www.cendio.com
Bug 7100 - Avoid dual authentication prompts with RDP load balancer
: Avoid dual authentication prompts with RDP load balancer
Status: CLOSED WONTFIX
: ThinLinc
| rdesktop (deprecated)
: trunk
: PC Unknown
: P2 Normal
: 4.10.0
Assigned To:
:
:
:
:
  Show dependency treegraph
 
Reported: 2018-01-16 11:27 by
Modified: 2019-02-07 15:52 (History)
Acceptance Criteria:


Attachments


Note

You need to log in before you can comment on or make changes to this bug.


Description From cendio 2018-01-16 11:27:46
* thinlinc-rdesktop-4.8.0post-5672.r33005.i686
* RHEL 6.9 i386

When I log in to ThinLinc with SSH public key authentication
and start tl-run-rdesktop, I expect to see an rdesktop window.

What actually happens:

rdesktop hangs on a read from stdin.

This is (most likely) a password prompt from rdesktop. tl-run-rdesktop does not
handle this and present it to the user. After running tl-sso-update-password,
tl-run-rdesktop works as expected.
------- Comment #1 From cendio 2018-01-16 13:34:20 -------
This problem originates from the upstream fix:

commit 1aaafc80c037f57c3742ccb25b279467fcbf58b5
Author: Henrik Andersson <hean01@cendio.com>
Date:   2017-08-15 12:37:14 +0200

    Always prompt for password if not provided via commandline.

    This fixes several issues where credentials are required
    before the connection is carried out. Such as dual
    authentication prompts when redirected by load balancer.

We need to explore the various solutions.
------- Comment #4 From cendio 2018-02-15 09:35:50 -------
We have decided to patch out the required password prompt locally in ThinLinc
for the upcoming release due to the upstream solution is not 100% correct.
------- Comment #7 From cendio 2018-02-27 14:58:55 -------
Unfortunately the #ifdef wasn't enough as SSO no longer works now.

The #ifdef completely removes the call to read_password(). We need to bring
back the prompt_password variable and associated behaviour from r32760.
------- Comment #10 From cendio 2018-03-05 15:12:41 -------
Tested that we now have the same behaviour as in ThinLinc 4.8.0. Tested against
2008R2, 2012R2 and 2016, both with and without CredSSP, and with and without
redirection.

With SSO everything works fine. Without SSO you get one server side auth in
every case except redirect for a new session when you get two (same on all
Windows versions).
------- Comment #11 From cendio 2019-02-07 15:45:14 -------
rdesktop (and associated tools) is being removed from the ThinLinc product.