From c7dc736a3f535f97cc73eeadf80c297fae67b4df Mon Sep 17 00:00:00 2001
From: gpotter2 <10530980+gpotter2@users.noreply.github.com>
Date: Tue, 22 Apr 2025 19:32:51 +0200
Subject: [PATCH] Support 'Restrict Credential Delegation' mode
---
 libfreerdp/core/nego.c | 28 ++++++++++++++++++++--------
 1 file changed, 20 insertions(+), 8 deletions(-)
diff --git a/libfreerdp/core/nego.c b/libfreerdp/core/nego.c
index f6d0d4f80..2c9b3a64a 100644
--- a/libfreerdp/core/nego.c
+++ b/libfreerdp/core/nego.c
@@ -1258,18 +1258,30 @@ BOOL nego_process_negotiation_request(rdpNego* nego, wStream* s)
 if (flags & REDIRECTED_AUTHENTICATION_MODE_REQUIRED)
 {
- if (!nego->RemoteCredsGuardSupported)
- {
- WLog_Print(nego->log, WLOG_ERROR,
- "RDP_NEG_REQ::flags REDIRECTED_AUTHENTICATION_MODE_REQUIRED but disabled");
- return FALSE;
- }
- else
+ if (nego->RemoteCredsGuardSupported)
 {
 WLog_Print(nego->log, WLOG_INFO,
 "RDP_NEG_REQ::flags REDIRECTED_AUTHENTICATION_MODE_REQUIRED");
+ nego->RemoteCredsGuardActive = TRUE;
+ }
+ else
+ {
+ /* If both RESTRICTED_ADMIN_MODE_REQUIRED and REDIRECTED_AUTHENTICATION_MODE_REQUIRED
+ * are set, it means one or the other. In this case, don't fail if Remote Guard isn't
+ * available. */
+ if (flags & RESTRICTED_ADMIN_MODE_REQUIRED)
+ {
+ WLog_Print(nego->log, WLOG_INFO,
+ "RDP_NEG_REQ::flags REDIRECTED_AUTHENTICATION_MODE_REQUIRED ignored.");
+ }
+ else
+ {
+ WLog_Print(
+ nego->log, WLOG_ERROR,
+ "RDP_NEG_REQ::flags REDIRECTED_AUTHENTICATION_MODE_REQUIRED but disabled");
+ return FALSE;
+ }
 }
- nego->RemoteCredsGuardActive = TRUE;
 }
 Stream_Read_UINT16(s, length);
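Review bot: The new `flags & RESTRICTED_ADMIN_MODE_REQUIRED` fallback in the `else` branch trusts that restricted admin mode has already been accepted for this request, but nothing in the hunk checks that. The handling of that flag is outside the hunk, as are the start and end of the function body. If that handling does not reject the request when restricted admin is unavailable, the connection would continue with neither credential-protection mode in effect although the client required one. I would state the dependency in the comment, e.g. `/* Relies on the RESTRICTED_ADMIN_MODE_REQUIRED check having already accepted restricted admin mode for this request. */`. I would also log the fallback at `WLOG_WARN` rather than `WLOG_INFO`, so that a skipped Remote Credential Guard request stands out in server logs.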