Re: HTML5 RDP doesn't work without SSO

mgilan · ‎01-07-2020

Hi,

I upgrade customers PSA cluster from 9.0r4 to 9.1r3, and HTML5 RDP profiles without SSO stopped working. The same profiles, but with SSO, work ok.

When I did packet-capture, I can see that the non-SSO sessions terminate because of "Encrypted Alert". Unfortunately, I don't have access to the server logs at this moment and will have to ask the customer to review those.

In PSA logs, those connections do look as very quick, but successful.

Is anyone facing the same issue?

zanyterp · ‎01-14-2020

SSO is required for HTML5 bookmarks
I am not sure how you were seeing this work previously

shbeuving · ‎01-14-2020

We've done a rollback of 9.1r3 to 9.1r1 since it was ditching the VPN tunnel every 10 minutes with encrypted alert. (user disconnect since it doesn't qualify re-evaluated policies). Also we didn't use sso on tunnel.

Hope that 9.1r4 doesn't have this issue
Ps: in the release notes of 9.1r2 I've read that there was an update on the msft html5 rdp profile

mgilan · ‎01-15-2020

That's the first time I see this. HTML5 RDP w/o SSO do work for me for "ages" - I simply do not fill in the <USER> and <PASSWORD> vars.

Anyway, the customer got a testing non-SSO profile working yesterday:

1. Disable NLA
2. change the registry key

Windows-->Run-->regedit-->HKEY_LOCAL_MACHINE-->System-->CurrentControlWindows-->Run-->regedit-->Set-->Control-->TerminalServer-->Winstations-->Rdp-tcp-->Securitylayer

We will have to do more testing on this.

mgilan · ‎01-15-2020

I do not see any L3 VPN related issues in r3 at the moment, but I will monitor this closely - thanks for the info.

Regarding the "msft html5 rdp", are you referring to the added support for 'RDWeb' resource profiles? I saw that in the r2 RN; as it is configured under web profiles, I didn't have a close look yet. On the other hand, I'm not saying that it might not affect the existing HTML5 profiles under the hood.