Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1131693 - Error connecting to VM using RDP if NLA is enabled
Summary: Error connecting to VM using RDP if NLA is enabled
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-webadmin-portal
Version: 3.4.0
Hardware: All
OS: Unspecified
medium
medium
Target Milestone: ---
: 3.5.0
Assignee: Frantisek Kobzik
QA Contact: Pavel Novotny
URL:
Whiteboard: virt
Depends On:
Blocks: rhev3.5beta 1156165
TreeView+ depends on / blocked
 
Reported: 2014-08-19 20:36 UTC by Amador Pahim
Modified: 2019-03-22 07:20 UTC (History)
11 users (show)

Fixed In Version: vt2.2
Doc Type: Bug Fix
Doc Text:
The fix allows Network Level Authentication to be used with Native Remote Desktop Protocol (RDP) client. Note that Network Level Authentication is still disabled for RDP browser plug-in.
Clone Of:
Environment:
Last Closed: 2015-02-11 18:08:20 UTC
oVirt Team: ---
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0158 normal SHIPPED_LIVE Important: Red Hat Enterprise Virtualization Manager 3.5.0 2015-02-11 22:38:50 UTC
oVirt gerrit 31997 master MERGED frontend: Allow NLA auth for Native RDP execution Never
oVirt gerrit 32028 ovirt-engine-3.5 MERGED frontend: Allow NLA auth for Native RDP execution Never

Description Amador Pahim 2014-08-19 20:36:22 UTC
Description of problem:
Using RDP console connection, if Network Level Authentication (NLA) is enabled on RDP server, client is not able to connect. The error in RHEV Admin Portal is "Error connecting to VM using RDP:\n2825"

Version-Release number of selected component (if applicable):
rhevm-3.4.1-0.31.el6ev.noarch

How reproducible:
100%

Steps to Reproduce:
1. From a Windows station, login in Admin. Portal (or UserPortal)
2. Select a Windows VM with RDP/NLA enabled.
3. Right click / Console Options
4. Select "Remote Desktop"
5. Click OK.
6. Right Click / Console
7. A window will request confirmation. Click "Connect".

Actual results:
No connection and a message "Error connecting to VM using RDP:\n2825".

Expected results:
Connect to VM using RDP/NLA.

Additional info:
Analysing the console.rdp file downloaded when "Console Invocation" is "Native Client", I noticed the following option:

  enablecredsspsupport:i:0

Changing it to:

  enablecredsspsupport:i:1

And using this file to connect to the VM, the connection happens. According to the source code, this option was setted to "0" in order the get SSO working:
...
 15     private Boolean enableCredSspSupport = false; // Disable 'Credential Security Support Provider (CredSSP)' to enable
 16                                                   // SSO.
...

Please confirm if SSO and enablecredsspsupport are mutual exclusive and, if not, enable it by default. It will be used only if OS supports:

 0 - RDP will not use CredSSP, even if the operating system supports CredSSP.
 1 - RDP will use CredSSP, if the operating system supports CredSSP.

Anyway, if they are mutual exclusive, please consider setting "enableCredSspSupport" to true when using "Native Client", since SSO cannot be used in "Native Client" mode, according to the commit message that introduced the mentioned code:

commit 625b7452d840793df5e72764193c98c5ba121cdf
...    
    NOTE: The automatic login feature will not work with non-plugin
    invocation, because there is no straightforward way to pass a password
    in the RDP descriptor.
...

Comment 1 Frantisek Kobzik 2014-08-26 13:45:47 UTC
Hi Amador,

I just confirmed that SSO and enablecredsspsupport=1 are mutualy exclusive.

According to microsoft.technet, it should be ok to allow that for 'Native client' invocation, I'll do it this way, then.

Thanks.

Comment 2 Amador Pahim 2014-08-26 13:58:36 UTC
(In reply to Frantisek Kobzik from comment #1)
> Hi Amador,
> 
> I just confirmed that SSO and enablecredsspsupport=1 are mutualy exclusive.
> 
> According to microsoft.technet, it should be ok to allow that for 'Native
> client' invocation, I'll do it this way, then.
> 
> Thanks.

Thank you Frantisek. Also, I'm concerned about how to instruct users. Maybe with simple messages like:

...
Console Invocation
o Auto
o Native client (Required for NLA)
o Browser plugin (Required for SSO)
...

Or on the message that appears when mouse-over the Console Invocation's "?".

Comment 3 Frantisek Kobzik 2014-08-27 07:06:52 UTC
Hi Amador!
Current patch makes the hints display in the "?" icon.

Comment 6 Pavel Novotny 2014-10-06 16:14:00 UTC
Verified in rhevm-3.5.0-0.13.beta.el6ev.noarch (vt4).

Verification steps (following the reproducer):
1. From a Windows station, login in Admin. Portal (or UserPortal)
2. Select a Windows VM with RDP/NLA enabled.
3. Right click / Console Options
4. Select "Remote Desktop"
5. Click OK.
6. Right Click / Console
7. A window will request confirmation. Click "Connect".

Result:
RDP connection to VM is successfully established.
In console.rdp file is option "enablecredsspsupport:i:1".

Comment 8 errata-xmlrpc 2015-02-11 18:08:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0158.html


Note You need to log in before you can comment on or make changes to this bug.