In 2016, Microsoft added a new authentication mode to their remote-desktop implementation, which they call Windows Defender Remote Credential Guard. This allows single sign-on authentication via Kerberos, without sending either the user's password or their NTLM credentials to the host. Instead, a Kerberos ticket is used to authenticate the user on the RDP host, and that time-limited ticket is then also forwarded to the RDP host such that the user can then access other servers from there via delegated Kerberos authentication.
On Windows this requires:

- Windows 10, version 1607 or Windows Server 2016 or newer.
- The host requires a registry attribute set to allow “Restricted Admin connections”, which also enables Kerberos.
- The host (probably) needs to be “trusted for Kerberos delegation” in Active Directory.
I was able to use Kerberos authentication and delegation on Windows after enabling it with
on the host, and requesting it with command-line option
mstsc.exe /remoteGuard
on the Windows client. I then was able to log in without having to provide any password and got a Kerberos ticket at the remote end.
Unfortunately, rdesktop 1.9.0 (Ubuntu 20.04) does not yet appear to support Kerberos user authentication and delegation. It appears to already be able to use Kerberos to establish a secure tunnel for the connection via CredSSP, but not yet to complete the authentication using a Kerberos ticket.
Could this be added?
As I mentioned in #197, this forum thread points at the specification that would have to be implemented:
In [MS-CSSP], TSCredentials can now have a TSRemoteGuardCreds credential type.
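To make that spec pointer concrete, here is an added example (not rdesktop code, and not from the issue author) that DER-encodes a TSCredentials structure carrying a TSRemoteGuardCreds payload as laid out in MS-CSSP 2.2.1.2, and reads the credType back the way a receiving implementation would. The UTF-16LE package name encoding is an assumption, and the credential bytes are a constructed placeholder rather than a real Kerberos ticket.

```python
# Added example: DER encoding of TSCredentials with a TSRemoteGuardCreds payload
# (MS-CSSP 2.2.1.2 / 2.2.1.2.3). Constructed placeholders stand in for real data.
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
CRED_TYPE_REMOTE_GUARD = 6  # TSCredentials.credType value for TSRemoteGuardCreds

def der_len(n: int) -> bytes:
    """DER length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def ctx(n: int, body: bytes) -> bytes:
    return tlv(0xA0 | n, body)  # explicit, constructed context tag [n]

def package_cred(package_name: str, cred_buffer: bytes) -> bytes:
    """TSRemoteGuardPackageCred ::= SEQUENCE { packageName [0] OCTET STRING,
    credBuffer [1] OCTET STRING }. UTF-16LE for the name is an assumption."""
    return tlv(SEQUENCE, ctx(0, tlv(OCTET_STRING, package_name.encode("utf-16-le")))
               + ctx(1, tlv(OCTET_STRING, cred_buffer)))

def ts_credentials_remote_guard(logon: bytes, supplemental=()) -> bytes:
    """TSCredentials ::= SEQUENCE { credType [0] INTEGER, credentials [1] OCTET STRING },
    credentials holding DER TSRemoteGuardCreds { logonCred [0], supplementalCreds [1] OPTIONAL }."""
    inner = ctx(0, logon)
    if supplemental:
        inner += ctx(1, tlv(SEQUENCE, b"".join(supplemental)))
    return tlv(SEQUENCE, ctx(0, tlv(INTEGER, bytes([CRED_TYPE_REMOTE_GUARD])))
               + ctx(1, tlv(OCTET_STRING, tlv(SEQUENCE, inner))))

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, next_pos) for the DER TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[start:start + length], start + length

def cred_type_of(ts_credentials: bytes) -> int:
    """credType of a DER TSCredentials; a peer without Remote Guard support should
    reject 6 explicitly rather than try to parse the payload as TSPasswordCreds."""
    _, seq, _ = read_tlv(ts_credentials)
    _, tagged, _ = read_tlv(seq)
    return int.from_bytes(read_tlv(tagged)[1], "big")
```

A client adding Remote Guard support would fill credBuffer with the Kerberos logon data it obtained, whereas a client that only knows credType 1 and 2 should check credType first and fail cleanly on 6.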