
Support for Kerberos for RDP from Windows OS to Windows OS

Hello,


this might be related to https://support.royalapps.com/support/discussions/topics/17000022528, however here I am talking about connecting from Windows OS (Win 10 and 11).
I'm using RoyalTS 6.1.60925.

I've noticed on domain DCs in the NTLM Operational Log in "Applications and Services Logs -> Microsoft -> Windows -> NTLM - Operational" that every RDP connection initiated by RoyalTS is logged as an NTLM authentication, whereas from my understanding the best case would be to use Kerberos.


Example Log entry:


Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.
Secure Channel name: Server name
User name: user
Domain name: domain
Workstation name: Client name
Secure Channel type: 2

Audit NTLM authentication requests within the domain ***** that would be blocked if the security policy Network Security: Restrict NTLM: NTLM authentication in this domain is set to any of the Deny options.

If you want to allow NTLM authentication requests in the domain **** , set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Disabled.

If you want to allow NTLM authentication requests to specific servers in the domain ****, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Deny for domain servers or Deny domain accounts to domain servers, and then set the security policy Network Security: Restrict NTLM: Add server exceptions in this domain to define a list of servers in the domain **** to which clients are allowed to use NTLM authentication.

This might be a configuration thing, however I was unable to find anything telling what I would need to set in RoyalTS to change the behavior.

I did some testing with the native RDP client and also MobaXterm in comparison, which do not lead to the same or a similar log entry.

Is this something not available / supported in version 6.1.60925 and specific to V7 upwards or maybe not currently supported altogether?


I've just been made aware of this change, which may also impact RoyalTS (unless I am missing a configuration option): The evolution of Windows authentication | Windows IT Pro Blog (microsoft.com).
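To see which clients are actually falling back to NTLM, the audit entries quoted above can be pulled from the DC's NTLM Operational log and grouped by workstation and user. The script below is an added example written for this thread, not code from Royal TS or from Microsoft; it assumes the "Domain Controller Blocked Audit" message corresponds to event ID 8004 in the Microsoft-Windows-NTLM/Operational log, and it parses the "User name:" / "Domain name:" / "Workstation name:" lines shown in the posted log entry. The function name Get-NtlmAuditSummary and its parameters are hypothetical.

```powershell
# Summarise NTLM authentication audits on a domain controller.
# Added example (not Royal TS or Microsoft code). Run on a DC, or pass -ComputerName.
# Assumes event ID 8004 = "Domain Controller Blocked Audit" in Microsoft-Windows-NTLM/Operational
# and that the "Audit NTLM authentication in this domain" policy is enabled so the log is populated.

function Get-NtlmAuditSummary {
    [CmdletBinding()]
    param(
        [string]   $ComputerName = $env:COMPUTERNAME,   # DC to query
        [datetime] $Since        = (Get-Date).AddDays(-1),
        [int]      $EventId      = 8004                 # assumed ID of the DC audit event
    )

    $filter = @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = $EventId
        StartTime = $Since
    }

    # Get-WinEvent throws if no events match; treat that as an empty result.
    try {
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
    } catch {
        Write-Verbose "No matching events on $ComputerName since $Since"
        return @()
    }

    # Extract the fields exactly as they appear in the message text quoted in the thread.
    $parsed = foreach ($e in $events) {
        $m = $e.Message
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = if ($m -match 'User name:\s*(\S+)')        { $Matches[1] } else { '?' }
            Domain      = if ($m -match 'Domain name:\s*(\S+)')      { $Matches[1] } else { '?' }
            Workstation = if ($m -match 'Workstation name:\s*(\S+)') { $Matches[1] } else { '?' }
            Server      = if ($m -match 'Secure Channel name:\s*(\S+)') { $Matches[1] } else { '?' }
        }
    }

    # One row per (workstation, user, target server): which clients still use NTLM, and how often.
    $parsed |
        Group-Object Workstation, User, Server |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Workstation = $first.Workstation
                User        = "$($first.Domain)\$($first.User)"
                Server      = $first.Server
                Count       = $_.Count
                LastSeen    = ($_.Group | Measure-Object Time -Maximum).Maximum
            }
        } |
        Sort-Object Count -Descending
}

# Usage: compare the Workstation column against the hosts running Royal TS.
Get-NtlmAuditSummary -Since (Get-Date).AddHours(-24) -Verbose | Format-Table -AutoSize
```

Running this before and after changing the client (native mstsc versus Royal TS from the same workstation) gives a direct count of which connections show up as NTLM, which is the comparison made in the original post. Parsing the message text rather than the event XML keeps the script independent of the event's internal property names, at the cost of depending on the English message format.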

Hi Stefan,


this is something we can't directly support without Microsoft enabling it or FreeRDP implementing it. In V6 we only have Microsoft's RDP ActiveX (which ships with Windows). When MS enables this scenario and provides means to configure it on the client side (or maybe just switch behavior), we can provide support for that in Royal TS. Maybe there's already a way to set it up but MS hasn't provided any documentation for this. If you have some sort of Enterprise Agreement with them, you could check with them if there's a way to do it now or if they plan to provide support for this.


In V7 we are also making use of FreeRDP on Windows. Not as feature-rich as the MS RDP ActiveX, but there are some things which are available there which aren't in the ActiveX. Once there's support for this in FreeRDP, you could make use of it in V7 using the additional command line arguments.


Regards,
Stefan
