RD broker sign-on failed

Viewing 8 posts - 1 through 8 (of 8 total)
    #105919 jqmconsulting (Participant)

    Hi,

    We are using Dell WYSE 3040 using 8.6_807 to connect to a RDS Connection Broker with a few Session Hosts, all running Windows Server 2019. We are also using a Smart Card, YubiKey 5C NFC, to log into the collection, using PIV.

    Now, all of a sudden, we cannot log into the collection using the YubiKey anymore; we only get “RD broker sign-on failed” and, from what I can see, no entries in any log files. All certificates also seem to be fine, as well as date and time.

    I can use the YubiKey to log into the collection from a PC, and I can log into the collection from the 3040 using username and password. It just seems to be the combination 3040 + YubiKey that has stopped working.

    Any advice on how to troubleshoot this would be much appreciated.

    #105956 ConfGen (Keymaster)

    If this was working earlier, then you must have changed something.
    What could this be?
    Configuration?
    OS updates on the client and/or server side?

    CG

    #106067 jqmconsulting (Participant)

    After much troubleshooting, we have now found the cause of the issue. Microsoft has released a security patch regarding CVE-2021-33764. This security fix broke our connection to the RD broker with smart card from Dell ThinOS, both on 8.6 and 9.1.

    Microsoft has provided a temporary mitigation that allows devices that do not follow section 3.2.1 of the RFC 4556 spec, as required for CVE-2021-33764, and we have confirmed that when we apply this temporary mitigation, connecting to the broker works again.

    https://support.microsoft.com/en-us/topic/kb5005408-smart-card-authentication-might-cause-print-and-scan-failures-514f0bc5-ecde-4e5e-8c5a-2a776d7fb89a

    July 27, 2021—KB5005394 (OS Build 17763.2091) Out-of-band (microsoft.com)

    So it seems like the Dell WYSE 3040 is not compliant and hopefully a permanent fix will be released soon. We have a ticket open with Dell regarding this.


    #106258 ec (Participant)

    jqm & anyone else: have you heard anything new on this? Your post really saved us and let us get all our 8.6 production clients back up and running! But so far we have heard nothing else from Dell on what the ultimate long-term solution is here. Ergo, what I asked Dell:

    – Do we just need everyone on WMS 3.1x and/or ThinOS 9.x?
    – Do we need to flash something? (Though there hasn’t been a new BIOS for the 3040 for a while; firmware is current on the test thin client.)
    – Do we need to buy all new hardware? (Ouch.) I hear Dell is coming out with a replacement for the 3040 in another few months.

    And most worrying is that the mitigation won’t work after Feb. 8.

    Currently we’re also having trouble getting smart cards to work with our dev wms 3.3.1 server; refuses to allow smartcard login, says “unknown username or password” – yet allows login with regular username and password with no problem.

    #106260 Diginerd (Keymaster)

    On a test system, upgrade to 9.1.3129 and add the security patch for 9.1.3129. Test and report back your findings.

    I am using WMS 3.3 276 however I don’t have access to smartcards. Also, make sure that you are using the latest WVD package.

    #106303 ec (Participant)

    Thanks! (Though your suggestion for remedying the potential smart card problem with 9.x and WMS doesn’t answer the question re: 8.x clients without WMS and the Microsoft mitigation. Been trying to see if Jamian here in Austin can find out anything about this as well.)

    Re: flashing the 3040 to 9.1.3129 – suppose I have a client that’s on 9.1.2101. Can I just use the Merlin image of 9.1.3129 to reimage it? I’ve already imaged multiple USB sticks successfully, and none of them are recognized at boot. The Merlin image for 9.1.2101 worked fine. Already on the latest BIOS (though the 3040 BIOS hasn’t had an update for a while anyhow).

    Thanks again : )

    #106305 ec (Participant)

    Well, looks like having Secure Boot on was the culprit for getting to 9.1.3129 via Merlin. Other q about the mitigation status still stands though. : )

    However, the problem with the smart cards still exists on 9.1.3129 w/ WMS 3.3.1. I do not see 3.3.276 on the Dell web site for WMS though, so I can’t try that.

    #107783 ec (Participant)

    Jamian in Dell Engineering had previously escalated this after my postings here, and confirmed it was unlikely either Dell or Microsoft are going to do anything to remedy this. The mitigation is finally being patched/expiring on Aug 9, 2022, next week, per that Microsoft KB I posted last year, above.

    Jamian had suggested trying Windows Server 2022 to see if that would remedy the problem, but alas, after building one out, it does not. Still works fine with username & password, just not with the YubiKey smart card.

    Any other suggestions to keep using smart cards with RDP here would be very appreciated. : )
