locked
[MS-CSSP] [MS-NLMP] [MS-SPNG] mstsc.exe disconnects on NTLM CHALLENGE message sent by current FreeRDP server RRS feed

  • Question

  • Hi,

    I am currently working on an implementation of server-side network level authentication as part of FreeRDP. I've been stuck very hard on the same problem for over a week now, and I'm truly out of ideas. If my server-side NLA implementation works from Linux to Linux, I just can't get mstsc.exe to connect to any of the experimental servers. I have a version of the server for Linux and a very basic one for Windows, and in both cases, mstsc.exe disconnects after the FreeRDP server sends the NTLM CHALLENGE message.

    Here's a sample capture:

    client sends NTLM NEGOTIATE message

    0000   30 37 a0 03 02 01 02 a1 30 30 2e 30 2c a0 2a 04  07......00.0,.*.
    0010   28 4e 54 4c 4d 53 53 50 00 01 00 00 00 b7 82 08  (NTLMSSP........
    0020   e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0030   00 06 01 b1 1d 00 00 00 0f                       .........

    server sends NTLM CHALLENGE message

    0000   30 81 94 a0 03 02 01 02 a1 81 8c 30 81 89 30 81  0..........0..0.
    0010   86 a0 81 83 04 81 80 4e 54 4c 4d 53 53 50 00 02  .......NTLMSSP..
    0020   00 00 00 08 00 08 00 38 00 00 00 35 82 8a e2 c1  .......8...5....
    0030   0a ff ae 28 a1 e1 07 00 00 00 00 00 00 00 00 40  ...(...........@
    0040   00 40 00 40 00 00 00 06 01 b1 1d 00 00 00 0f 45  .@.@...........E
    0050   00 4e 00 56 00 59 00 02 00 08 00 45 00 4e 00 56  .N.V.Y.....E.N.V
    0060   00 59 00 01 00 08 00 45 00 4e 00 56 00 59 00 04  .Y.....E.N.V.Y..
    0070   00 08 00 65 00 6e 00 76 00 79 00 03 00 08 00 65  ...e.n.v.y.....e
    0080   00 6e 00 76 00 79 00 07 00 08 00 0c e2 42 a4 17  .n.v.y.......B..
    0090   50 cd 01 00 00 00 00                             P......

    client disconnects

    In the above scenario, I have the server running on a Windows 7 SP1 laptop called "envy" on the alternative port 4489. Another machine from the same network running Windows 7 SP1 attempts connecting and throws the following error: An authentication error has occurred (Code: 0x80070057)

    In the wireshark capture, we can see that mstsc.exe closes the TCP connection upon reception of the NTLM CHALLENGE message. I thought maybe this had to do with an issue related to incompatible TLS features being used (the server uses OpenSSL), but it is not the case. I know it's not that because the same server with NLA disabled works fine with mstsc.

    I've tried everything. I took captures with mstsc and the Microsoft RDP server for comparison, I had some minor differences in encoding which were not bugs, but I still modified my code to get *identical* messages. No luck, even identical messages do not work.

    I thought maybe this had to do with the SSL certificate used by my server. Originally, the name in the certificate did not match the TargetName and the data sent in TargetInfo, so that could have explained the disconnection. I fixed my certificate to have one with the proper name and the exact same properties as the certificates generated for the Microsoft RDP server. No luck there again, mstsc.exe is still stubborn and does not want to connect.

    I'm thinking maybe this has to do with policies, SPN configurations, or something else which I haven't figured out yet. However, there's really not that much contained within those few messages, so I'm really lost.

    Some important precisions: I am implementing a drop-in replacement of the NTLM SSPI module. On Linux, I have an NTLM SSPI module that exports the exact same interface as the original module and implements NTLM according to MS-NLMP. This helps for portability, because my server could then make use of the Windows NTLM SSPI module on Windows and avoid managing credentials separately, while also benefiting from the robustness of the original. I can optionally build against my own module on Windows otherwise, but the result is the same. No matter if the server is only Linux or Windows, uses my own NTLM module or the original, mstsc.exe just doesn't want to connect and there's something which I'm obviously missing.

    Other possibly interesting information: the Windows FreeRDP client can make use of the Windows NTLM SSPI module to properly connect to any NLA RDP server. However, when connecting from the Windows FreeRDP client to the Windows FreeRDP server, my client will pass the NTLM CHALLENGE message, send the NTLM AUTHENTICATE message, but will then fail to properly decrypt the public key echo sent by the server with SEC_E_MESSAGE_ALTERED. Maybe these problems are related, not sure exactly how. My implementation obviously does not make the same check for a possible disconnection when receiving the NTLM CHALLENGE message which is why it does not disconnect. When using my own NTLM module though, I get no errors at all, so there might be a slight difference in implementation between my NTLM module and the original.

    Could you help me out with this? I'm seriously stuck on this one

    I can send you the wireshark packet capture along with certificates in private

    Thanks!,

    - Marc-Andre

    Friday, June 22, 2012 2:07 AM

Answers

All replies

  • Marc-Andre,

    We will be working offline and will post a summary of resolution once the investigation is completed.

    Thanks,

    Edgar

    Friday, June 22, 2012 6:20 AM
  • Marc-Andre,

    As you communicated to me offline, you have found the root cause of this issue. The resolution was to enable some compatibility options when calling OpenSSL libraries.

    Thanks,

    Edgar


    Wednesday, June 27, 2012 5:07 PM