Bug 501477

Summary: NTML_MESSAGE_HEADER Invalid Signature - SEC_E_INVALID TOKEN
Product: [Plasma] KRdp Reporter: Ash <ashleysommer>
Component: generalAssignee: Unassigned bugs <unassigned-bugs-null>
Status: REPORTED ---    
Severity: normal CC: ahiemstra
Priority: NOR    
Version First Reported In: 6.3.3   
Target Milestone: ---   
Platform: Neon   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description Ash 2025-03-14 06:46:34 UTC 
I got provisioned a new Windows 11 laptop from my new workplace.
I'm trying to use the built-in "Remote Desktop Connection" software to connect to KRDP on my KDE Neon Desktop

Using latest release KRDP v6.3.3 on Up-to-date KDE-Neon, and windows laptop with latest Windows 11 updates.

After entering the IP address and username into the connection window, plasma xdg-desktop-portal-kde asks me to share my screen. I click "OK".
Then I am asked to enter the password. I enter the correct password, windows shows an authentication error.

Here is the output from krdpserver cli:
----
org.kde.krdp: Initializing Freedesktop Portal Session
org.kde.krdp: Session setup completed, start processing...
[16:08:59:857] [296889:302985] [INFO][com.freerdp.core.connection] - Client Security: NLA:0 TLS:0 RDP:1
[16:08:59:857] [296889:302985] [INFO][com.freerdp.core.connection] - Server Security: NLA:1 TLS:0 RDP:0
[16:08:59:857] [296889:302985] [WARN][com.freerdp.core.connection] - server supports only NLA Security
[16:08:59:857] [296889:302985] [ERROR][com.freerdp.core.connection] - Protocol security negotiation failure
[16:08:59:860] [296889:302985] [ERROR][com.freerdp.core.peer] - peer_recv_callback: CONNECTION_STATE_INITIAL - rdp_server_accept_nego() fail
[16:08:59:860] [296889:302985] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
org.kde.krdp: Unable to check file descriptor
org.kde.krdp: Closing session
org.kde.krdp: Closing Freedesktop Portal Session
org.kde.krdp: Initializing Freedesktop Portal Session
org.kde.krdp: Session setup completed, start processing...
[16:10:38:453] [296889:304164] [INFO][com.freerdp.core.connection] - Client Security: NLA:1 TLS:1 RDP:0
[16:10:38:453] [296889:304164] [INFO][com.freerdp.core.connection] - Server Security: NLA:1 TLS:0 RDP:0
[16:10:38:453] [296889:304164] [INFO][com.freerdp.core.connection] - Negotiated Security: NLA:1 TLS:0 RDP:0
org.kde.krdp: Started Freedesktop Portal session
libva info: VA-API version 1.20.0
libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so
libva info: Found init function __vaDriverInit_1_20
libva info: va_openDriver() returns 0
kpipewire_vaapi_logging: VAAPI: entrypoint 6 of profile 14 is not supported by the device "/dev/dri/renderD128"
kpipewire_vaapi_logging: VAAPI: entrypoint 8 of profile 14 is not supported by the device "/dev/dri/renderD128"
libva info: VA-API version 1.20.0
libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so
libva info: Found init function __vaDriverInit_1_20
libva info: va_openDriver() returns 0
libva info: VA-API version 1.20.0
libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so
libva info: Found init function __vaDriverInit_1_20
libva info: va_openDriver() returns 0
libva info: VA-API version 1.20.0
libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so
libva info: Found init function __vaDriverInit_1_20
libva info: va_openDriver() returns 0
kpipewire_vaapi_logging: VAAPI: entrypoint 6 of profile 14 is not supported by the device "/dev/dri/renderD128"
kpipewire_vaapi_logging: VAAPI: entrypoint 8 of profile 14 is not supported by the device "/dev/dri/renderD128"
libva info: VA-API version 1.20.0
libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so
libva info: Found init function __vaDriverInit_1_20
libva info: va_openDriver() returns 0
libva info: VA-API version 1.20.0
libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so
libva info: Found init function __vaDriverInit_1_20
libva info: va_openDriver() returns 0
[16:10:56:380] [296889:304164] [ERROR][com.winpr.sspi.NTLM] - NTLM_MESSAGE_HEADER Invalid signature, got `z+, expected NTLMSSP
[16:10:56:380] [296889:304164] [WARN][com.winpr.negotiate] - AcceptSecurityContext status SEC_E_INVALID_TOKEN [0x80090308]
[16:10:56:380] [296889:304164] [WARN][com.winpr.sspi] - AcceptSecurityContext status SEC_E_INVALID_TOKEN [0x80090308]
[16:10:56:380] [296889:304164] [ERROR][com.freerdp.core.nla] - AcceptSecurityContext status SEC_E_INVALID_TOKEN [0x80090308]
[16:10:56:380] [296889:304164] [ERROR][com.freerdp.core.transport] - client authentication failure
[16:10:56:380] [296889:304164] [ERROR][com.freerdp.core.peer] - peer_recv_callback: CONNECTION_STATE_INITIAL - rdp_server_accept_nego() fail
[16:10:56:380] [296889:304164] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
org.kde.krdp: Unable to check file descriptor
org.kde.krdp: Closing session
org.kde.krdp: Closing Freedesktop Portal Session
---

I believe the key issue is this line:
"NTLM_MESSAGE_HEADER Invalid signature, got `z+, expected NTLMSSP"
Whatever kind of NTLM the Windows client is using seems to be not compatible with KRDP.
Comment 1 Ash 2025-03-14 06:49:42 UTC 
Sorry, can't edit my post. I just realized the first 11 lines are from testing a different client (that does not support NLA).
Disregard the first 11 lines of the log output, the report should start from line 12, (at [16:10:38]) where the windows client connects.
Comment 2 Ash 2025-03-21 04:42:11 UTC 
I'm confident this would be solved by moving to libfreerdp-server3.
Comment 3 Arjen Hiemstra 2025-03-21 09:42:46 UTC 
KRDP master was already ported to FreeRDP3, so in that case this should resolve itself once that's released with Plasma 6.4.
Comment 4 Ash 2025-03-23 10:20:51 UTC 
Today I upgraded to the KRdp build from Neon-unstable, that is built against FreeRDP3.

I'm getting a different error, but it is still not working.

---
org.kde.krdp: Listening for connections on QHostAddress(QHostAddress::Any) 3389
org.kde.krdp: Initializing Freedesktop Portal Session
org.kde.krdp: Session setup completed, start processing...
org.kde.krdp: Started Freedesktop Portal session
libva info: VA-API version 1.20.0
libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so
libva info: Found init function __vaDriverInit_1_20
libva info: va_openDriver() returns 0
kpipewire_vaapi_logging: VAAPI: Intel iHD driver for Intel(R) Gen Graphics - 24.1.0 () in use for device "/dev/dri/renderD128"
libva info: VA-API version 1.20.0
libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so
libva info: Found init function __vaDriverInit_1_20
libva info: va_openDriver() returns 0
kpipewire_vaapi_logging: VAAPI: entrypoint 6 of profile 14 is not supported by the device "/dev/dri/renderD128"
kpipewire_vaapi_logging: VAAPI: entrypoint 8 of profile 14 is not supported by the device "/dev/dri/renderD128"
libva info: VA-API version 1.20.0
libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so
libva info: Found init function __vaDriverInit_1_20
libva info: va_openDriver() returns 0
libva info: VA-API version 1.20.0
libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so
libva info: Found init function __vaDriverInit_1_20
libva info: va_openDriver() returns 0
libva info: VA-API version 1.20.0
libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so
libva info: Found init function __vaDriverInit_1_20
libva info: va_openDriver() returns 0
kpipewire_vaapi_logging: VAAPI: entrypoint 6 of profile 14 is not supported by the device "/dev/dri/renderD128"
kpipewire_vaapi_logging: VAAPI: entrypoint 8 of profile 14 is not supported by the device "/dev/dri/renderD128"
libva info: VA-API version 1.20.0
libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so
libva info: Found init function __vaDriverInit_1_20
libva info: va_openDriver() returns 0
libva info: VA-API version 1.20.0
libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so
libva info: Found init function __vaDriverInit_1_20
libva info: va_openDriver() returns 0
[20:13:19:022] [1685676:0019b8ce] [WARN][com.winpr.sspi] - [winpr_AcceptSecurityContext]: AcceptSecurityContext status SEC_E_INVALID_HANDLE [0x80090301]
[20:13:19:022] [1685676:0019b8ce] [ERROR][com.freerdp.core.auth] - [credssp_auth_authenticate]: AcceptSecurityContext failed with SEC_E_INVALID_HANDLE [0x80090301]
[20:13:19:022] [1685676:0019b8ce] [ERROR][com.freerdp.core.transport] - [transport_accept_nla]: client authentication failure
[20:13:19:023] [1685676:0019b8ce] [ERROR][com.freerdp.core.peer] - [peer_recv_callback_internal]: CONNECTION_STATE_NEGO - rdp_server_accept_nego() fail
[20:13:19:023] [1685676:0019b8ce] [ERROR][com.freerdp.core.transport] - [transport_check_fds]: transport_check_fds: transport->ReceiveCallback() - STATE_RUN_FAILED [-1]
org.kde.krdp: Unable to check file descriptor
org.kde.krdp: Closing session
org.kde.krdp: Closing Freedesktop Portal Session
---

I believe the relevant error is "AcceptSecurityContext status SEC_E_INVALID_HANDLE [0x80090301]"

There is a new error displayed on the Windows side too, the message says "The token supplied to the function is invalid", which after a quick search usually indicates a password error.

I don't know if this is a KRDP issue or a FreeRDP3 issue or a Windows 11 issue at this point.
Comment 5 Ash 2025-03-23 21:53:31 UTC 
Okay, this is not a bug in KRDP. I tried the latest version of gnome-remote-desktop (that is built against the same version of FreeRDP3) and it gives exactly the same error.

I think I'm seeing a version of this:
https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/issues/162

I don't have permission on the Windows laptop to check the configured group policies, but there must be a setting that is preventing a connection to a non-whitelisted RDP endpoint.
Weirdly, it seems like Windows implements this by still sending the connection, but without any security context attached, so FreeRDP errors at this line:
https://github.com/FreeRDP/FreeRDP/blob/acf830946cb8358f03ac9bdaad61da4397fb58fc/winpr/libwinpr/sspi/NTLM/ntlm.c#L495

The next thing I can try is to borrow a different (non-organisation) Windows laptop from a friend and see if that can connect to KRDP.