How are credentials passed CredSSP in remote desktop gateway to the destination RDP machines?

Is the TLS tunnel created just like regular RDP sessions?

Is HTTPS used?

I was thinking something like:

In plain RDP in an AD environment, first you get your TGS from the DC, then you do TLS to the target server and credentials are passed via CredSSP, and that's how you establish the session.

So in RD Gateway scenarios (big RDP deployments), the client establishes the connection with the gateway via HTTPS, which has TLS by default, but credentials are passed via CredSSP inside TLS. Then the gateway just "passes" the credentials unencrypted, after terminating the TLS tunnel, to the target RDP host, and that host validates the access? After that, RDP packets are sent back to the gateway, which ultimately encrypts the packets again inside TLS and HTTPS back to the source client.

Something like that?

4
  • By default, a Remote Desktop Gateway does not pass credentials (known as delegation). But it can be configured for delegation using Group Policy. (Computer Configuration\Administrative Templates\System\Credentials Delegation).
    – Greg Askew
    Nov 3 at 5:58
  • FYI, you can configure Windows not to pass credentials at all. For security reasons, you should consider using Remote Credential Guard, which simply redirects the authentication request to the machine you come from. learn.microsoft.com/en-us/windows/security/identity-protection/… - it's very easy to set up. Nov 3 at 9:29
  • I'd like to add that Remote Credential guard enables SSO as well :-) Nov 3 at 9:52
  • So if it doesn't pass credentials, that means the gateway authenticates and it just passes RDP traffic to the client through HTTPS? Nov 4 at 6:20

1 Answer

0

The RDP client initiates a connection to the RD Session Host by sending an X.224 Connection Request protocol data unit (PDU), as described in [MS-RDPBCGR] section 1.3.1.1. The server responds with an X.224 Connection Confirm PDU. All subsequent data sent between the RDP client and RD server is wrapped in an X.224 Data PDU.

By proxy, basic settings are exchanged between the RDP client and RD Session Host using the Multipoint Communication Service (MCS) Connect Initial PDU and MCS Connect Response PDU, as described in [MS-RDPBCGR] section 1.3.1.1. https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rdsod/68276a0e-896c-41ee-862e-d05fdcbc2d2b

The authentication is done by the RD Gateway, and the RD Gateway creates a secure RDP connection to the RD Session Host.
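The comments above point at the Credentials Delegation Group Policy and at Remote Credential Guard as the controls that decide whether reusable credentials leave the client at all. The following PowerShell audit is an added example, not code from the thread or from Microsoft; it reads the registry values those policies write (the paths and value names are the documented policy locations, and the machine it runs on is assumed to be the RDP client or gateway being audited, with the last check meaningful only on a session host).

```powershell
# Added example, not code from the thread: audit the Credentials Delegation policy
# (Computer Configuration\Administrative Templates\System\Credentials Delegation)
# on this machine, plus the target-side switch Remote Credential Guard depends on.
# Run elevated; a $null result means the policy is simply not configured.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

function Get-PolicyValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# "Allow delegating default credentials": when 1, CredSSP forwards the logged-on
# user's reusable credentials to every SPN listed in the subkey (e.g. TERMSRV/*).
$allowDefault = Get-PolicyValue $policy 'AllowDefaultCredentials'
$targets = @()
$subkey = "$policy\AllowDefaultCredentials"
if (Test-Path $subkey) {
    $key = Get-Item $subkey
    $targets = $key.GetValueNames() | ForEach-Object { $key.GetValue($_) }
}
$wildcardRdp = $targets -contains 'TERMSRV/*'   # delegation to ANY RDP host

# "Restrict delegation of credentials to remote servers": the mode value selects
# 1 = Require Restricted Admin, 2 = Require Remote Credential Guard,
# 3 = Restrict credential delegation (either mode; no reusable creds leave the client).
$restrict = Get-PolicyValue $policy 'RestrictedRemoteAdministration'
$mode     = Get-PolicyValue $policy 'RestrictedRemoteAdministrationType'
$modeText = switch ($mode) {
    1       { 'Require Restricted Admin' }
    2       { 'Require Remote Credential Guard' }
    3       { 'Restrict credential delegation' }
    default { 'Not configured (reusable credentials may be delegated)' }
}

# Target side: Restricted Admin / Remote Credential Guard is only honoured when
# DisableRestrictedAdmin is explicitly 0 under the Lsa key of the session host.
$lsaValue = Get-PolicyValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'DisableRestrictedAdmin'

$allowText    = if ($allowDefault -eq 1) { 'Enabled' } else { 'Not configured (default)' }
$restrictText = if ($restrict -eq 1) { $modeText } else { 'Not configured' }
$targetText   = if ($lsaValue -eq 0) { 'Yes' } else { 'No (DisableRestrictedAdmin is not 0)' }

[pscustomobject]@{
    AllowDefaultCredentials   = $allowText
    DelegationTargets         = ($targets -join ', ')
    DelegatesToAnyRdpHost     = $wildcardRdp
    RestrictDelegation        = $restrictText
    TargetAcceptsCredGuard    = $targetText
}
```

A defender wants to see AllowDefaultCredentials not configured (or scoped to specific SPNs rather than TERMSRV/*) on clients and gateways, and RestrictDelegation set to Remote Credential Guard so that CredSSP never carries reusable credentials across the gateway hop.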
