Bug 7100 - Avoid dual authentication prompts with RDP load balancer
Summary: Avoid dual authentication prompts with RDP load balancer
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: | rdesktop (deprecated) (show other bugs)
Version: trunk
Hardware: PC Unknown
: P2 Normal
Target Milestone: 4.10.0
Assignee: Henrik Andersson
Depends on:
Reported: 2018-01-16 11:27 CET by Karl Mikaelsson
Modified: 2019-02-07 15:52 CET (History)
1 user (show)

See Also:
Acceptance Criteria:


Description Karl Mikaelsson cendio 2018-01-16 11:27:46 CET
* thinlinc-rdesktop-4.8.0post-5672.r33005.i686
* RHEL 6.9 i386

When I log in to ThinLinc with SSH public key authentication
and start tl-run-rdesktop, I expect to see an rdesktop window.

What actually happens:

rdesktop hangs on a read from stdin.

This is (most likely) a password prompt from rdesktop. tl-run-rdesktop does not handle this and present it to the user. After running tl-sso-update-password, tl-run-rdesktop works as expected.
Comment 1 Peter Åstrand cendio 2018-01-16 13:34:20 CET
This problem originates from the upstream fix:

commit 1aaafc80c037f57c3742ccb25b279467fcbf58b5
Author: Henrik Andersson <hean01@cendio.com>
Date:   2017-08-15 12:37:14 +0200

    Always prompt for password if not provided via commandline.
    This fixes several issues where credentials are required
    before the connection is carried out. Such as dual
    authentication prompts when redirected by load balancer.

We need to explore the various solutions.
Comment 4 Henrik Andersson cendio 2018-02-15 09:35:50 CET
We have decided to patch out the required password prompt locally in ThinLinc for the upcoming release due to the upstream solution is not 100% correct.
Comment 7 Pierre Ossman cendio 2018-02-27 14:58:55 CET
Unfortunately the #ifdef wasn't enough as SSO no longer works now.

The #ifdef completely removes the call to read_password(). We need to bring back the prompt_password variable and associated behaviour from r32760.
Comment 10 Pierre Ossman cendio 2018-03-05 15:12:41 CET
Tested that we now have the same behaviour as in ThinLinc 4.8.0. Tested against 2008R2, 2012R2 and 2016, both with and without CredSSP, and with and without redirection.

With SSO everything works fine. Without SSO you get one server side auth in every case except redirect for a new session when you get two (same on all Windows versions).
Comment 11 Pierre Ossman cendio 2019-02-07 15:45:14 CET
rdesktop (and associated tools) is being removed from the ThinLinc product.

Note You need to log in before you can comment on or make changes to this bug.