Forum Discussion

Nicolas_COLLET's avatar
Nicolas_COLLET
Icon for Nimbostratus rankNimbostratus
Apr 13, 2017

RDG with BigIP APM and Windows 10 1703 creators update

Hello,

 

We used BIG IP APM 11.6.1 HF2 and we configure APM with RDG to centralize rdp access. It's work good with a lot of differents versions of Windows (7, 8, 8.1, 10 "1607") but not with the last version of Windows 10 (1703) named creators update.

 

Apparently, Microsoft decide to change authentification in rdp client (mstsc.exe or activex rdp). Now, rdp client force to used Kerberos authentification but RDG doesn't support it.

 

I don't find any solution to force rdp client to modify default authentification and enable NTLM auth.

 

But apparently, with RDP client and when I try to connect to the Remote Desktop Gateway, it's not the process mstsc it's connect to RDG but it's LSASS with try to Kerberos authentification.

 

Like it's explain in this article : http://www.thewindowsclub.com/credential-guard-windows-10

 

For example, this is a connexion from Windows 8.1 :

 

RDG_OUT_DATA /remoteDesktopGateway/

 

HTTP/1.1 Cache-Control: no-cache

 

Connection: Keep-Alive

 

Pragma: no-cache Accept: /

 

User-Agent: MS-RDGateway/1.0

 

RDG-Connection-Id: {B96140B7-3D9A-4DC0-88BC-7B40C49C1A4D} RDG-Correlation-Id: {0CC5ACC4-323D-4D50-9A9C-D0FFD9430000} RDG-User-Id: xxxxxxxxxxxxxxxxxxxx

 

Host: rdg.mondomaine.fr

 

Authorization: NTLM xxxxxxxxxxxxxxxxxxxxxxxxxxx==

 

clientless-mode: 1 X-F5-Client: rdg-http

 

This is a connexion from Windows 10 creators update (1703) :

 

First connect to KDC Proxy :

 

And after to RDG but with auth scheme Negotiate and not NTLM :

 

RDG_OUT_DATA /remoteDesktopGateway/

 

HTTP/1.1 Cache-Control: no-cache

 

Connection: Upgrade

 

Pragma: no-cache Upgrade: websocket Accept: /

 

User-Agent: MS-RDGateway/1.0

 

RDG-Connection-Id: {2FE597B6-00AE-42BC-A47D-A67BE884237D} RDG-Correlation-Id: {1F76CE0F-C75D-462E-9F15-FFA5951F0000} RDG-User-Id: xxxxxxxxxxxxxxxxxxxxxxxxxxx== RDG-Client-Generation: Win326.2=5

 

Sec-WebSocket-Key: 6ekVx9V3iMEKWPlNVsbZ5g== Sec-WebSocket-Version: 13

 

Host: rdg.mondomaine.fr Authorization: Negotiate xxxxxxxxxxxxxxxxxxxxxxxxxxx==

 

clientless-mode: 1 X-F5-Client: rdg-http

 

Anybody have an idea to do something with configuration of APM or irule to try to accept Kerberos authentification receive by rdp client ?

 

Best regards

 

APM
security

16 Replies

Sort By
  • Nicolas_COLLET's avatar
    Nicolas_COLLET
    Icon for Nimbostratus rankNimbostratus
    Apr 25, 2017

    Hello,

     

    It's need to used the workaround in my computer to correct this problem. For now the workaround is to replace one dll and one exe with the older version like explained in another thread:

     

    You can replace the mstsc.exe and mstscax.dll library located in %windir%\SysWOW64\ with the "backup" file in "Windows.old\WINDOWS\SysWOW64" and in %windir%\System32\ with the "backup" file in "Windows.old\WINDOWS\System32".

     

    You will need to take ownership of the file and give Administrators Full control access to be able to replace it. Please backup the file you are replacing

     

    Best regards

     

  • Jason_Grimme's avatar
    Jason_Grimme
    Icon for Nimbostratus rankNimbostratus
    Aug 07, 2017

    I installed version 13, still same issue. Any one has have more details?

     

  • Nicolas_COLLET's avatar
    Nicolas_COLLET
    Icon for Nimbostratus rankNimbostratus
    Aug 09, 2017

    I agree with you, v13 doesn't solved anything for this with HF2 or not.

     

    In my opinion, this is a new behavior implemented by Microsoft and they did not communicate on it.

     

    I think F5 does not necessarily inform about this change.

     

    If you want to follow the exchanges with the forum partner Microsoft, here is the post:

     

    Windows 10 1703 - unable to connect via Remote Desktop Gateway - Force to use Kerberos for authentication

     

    It's need to open a case in F5, but we have no time to this for the moment, so I used workaround.

     

  • mjohnson_151651's avatar
    mjohnson_151651
    Icon for Nimbostratus rankNimbostratus
    Aug 16, 2017

    Is this still an issue?

     

    We are looking to do this since Citrix doesn't want to support 1703 for VDA so we were going to move to the F5.

     

  • Marcus_B_299992's avatar
    Marcus_B_299992
    Icon for Nimbostratus rankNimbostratus
    Nov 22, 2017

    Could you please clarify what do you mean by "new feature native RDP". We are trying to configure this with 12.1.1 HF1 / 12.1.2 HF1 and 13.0.0 HF2 but nothings works.

     

    The first request is as follows: POST /KdcProxy HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: kerberos/1.0 Content-Length: 255 Host: our.domain.tld

     

    • boneyard's avatar
      boneyard
      Icon for MVP rankMVP
      Nov 27, 2017

      from the release notes: https://support.f5.com/kb/en-us/products/big-ip_apm/releasenotes/product/relnote-apm-13-0-0.html

       

      it might be this

       

      Launch native RDP client from APM webtop without F5 client component code

RDP resources can now be configured to launch native RDP clients on Windows or Mac OS X. Previously, F5 client component code (ActiveX control or Java applet) was required on the user's desktop. This feature addresses recent changes in some browsers such as Firefox and Chrome or Microsoft Edge to drop support for Java and Active-X plug-ins.

      dont have version 13 around to have a look.