
[FS] Support for “Remote Credential Guard” (aka Kerberos/GSSAPI authentication and delegation) #401

Open
mgkuhn opened this issue Jun 17, 2022 · 0 comments


mgkuhn commented Jun 17, 2022

In 2016, Microsoft added a new authentication mode to their remote-desktop implementation, which they call Windows Defender Remote Credential Guard. This allows single-sign-on authentication via Kerberos, without sending either the user's password or their NTLM credentials to the host. Instead, a Kerberos ticket is used to authenticate the user on the RDP host, and that time-limited ticket is then also forwarded to the RDP host such that the user can then access other servers from there via delegated Kerberos authentication.

On Windows this requires:

  • Windows 10, version 1607 or Windows Server 2016 or newer.
  • The host requires a registry attribute set to allow “Restricted Admin connections”, which also enables Kerberos.
  • The host (probably) needs to be “trusted for Kerberos delegation” in Active Directory

I was able to use Kerberos authentication and delegation on Windows after enabling it with

reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD

on the host, and requesting it with command-line option

mstsc.exe /remoteGuard

on the Windows client. I was then able to log in without having to provide any password and got a Kerberos ticket at the remote end.

Unfortunately, rdesktop 1.9.0 (Ubuntu 20.04) does not yet appear to support Kerberos user authentication and delegation. It appears to already be able to use Kerberos to establish a secure tunnel for the connection via CredSSP, but not yet to complete the authentication using a Kerberos ticket.

Could this be added?

As I mentioned in #197, this forum thread points at the specification that would have to be implemented:

In [MS-CSSP], TSCredentials can now have a TSRemoteGuardCreds credential type.

References:

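The TSRemoteGuardCreds structure referenced in the comment above, as an added example that is not part of this issue or of rdesktop: a minimal DER encoder and decoder in Python for the [MS-CSSP] TSCredentials container (credType 6 = TSRemoteGuardCreds, whose logonCred and optional supplementalCreds are TSRemoteGuardPackageCred values of packageName + credBuffer). Assumptions: packageName is encoded as UTF-16LE (my reading of the spec's OCTET STRING holding a Unicode package name); the credBuffer contents are constructed placeholders, since the real buffer is an opaque logon blob in whatever format the named package expects and CredSSP only carries the encoded TSCredentials inside the encrypted authInfo field of TSRequest.

```python
"""DER encode/decode of [MS-CSSP] TSCredentials carrying TSRemoteGuardCreds.

Hand-rolled DER (no third-party modules) for the three structures involved:
  TSCredentials            ::= SEQUENCE { credType [0] INTEGER, credentials [1] OCTET STRING }
  TSRemoteGuardCreds       ::= SEQUENCE { logonCred [0] TSRemoteGuardPackageCred,
                                          supplementalCreds [1] SEQUENCE OF TSRemoteGuardPackageCred OPTIONAL }
  TSRemoteGuardPackageCred ::= SEQUENCE { packageName [0] OCTET STRING, credBuffer [1] OCTET STRING }
Illustrative code, not rdesktop's; check field details against the spec before relying on it.
"""

TS_PASSWORD_CREDS = 1
TS_SMARTCARD_CREDS = 2
TS_REMOTE_GUARD_CREDS = 6          # credType value that selects TSRemoteGuardCreds

SEQUENCE, OCTET_STRING, INTEGER = 0x30, 0x04, 0x02


def _length(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body


def _ctx(n: int, body: bytes) -> bytes:
    """Context-specific constructed tag [n] (0xA0 | n), as used for every field above."""
    return _tlv(0xA0 | n, body)


def _integer(value: int) -> bytes:
    # Minimal two's-complement encoding for non-negative values (leading 0x00 if high bit set).
    return _tlv(INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def package_cred(package_name: str, cred_buffer: bytes) -> bytes:
    """TSRemoteGuardPackageCred. packageName as UTF-16LE is an assumption (see lead-in)."""
    return _tlv(SEQUENCE, _ctx(0, _tlv(OCTET_STRING, package_name.encode("utf-16-le")))
                + _ctx(1, _tlv(OCTET_STRING, cred_buffer)))


def remote_guard_creds(logon_cred: bytes, supplemental=()) -> bytes:
    """TSRemoteGuardCreds; supplementalCreds is omitted entirely when empty (OPTIONAL)."""
    body = _ctx(0, logon_cred)
    if supplemental:
        body += _ctx(1, _tlv(SEQUENCE, b"".join(supplemental)))
    return _tlv(SEQUENCE, body)


def ts_credentials(cred_type: int, credentials: bytes) -> bytes:
    """Outer TSCredentials container; 'credentials' is the encoded inner structure."""
    return _tlv(SEQUENCE, _ctx(0, _integer(cred_type)) + _ctx(1, _tlv(OCTET_STRING, credentials)))


def _read_tlv(buf: bytes, pos: int = 0):
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def _children(body: bytes):
    """Split a constructed body into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out


def _unwrap(buf: bytes, expected_tag: int) -> bytes:
    """Return the value of a single TLV, rejecting wrong tags and trailing bytes."""
    tag, val, end = _read_tlv(buf)
    if tag != expected_tag or end != len(buf):
        raise ValueError(f"expected tag {expected_tag:#x}, got {tag:#x} (trailing={end != len(buf)})")
    return val


def parse_ts_credentials(der: bytes):
    fields = dict(_children(_unwrap(der, SEQUENCE)))
    cred_type = int.from_bytes(_unwrap(fields[0xA0], INTEGER), "big")
    return cred_type, _unwrap(fields[0xA1], OCTET_STRING)


def _parse_package_cred(seq_body: bytes):
    f = dict(_children(seq_body))
    return _unwrap(f[0xA0], OCTET_STRING).decode("utf-16-le"), _unwrap(f[0xA1], OCTET_STRING)


def parse_remote_guard_creds(der: bytes) -> dict:
    f = dict(_children(_unwrap(der, SEQUENCE)))
    logon = _parse_package_cred(_unwrap(f[0xA0], SEQUENCE))
    supp = []
    if 0xA1 in f:
        supp = [_parse_package_cred(body) for tag, body in _children(_unwrap(f[0xA1], SEQUENCE))
                if tag == SEQUENCE]
    return {"logonCred": logon, "supplementalCreds": supp}


def build_example() -> bytes:
    """Constructed sample: a Kerberos logon credential plus one supplemental NTLM entry.
    Both credBuffer values are placeholders, not real logon blobs."""
    logon = package_cred("Kerberos", b"\x00" * 16)
    extra = [package_cred("NTLM", b"\x01\x02")]
    return ts_credentials(TS_REMOTE_GUARD_CREDS, remote_guard_creds(logon, extra))


if __name__ == "__main__":
    der = build_example()
    cred_type, inner = parse_ts_credentials(der)
    print("credType:", cred_type, "->", parse_remote_guard_creds(inner))
```

The decoder is strict about tags and trailing data so a malformed or mis-typed container fails loudly rather than being silently accepted; a client implementation would additionally have to dispatch on credType (1, 2 or 6) before interpreting the credentials octet string, and would hand the decoded TSCredentials to the CredSSP layer for wrapping, never send it in the clear.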