HI, Thx for your answers.
I am testing freerdp 3.1.0 with Kerberos, and it work great. The client computer doesn't need to kerberos configured. So it's looks good for guacd. > Two issues, here: >* guacamole.properties is only for Guacamole Client, not for guacd. >* I do not know of any options for guacamole.properties that would apply to >Kerberos authentication I get this information from AI... But i didn't find any documentations who explains options purposed... ! I supposed that's options were specific at the host config. so... and after some tests, I understand that the AI gave me bad informations... > David replied, already, pointing out that FreeRDP 2.x wasn't really >complete/stable with respect to Kerberos, and I'll just add that Guacamole >does not support FreeRDP 3.x at the moment. Yes i have also checked that on the apache-guacemole jira and a request already exists for that. >I suspect that some changes will need to be made to Guacamole in order to >make this work: >* Support for FreeRDP 3.x, which contains more stable/complete Kerberos >support. >* Support for Kerberos authentication in Guacamole Client, allowing users >to log in seamlessly from browser to Guacamole with Kerberos. >* Ability to pass the Kerberos ticket used for authentication in Guacamole >Client on to guacd for RDP authentication. > All completely do-able, just some required time/effort to accomplish it :-). I think the support of FreeRDP 3.x should be enouhgt to get a fonctionnal Kerberos authentication. The Others steps will make guacamole client more user-friendly and high-secure. Microsoft are preparing the end of NTLM so it will be great to get kerberos on Guaca. As you said, effort and time are needed to accomplish it but i'am not able to help you on dev :(. Thks again for you answers, and i if you need a tester, i am here ;) ! -Sylvain ________________________________ De : Nick Couchman <vn...@apache.org> Envoyé : mardi 16 janvier 2024 13:41 À : dev@guacamole.apache.org <dev@guacamole.apache.org> Objet : Re: Apache Guacamole and Kerberos protocol ! On Mon, Jan 15, 2024 at 11:55 AM Sylvain GUIBERT < sylvain.guib...@siflorence.com> wrote: > Hi all ! > > I'am using Aapche-Guacamole since 1 years now to remote control devices > RDP / VNC and SSH. > For VNC and SSH, it works great. > > For RDP we recently encoutered a issue when we tryied to force KErberos > authentication instead of NTLM. Kerberos authentication is available for > freerdp since version 2.x but not compiled by default. I made some tests / "hack" to tried to get Kerberos under Apache-Gacamole : > > David replied, already, pointing out that FreeRDP 2.x wasn't really complete/stable with respect to Kerberos, and I'll just add that Guacamole does not support FreeRDP 3.x at the moment. > Tried to use the guacamole.properties files to configure kerberos > authentication realm > Two issues, here: * guacamole.properties is only for Guacamole Client, not for guacd. * I do not know of any options for guacamole.properties that would apply to Kerberos authentication. > Tried to add the guacamole machine to a domain to be able to get Kerberos > Ticket > Yes, I suspect this would be required. > Compilation of freerdp from source with kerberos supports and install > Apache-Gucamole with the compiled libraires : Ko :( > > I would like to get this functionnality avalaible but i don't know how to > do. What is the right way to add it ? Is it possible ? > > I suspect that some changes will need to be made to Guacamole in order to make this work: * Support for FreeRDP 3.x, which contains more stable/complete Kerberos support. * Support for Kerberos authentication in Guacamole Client, allowing users to log in seamlessly from browser to Guacamole with Kerberos. * Ability to pass the Kerberos ticket used for authentication in Guacamole Client on to guacd for RDP authentication. All completely do-able, just some required time/effort to accomplish it :-). -Nick
