I have a computer named ws24 (192.168.1.168) and another named srvPPassTest2.
I have written a program running on ws24 that is an "RDP proxy". It accepts connections from RDP clients on port 7070 (configurable) and forwards them to srvPPassTest2. I do the following to configure the computers to use the proxy:
- I create a certificate for the Proxy with the following command:
./makecert -n "CN=ws24.pleasant.local" -pe -ss Root -sr localMachine -sky exchange -m 120 -r -a sha1 -eku 1.3.6.1.5.5.7.3.1- Then I export it with private key to create a .pfx that the Proxy will use.
- I also export it without the private key and import that into srvPPassTest2's Certificates (Local Computer) - Trusted Root Certification Authorities/Certificate folder.
- I run
Enable-WSManCredSSP -role client -DelegateComputer srvPPassTest2 Enable-WSManCredSSP -role client -DelegateComputer ws24 Enable-WSManCredSSP -role client -DelegateComputer 192.168.1.168
on ws24. I'm sure they're not all necessary but it's not working yet so I'm trying everything. - On ws24 I make the following registry changes:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages - add tspkg
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders - add credssp.dll
- I run
Enable-WSManCredSSP -role Serveron srvPPassTest2.
If you get any errors on the WSManCredSSP calls, try calling Enable-PSRemoting first.
Here's what happens when I run the rdp proxy and use the RDP client to connect to it:
- On ws24, I use the RDP client to connect to 192.168.1.168:7070. The use of an ip address instead of a name prevents the client from responding that you can't connect to yourself.
- The proxy receives and modifies (if necessary) the ConnectionRequestPDU message of the RDP Protocol to ensure the SupportedProtocol flags are set to ProtocolHybrid & ProtocolSSL. This will ensure the use of CredSSP. That is forwarded to srvPPassTest2.
- The proxy mitm's the TLS handshake.
- The proxy receives the clients NTLMNegotiate message, takes some information from it and creates a new one to forward to the target srvPPassTest2.
- Likewise with the NTLMChallenge and NTLMAuthentication.
- The RDP client and server are continuing fine at this point. They don't return errors or exhibit strange behavior.
- The machines exchange certificate public keys, encrypted with the key from the NTLM exchange.
- The client sends a TSRequest with a TSCredential. The proxy receives it, verifies information and constructs one with different credentials to send to srvPPassTest2.
- Forward message from client, length 462
- Forward message from srvppasstest2, length 108
- Forward message from client, length 12
Then I get an error popup from the rdp client:
An authentication error has occured (Code: 0x609)
Remote computer: 192.1.168.1.168
The only relevant result when I look up error 0x609 is here and I've followed those steps. One important thing to note: I had this proxy working 3 months ago. Then srvPPassTest2 was reverted to a previous state and now the proxy doesn't work. I can't revert srvPPassTest2 to the state when it was working, that vm wasn't mine and the snapshot wasn't saved by IT >:(
Where does one find information about code 0x609?
What other possible settings, on ws24, or srvPPassTest2 am I missing? I think the certificate should probably be in an additional folder on srvPPassTest2, but I don't know which.
Is there anything I can do to troubleshoot? The NTLM and TSCredential exchanges are all working flawlessly.
