1.3 Overview

The Remote Desktop Protocol: Authentication Redirection Virtual Channel (RDPEAR) Protocol allows the use of credentials over a Remote Desktop Protocol (RDP) connection without revealing those credentials to the remote system. Prior to this protocol, the authentication protocol under remote desktop, Credential Security Support Provider (CredSSP) Protocol [MS-CSSP], passed full credentials to the remote system. This is required because the remote system logs the user on to present the full interactive session.

RDPEAR Protocol is used to perform authentication over a Remote Desktop connection by establishing a virtual channel between the source and the target devices to relay authentication requests received by the target device to the source device. All authentication requests for Kerberos and NTLM are forwarded to the source over the new virtual channel, and responses to those requests are sent back to the target device to relay out to the resource server.

This protocol improves upon the CredSSP Protocol by allowing the remoting behavior without sending plaintext credentials over the wire. Instead, opaque credentials are sent to the CredSSP server. Any time the server needs to use credentials, a request message is sent to the CredSSP client that processes the request and provides the opaque credentials. Upon completion of the request, the client sends an output reply message containing the results of the operation back to the server.

Credential Guard, also called Remote Guard, will use RDPEAR Protocol to provide a safer mechanism to Remote Desktop into different machines. The feature is dependent on redirecting authentication requests over a virtual channel and using network logon to log the user into the target machine. This is a remote desktop protocol extension, where remote desktop client can remote into on-prem servers by enabling Remote Credential Guard.