rdesktop aborts due to untrusted certificate

I have rdesktop v1.9.0. I'm trying to connect to a remote Win10 host. rdesktop aborts with the following error:

rdesktop -v -x -z -E -d domain -u user user.domain.com
Autoselecting keyboard map 'en-us' from locale
is_wm_active(): WM name: awes
Connecting to server using NLA...
Core(warning): Certificate received from server is NOT trusted by this system, an exception has been added by the user to trust this specific certificate.
TLS  Session info: (TLS1.2)-(ECDHE-X25519)-(RSA-SHA256)-(AES-256-GCM)

Failed to initialize NLA, do you have correct Kerberos TGT initialized ?
Failed to connect using NLA, trying with SSL
Failed to connect, CredSSP required by server (check if server has disabled old TLS versions, if yes use -V option).

The connection goes through an encrypted VPN tunnel. The remote host is definitely available and I'm absolutely sure the remote certificate is trusted (but may be expired).

I'm able to connect to the very same machine using the Windows Remote Desktop application (it displays the same warning, but gives an option to ignore the certificate issue and continue the connection).

I have read man rdesktop a few times and tried various options related to encryption and certs (e.g. -E); nothing seems to help. Internet search didn't help either.

How do I force rdesktop to trust the remote certificate and continue the connection to the remote host?


Solution 1:

No, rdesktop aborts for reasons which have nothing to do with the certificate. (It does remember and "trust" individual certificates as other clients do, and your output says that an exception has already been added.)

The problem here is that rdesktop has incomplete NLA (CredSSP) support – it does not support the NTLM authentication mechanism required for password-based logins, so it cannot prompt you for credentials before connecting, the way Windows MSTSC does. (And its Kerberos support is a bit buggy as well.)

In other words, rdesktop only works with the older XP/2003 login process, where you'd establish a connection first and see the server's login screen afterwards. FreeRDP is a more suitable client for connecting to modern hosts (Windows 7/8/10):

xfreerdp /bpp:32 /gfx +aero +fonts /d:domain /u:user /v:user.domain.com [/cert-...]

With FreeRDP you can add the option /cert-tofu to implement the "trust on first connection" certificate checking (as in MSTSC), or you can use /cert-ignore to completely disable certificate checking.

If you must use rdesktop, then you will have to disable the NLA ("Network Level Authentication") requirement on the Windows 10 host – although that's generally not recommended due to the much higher attack surface.
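An added example, not from the answer above and not FreeRDP's own code, of the "trust on first use" policy that /cert-tofu stands for, as a small POSIX shell pin store: the first contact records the server certificate's SHA-256 fingerprint, a later mismatch is refused rather than clicked through, which is what /cert-ignore would throw away. It assumes openssl is installed; the host name, pin-file path and certificates are constructed placeholders.

```shell
#!/bin/sh
# Minimal trust-on-first-use (TOFU) check for an RDP server certificate.
# Assumes openssl is available. Pins are kept in $TOFU_PINS (constructed path).
set -u
TOFU_PINS="${TOFU_PINS:-./rdp_known_hosts}"

# SHA-256 fingerprint of a PEM certificate, e.g. one saved from
#   openssl s_client -connect host:3389 -showcerts   (not run here)
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# tofu_check HOST CERT.pem
#   first contact   -> record the fingerprint, return 0
#   same cert       -> return 0
#   different cert  -> refuse (return 1); the pin must be removed deliberately
#   unreadable cert -> return 2
tofu_check() {
    host=$1
    fp=$(cert_fingerprint "$2" 2>/dev/null)
    [ -n "$fp" ] || return 2
    touch "$TOFU_PINS"
    pinned=$(awk -v h="$host" '$1 == h { print $2 }' "$TOFU_PINS")
    if [ -z "$pinned" ]; then
        printf '%s %s\n' "$host" "$fp" >> "$TOFU_PINS"
        echo "tofu: pinned $host -> $fp"
        return 0
    elif [ "$pinned" = "$fp" ]; then
        echo "tofu: $host matches pin"
        return 0
    else
        echo "tofu: WARNING certificate for $host changed (pinned $pinned, got $fp)" >&2
        return 1
    fi
}

# Constructed self-signed certificates standing in for the server's, so the
# script runs offline: mk_cert CN BASENAME writes BASENAME.key and BASENAME.pem
mk_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$1" -days 1 \
        -keyout "$2.key" -out "$2.pem" 2>/dev/null
}
```

A real pin store should be a protected file (FreeRDP keeps its own), and a mismatch should be investigated before the pin is replaced.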