** Description changed:
- - Source package: gnome-remote-desktop
- - Release: Ubuntu 25.10
- - Package version: 49.0-0ubuntu1.1
- - Expected: GDM login screen appears via RDP when connecting from Windows
mstsc.exe to port 3389
-
-Actual:Blackscreenfor~30secondsthendisconnect.ServerlogsshowNLAhandshakefailure:nla_server_recv_stream:nla_recv()error:-1andConnectionresetbypeer
+ - Source package: gnome-remote-desktop
+ - Release: Ubuntu 25.10
+ - Package version: 49.0-0ubuntu1.1
+ - Expected: GDM login screen appears via RDP when connecting from Windows
mstsc.exe to port 3389
+ -Actual:Black screen for ~30 seconds then disconnect. Server logs show NLA
handshakefailure:nla_server_recv_stream:nla_recv()error:-1 and Connection reset
by peer
-
- On Ubuntu 25.10 (GNOME 49, gnome-remote-desktop 49.0), system-level headless
RDP via `gnome-remote-desktop` consistently fails NLA (Network Level
Authentication) when connecting from Windows 10/11 `mstsc.exe`. The Windows
client connects, shows a black screen for ~30 seconds, then disconnects. The
GRD server logs show `nla_server_recv_stream: nla_recv() error: -1` and `client
authentication failure` on every attempt.
+ On Ubuntu 25.10 (GNOME 49, gnome-remote-desktop 49.0), system-level
+ headless RDP via `gnome-remote-desktop` consistently fails NLA (Network
+ Level Authentication) when connecting from Windows 10/11 `mstsc.exe`.
+ The Windows client connects, shows a black screen for ~30 seconds, then
+ disconnects. The GRD server logs show `nla_server_recv_stream:
+ nla_recv() error: -1` and `client authentication failure` on every
+ attempt.
XFCE4 + xrdp on the same machine works perfectly on port 3390,
confirming network connectivity and RDP client functionality are not the
issue.
## Environment
- **OS**: Ubuntu 25.10 (Questing), kernel 6.17.0-14-generic
- **Hardware**: Hyper-V VM (Microsoft Corporation Virtual Machine), AMD Ryzen
5 7430U
- **GPU**: Virtual — `/dev/dri/card1` only (no card0), no VGA device on lspci
- **No TPM**: GRD falls back to GKeyFile for credential storage
- **No physical display**: Headless server, no monitor attached
### Package versions
| Package | Version |
|---------|---------|
| gnome-remote-desktop | 49.0-0ubuntu1.1 |
| gdm3 | 49.0.1-1ubuntu2.1 |
| gnome-shell | 49.0-1ubuntu1.2 |
| mutter-common | 49.0-2ubuntu5.3 |
| libfreerdp3-3 | 3.16.0+dfsg-2ubuntu0.1 |
| libwinpr3-3 | 3.16.0+dfsg-2ubuntu0.1 |
### GRD configuration
```
$ sudo grdctl --system status --show-credentials
Overall:
- Unit status: active
+ Unit status: active
RDP:
- Status: enabled
- Port: 3389
- TLS certificate: /var/lib/gnome-remote-desktop/rdp-tls.crt
- TLS key: /var/lib/gnome-remote-desktop/rdp-tls.key
- Username: ubuntu
- Password: ubuntu
+ Status: enabled
+ Port: 3389
+ TLS certificate: /var/lib/gnome-remote-desktop/rdp-tls.crt
+ TLS key: /var/lib/gnome-remote-desktop/rdp-tls.key
+ Username: ubuntu
+ Password: ubuntu
```
## Steps to reproduce
1. Install Ubuntu 25.10 server in a Ubuntu Multipass Hyper-V VM (headless, no
physical display)
2. Install GNOME desktop: `apt-get install -y gdm3 gnome-remote-desktop
gnome-shell gnome-session`
3. Generate TLS certificates:
- ```bash
- sudo openssl req -newkey rsa:2048 -nodes \
- -keyout /var/lib/gnome-remote-desktop/rdp-tls.key \
- -x509 -days 365 \
- -out /var/lib/gnome-remote-desktop/rdp-tls.crt \
- -subj "/CN=$(hostname)"
- sudo chown gnome-remote-desktop:gnome-remote-desktop
/var/lib/gnome-remote-desktop/rdp-tls.*
- sudo chmod 600 /var/lib/gnome-remote-desktop/rdp-tls.key
- ```
+ ```bash
+ sudo openssl req -newkey rsa:2048 -nodes \
+ -keyout /var/lib/gnome-remote-desktop/rdp-tls.key \
+ -x509 -days 365 \
+ -out /var/lib/gnome-remote-desktop/rdp-tls.crt \
+ -subj "/CN=$(hostname)"
+ sudo chown gnome-remote-desktop:gnome-remote-desktop
/var/lib/gnome-remote-desktop/rdp-tls.*
+ sudo chmod 600 /var/lib/gnome-remote-desktop/rdp-tls.key
+ ```
4. Configure system RDP:
- ```bash
- sudo grdctl --system rdp set-tls-cert
/var/lib/gnome-remote-desktop/rdp-tls.crt
- sudo grdctl --system rdp set-tls-key
/var/lib/gnome-remote-desktop/rdp-tls.key
- sudo grdctl --system rdp set-credentials ubuntu ubuntu
- sudo grdctl --system rdp enable
- sudo systemctl enable --now gnome-remote-desktop.service
- sudo systemctl set-default graphical.target
- ```
+ ```bash
+ sudo grdctl --system rdp set-tls-cert
/var/lib/gnome-remote-desktop/rdp-tls.crt
+ sudo grdctl --system rdp set-tls-key
/var/lib/gnome-remote-desktop/rdp-tls.key
+ sudo grdctl --system rdp set-credentials ubuntu ubuntu
+ sudo grdctl --system rdp enable
+ sudo systemctl enable --now gnome-remote-desktop.service
+ sudo systemctl set-default graphical.target
+ ```
5. Verify GDM greeter is running (gnome-shell process under gdm-greeter user)
and port 3389 is listening
6. From Windows 10 or 11, open `mstsc.exe`, connect to `<vm-ip>:3389` with
username `ubuntu`, password `ubuntu`
### Expected result
GDM login screen appears via RDP, allowing user authentication to a GNOME
Wayland session.
### Actual result
Windows RDP client shows a black screen for ~30 seconds, then disconnects. No
login screen ever appears.
## Server-side logs
Every connection attempt produces the same NLA failure sequence in
`journalctl -u gnome-remote-desktop`:
```
[ERROR][com.freerdp.core.transport] - [transport_read_layer]: BIO_read
returned a system error 104: Connection reset by peer
[ERROR][com.freerdp.core.peer] - [transport_read_layer]:
ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[ERROR][com.freerdp.core.nla] - [nla_server_recv_stream]: nla_recv() error: -1
[ERROR][com.freerdp.core.transport] - [transport_accept_nla]: client
authentication failure
[ERROR][com.freerdp.api] - [peer_recv_callback_internal]:
CONNECTION_STATE_NEGO - rdp_server_accept_nego() fail
[ERROR][com.freerdp.core.transport] - [transport_check_fds]:
transport_check_fds: transport->ReceiveCallback() - STATE_RUN_FAILED [-1]
[WARN][com.freerdp.core.rdp] - [rdp_send_deactivate_all]: rdpMcs::userId ==
0, skip sending PDU_TYPE_DEACTIVATE_ALL
[ERROR][com.freerdp.core.transport] - [transport_default_write]:
BIO_should_retry returned an error: error:80000020:system library::Broken pipe
[RDP] Network or intentional disconnect, stopping session
[DaemonSystem] Aborting handover, removing remote client with remote id
/org/gnome/RemoteDesktop/Client/XXXXXXXXXX
[ERROR][com.freerdp.core.peer] - [rdp_set_error_info]:
ERRINFO_CB_CONNECTION_CANCELLED [0x00010409]
```
Earlier attempts (before creating `/etc/winpr3/SAM`) also showed:
```
[ERROR][com.winpr.sspi.NTLM] - [ntlm_fetch_ntlm_v2_hash]: Error: Could not
find user in SAM database
```
GRD startup consistently shows:
```
Init TPM credentials failed because No TPM device found, using GKeyFile as
fallback
```
## Workarounds attempted (all failed)
### 1. SAM file for FreeRDP NTLM auth
Created `/etc/winpr3/SAM` with NTLM hash via `winpr-hash3 -u ubuntu -p ubuntu
-f sam`. Eliminated the "SAM database" error but NLA handshake still fails with
`Connection reset by peer`.
### 2. TLS certificates generated with winpr-makecert3
Replaced openssl-generated certs with `winpr-makecert3 -rdp -silent`
certificates (RDP-specific key usage extensions). No change — same NLA failure.
### 3. Disable/re-enable RDP cycle
```bash
sudo grdctl --system rdp disable
sudo grdctl --system rdp set-credentials ubuntu ubuntu
sudo grdctl --system rdp enable
sudo systemctl restart gnome-remote-desktop
```
No change.
### 4. loginctl enable-linger
Enabled user session lingering: `sudo loginctl enable-linger ubuntu`. No
change.
### 5. User-level RDP certificates
Generated separate per-user TLS certificates and configured via `grdctl rdp
set-credentials`. Failed with "BIO_new failed for certificate" / "Object does
not exist at path /org/freedesktop/secrets/collection/login" (no GNOME keyring
in headless context).
### 6. Clean service restart ordering
Stopped both services, restarted GDM first (waited for greeter to fully
launch), then started GRD. GRD started cleanly with "RDP server started" — same
NLA failure on connection.
### 7. Multiple credential combinations
Tested `rdpuser/changeme`, `ubuntu/ubuntu` — same result regardless of
credentials, because the NLA handshake fails before credentials are even
checked.
### 8. gsettings for gnome-remote-desktop user
Enabled RDP via gsettings in addition to grdctl:
```bash
sudo -u gnome-remote-desktop dbus-launch gsettings set
org.gnome.desktop.remote-desktop.rdp enable true
sudo -u gnome-remote-desktop dbus-launch gsettings set
org.gnome.desktop.remote-desktop.rdp view-only false
sudo -u gnome-remote-desktop dbus-launch gsettings set
org.gnome.desktop.remote-desktop.rdp tls-cert
/var/lib/gnome-remote-desktop/rdp-tls.crt
sudo -u gnome-remote-desktop dbus-launch gsettings set
org.gnome.desktop.remote-desktop.rdp tls-key
/var/lib/gnome-remote-desktop/rdp-tls.key
```
No change — same NLA failure.
### 9. Full ezone.co.uk guide
Followed the complete guide from
https://www.ezone.co.uk/blog/working-headless-rdp-with-gnome-remote-desktop-on-ubuntu-25-10.html
including system + user certificates, loginctl enable-linger, and both system
and user grdctl configuration. User-level `grdctl rdp set-credentials` fails
with "Object does not exist at path /org/freedesktop/secrets/collection/login"
(no GNOME keyring available in headless SSH session). Same NLA failure on
connection.
## Additional context
### GDM greeter does launch successfully
After fixing a separate nsswitch.conf issue (kanidm NSS module blocking
`gdm-greeter` DynamicUser resolution — fixed by adding `systemd` to the passwd
NSS chain), the GDM greeter launches correctly:
```
$ ps -ef | grep gnome-shell
gdm-gre+ 1168728 ... /usr/bin/gnome-shell # greeter is running
```
GDM debug logs confirm full greeter lifecycle:
```
Gdm: GdmSessionWorker: state ACCREDITED
Gdm: GdmSessionWorker: state SESSION_OPENED
pam_unix(gdm-launch-environment:session): session opened for user
gdm-greeter(uid=60578)
```
### xrdp works on same machine
XFCE4 + xrdp on port 3390 works perfectly from the same Windows client,
confirming:
- Network path is clear
- Windows RDP client is functional
- Unix password authentication works (`ubuntu/ubuntu`)
### The connection appears to partially establish
The Windows client briefly connects (shows black), the
`update_read_refresh_rect` warning appears in logs (client is sending refresh
requests), then GRD aborts the handover after ~30 seconds. This suggests the
RDP transport connects but NLA never completes, so the display handover to the
GNOME compositor never happens.
### Server supports only NLA Security
One log entry shows: `server supports only NLA Security` followed by
`Protocol security negotiation failure`. There is no `grdctl` option to disable
NLA or allow fallback to RDP Security or TLS Security, which means Windows
clients that fail NLA have no alternative path.
## Related bugs
- [LP #2089611](https://bugs.launchpad.net/bugs/2089611) — RDP blank screen
on Ubuntu 24.04, Confirmed, unassigned
- [LP #1983199](https://bugs.launchpad.net/bugs/1983199) — Unable to connect
to Ubuntu RDP remote desktop
- [RH #2189376](https://bugzilla.redhat.com/show_bug.cgi?id=2189376) — GRD
cannot connect with Windows 10/11 RDP client, CredSSP error (closed EOL)
- [GNOME
Discourse](https://discourse.gnome.org/t/gnome-rdp-black-screen-ubuntu-24-04-1/23502)
— GNOME RDP black screen discussion
## Suggested fixes
1. **Allow security negotiation fallback**: Add a `grdctl` option to allow
TLS or RDP security in addition to NLA, so clients that fail NTLM can still
connect
2. **Fix NTLM/NLA with GKeyFile credentials**: When TPM is unavailable and
credentials are stored in GKeyFile, ensure FreeRDP's server-side NTLM can
resolve them during the NLA handshake
3. **Document headless VM setup**: The interaction between GDM DynamicUser,
nsswitch.conf, and GRD system mode is undocumented and breaks in non-trivial
configurations
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2141992
Title:
GNOME Remote Desktop: Headless system-level RDP fails NLA handshake
with Windows mstsc — black screen
To manage notifications about this bug go to:
https://bugs.launchpad.net/gnome-remote-desktop/+bug/2141992/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
