can not connect to windows 11 on macos

[binbowang1987]

I use ./target/debug/ironrdp-client to connect to windows through rdp, but it report some errors. I need some help.

2024-07-24T14:42:40.624758Z ERROR ThreadId(10) crates/ironrdp-connector/src/connection.rs:279: Received connection failure code code=FailureCode(2)
2024-07-24T14:42:40.627250Z ERROR ThreadId(01) crates/ironrdp-client/src/gui.rs:249: error=Error { context: "Initiation", kind: Reason("enhanced RDP security not allowed by server"), source: None }
Connection error: [Initiation] reason: enhanced RDP security not allowed by server

[thenextman]

@binbowang1987 It sounds like your server doesn't have NLA (Network Level Authentication) enabled. That could be strange, since it would need to be explicitly disabled by policy on a Windows 11 system. Is that the case?

To my understanding, IronRDP (currently) only supports NLA (CredSSP).

[binbowang1987]

yes, the NLA is disabled on remote windows os. I enabled it and connect successful.
But, I have another problem. there is some error reporting, and the mouse position is wrong.

[thenextman]

The logged errors are DNS requests looking for a domain controller (this is part of Kerberos, which I guess you are not using). They should be benign but probably represent a bug. Can I ask how you launch the client - what command line do you use?

For the mouse position, this is likely due to mouse tracking not being setup properly on the native window. I'm not familiar with the GUI framework we're using for IronRDP so to be sure this gets seen, would you mind creating a separate issue for that?

[CBenoit]

To my understanding, IronRDP (currently) only supports NLA (CredSSP).

Actually, unless --no-tls is specified, IronRDP should handle the non-NLA, Graphical login authentication method, I tested a few times.

I wonder why we get this error:

Connection error: [Initiation] reason: enhanced RDP security not allowed by server

We are negotiating the authentication method and downgrade to non-NLA if that’s what the server wants.

As an alternative, maybe you could use --no-credssp and see if it works better, but enabling NLA is definitely a good thing to do anyway.

EDIT: I think "enhanced RDP security" is referring to both TLS (graphical logon) and NLA (CredSSP), so likely the server was only accepting the legacy Standard RDP security, and we indeed do not support that at all.

[binbowang1987]

The logged errors are DNS requests looking for a domain controller (this is part of Kerberos, which I guess you are not using). They should be benign but probably represent a bug. Can I ask how you launch the client - what command line do you use?

./target/debug/ironrdp-client -u username -p 'xxxx' 172.17.56.83

For the mouse position, this is likely due to mouse tracking not being setup properly on the native window. I'm not familiar with the GUI framework we're using for IronRDP so to be sure this gets seen, would you mind creating a separate issue for that?

yes, here is the releated issue #507

[CBenoit]

Thank you! I’ll close this issue now as it appears resolved, and we’ll investigate the other problem in the new issue you created.