7162888311

Linux error message: SPNEGO: STATUS-LOGON-FAILURE when connecting with a smartcard via xFreeRDP

Dear community,

I use the xFreeRDP software on my Lenovo ThinClient M75n (LeTOS) ThinkCentre to connect from my Linux machine to a Windows Server 2019. For authentication I use the YubiKey 5 NFC smartcard from Yubico. The certificate in use is valid and correct.

To narrow down the error, I set up a test with a Lenovo notebook and Ubuntu. Unfortunately, when attempting to connect I get an error message that is giving me trouble:

[15:12:13:486] [10900:10901] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from Server.

According to the Microsoft error code, this is the error "The attempted logon is invalid. This is either due to a bad username or authentication information." This error occurs when the credentials or the username are wrong. However, since I am working with certificates, I suspect that the transmission or verification of the certificates is not working properly.

I am sure that the username and password are correct. It therefore seems likely that there are problems with the transmission or verification of the certificates. However, I am unsure how best to check and fix this problem. Any hints or instructions on how to set up the certificate transmission correctly and fix this error would be extremely helpful.


Command:
root@verwalter-ThinkPad-X230:~# xfreerdp /log-level:trace /sec:all /v:<IP-ADDRESS> /smartcard-logon /u:<USERNAME> /p:"" /d:<DOMAIN> /dynamic-resolution 

(In this case it does not matter whether I set the password correctly or leave it empty as above; only if I remove /p:"" completely does a different error message appear)

Excerpt of the complete log:
[15:12:12:832] [10900:10900] [ERROR][com.freerdp.client.common.cmdline] - unknown protocol security: all
[15:12:12:832] [10900:10900] [DEBUG][com.freerdp.client.common] - This is Build configuration: BUILD_TESTING=OFF BUILTIN_CHANNELS=ON HAVE_AIO_H=1 HAVE_EXECINFO_H=1 HAVE_FCNTL_H=1 HAVE_GETLOGIN_R=1 HAVE_GETPWUID_R=1 HAVE_INTTYPES_H=1 HAVE_JOURNALD_H=TRUE HAVE_MATH_C99_LONG_DOUBLE=1 HAVE_POLL_H=1 HAVE_PTHREAD_MUTEX_TIMEDLOCK=ON HAVE_PTHREAD_MUTEX_TIMEDLOCK_LIBS= HAVE_PTHREAD_MUTEX_TIMEDLOCK_SYMBOL=1 HAVE_SYSLOG_H=1 HAVE_SYS_EVENTFD_H=1 HAVE_SYS_FILIO_H= HAVE_SYS_MODEM_H= HAVE_SYS_SELECT_H=1 HAVE_SYS_SOCKIO_H= HAVE_SYS_STRTIO_H= HAVE_SYS_TIMERFD_H=1 HAVE_TM_GMTOFF=1 HAVE_UNISTD_H=1 HAVE_XI_TOUCH_CLASS=1 WITH_ALSA=ON WITH_CAIRO=ON WITH_CCACHE=ON WITH_CHANNELS=ON WITH_CLANG_FORMAT=ON WITH_CLIENT=ON WITH_CLIENT_AVAILABLE=1 WITH_CLIENT_CHANNELS=ON WITH_CLIENT_CHANNELS_AVAILABLE=1 WITH_CLIENT_COMMON=ON WITH_CLIENT_INTERFACE=OFF WITH_CUPS=ON WITH_DEBUG_ALL=OFF WITH_DEBUG_CAPABILITIES=OFF WITH_DEBUG_CERTIFICATE=OFF WITH_DEBUG_CHANNELS=OFF WITH_DEBUG_CLIPRDR=OFF WITH_DEBUG_DVC=OFF WITH_DEBUG_KBD=OFF WITH_DEBUG_LICENSE=OFF WITH_DEBUG_MUTEX=OFF WITH_DEBUG_NEGO=OFF WITH_DEBUG_NLA=OFF WITH_DEBUG_NTLM=OFF WITH_DEBUG_RAIL=OFF WITH_DEBUG_RDP=OFF WITH_DEBUG_RDPDR=OFF WITH_DEBUG_RDPEI=OFF WITH_DEBUG_RDPGFX=OFF WITH_DEBUG_REDIR=OFF WITH_DEBUG_RFX=OFF WITH_DEBUG_RINGBUFFER=OFF WITH_DEBUG_SCARD=OFF WITH_DEBUG_SND=OFF WITH_DEBUG_SVC=OFF WITH_DEBUG_SYMBOLS=OFF WITH_DEBUG_THREADS=OFF WITH_DEBUG_TIMEZONE=OFF WITH_DEBUG_TRANSPORT=OFF WITH_DEBUG_TSG=OFF WITH_DEBUG_TSMF=OFF WITH_DEBUG_TSMF=OFF WITH_DEBUG_TSMF_AVAILABLE=0 WITH_DEBUG_URBDRC=OFF WITH_DEBUG_WND=OFF WITH_DEBUG_X11=OFF WITH_DEBUG_X11_CLIPRDR=OFF WITH_DEBUG_X11_LOCAL_MOVESIZE=OFF WITH_DEBUG_XV=OFF WITH_DSP_EXPERIMENTAL=OFF WITH_EVENTFD_READ_WRITE=1 WITH_FAAC=OFF WITH_FAAD2=OFF WITH_FFMPEG=OFF WITH_GFX_H264=OFF WITH_GPROF=OFF WITH_GSM=OFF WITH_GSSAPI=OFF WITH_ICU=ON WITH_IPP=OFF WITH_JPEG=ON WITH_LAME=OFF WITH_LIBRARY_VERSIONING=ON WITH_LIBSYSTEMD=ON WITH_MACAUDIO=OFF WITH_MACAUDIO=OFF WITH_MACAUDIO_AVAILABLE=0 WITH_MANPAGES=ON 
WITH_MBEDTLS=OFF WITH_OPENCL=OFF WITH_OPENH264=OFF WITH_OPENSLES=OFF WITH_OPENSSL=ON WITH_OSS=ON WITH_PAM=ON WITH_PCSC=ON WITH_PROFILER=OFF WITH_PROXY=OFF WITH_PULSE=ON WITH_SAMPLE=OFF WITH_SANITIZE_ADDRESS=OFF WITH_SANITIZE_ADDRESS_AVAILABLE=1 WITH_SANITIZE_MEMORY=OFF WITH_SANITIZE_MEMORY_AVAILABLE=1 WITH_SANITIZE_THREAD=OFF WITH_SANITIZE_THREAD_AVAILABLE=1 WITH_SERVER=ON WITH_SERVER_CHANNELS=ON WITH_SERVER_INTERFACE=ON WITH_SHADOW=ON WITH_SMARTCARD_INSPECT=OFF WITH_SOXR=OFF WITH_SSE2=ON WITH_SWSCALE=OFF WITH_THIRD_PARTY=OFF WITH_VALGRIND_MEMCHECK=OFF WITH_VALGRIND_MEMCHECK_AVAILABLE=1 WITH_VERBOSE_WINPR_ASSERT=ON WITH_WAYLAND=ON WITH_WINPR_TOOLS=ON WITH_X11=ON WITH_XCURSOR=ON WITH_XDAMAGE=ON WITH_XEXT=ON WITH_XFIXES=ON WITH_XI=ON WITH_XINERAMA=ON WITH_XKBFILE=ON WITH_XRANDR=ON WITH_XRENDER=ON WITH_XSHM=ON WITH_XTEST=ON WITH_XV=ON WITH_ZLIB=ON
Build type:          RelWithDebInfo
CFLAGS:              -g -O2 -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -Wall -Wno-unused-result -Wno-unused-but-set-variable -Wno-deprecated-declarations -fvisibility=hidden -Wimplicit-function-declaration -Wredundant-decls -g -fno-omit-frame-pointer -DWINPR_DLL
Compiler:            GNU, 11.3.0
Target architecture: x64

[15:12:12:832] [10900:10901] [DEBUG][com.freerdp.core] - freerdp_connect:freerdp_set_last_error_ex resetting error state
[15:12:12:832] [10900:10901] [DEBUG][com.freerdp.client.common.cmdline] - loading channelEx rdpdr
[15:12:12:832] [10900:10901] [DEBUG][com.freerdp.client.common.cmdline] - loading channelEx rdpsnd
[15:12:12:832] [10900:10901] [DEBUG][com.freerdp.channels.cliprdr.client] - VirtualChannelEntryEx
[15:12:12:832] [10900:10901] [DEBUG][com.freerdp.client.common.cmdline] - loading channelEx cliprdr
[15:12:12:832] [10900:10901] [DEBUG][com.freerdp.channels.drdynvc.client] - VirtualChannelEntryEx
[15:12:12:832] [10900:10901] [DEBUG][com.freerdp.client.common.cmdline] - loading channelEx drdynvc
[15:12:12:833] [10900:10901] [DEBUG][com.freerdp.client.x11] - Property 261 does not exist
[15:12:12:836] [10900:10901] [DEBUG][com.freerdp.primitives] - primitives benchmark result:
[15:12:12:995] [10900:10901] [DEBUG][com.freerdp.primitives] -  * generic= 38
[15:12:12:148] [10900:10901] [DEBUG][com.freerdp.primitives] -  * optimized= 72
[15:12:12:148] [10900:10901] [DEBUG][com.freerdp.primitives] - primitives autodetect, using optimized
[15:12:12:150] [10900:10901] [DEBUG][com.freerdp.core.nego] - Enabling security layer negotiation: TRUE
[15:12:12:150] [10900:10901] [DEBUG][com.freerdp.core.nego] - Enabling restricted admin mode: FALSE
[15:12:12:150] [10900:10901] [DEBUG][com.freerdp.core.nego] - Enabling RDP security: TRUE
[15:12:12:150] [10900:10901] [DEBUG][com.freerdp.core.nego] - Enabling TLS security: TRUE
[15:12:12:150] [10900:10901] [DEBUG][com.freerdp.core.nego] - Enabling NLA security: TRUE
[15:12:12:150] [10900:10901] [DEBUG][com.freerdp.core.nego] - Enabling NLA extended security: FALSE
[15:12:12:150] [10900:10901] [DEBUG][com.freerdp.core.nego] - state: NEGO_STATE_NLA
[15:12:12:150] [10900:10901] [DEBUG][com.freerdp.core.nego] - Attempting NLA security
[15:12:12:150] [10900:10901] [DEBUG][com.freerdp.core] - freerdp_tcp_is_hostname_resolvable:freerdp_set_last_error_ex resetting error state
[15:12:12:150] [10900:10901] [DEBUG][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex resetting error state
[15:12:12:150] [10900:10901] [DEBUG][com.freerdp.core] - connecting to peer <IP-ADDRESS>
[15:12:12:181] [10900:10901] [DEBUG][com.freerdp.core.nego] - RequestedProtocols: 3
[15:12:12:215] [10900:10901] [DEBUG][com.freerdp.core.nego] - RDP_NEG_RSP
[15:12:12:215] [10900:10901] [DEBUG][com.freerdp.core.nego] - selected_protocol: 2
[15:12:12:215] [10900:10901] [DEBUG][com.freerdp.core.nego] - state: NEGO_STATE_FINAL
[15:12:12:215] [10900:10901] [DEBUG][com.freerdp.core.nego] - Negotiated NLA security
[15:12:12:215] [10900:10901] [DEBUG][com.freerdp.core.nego] - nego_security_connect with PROTOCOL_HYBRID
[15:12:12:283] [10900:10901] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0  
[15:12:12:283] [10900:10901] [WARN][com.freerdp.crypto] - CN = <FullQualifiedDomainName>
[15:12:12:284] [10900:10901] [DEBUG][com.winpr.utils] - Could not open SAM file!
[15:12:12:284] [10900:10901] [INFO][com.freerdp.client.common] - Authentication via smartcard
[15:12:12:284] [10900:10901] [DEBUG][com.winpr.sspi] - InitSecurityInterfaceExA
[15:12:12:284] [10900:10901] [DEBUG][com.freerdp.core.nla] - nla_client_init 411 : packageName=Negotiate ; cbMaxToken=12256
[15:12:12:284] [10900:10901] [DEBUG][com.winpr.sspi.NTLM] - change state from NTLM_STATE_INITIAL to NTLM_STATE_INITIAL
[15:12:12:284] [10900:10901] [DEBUG][com.winpr.sspi.NTLM] - change state from NTLM_STATE_INITIAL to NTLM_STATE_NEGOTIATE
[15:12:12:284] [10900:10901] [DEBUG][com.winpr.sspi.NTLM] - Write flags [0xe20882b7] NTLMSSP_NEGOTIATE_UNICODE|NTLMSSP_NEGOTIATE_OEM|NTLMSSP_REQUEST_TARGET|NTLMSSP_NEGOTIATE_SIGN|NTLMSSP_NEGOTIATE_SEAL|NTLMSSP_NEGOTIATE_LM_KEY|NTLMSSP_NEGOTIATE_NTLM|NTLMSSP_NEGOTIATE_ALWAYS_SIGN|NTLMSSP_NEGOTIATE_EXTENDED_SESSION_SECURITY|NTLMSSP_NEGOTIATE_VERSION|NTLMSSP_NEGOTIATE_128|NTLMSSP_NEGOTIATE_KEY_EXCH
[15:12:12:284] [10900:10901] [DEBUG][com.winpr.sspi.NTLM] - change state from NTLM_STATE_NEGOTIATE to NTLM_STATE_CHALLENGE
[15:12:12:284] [10900:10901] [TRACE][com.freerdp.core.nla] -  InitializeSecurityContext status SEC_I_CONTINUE_NEEDED [0x00090312]
[15:12:12:284] [10900:10901] [DEBUG][com.freerdp.core.nla] - Client: Sending Authentication Token
[15:12:12:284] [10900:10901] [DEBUG][com.freerdp.core.nla] - NLA.negoToken (length = 40):
[15:12:12:385] [10900:10901] [DEBUG][com.freerdp.core.nla] - CredSSP protocol support 6, peer supports 6
[15:12:12:385] [10900:10901] [DEBUG][com.winpr.sspi.NTLM] - Read flags [0xe2898235] NTLMSSP_NEGOTIATE_UNICODE|NTLMSSP_REQUEST_TARGET|NTLMSSP_NEGOTIATE_SIGN|NTLMSSP_NEGOTIATE_SEAL|NTLMSSP_NEGOTIATE_NTLM|NTLMSSP_NEGOTIATE_ALWAYS_SIGN|NTLMSSP_TARGET_TYPE_DOMAIN|NTLMSSP_NEGOTIATE_EXTENDED_SESSION_SECURITY|NTLMSSP_NEGOTIATE_TARGET_INFO|NTLMSSP_NEGOTIATE_VERSION|NTLMSSP_NEGOTIATE_128|NTLMSSP_NEGOTIATE_KEY_EXCH
[15:12:12:385] [10900:10901] [DEBUG][com.winpr.sspi.NTLM] - change state from NTLM_STATE_CHALLENGE to NTLM_STATE_AUTHENTICATE
[15:12:12:385] [10900:10901] [DEBUG][com.winpr.sspi.NTLM] - Write flags [0xe288b235] NTLMSSP_NEGOTIATE_UNICODE|NTLMSSP_REQUEST_TARGET|NTLMSSP_NEGOTIATE_SIGN|NTLMSSP_NEGOTIATE_SEAL|NTLMSSP_NEGOTIATE_NTLM|NTLMSSP_NEGOTIATE_DOMAIN_SUPPLIED|NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED|NTLMSSP_NEGOTIATE_ALWAYS_SIGN|NTLMSSP_NEGOTIATE_EXTENDED_SESSION_SECURITY|NTLMSSP_NEGOTIATE_TARGET_INFO|NTLMSSP_NEGOTIATE_VERSION|NTLMSSP_NEGOTIATE_128|NTLMSSP_NEGOTIATE_KEY_EXCH
[15:12:12:385] [10900:10901] [DEBUG][com.winpr.sspi.NTLM] - change state from NTLM_STATE_AUTHENTICATE to NTLM_STATE_FINAL
[15:12:12:385] [10900:10901] [TRACE][com.freerdp.core.nla] - InitializeSecurityContext  SEC_E_OK [0x00000000]
[15:12:12:385] [10900:10901] [DEBUG][com.freerdp.core.nla] - Client: Sending Authentication Token
[15:12:12:386] [10900:10901] [DEBUG][com.freerdp.core.nla] - NLA.negoToken (length = 468):
[15:12:12:386] [10900:10901] [DEBUG][com.freerdp.core.nla] - NLA.pubKeyAuth (length = 48):
[15:12:13:486] [10900:10901] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server
[15:12:13:486] [10900:10901] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]
[15:12:13:486] [10900:10901] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[15:12:13:486] [10900:10901] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
[15:12:13:486] [10900:10901] [DEBUG][com.freerdp.core.rdp] - transport_check_fds() - -1

If any questions come up, please just ask.

Kind regards, EaryTide

Content-Key: 8179468580

Url: https://administrator.de/contentid/8179468580

Printed on: May 11, 2024 at 12:05 o'clock
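
Added example, not part of the original post or of FreeRDP: a small Python script that reduces an xfreerdp trace like the one above to the fields relevant to an NLA logon failure (rejected command-line options, negotiated security layer, certificate warnings, the SSPI mechanism whose state machine was logged, and the final NTSTATUS). The function name summarize and the dictionary keys are assumptions of this example; the sample lines are copied from the trace in the post.

```python
import re

# Line layout as seen in the trace: [time] [pid:tid] [LEVEL][logger] - message
LINE = re.compile(r"^\[[\d:]+\] \[\d+:\d+\] \[(\w+)\]\[([\w.]+)\] - (.*)$")
NTSTATUS = re.compile(r"NTSTATUS: (\w+) \[(0x[0-9A-Fa-f]+)\]")
CERT = re.compile(r"Certificate verification failure '([^']+)'")

# Sample input: six lines copied from the trace posted above
SAMPLE = """\
[15:12:12:832] [10900:10900] [ERROR][com.freerdp.client.common.cmdline] - unknown protocol security: all
[15:12:12:215] [10900:10901] [DEBUG][com.freerdp.core.nego] - Negotiated NLA security
[15:12:12:283] [10900:10901] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[15:12:12:284] [10900:10901] [INFO][com.freerdp.client.common] - Authentication via smartcard
[15:12:12:284] [10900:10901] [DEBUG][com.winpr.sspi.NTLM] - change state from NTLM_STATE_INITIAL to NTLM_STATE_NEGOTIATE
[15:12:13:486] [10900:10901] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server
"""

def summarize(text):
    """Reduce a FreeRDP trace to the facts relevant to an NLA logon failure."""
    s = {"cmdline_errors": [], "negotiated": None, "cert_warnings": [],
         "smartcard": False, "sspi_mechs": [], "ntstatus": None}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # build-configuration dump, blank lines
        level, logger, msg = m.groups()
        if level == "ERROR" and logger.endswith(".cmdline"):
            s["cmdline_errors"].append(msg)      # option rejected by the parser
        elif msg.startswith("Negotiated ") and msg.endswith(" security"):
            s["negotiated"] = msg.split()[1]     # e.g. NLA
        elif (c := CERT.search(msg)):
            s["cert_warnings"].append(c.group(1))
        elif msg == "Authentication via smartcard":
            s["smartcard"] = True
        elif logger.startswith("com.winpr.sspi."):
            mech = logger.rsplit(".", 1)[1]      # mechanism whose state machine was logged
            if mech not in s["sspi_mechs"]:
                s["sspi_mechs"].append(mech)
        elif (n := NTSTATUS.search(msg)):
            s["ntstatus"] = (n.group(1), int(n.group(2), 16))
    return s

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```
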

Member: TK1987
TK1987 Aug 17, 2023 at 14:15:36 (UTC)
Hi,

this is really more of a FreeRDP problem than a Linux problem. It might be more productive to ask the developers directly -> https://github.com/FreeRDP/FreeRDP/issues

Regards, Thomas
Member: 7162888311
7162888311 Aug 18, 2023 at 08:19:25 (UTC)
Quote from @TK1987:

Hi,

this is really more of a FreeRDP problem than a Linux problem. It might be more productive to ask the developers directly -> https://github.com/FreeRDP/FreeRDP/issues

Regards, Thomas

Hello Thomas,

Issue opened on GitHub: github.com/FreeRDP/FreeRDP/issues/9302

Kind regards,
EaryTide