RDG with BigIP APM and Windows 10 1703 creators update
Hello,
We used BIG IP APM 11.6.1 HF2 and we configure APM with RDG to centralize rdp access. It's work good with a lot of differents versions of Windows (7, 8, 8.1, 10 "1607") but not with the last version of Windows 10 (1703) named creators update.
Apparently, Microsoft decide to change authentification in rdp client (mstsc.exe or activex rdp). Now, rdp client force to used Kerberos authentification but RDG doesn't support it.
I don't find any solution to force rdp client to modify default authentification and enable NTLM auth.
But apparently, with RDP client and when I try to connect to the Remote Desktop Gateway, it's not the process mstsc it's connect to RDG but it's LSASS with try to Kerberos authentification.
Like it's explain in this article : http://www.thewindowsclub.com/credential-guard-windows-10
For example, this is a connexion from Windows 8.1 :
RDG_OUT_DATA /remoteDesktopGateway/
HTTP/1.1 Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache Accept: /
User-Agent: MS-RDGateway/1.0
RDG-Connection-Id: {B96140B7-3D9A-4DC0-88BC-7B40C49C1A4D} RDG-Correlation-Id: {0CC5ACC4-323D-4D50-9A9C-D0FFD9430000} RDG-User-Id: xxxxxxxxxxxxxxxxxxxx
Host: rdg.mondomaine.fr
Authorization: NTLM xxxxxxxxxxxxxxxxxxxxxxxxxxx==
clientless-mode: 1 X-F5-Client: rdg-http
This is a connexion from Windows 10 creators update (1703) :
First connect to KDC Proxy :
And after to RDG but with auth scheme Negotiate and not NTLM :
RDG_OUT_DATA /remoteDesktopGateway/
HTTP/1.1 Cache-Control: no-cache
Connection: Upgrade
Pragma: no-cache Upgrade: websocket Accept: /
User-Agent: MS-RDGateway/1.0
RDG-Connection-Id: {2FE597B6-00AE-42BC-A47D-A67BE884237D} RDG-Correlation-Id: {1F76CE0F-C75D-462E-9F15-FFA5951F0000} RDG-User-Id: xxxxxxxxxxxxxxxxxxxxxxxxxxx== RDG-Client-Generation: Win326.2=5
Sec-WebSocket-Key: 6ekVx9V3iMEKWPlNVsbZ5g== Sec-WebSocket-Version: 13
Host: rdg.mondomaine.fr Authorization: Negotiate xxxxxxxxxxxxxxxxxxxxxxxxxxx==
clientless-mode: 1 X-F5-Client: rdg-http
Anybody have an idea to do something with configuration of APM or irule to try to accept Kerberos authentification receive by rdp client ?
Best regards