Force Network Layer Authentication
Posted: Tue Oct 06, 2020 10:58 am
Good day!
Is there a way to tell WTware to force the use of NLA when connecting to a terminal server that can work both with and without NLA? In our production environment the "Require user authentication for remote connections by using Network Level Authentication" checkbox is cleared on the server,
but if the client specifies the parameter "enablecredsspsupport:i:1" in the .rdp file, NLA is used. We really need it for correct load balancing through the broker, so that UPD profiles don't break.
Example log without mandatory NLA:
[ pfac] [ 9904.124474] Run /sbin/rdpclient 1.
[ gm] [ 9904.124481] Run '/sbin/rdpclient 1', log '/tmp/rdpclient.out', env '', pid ''.
[ pfac] [ 9904.124502] Ok, PID 2031.
[rdpclient 2031] [ 9904.125734] RDP Terminal Client, WTware 6.0.12, pipe 1, pid 2031.
[rdpclient 2031] [ 9904.126084] Use /lib/ui16.so.
[rdpclient 2031] [ 9904.126188] Make RDP session with 192.168.0.119, port 3389.
[rdpclient 2031] [ 9904.126213] Username: "testuser".
[rdpclient 2031] [ 9904.126232] Password: present.
[rdpclient 2031] [ 9904.126248] No PIN.
[rdpclient 2031] [ 9904.126267] Domain: "testdomain".
[rdpclient 2031] [ 9904.126284] No shell.
[rdpclient 2031] [ 9904.126300] No directory.
[rdpclient 2031] [ 9904.126314] Window: 1216x1024@16.
[rdpclient 2031] [ 9904.126324] PFlags 0x000001AE.
[rdpclient 2031] [ 9904.126334] Keyboard 00010426:00000426.
[rdpclient 2031] [ 9904.126345] My hostname "tc-test".
[rdpclient 2031] [ 9904.126374] TCP: connecting to 192.168.0.119:3389.
[rdpclient 2031] [ 9904.127087] TCP: connection with 192.168.0.119:3389 established.
[rdpclient 2031] [ 9904.127143] Turn keepalive on.
[rdpclient 2031] [ 9904.127285] Free ram after buffers allocation: 2920040 KB.
[rdpclient 2031] [ 9904.127306] Use Balance Info 52 bytes: 'tsv://MS Terminal Services Plugin.1.Office_RDS_Colle'.
[rdpclient 2031] [ 9904.138986] Server supports GFX Pipeline.
[rdpclient 2031] [ 9904.142283] Process RDP server certificate.
[rdpclient 2031] [ 9904.142307] RDP4 encryption.
[rdpclient 2031] [ 9904.145205] Enable font smoothing and Desktop Composition.
[rdpclient 2031] [ 9904.326755] GFX codec.
[rdpclient 2031] [ 9904.334366] Graphics output buffer 1216x1024, 1 monitors.
[rdpclient 2031] [ 9904.334405] Monitor 0: 0.0-1215.1023 primary.
[rdpclient 2031] [ 9905.327280] Run 3 tile threads.
As a result the client tries to log in to the broker, ignoring the redirect packet.
Example of connecting to a server where NLA is mandatory:
[ pfac] [ 72.412223] Run /sbin/rdpclient 1.
[ gm] [ 72.412230] Run '/sbin/rdpclient 1', log '/tmp/rdpclient.out', env '', pid ''.
[ pfac] [ 72.412251] Ok, PID 1236.
[rdpclient 1236] [ 72.413479] RDP Terminal Client, WTware 6.0.12, pipe 1, pid 1236.
[rdpclient 1236] [ 72.413821] Use /lib/ui16.so.
[rdpclient 1236] [ 72.413941] Make RDP session with 192.168.0.137, port 3389.
[rdpclient 1236] [ 72.413962] Username: "testuser".
[rdpclient 1236] [ 72.413976] Password: present.
[rdpclient 1236] [ 72.413993] No PIN.
[rdpclient 1236] [ 72.414008] Domain: "testdomain".
[rdpclient 1236] [ 72.414025] No shell.
[rdpclient 1236] [ 72.414039] No directory.
[rdpclient 1236] [ 72.414050] Window: 1216x1024@16.
[rdpclient 1236] [ 72.414062] PFlags 0x000001AE.
[rdpclient 1236] [ 72.414073] Keyboard 00010426:00000426.
[rdpclient 1236] [ 72.414086] My hostname "tc-test".
[rdpclient 1236] [ 72.414095] TCP: connecting to 192.168.0.137:3389.
[rdpclient 1236] [ 72.414846] TCP: connection with 192.168.0.137:3389 established.
[rdpclient 1236] [ 72.414886] Turn keepalive on.
[rdpclient 1236] [ 72.415048] Free ram after buffers allocation: 2963320 KB.
[rdpclient 1236] [ 72.415073] Use Balance Info 52 bytes: 'tsv://MS Terminal Services Plugin.1.Office_RDS_Colle'.
[rdpclient 1236] [ 72.429252] Reconnect with NLA enabled.
[rdpclient 1236] [ 72.429278] TCP: reconnecting to 192.168.0.137:3389.
[rdpclient 1236] [ 72.429550] TCP: connection with 192.168.0.137:3389 established.
[rdpclient 1236] [ 72.429578] Turn keepalive on.
[rdpclient 1236] [ 72.429591] Use Balance Info 52 bytes: 'tsv://MS Terminal Services Plugin.1.Office_RDS_Colle'.
[rdpclient 1236] [ 72.433932] Server supports GFX Pipeline.
[rdpclient 1236] [ 72.433963] NLA.
[rdpclient 1236] [ 72.433983] SSL/TLS.
Here WTware immediately switches to NLA and everything works just as the doctor ordered.
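The negotiation the two logs hint at, as an added example that is not part of the original post and is not WTware's code: this Python builds the X.224 Connection Request with which an RDP client offers CredSSP (PROTOCOL_HYBRID, which is what enablecredsspsupport:i:1 asks the Microsoft client to do), carries the broker routing token seen in the log, and decodes the server's Connection Confirm to tell whether NLA was actually selected, or whether the server refused with HYBRID_REQUIRED_BY_SERVER (the case behind "Reconnect with NLA enabled"). Structures follow MS-RDPBCGR 2.2.1.1 and 2.2.1.2; the server replies below are constructed for the demo, not captured from any server. Which protocol a server picks from the offered set is the server's decision, so the useful check is on the reply, not on the request.

```python
"""Build an RDP X.224 Connection Request and decode the Connection Confirm (added example)."""
import struct

TPKT_VERSION = 3          # RFC 1006 framing
X224_CR = 0xE0            # X.224 Connection Request TPDU code
X224_CC = 0xD0            # X.224 Connection Confirm TPDU code

# rdpNegData types and security protocol flags (MS-RDPBCGR 2.2.1.1.1, 2.2.1.2.1, 2.2.1.2.2)
TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
PROTOCOL_RDP = 0x00000000       # standard RDP security: "RDP4 encryption" in the WTware log
PROTOCOL_SSL = 0x00000001       # TLS only
PROTOCOL_HYBRID = 0x00000002    # CredSSP over TLS, i.e. NLA
PROTOCOL_HYBRID_EX = 0x00000008
DYNVC_GFX_PROTOCOL_SUPPORTED = 0x02   # RDP_NEG_RSP flag: "Server supports GFX Pipeline"

FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def _frame(x224_body):
    """Prefix the X.224 body with its length indicator and a TPKT header."""
    x224 = bytes([len(x224_body)]) + bytes(x224_body)   # LI counts everything after itself
    return struct.pack(">BBH", TPKT_VERSION, 0, 4 + len(x224)) + x224


def build_connection_request(requested_protocols, routing_token=None):
    """TPKT + X.224 CR + optional routingToken + RDP_NEG_REQ.

    routing_token is the broker cookie (the 'tsv://...' load-balance info from
    the log); the spec terminates it with CR LF before the negotiation request.
    """
    body = bytearray(struct.pack(">BHHB", X224_CR, 0, 0, 0))  # code, dst-ref, src-ref, class
    if routing_token:
        body += routing_token + b"\r\n"
    # RDP_NEG_REQ: type, flags, length (always 8), requestedProtocols; little-endian
    body += struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    return _frame(body)


def build_connection_confirm(neg_type, value, flags=0):
    """Constructed server reply for testing (not captured from a real server)."""
    body = struct.pack(">BHHB", X224_CC, 0, 0, 0)
    if neg_type is not None:
        body += struct.pack("<BBHI", neg_type, flags, 8, value)
    return _frame(body)


def parse_connection_confirm(pdu):
    """Decode the Connection Confirm and report which security protocol the server chose."""
    version, _, length = struct.unpack(">BBH", pdu[:4])
    if version != TPKT_VERSION or length != len(pdu):
        raise ValueError("bad TPKT header")
    li = pdu[4]
    if pdu[5] != X224_CC:
        raise ValueError("not an X.224 Connection Confirm")
    neg = pdu[11:5 + li]               # bytes after the 6-byte fixed CC part
    if not neg:                        # no rdpNegData: pre-negotiation server, standard RDP security
        return {"result": "rsp", "selected_protocol": PROTOCOL_RDP, "gfx": False}
    ntype, flags, nlen, value = struct.unpack("<BBHI", neg[:8])
    if nlen != 8:
        raise ValueError("bad rdpNegData length")
    if ntype == TYPE_RDP_NEG_RSP:
        return {"result": "rsp", "selected_protocol": value,
                "gfx": bool(flags & DYNVC_GFX_PROTOCOL_SUPPORTED)}
    if ntype == TYPE_RDP_NEG_FAILURE:
        return {"result": "failure", "failure_code": value,
                "failure_name": FAILURE_CODES.get(value, "UNKNOWN")}
    raise ValueError("unexpected rdpNegData type 0x%02x" % ntype)


def is_nla(selected_protocol):
    """True when the negotiated protocol means CredSSP (NLA) runs before the session starts."""
    return bool(selected_protocol & (PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX))


if __name__ == "__main__":
    token = b"tsv://MS Terminal Services Plugin.1.Office_RDS_Colle"   # 52-byte cookie from the log
    # Offering HYBRID | SSL is what a CredSSP-capable client sends; the server then chooses.
    print(build_connection_request(PROTOCOL_HYBRID | PROTOCOL_SSL, token).hex())
    for cc in (build_connection_confirm(TYPE_RDP_NEG_RSP, PROTOCOL_HYBRID, DYNVC_GFX_PROTOCOL_SUPPORTED),
               build_connection_confirm(TYPE_RDP_NEG_FAILURE, 0x05),
               build_connection_confirm(None, 0)):
        info = parse_connection_confirm(cc)
        print(info, "NLA" if info["result"] == "rsp" and is_nla(info["selected_protocol"]) else "no NLA")
```

Running the script prints the 73-byte request (19 bytes of framing plus the token and CR LF) and the three decoded replies: HYBRID selected, HYBRID_REQUIRED_BY_SERVER, and a bare confirm that means standard RDP security. A client that wants to enforce NLA regardless of the server's checkbox has to treat anything other than a HYBRID/HYBRID_EX selection as a failure rather than continuing with RDP4 encryption, which is the behaviour the second log shows and the first one lacks.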