Hi,

Basic Kerberos support can be activated (-DWITH_GSSAPI=ON), but it is
currently more or less in an alpha state (various issues and nobody
actively working on improving it).

As for the NLA issue, you could just remove the line and check if it
works (there have been some improvements regarding NLA, so the force off
might be outdated).


regards

Armin

On 11/21/19 12:20 AM, Ransom, Geoffrey M. via FreeRDP-devel wrote:
> Hello
>    I work in a mixed Linux/Windows environment where we are required to have 
> FIPS and NLA enabled and this doesn't seem to work for FreeRDP. We can't 
> connect to Windows 10 systems with NLA enabled from our Red Hat Linux systems 
> with FIPS enabled.
>
> I went digging through the source to see what is going on and found the 
> following in "libfreerdp/core/connection.c"...
>
>         /* FIPS Mode forces the following and overrides the following(by happening later */
>         /* in the command line processing): */
>         /* 1. Disables NLA Security since NLA in freerdp uses NTLM(no Kerberos support yet) which uses
>          * algorithms */
>         /*      not allowed in FIPS for sensitive data. So, we disallow NLA when FIPS is required. */
>         /* 2. Forces the only supported RDP encryption method to be FIPS. */
>         if (settings->FIPSMode || winpr_FIPSMode())
>         {
>                 settings->NlaSecurity = FALSE;
>                 settings->EncryptionMethods = ENCRYPTION_METHOD_FIPS;
>         }
>
> This makes it sound like FIPS and NLA can't coexist right now. I can't seem 
> to find details on what the NLA extended protocols are to see if this is a 
> workaround for this issue.
>
> Is there a way to use FreeRDP between systems requiring FIPS on Linux and NLA 
> on Windows 10?
> If so, could you point me towards documentation for it?
>
> Is there a bug/project entry for adding NLA Kerberos support for FreeRDP that 
> I can follow?
> Is there another RDP client that supports FIPS and NLA?
>
> Thanks.
>
>
> _______________________________________________
> FreeRDP-devel mailing list
> FreeRDP-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/freerdp-devel
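
The override in the quoted snippet, as an added example that is not part of this thread or of FreeRDP's code: the same FIPS rule applied to a stand-in settings struct, but returning a result that tells the caller when a requested NLA was cancelled, so the downgrade can be logged instead of surfacing only as a refused connection. The struct, the enum, `apply_fips_policy` and the `host_fips` parameter (standing in for `winpr_FIPSMode()`) are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the few settings fields the quoted snippet touches;
 * this is NOT FreeRDP's real rdpSettings structure. */
#define ENCRYPTION_METHOD_FIPS 0x00000010u /* value defined in MS-RDPBCGR */

typedef struct
{
	bool FIPSMode;              /* FIPS requested for this connection */
	bool NlaSecurity;           /* NLA requested, e.g. on the command line */
	uint32_t EncryptionMethods; /* RDP standard-security encryption methods */
} demo_settings;

typedef enum
{
	FIPS_NOT_ACTIVE,  /* neither the connection nor the host is in FIPS mode */
	FIPS_APPLIED,     /* FIPS forced; NLA had not been requested */
	FIPS_OVERRODE_NLA /* FIPS forced and a requested NLA was dropped */
} fips_result;

/* Same override as the quoted code, but it reports when it cancels NLA.
 * host_fips is a hypothetical stand-in for winpr_FIPSMode(). */
fips_result apply_fips_policy(demo_settings* s, bool host_fips)
{
	if (!(s->FIPSMode || host_fips))
		return FIPS_NOT_ACTIVE;

	bool nla_was_requested = s->NlaSecurity;
	s->NlaSecurity = false; /* NTLM-based NLA is not allowed under FIPS */
	s->EncryptionMethods = ENCRYPTION_METHOD_FIPS;
	return nla_was_requested ? FIPS_OVERRODE_NLA : FIPS_APPLIED;
}

int main(void)
{
	/* Constructed case: the user asks for NLA on a FIPS-enabled host. */
	demo_settings s = { false, true, 0 };
	if (apply_fips_policy(&s, true) == FIPS_OVERRODE_NLA)
		fprintf(stderr, "FIPS mode disabled NLA; an NLA-only server will refuse this client\n");
	return 0;
}
```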

