Forum Discussion
NimbostratusRDG with BigIP APM and Windows 10 1703 creators update
Hello,
We used BIG IP APM 11.6.1 HF2 and we configure APM with RDG to centralize rdp access. It's work good with a lot of differents versions of Windows (7, 8, 8.1, 10 "1607") but not with the last version of Windows 10 (1703) named creators update.
Apparently, Microsoft decide to change authentification in rdp client (mstsc.exe or activex rdp). Now, rdp client force to used Kerberos authentification but RDG doesn't support it.
I don't find any solution to force rdp client to modify default authentification and enable NTLM auth.
But apparently, with RDP client and when I try to connect to the Remote Desktop Gateway, it's not the process mstsc it's connect to RDG but it's LSASS with try to Kerberos authentification.
Like it's explain in this article : http://www.thewindowsclub.com/credential-guard-windows-10
For example, this is a connexion from Windows 8.1 :
RDG_OUT_DATA /remoteDesktopGateway/
HTTP/1.1 Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache Accept: /
User-Agent: MS-RDGateway/1.0
RDG-Connection-Id: {B96140B7-3D9A-4DC0-88BC-7B40C49C1A4D} RDG-Correlation-Id: {0CC5ACC4-323D-4D50-9A9C-D0FFD9430000} RDG-User-Id: xxxxxxxxxxxxxxxxxxxx
Host: rdg.mondomaine.fr
Authorization: NTLM xxxxxxxxxxxxxxxxxxxxxxxxxxx==
clientless-mode: 1 X-F5-Client: rdg-http
This is a connexion from Windows 10 creators update (1703) :
First connect to KDC Proxy :
And after to RDG but with auth scheme Negotiate and not NTLM :
RDG_OUT_DATA /remoteDesktopGateway/
HTTP/1.1 Cache-Control: no-cache
Connection: Upgrade
Pragma: no-cache Upgrade: websocket Accept: /
User-Agent: MS-RDGateway/1.0
RDG-Connection-Id: {2FE597B6-00AE-42BC-A47D-A67BE884237D} RDG-Correlation-Id: {1F76CE0F-C75D-462E-9F15-FFA5951F0000} RDG-User-Id: xxxxxxxxxxxxxxxxxxxxxxxxxxx== RDG-Client-Generation: Win326.2=5
Sec-WebSocket-Key: 6ekVx9V3iMEKWPlNVsbZ5g== Sec-WebSocket-Version: 13
Host: rdg.mondomaine.fr Authorization: Negotiate xxxxxxxxxxxxxxxxxxxxxxxxxxx==
clientless-mode: 1 X-F5-Client: rdg-http
Anybody have an idea to do something with configuration of APM or irule to try to accept Kerberos authentification receive by rdp client ?
Best regards
16 Replies
W59Any news on this? Does somebody know of any information better than this? https://partnersupport.microsoft.com/en-us/par_clientsol/forum/par_win/windows-10-1703-unable-to-connect-via-remote/1e9cec01-38d2-44ab-95ab-b1128964ccf4?tm=1492175212211&auth=1&rtAction=1492467708123.
Jason_Grimme_15so I'm assuming most people better at searching than me have found this, but I stumbled upon this article from JANUARY!!!
https://support.f5.com/csp/article/K98510679
K98510679
Has the uber simple fix, plainly listed.
Hopefully this can help someone more attentive than me.
Jason_GrimmeI found this about 10 minutes after I took the time to finally write a simple script to replace the files for me, here again if anyone wants...
takeown /f C:\Windows\system32\mstsc.exe takeown /f C:\Windows\syswow64\mstsc.exe takeown /f C:\Windows\system32\mstscax.dll takeown /f C:\Windows\syswow64\mstscax.dll icacls C:\Windows\system32\mstsc.exe /grant users:f icacls C:\Windows\syswow64\mstsc.exe /grant users:f icacls C:\Windows\system32\mstscax.dll /grant users:f icacls C:\Windows\syswow64\mstscax.dll /grant users:f ren c:\Windows\system32\mstsc.exe mstsc.%date:~4,2%%date:~7,2%%date:~10,4%.exe ren c:\Windows\system32\mstscax.dll mstscax.%date:~4,2%%date:~7,2%%date:~10,4%.dll ren c:\Windows\syswow64\mstsc.exe mstsc.%date:~4,2%%date:~7,2%%date:~10,4%.exe ren c:\Windows\syswow64\mstscax.dll mstscax.%date:~4,2%%date:~7,2%%date:~10,4%.dll copy mstsc*.* C:\windows\system32 copy mstsc*.* C:\windows\syswow64- Jason_Grimme_15
I found this about 10 minutes after I took the time to finally write a simple script to replace the files for me, here again if anyone wants...
takeown /f C:\Windows\system32\mstsc.exe takeown /f C:\Windows\syswow64\mstsc.exe takeown /f C:\Windows\system32\mstscax.dll takeown /f C:\Windows\syswow64\mstscax.dll icacls C:\Windows\system32\mstsc.exe /grant users:f icacls C:\Windows\syswow64\mstsc.exe /grant users:f icacls C:\Windows\system32\mstscax.dll /grant users:f icacls C:\Windows\syswow64\mstscax.dll /grant users:f ren c:\Windows\system32\mstsc.exe mstsc.%date:~4,2%%date:~7,2%%date:~10,4%.exe ren c:\Windows\system32\mstscax.dll mstscax.%date:~4,2%%date:~7,2%%date:~10,4%.dll ren c:\Windows\syswow64\mstsc.exe mstsc.%date:~4,2%%date:~7,2%%date:~10,4%.exe ren c:\Windows\syswow64\mstscax.dll mstscax.%date:~4,2%%date:~7,2%%date:~10,4%.dll copy mstsc*.* C:\windows\system32 copy mstsc*.* C:\windows\syswow64
- Jason_Grimme
so I'm assuming most people better at searching than me have found this, but I stumbled upon this article from JANUARY!!!
https://support.f5.com/csp/article/K98510679
K98510679
Has the uber simple fix, plainly listed.
Hopefully this can help someone more attentive than me.
