[Samba] Test-ComputerSecureChannel -Verbose False since windows 10/11 update 07/2023

Peter Milesson miles at atmos.eu
Wed Jul 12 18:46:17 UTC 2023

On 12.07.2023 18:45, Rowland Penny via samba wrote:
> On 12/07/2023 15:07, Arnaud FLORENT via samba wrote:
>> Hello
>> having also issues with KB5028166on window 10 22H2 with samba 
>> 4.15.13-Ubuntu used as old NT domain PDC
> At least that points to it not being solely an AD problem, something 
> in basic authentication ?
> Rowland
Hi folks,

I did some testing with xfreerdp on Windows 10 PCs (22H2) and a Windows 
2016 server (1607), just updated.

1. xfreerdp as a Samba (4.17.8) domain user with sec:nla to updated 
Windows 10 PC - does not work
2. xfreerdp as a local user with sec:nla to updated Windows 10 PC - works
3. xfreerdp as a Samba domain user with sec:tls to updated Windows 10 PC 
- works after disabling mandatory NLA in the PC. The roaming profile 
seems to load without warnings or errors
4. xfreerdp as the same Samba domain user to a Windows 10 PC that was 
not updated - works
5. xfreerdp with sec:nla to a recently updated Windows 2016 (1607) 
server in a Windows AD domain - works

So for those that need access via RDP as domain users, the only 
(hopefully very temporary) way seems to disable mandatory NLA in the PC, 
and connect with sec:tls. There seems to be quite a few TLS options for 
raising the TLS security level. The drawback is, that the user is 
presented with the classic login window, but I guess that is not a big 



More information about the samba mailing list