Terminal Service Plus

Hello

Does anyone know a way to change the message when a user logs in to html5 with the wrong username and password??

I would like users to get to the windows "The user name or password is incorrect." instead.

Is this possible?

Thanks,
Brian

Just a quick update on this, I have 2 servers, identical. Both running 8.40.12.14 One of them gives the "Network Level Auth - Wrong cred" error and the other allows the windows "username or pass..." message.
Another server I have installed 9.30.4.26 and it gives the unwanted "Network Level Auth..." error. Hopefully this can be changed

Thanks again

Hello,

You can prevent this message from appearing if you activate the gateway portal feature. By doing so you can assign servers to users / groups and the authentication process is done before actually log in. More information about this can be found here : http://www.terminalserviceplus.com/docs ... eway-users

Hi Oliver,

Thanks for the reply.
I have not activated this feature on any of my servers.

I have 3 servers (well 6 really, but to keep it simple we'll say 3)
Server1 - 8.40.12.14
Server2 - 8.40.12.14
Server3 - 9.30.4.26

On all 3 servers, common.js has been modified as shown here:
http://tsplus.net/forum/viewtopic.php?f=8&t=3728

Server1 and server3, both show the windows error as my users prefer. Server2 shows 'Network Level Auth'.

I am very confused as to why. ON server3, I made the change to common.js as shown in the link above, and this removed the 'network level auth' message. Soo I'm uncertain as to why server2 is the only one showing it.

Thanks,
Brian

Hello Brian,

by default the html5 client uses highest available security authentication level NLA(CredSPP NTLMv2/v1) despite of server settings.
But, on server side Microsoft's RDP server offers 3 options.
1. Disable RDP
2. Compatibility mode, (client oriented or server oriented)
3. NLA level clients only.

If you enable Option 3. than you will never get "both show the windows error as my users prefer", you will always get authentication error by wrong user/pass, same like mstsc.exe
If you enable Option 2. than there are 2 known behaviours.

Behaviour 2.1 - client oriented - if client supports NLA, but login or pass does not match, you will get NLA - wrong credentials, because server does not throw error about no-NLA support. But if client does not support NLA anyway, because first request is of RDP auth level type, than you get "windows error".

Behaviour 2.2 - server oriented - despite of fact, if client supports NLA or not, on NLA request server responses with error command, according to this command the client switches to RDP auth level and on second connection it will authenticate on- RDP level and than by wrong login/pass you get "windows error".

I assume, your server N2 uses type 2.1 client oriented, therefore on wrong login/pass you get this NLA message.
If you ask me, on what exactly it depends, I have no answer for you, why there is client or server behaviour for compatibility mode. I noticed, on older systems it uses always server oriented way, but on new systems it seems to depend on installed patches, same Windows system on different machines may show different behaviours, server or client oriented, seems really to depend on latest patches.

Now to final question, how to enforce client to use always RDP level authentication and not NLA to get your "windows error".
1. First of all go sure you use setting on server >> 2. Compatibility mode, (client oriented or server oriented)
2. Next locate, TSplus\Clients\webserver
3. and create there file settings.bin (TSplus\Clients\webserver\settings.bin) with following content
enabled_rdp_credssp=false
4. Now open GUI and restart server to take changes effect.
(you can check, if option is in effect by looking inside weblog.txt in same directory, it should contain "Disabled RDP CredSPP only", also at least it will still use SSL tunnel for connection).

From now the client will always use RDP level only and so you will get your "windows error".

Remember, disabled NLA lowers security level, and if you ask, if it is possible to force Microsoft RDP server to use NLA and by wrong login or pass to show their "windows error", the answer is NO, it acts like mstsc.exe in this manner, that is why NLA is higher level, login and pass has to be provided before connection, not after, so you fail already on network level.