On 2024-07-30, Lévai Dániel <l...@ecentrum.hu> wrote:
> Hi all,
>
> I'm noticing that xfreerdp and remmina fail to connect to a Windows 11
> machine while using NLA:
>
> $ xfreerdp /v:host /u:u...@example.com /d:MicrosoftAccount /sec:nla
> [17:04:04:954] [26344:92f3b640] [WARN][com.freerdp.crypto] - Certificate
> verification failure 'unable to get local issuer certificate (20)' at stack
> position 0
> [17:04:04:954] [26344:92f3b640] [WARN][com.freerdp.crypto] - CN =
> daniell-kvm-windows11
> Password:
> [17:04:08:675] [26344:92f3b640] [ERROR][com.freerdp.core.transport] -
> BIO_read returned an error: error:1404C438:SSL routines:ST_OK:tlsv1 alert
> internal error
> [17:04:08:675] [26344:92f3b640] [ERROR][com.freerdp.core] -
> transport_read_layer:freerdp_set_last_error_ex
> ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
> [17:04:08:823] [26344:92f3b640] [ERROR][com.freerdp.core.transport] -
> BIO_read returned an error: error:1404C438:SSL routines:ST_OK:tlsv1 alert
> internal error
> [17:04:08:823] [26344:92f3b640] [ERROR][com.freerdp.core] -
> transport_read_layer:freerdp_set_last_error_ex
> ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
> [17:04:08:823] [26344:92f3b640] [ERROR][com.freerdp.core] -
> freerdp_post_connect failed
>
> Remmina just says "Cannot connect to the RDP server" after a couple of
> seconds.
>
> Funny thing is, every attempt results in a successful logon event on Windows.
>
> Switching off NLA on the Windows machine and trying /sec:tls with xfreerdp
> (or switching to TLS security in Remmina) shows the usual graphical logon
> screen where I can log in without a problem. Same clients on other OSes also
> work (Android, Linux, etc...).
>
> Is this something to do with LibreSSL, maybe? Has this ever worked on OpenBSD?

I'm able to connect to a W2022 DC using "xfreerdp /u:username /d:somedomain /v:xx.xx.xx.xx:3389 /sec:nla" and typing the password at the Password: prompt. I'm not sure how to tell if it's really using NLA but I suspect that non-NLA logins are probably disabled on the Windows side.

Have you tried the same freerdp version on e.g. Linux to see how that works? (Better to compare the same version if possible otherwise there is an extra complication - the old workaround for lack of posix timers is no longer enough, we cannot update to freerdp 3.x, so maybe missing upstream fixes - it's possible they may have fixed something for newer versions of Windows).