2.2.1.1.1 RDP Negotiation Request (RDP_NEG_REQ)

Article
04/23/2024

The RDP Negotiation Request structure is used by a client to advertise the security protocols which it supports.

0	1	2	3	4	5	6	7	8	9	1 0	1	2	3	4	5	6	7	8	9	2 0	1	2	3	4	5	6	7	8	9	3 0	1
type								flags								length
requestedProtocols

type (1 byte): An 8-bit, unsigned integer that indicates the packet type. This field MUST be set to 0x01 (TYPE_RDP_NEG_REQ).

flags (1 byte): An 8-bit, unsigned integer that contains protocol flags.

Flag	Meaning
RESTRICTED_ADMIN_MODE_REQUIRED 0x01	Indicates that the client requires credential-less logon over CredSSP (also known as "restricted admin mode"). If the server supports this mode then it is acceptable for the client to send empty credentials in the TSPasswordCreds structure defined in [MS-CSSP] section 2.2.1.2.1.<2>
REDIRECTED_AUTHENTICATION_MODE_REQUIRED 0x02	Indicates that the client requires credential-less logon over CredSSP with redirected authentication over CredSSP (also known as "Remote Credential Guard"). If the server supports this mode, the client can send a redirected logon buffer in the TSRemoteGuardCreds structure defined in [MS-CSSP] section 2.2.1.2.3.
CORRELATION_INFO_PRESENT 0x08	The optional rdpCorrelationInfo field of the 224 Connection Request PDU (section 2.2.1.1) is present.

Flag

Meaning

RESTRICTED_ADMIN_MODE_REQUIRED

0x01

Indicates that the client requires credential-less logon over CredSSP (also known as "restricted admin mode"). If the server supports this mode then it is acceptable for the client to send empty credentials in the TSPasswordCreds structure defined in [MS-CSSP] section 2.2.1.2.1.<2>

REDIRECTED_AUTHENTICATION_MODE_REQUIRED 0x02

Indicates that the client requires credential-less logon over CredSSP with redirected authentication over CredSSP (also known as "Remote Credential Guard"). If the server supports this mode, the client can send a redirected logon buffer in the TSRemoteGuardCreds structure defined in [MS-CSSP] section 2.2.1.2.3.

CORRELATION_INFO_PRESENT

0x08

The optional rdpCorrelationInfo field of the 224 Connection Request PDU (section 2.2.1.1) is present.

length (2 bytes): A 16-bit, unsigned integer that specifies the packet size. This field MUST be set to 0x0008 (8 bytes).

requestedProtocols (4 bytes): A 32-bit, unsigned integer that contains flags indicating the supported security protocols.

Flag	Meaning
PROTOCOL_RDP 0x00000000	Standard RDP Security (section 5.3).
PROTOCOL_SSL 0x00000001	TLS 1.0, 1.1, or 1.2 (section 5.4.5.1).
PROTOCOL_HYBRID 0x00000002	Credential Security Support Provider protocol (CredSSP) (section 5.4.5.2). If this flag is set, then the PROTOCOL_SSL (0x00000001) flag SHOULD also be set because Transport Layer Security (TLS) is a subset of CredSSP.
PROTOCOL_RDSTLS 0x00000004	RDSTLS protocol (section 5.4.5.3).
PROTOCOL_HYBRID_EX 0x00000008	Credential Security Support Provider protocol (CredSSP) (section 5.4.5.2) coupled with the Early User Authorization Result PDU (section 2.2.10.2). If this flag is set, then the PROTOCOL_HYBRID (0x00000002) flag SHOULD also be set. For more information on the sequencing of the CredSSP messages and the Early User Authorization Result PDU, see sections 5.4.2.1 and 5.4.2.2.
PROTOCOL_RDSAAD 0x00000010	RDS-AAD-Auth Security (section 5.4.5.4).

2.2.1.1.1 RDP Negotiation Request (RDP_NEG_REQ)

Additional resources