Java (1.6.x) RDP 6 client implementation based on [MS-CSSP], [MS-SPNG], and [MS-RDPBCGR] is not working on all machines running Windows XP, 7 and Ubuntu-Desktop

  • Question

  • Hi,

    We built an RDP 7 client in Java as per the specifications [MS-CSSP], [MS-SPNG], and [MS-RDPBCGR], using the ProperJavaRDP code. The new feature in this client is NLA (NTLM authentication). This NTLM authentication is implemented based on the FreeRDP reference code. We tested our client from Windows XP, Windows 7 and Ubuntu-Desktop machines with the target servers Windows XP, Windows 7 and Windows 2008 Server respectively.

    We faced some issues and prepared test cases based on the results. Those test cases are listed in the table below.

    RDP 6 Client   | RDP 6 Server: Windows XP | RDP 6 Server: Windows 7 (NTLM Authentication)
    ---------------+--------------------------+-------------------------------------------------------
    Windows XP     | working                  | Working in some machines, not working in some machines
    Windows 7      | working                  | Working in some machines, not working in some machines
    Ubuntu         | working                  | Working in some machines, not working in some machines

    Wednesday, April 4, 2012 2:25 PM

All replies

  • Hi G Pavan Kumar,

    Although your post is pertinent to the specifications [MS-CSSP], [MS-SPNG], and [MS-RDPBCGR], I don't see a specific question aside from the fact that you "faced some issues" and some scenarios are "not working".  We would be better able to assist you if you could provide a specific question or problem you are trying to solve. 

    Best regards,
    Tom Jebo
    Escalation Engineer
    Microsoft Open Specifications

    Wednesday, April 4, 2012 3:16 PM
    Moderator
  • Hi Tom Jebo,

    RDP 6 Client   | RDP 6 Server: Windows XP   | RDP 6 Server: Windows 7 (NTLM Authentication)
    ---------------+----------------------------+---------------------------------------------------------------------------------------------
    Windows XP     | getting the server console | getting the server console in some machines, not getting the server console in some machines
    Windows 7      | getting the server console | getting the server console in some machines, not getting the server console in some machines
    Ubuntu         | getting the server console | getting the server console in some machines, not getting the server console in some machines

    We use CredSSP as the external security protocol; it has 9 messages as per [MS-CSSP].

        1. TLS ClientHello (client to server)

        2. TLS ServerHello (server to client)

        3. TLS ClientKeyExchange, ChangeCipherSpec, Finished (client to server)

        4. TLS ChangeCipherSpec, Finished (server to client)

        5. TLS encrypted(TSRequest[SPNEGO Token]) (client to server)

        6. TLS encrypted(TSRequest[SPNEGO Token]) (server to client)

        7. TLS encrypted(TSRequest[SPNEGO encrypted(Server's public key)]) (client to server)

        8. TLS encrypted(TSRequest[SPNEGO encrypted(Server's public key+1)]) (server to client)

        9. TLS encrypted(TSRequest[SPNEGO encrypted(User credentials)]) (client to server)

    We followed the FreeRDP reference code to implement the above 9 messages of CredSSP.

    The issue is that, in the cases where we do not get the console, the communication stops after the client sends TLS encrypted(TSRequest[SPNEGO encrypted(Server's public key)]) to the server.

    Thursday, April 5, 2012 10:07 AM
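Messages 7 and 8 of the exchange listed in the post are the part that protects the user credentials sent in message 9: the client wraps the server's TLS public key, and the server must answer with that key with its first byte incremented by one. A client that does not verify this reply before sending message 9 will hand credentials to any TLS endpoint that sits between it and the real server. The following is an added example, not code from the post, from FreeRDP or from [MS-CSSP]; it is written in Python rather than in the poster's Java client so the DER framing and the check can be read stand-alone. It assumes the version-2 TSRequest flow discussed in the thread (later CredSSP versions replaced the "+1" reply with a hash), a constructed stand-in for the server's SubjectPublicKey, and an identity function in place of the SPNEGO/NTLM sealing, which is out of scope here.

```python
import hmac


# ---- minimal DER helpers, enough for TSRequest (added example; not [MS-CSSP] or FreeRDP code) ----

def _der_len(n: int) -> bytes:
    """DER definite-length encoding: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Read one tag-length-value at pos; returns (tag, value, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


# ---- TSRequest encode/decode ----
# TSRequest ::= SEQUENCE { version [0] INTEGER, negoTokens [1] NegoData OPTIONAL,
#                          authInfo [2] OCTET STRING OPTIONAL, pubKeyAuth [3] OCTET STRING OPTIONAL }
# NegoData  ::= SEQUENCE OF SEQUENCE { negoToken [0] OCTET STRING }

def encode_ts_request(version: int, nego_token: bytes = None, pub_key_auth: bytes = None) -> bytes:
    fields = _tlv(0xA0, _tlv(0x02, bytes([version])))
    if nego_token is not None:
        nego_data = _tlv(0x30, _tlv(0x30, _tlv(0xA0, _tlv(0x04, nego_token))))
        fields += _tlv(0xA1, nego_data)
    if pub_key_auth is not None:
        fields += _tlv(0xA3, _tlv(0x04, pub_key_auth))
    return _tlv(0x30, fields)


def decode_ts_request(buf: bytes) -> dict:
    tag, body, end = _read_tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("not a single TSRequest SEQUENCE")
    out = {"version": None, "nego_token": None, "pub_key_auth": None}
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == 0xA0:
            _, v, _ = _read_tlv(inner, 0)
            out["version"] = int.from_bytes(v, "big")
        elif tag == 0xA1:
            _, seq_of, _ = _read_tlv(inner, 0)   # SEQUENCE OF
            _, seq, _ = _read_tlv(seq_of, 0)     # first SEQUENCE
            _, ctx, _ = _read_tlv(seq, 0)        # [0]
            _, tok, _ = _read_tlv(ctx, 0)        # OCTET STRING
            out["nego_token"] = tok
        elif tag == 0xA3:
            _, v, _ = _read_tlv(inner, 0)
            out["pub_key_auth"] = v
    return out


# ---- message 7 / message 8 binding check (version-2 flow) ----

def expected_server_pub_key_auth(server_public_key: bytes) -> bytes:
    """Server's reply to pubKeyAuth: the same key with its first byte incremented (mod 256)."""
    return bytes([(server_public_key[0] + 1) & 0xFF]) + server_public_key[1:]


def server_reply_is_valid(server_public_key: bytes, unwrapped_pub_key_auth: bytes) -> bool:
    """Client-side check of message 8; on mismatch the client must not send message 9."""
    return hmac.compare_digest(expected_server_pub_key_auth(server_public_key), unwrapped_pub_key_auth)


# Constructed stand-in for the SubjectPublicKey taken from the server's TLS certificate.
CONSTRUCTED_SERVER_KEY = b"\x30\x48\x02\x41\x00" + b"\xab" * 64 + b"\x02\x03\x01\x00\x01"


def demo_messages_7_and_8(server_public_key: bytes, version: int = 2) -> bool:
    """Walk messages 7 and 8; the GSS wrap/unwrap is replaced by identity (assumption, see lead-in)."""
    msg7 = encode_ts_request(version, pub_key_auth=server_public_key)            # client -> server
    received = decode_ts_request(msg7)["pub_key_auth"]                          # server unwraps
    msg8 = encode_ts_request(version, pub_key_auth=expected_server_pub_key_auth(received))  # server -> client
    return server_reply_is_valid(server_public_key, decode_ts_request(msg8)["pub_key_auth"])


if __name__ == "__main__":
    print("message 8 binds to the TLS server key:", demo_messages_7_and_8(CONSTRUCTED_SERVER_KEY))
```

The comparison is constant-time and the server key is the one the client itself extracted from the TLS certificate, never a value taken from the server's message; that is what makes message 8 a binding between the TLS session and the CredSSP peer rather than an echo.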
  • Hi G Pavan Kumar,

    Thanks for the additional information.  One of the Open Specifications team members will respond shortly to help you with this problem.

    Best regards,
    Tom Jebo
    Escalation Engineer
    Microsoft Open Specifications

    Thursday, April 5, 2012 3:01 PM
    Moderator
  • Hi G Pavan Kumar,

    Thank you for your issue.  In the exchange you cited above, Windows expects the client-to-server messages ClientKeyExchange, ChangeCipherSpec and Finished messages to travel in THE SAME network frame.  From RFC 2246 (TLS 1.0), which was used at the time, 7.3. “Handshake Protocol overview”:

          Client                                               Server

          ClientHello                  -------->
                                                          ServerHello
                                                         Certificate*
                                                   ServerKeyExchange*
                                                  CertificateRequest*
                                       <--------      ServerHelloDone
          Certificate*
          ClientKeyExchange
          CertificateVerify*
          [ChangeCipherSpec]
          Finished                     -------->
                                                   [ChangeCipherSpec]
                                       <--------             Finished
          Application Data             <------->     Application Data

    We interpreted these messages as travelling together.  We understand that many implementers choose a different interpretation and send those messages in separate packets. We addressed this in [MS-RDPBCGR] as a Product Behavior Note (Appendix A) to section 5.4.5.1 “Transport Layer Security (TLS) 1.0” saying:

    <21> Section 5.4.5.1: Microsoft RDP 5.2, 6.0, 6.1, 7.0, 7.1, and 8.0 servers expect that the final set of client-to-server TLS handshake messages (ClientKeyExchange, ChangeCipherSpec, and Finished, illustrated in [RFC2246] Figure 1), be sent together in a single frame.

    You may be facing additional issues after the topic above is addressed.  If you do, please send me a network trace to “dochelp (at) Microsoft (dot) com”.

    Bryan

    Bryan S. Burgin
    Senior Escalation Engineer
    Microsoft Protocol Open Specifications Team

    Thursday, April 5, 2012 6:18 PM
    Moderator
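The behaviour note quoted in the reply above is about TCP framing, not TLS semantics, so the quickest way to confirm whether a client is affected is to look at the bytes of each frame it sends: the final client flight is three TLS records (a handshake record carrying ClientKeyExchange, a ChangeCipherSpec record, and the encrypted Finished record), and they must all be in one frame. The following is an added diagnostic, not part of the reply, of [MS-RDPBCGR] or of the poster's Java client; it is written in Python so it can be run over captured frames or over a client's own output buffer. It assumes TLS 1.0 record framing as in RFC 2246 and uses constructed frames (not a real capture) as input.

```python
import struct

CONTENT_CHANGE_CIPHER_SPEC = 20
CONTENT_HANDSHAKE = 22
HANDSHAKE_CLIENT_KEY_EXCHANGE = 16


def parse_tls_records(frame: bytes) -> list:
    """Split one TCP payload into TLS records: a list of (content_type, version, body)."""
    records, pos = [], 0
    while pos < len(frame):
        if len(frame) - pos < 5:
            raise ValueError("truncated TLS record header")
        ctype, version, length = struct.unpack("!BHH", frame[pos:pos + 5])
        body = frame[pos + 5:pos + 5 + length]
        if len(body) != length:
            raise ValueError("truncated TLS record body")
        records.append((ctype, version, body))
        pos += 5 + length
    return records


def handshake_types(body: bytes) -> list:
    """Handshake message types inside one plaintext handshake record (a record may hold several)."""
    types, pos = [], 0
    while pos + 4 <= len(body):
        types.append(body[pos])
        pos += 4 + int.from_bytes(body[pos + 1:pos + 4], "big")
    return types


def describe_client_flight(frame: bytes) -> dict:
    """Which parts of the final client flight this single frame carries."""
    found = {"ClientKeyExchange": False, "ChangeCipherSpec": False, "Finished": False}
    after_ccs = False
    for ctype, _, body in parse_tls_records(frame):
        if ctype == CONTENT_CHANGE_CIPHER_SPEC:
            after_ccs = True
            found["ChangeCipherSpec"] = True
        elif ctype == CONTENT_HANDSHAKE and after_ccs:
            found["Finished"] = True   # encrypted, so only its position after CCS identifies it
        elif ctype == CONTENT_HANDSHAKE and HANDSHAKE_CLIENT_KEY_EXCHANGE in handshake_types(body):
            found["ClientKeyExchange"] = True
    return found


def flight_is_coalesced(frame: bytes) -> bool:
    """True only if ClientKeyExchange, ChangeCipherSpec and Finished all travel in this one frame."""
    return all(describe_client_flight(frame).values())


def build_record(ctype: int, body: bytes, version: int = 0x0301) -> bytes:
    return struct.pack("!BHH", ctype, version, len(body)) + body


def build_handshake(htype: int, body: bytes) -> bytes:
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


# Constructed frames (not a real capture): TLS 1.0 record version, a placeholder RSA premaster
# block, and opaque bytes standing in for the encrypted Finished record.
CKE = build_record(CONTENT_HANDSHAKE,
                   build_handshake(HANDSHAKE_CLIENT_KEY_EXCHANGE, b"\x00\x40" + b"\x11" * 64))
CCS = build_record(CONTENT_CHANGE_CIPHER_SPEC, b"\x01")
FIN = build_record(CONTENT_HANDSHAKE, b"\x22" * 40)

SINGLE_FRAME = CKE + CCS + FIN    # the framing the Windows RDP server expects
SPLIT_FRAMES = [CKE, CCS, FIN]    # one record per send(): the pattern that stalls

if __name__ == "__main__":
    print("coalesced:", flight_is_coalesced(SINGLE_FRAME))
    for f in SPLIT_FRAMES:
        print("split frame:", describe_client_flight(f))
```

When the check fails for a client under test, the fix is on the sending side: buffer the three records and hand them to the socket in one write instead of flushing after each record. Run the diagnostic on the client's outbound buffer as well as on a capture, since a TCP stack can still segment a single write on the wire.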