63 2e 64 6f 6d 61 69 6e                      REDACTED
[06:57:54:948] [5036:00000bc8] [DEBUG][com.freerdp.core.nla] - CredSSP protocol support 6, peer supports 6
[06:57:54:948] [5036:00000bc8] [TRACE][com.freerdp.core.nla] - InitializeSecurityContext  SEC_I_CONTINUE_NEEDED [0x00090312]
[06:57:54:948] [5036:00000bc8] [DEBUG][com.freerdp.core.nla] - Sending Authentication Token
[06:57:54:948] [5036:00000bc8] [DEBUG][com.freerdp.core.nla] - 0000 a1 82 13 42 30 82 13 3e a0 03 0a 01 01 a2 82 13 ...B0..>........
...
[06:57:54:964] [5036:00000bc8] [DEBUG][com.freerdp.core.nla] - 1340 5c b0 8a 8e a4 08                               \.....
[06:57:54:964] [5036:00000bc8] [TRACE][com.freerdp.core.nla] - InitializeSecurityContext  SEC_E_OK [0x00000000]
[06:57:54:964] [5036:00000bc8] [DEBUG][com.freerdp.core.nla] - Sending Authentication Token
[06:57:54:964] [5036:00000bc8] [DEBUG][com.freerdp.core.nla] - 0000 a1 27 30 25 a0 03 0a 01 00 a3 1e 04 1c 04 04 04 .'0%............
[06:57:54:964] [5036:00000bc8] [DEBUG][com.freerdp.core.nla] - 0010 ff ff ff ff ff 00 00 00 00 47 0d 1d a2 f8 a9 2e .........G......
[06:57:54:964] [5036:00000bc8] [DEBUG][com.freerdp.core.nla] - 0020 9b 32 14 a9 e9 80 e4 26 ae                      .2.....&.
[06:57:54:964] [5036:00000bc8] [DEBUG][com.freerdp.core.transport] - transport_check_fds: transport_read_pdu() - -1
[06:57:54:964] [5036:00000bc8] [DEBUG][com.freerdp.core.rdp] - transport_check_fds() - -1
[06:57:54:964] [5036:00000bc8] [DEBUG][com.freerdp.client.windows] - Main thread exited with 131087
[06:57:54:964] [5036:000020dc] [DEBUG][com.freerdp.client.windows] - Keyboard thread exited.
[06:57:54:964] [5036:00000bc8] [ERROR][com.freerdp.core] - freerdp_set_last_error ERRCONNECT_PASSWORD_CERTAINLY_EXPIRED [0x0002000F]
[06:57:54:964] [5036:00000bc8] [ERROR][com.freerdp.core.transport] - BIO_read returned an error: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

Additional context

Connecting from Windows Server 2016 (Datacenter, Core)

BuildNumber     : 14393
Version         : 10.0.14393

This is likely related to a patch (worked perfectly for a long time).

This appears to be related, but seems more related to the server side - I’m failing to pull up a console for a no-operating-system VM - things like NLA should be completely irrelevant, from my understanding?

Thanks!

About this issue

  • State: closed
  • Created 6 years ago
  • Reactions: 1
  • Comments: 18 (9 by maintainers)

Most upvoted comments

Submitted PR #4918

It would appear that the fix I made two years ago in #3349 has been removed with the recent CredSSP refactor. The patch would handle the case where an authentication hash was generated that was shorter than expected and would compress the extra space in the response packet before sending it. I’m guessing this is your issue as I can reproduce the regression on our systems here. I have a new patch that I’ll try to get in a PR today.
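
The compaction step the comment above describes, as an added example that is not FreeRDP's code or the patch from PR #4918: a signature slot is reserved at its maximum size in front of the payload, the security package fills only part of it, and the payload is moved down before the message is sent. The function name `compact_sealed_message`, the buffer layout and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical layout before sealing:
 *   [ signature slot: sig_reserved bytes ][ payload: data_len bytes ]
 * The security package may write only sig_used <= sig_reserved bytes.
 * Slide the payload down so signature and payload are contiguous and
 * return the number of bytes to send. Returns 0 on invalid arguments
 * (an empty message also yields 0).
 */
size_t compact_sealed_message(unsigned char *buf, size_t buf_len,
                              size_t sig_reserved, size_t sig_used,
                              size_t data_len)
{
    if (buf == NULL || sig_used > sig_reserved)
        return 0;
    /* Overflow-safe form of: sig_reserved + data_len <= buf_len */
    if (sig_reserved > buf_len || data_len > buf_len - sig_reserved)
        return 0;

    if (sig_used < sig_reserved)
    {
        /* Source and destination overlap when the gap is smaller than
         * the payload, so memmove is required rather than memcpy. */
        memmove(buf + sig_used, buf + sig_reserved, data_len);
        /* Clear the unused tail so stale bytes are never transmitted. */
        memset(buf + sig_used + data_len, 0, sig_reserved - sig_used);
    }
    return sig_used + data_len;
}

int main(void)
{
    /* Constructed sample: 8-byte slot, 5 signature bytes written,
     * 3 bytes of unused slot, then a 4-byte payload. */
    unsigned char msg[12] = { 'S', 'S', 'S', 'S', 'S', 0, 0, 0,
                              'D', 'A', 'T', 'A' };
    size_t n = compact_sealed_message(msg, sizeof(msg), 8, 5, 4);

    printf("send %zu of %zu bytes\n", n, sizeof(msg));
    return 0;
}
```

The length field that wraps the message in the outgoing packet must be computed from the returned value, not from the reserved size; otherwise the receiver parses the gap as part of the signature.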