Bug ID 656784: Windows 10 Creators Update breaks RD Gateway functionality in BIG-IP APM

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP APM (all modules)

Known Affected Versions:
11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4

Fixed In:
14.0.0, 13.1.1.5, 12.1.4.1

Opened: Apr 07, 2017

Severity: 3-Major

Related Article: K98510679

Symptoms

After upgrading to Windows 10 Creators Update (version 1703), when attempting to connect to a remote desktop through APM with the Remote Desktop Gateway (RDG) feature, the remote desktop client is not able to authenticate and connect. The Windows 10 version 1703 RDP client uses the Negotiate HTTP authentication scheme, while APM requires the NTLM scheme for RD Gateway.

Impact

The remote desktop client is not able to authenticate and connect to the desktop.

Conditions

- You are accessing Microsoft Remote Desktop through BIG-IP APM using the Remote Desktop Gateway (RDG) feature.
- You upgrade to Windows 10 Creators Update (version 1703).

Workaround

Use either of the following workarounds:

-- Force the Windows RDP client to use the NTLM authentication scheme (instead of Negotiate) by setting Group Policy 'User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\RD Gateway\Set RD Gateway authentication method' to 'Ask for credentials, use NTLM protocol'.

-- Use the following iRule to convert Negotiate to NTLM:

    when HTTP_REQUEST {
        # Only RD Gateway requests (HTTP methods starting with RDG_) are rewritten.
        set is_rdg_request [expr { [HTTP::method] starts_with "RDG_" }]
        if {!$is_rdg_request} {
            return;
        }
        set auth [HTTP::header Authorization]
        set is_nego_auth [expr { $auth contains "Negotiate" }]
        if { $is_nego_auth } {
            # Present the client's Negotiate header to APM as NTLM.
            set auth [string map {"Negotiate" "NTLM"} $auth]
            HTTP::header replace Authorization $auth
        }
    }

    when HTTP_RESPONSE_RELEASE {
        # Skip responses to requests that were not rewritten above.
        if {!$is_rdg_request || !$is_nego_auth} {
            return;
        }
        catch {
            set auth [HTTP::header WWW-Authenticate]
            if { $auth contains "NTLM" } {
                # Return the challenge under the scheme name the client sent.
                set auth [string map {"NTLM" "Negotiate"} $auth]
                HTTP::header replace WWW-Authenticate $auth
            }
        }
    }

Fix Information

After upgrading to Windows 10 Creators Update (version 1703), the RDP client can still authenticate and connect via APM used as RD Gateway.
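
To decide which BIG-IP systems still need one of the workarounds, the following added example (not F5's code) triages an inventory against the Known Affected Versions and Fixed In fields on this page. It assumes that later releases in a branch keep the fix and that any release in an affected branch at or after the earliest one listed is affected; the hostnames are hypothetical.

```python
import re

# From this page's "Fixed In" field: first fixed release per (major, minor) branch.
FIXED_IN = {(12, 1): (12, 1, 4, 1), (13, 1): (13, 1, 1, 5), (14, 0): (14, 0, 0, 0)}
# Branches in "Known Affected Versions" for which this page lists no fixed release,
# mapped to the earliest affected release the page lists in that branch.
NO_BRANCH_FIX = {(11, 6): (11, 6, 1, 0), (12, 0): (12, 0, 0, 0), (13, 0): (13, 0, 0, 0)}

def parse_version(text):
    """Turn '12.1.0 HF2' or '13.1.1.4' into a 4-tuple of ints.
    The HF suffix is dropped: no fixed release on this page is a hotfix."""
    match = re.match(r"\s*(\d+(?:\.\d+){1,3})(?:\s+HF\d+)?\s*$", text, re.IGNORECASE)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def classify(text):
    """Return 'fixed', 'affected', 'affected-no-branch-fix' or 'not-listed'."""
    version = parse_version(text)
    branch = version[:2]
    if version >= FIXED_IN[(14, 0)]:
        return "fixed"  # 14.0.0 and later (assumed to keep the fix)
    if branch in FIXED_IN:
        return "fixed" if version >= FIXED_IN[branch] else "affected"
    if branch in NO_BRANCH_FIX and version >= NO_BRANCH_FIX[branch]:
        return "affected-no-branch-fix"  # upgrade to a fixed branch or apply a workaround
    return "not-listed"  # this page makes no statement about the release

def triage(inventory):
    """Map {hostname: version string} to {hostname: status}."""
    return {host: classify(version) for host, version in inventory.items()}

# Constructed inventory for illustration; hostnames are hypothetical.
SAMPLE_INVENTORY = {
    "apm-edge-01": "13.1.1.4",
    "apm-edge-02": "13.1.1.5",
    "apm-lab-01": "12.1.0 HF2",
    "apm-legacy-01": "11.6.3.2",
    "apm-old-01": "11.5.4",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {status}")
```

Systems reported as 'affected' or 'affected-no-branch-fix' need the Group Policy setting or the iRule from the Workaround section until they are upgraded to a fixed release.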

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips