Re: Getting around SSO

2024-04-05 Thread Chris Jordan
Johnnie,

In your guacamole properties, you can configure the extension priority so
that you can hit the guacamole login screen without being automatically
redirected to your IdP. This should allow you to still log in as guacadmin (or
any non-SSO account), while preserving your SSO functionality. You will set
the priority according to the method used for SSO. I've provided two
examples below with links to the documentation.

extension-priority: *, saml
extension-priority: *, openid

https://guacamole.apache.org/doc/gug/saml-auth.html#presenting-unauthenticated-users-with-a-login-screen
https://guacamole.apache.org/doc/gug/openid-auth.html#presenting-unauthenticated-users-with-a-login-screen

On Fri, Apr 5, 2024 at 3:13 PM Tom Eaton  wrote:

> I created a guacadmin account in the IDP, this works and lets you use the
> guacadmin account as normal.
>
> On Fri, 5 Apr 2024, 19:59 Johnnie W Adams,  wrote:
>
>> Hi, folks,
>>
>>  I've inherited a single instance of Guacamole which is behind SSO.
>>
>>  This is unfortunate, because I can't log in as guacadmin. How do you
>> folks set up to go around SSO with admin logins?
>>
>> Thanks,
>>
>>  John A
>>
>> --
>> John Adams
>> Senior Linux/Middleware Administrator  | Information Technology Services
>> +1-501-916-3010 | jxad...@ualr.edu | http://ualr.edu/itservices
>> *UA Little Rock*
>>
>> Reminder:  IT Services will never ask for your password over the phone or
>> in an email. Always be suspicious of requests for personal information that
>> come via email, even from known contacts.  For more information or to
>> report suspicious email, visit IT Security.
>>
>

-- 
Regards,
Chris


Re: Getting around SSO

2024-04-05 Thread Tom Eaton
I created a guacadmin account in the IDP, this works and lets you use the
guacadmin account as normal.

On Fri, 5 Apr 2024, 19:59 Johnnie W Adams,  wrote:

> Hi, folks,
>
>  I've inherited a single instance of Guacamole which is behind SSO.
>
>  This is unfortunate, because I can't log in as guacadmin. How do you
> folks set up to go around SSO with admin logins?
>
> Thanks,
>
>  John A
>
> --
> John Adams
> Senior Linux/Middleware Administrator  | Information Technology Services
> +1-501-916-3010 | jxad...@ualr.edu | http://ualr.edu/itservices
> *UA Little Rock*
>
> Reminder:  IT Services will never ask for your password over the phone or
> in an email. Always be suspicious of requests for personal information that
> come via email, even from known contacts.  For more information or to
> report suspicious email, visit IT Security.
>


Re: Getting around SSO

2024-04-05 Thread Mike Wyatt
The docs don't allow for better linking, but Guacamole has support for reading 
groups from the JWT. You have to do some work ahead of time in Guacamole itself 
to set up a group named after your "admin group", giving the group "Administer 
System" permissions (and others).

https://guacamole.apache.org/doc/gug/openid-auth.html#configuring-guacamole-for-single-sign-on-with-openid-connect

Search for "openid-groups-claim-type", and you might have to add the same value 
to "openid-scope".

Here's my notes / setup for Docker + Authelia:

https://github.com/mikew/homelab/blob/d4b058dea7f1eb741f7cb2746cd1e86d4674d424/services/auth/README.md?plain=1#L61-L64
https://github.com/mikew/homelab/blob/d4b058dea7f1eb741f7cb2746cd1e86d4674d424/services/remote-desktop-gateway/docker-compose.yml#L33-L39

> On Apr 5, 2024, at 3:58 PM, Johnnie W Adams  wrote:
> 
> Hi, folks,
> 
>  I've inherited a single instance of Guacamole which is behind SSO.
> 
>  This is unfortunate, because I can't log in as guacadmin. How do you 
> folks set up to go around SSO with admin logins?
> 
> Thanks,
> 
>  John A
> 
> -- 
> John Adams
> Senior Linux/Middleware Administrator  | Information Technology Services
> +1-501-916-3010 | jxad...@ualr.edu | http://ualr.edu/itservices
> UA Little Rock
> 
> Reminder:  IT Services will never ask for your password over the phone or in 
> an email. Always be suspicious of requests for personal information that come 
> via email, even from known contacts.  For more information or to report 
> suspicious email, visit IT Security.


-
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org
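As an added, runnable illustration of the two settings discussed in this thread (Chris Jordan's `extension-priority` ordering, and the `openid-groups-claim-type` / `openid-scope` group mapping in this message), here is a small checker written for this page. It is example code, not part of the thread or of the Guacamole project. It assumes only the property names quoted in the thread; the properties fragments and the JWT claims are constructed samples, and the token payload is decoded without signature verification solely to show which claim Guacamole would read (Guacamole itself validates the token against the IdP).

```python
import base64
import json

# Constructed sample guacamole.properties fragment. Only the keys named in the
# thread are used; the values are illustrative, not from a real deployment.
SAMPLE_PROPERTIES = """\
# Let the built-in login screen appear before the SSO redirect (thread's example)
extension-priority: *, openid

# Map an IdP group claim onto Guacamole groups (thread's example)
openid-groups-claim-type: groups
openid-scope: openid email profile groups
"""

# Constructed counter-example: SSO extension placed first (IdP redirect wins)
# and the groups claim configured but not requested in the scope.
WEAK_PROPERTIES = """\
extension-priority: openid, *
openid-groups-claim-type: groups
openid-scope: openid email profile
"""


def parse_properties(text):
    """Parse a Java-style properties file: `key: value` or `key=value`, '#' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        # Split on whichever of ':' or '=' comes first.
        idx = min((i for i in (line.find(":"), line.find("=")) if i >= 0), default=-1)
        if idx < 0:
            props[line] = ""
            continue
        props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def login_screen_reachable(props, sso_extension):
    """True if extension-priority lists '*' ahead of the SSO extension, so the
    built-in login form is offered before the IdP redirect (the thread's recipe)."""
    order = [p.strip() for p in props.get("extension-priority", "").split(",") if p.strip()]
    if "*" not in order or sso_extension not in order:
        return False
    return order.index("*") < order.index(sso_extension)


def groups_claim_config(props):
    """Report whether a groups claim is configured and also requested in the scope."""
    claim = props.get("openid-groups-claim-type", "")
    scopes = props.get("openid-scope", "").split()
    return {"claim": claim, "configured": bool(claim), "in_scope": claim in scopes}


def decode_jwt_payload_unverified(token):
    """Decode the JWT payload segment WITHOUT verifying the signature.
    Inspection only: never use an unverified payload for an authorisation decision."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def is_member_of(claims, claim_name, group):
    """Check membership using the configured claim name (list or single string)."""
    value = claims.get(claim_name, [])
    if isinstance(value, str):
        value = [value]
    return group in value


def make_unsigned_sample_jwt(claims):
    """Build a constructed JWT-shaped token with a placeholder signature segment."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([seg({"alg": "RS256", "typ": "JWT"}), seg(claims), "SIGNATURE-PLACEHOLDER"])


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print("login screen reachable:", login_screen_reachable(props, "openid"))
    cfg = groups_claim_config(props)
    print("groups claim:", cfg)
    # Constructed claims for a hypothetical user in a hypothetical admin group.
    token = make_unsigned_sample_jwt({"sub": "jdoe", "groups": ["guac-admins", "staff"]})
    claims = decode_jwt_payload_unverified(token)
    print("jdoe in guac-admins:", is_member_of(claims, cfg["claim"], "guac-admins"))
```

The group name in the claim must match a group created in Guacamole beforehand and granted "Administer System", as this message notes; the checker only confirms that the configuration asks the IdP for the claim and that the claim actually carries the expected group.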



Getting around SSO

2024-04-05 Thread Johnnie W Adams
Hi, folks,

 I've inherited a single instance of Guacamole which is behind SSO.

 This is unfortunate, because I can't log in as guacadmin. How do you
folks set up to go around SSO with admin logins?

Thanks,

 John A

-- 
John Adams
Senior Linux/Middleware Administrator  | Information Technology Services
+1-501-916-3010 | jxad...@ualr.edu | http://ualr.edu/itservices
*UA Little Rock*

Reminder:  IT Services will never ask for your password over the phone or
in an email. Always be suspicious of requests for personal information that
come via email, even from known contacts.  For more information or to
report suspicious email, visit IT Security.


RE: Issue with Windows 10 RDP

2024-04-05 Thread Devine, Harry (FAA)
I’m not really sure what happened, but the network was down on that VM, so I 
disabled it and re-enabled it.  Still got the errors.  Then on the Guac side, 
for that connection, I changed the Hostname to be the IP, set Security Mode to 
none (blank), and clicked “Ignore server certificate”, and it let me in.  Not 
sure why this didn’t work originally, but it seems good now.

Thanks,
Harry

From: Devine, Harry (FAA) 
Sent: Friday, April 5, 2024 7:32 AM
To: user@guacamole.apache.org
Subject: RE: Issue with Windows 10 RDP

CAUTION: This email originated from outside of the Federal Aviation 
Administration (FAA). Do not click on links or open attachments unless you 
recognize the sender and know the content is safe.

We have another set of Guacamole servers that have Windows connections and 
those work fine.  We only have FIPS enabled on our Linux servers where Guac is 
installed, so I don’t see how that would be causing anything.  Like I said 
earlier, I’ve tried every security setting in the Guac Connection page and none 
work.  I’m just not sure what I’m missing on the Windows machine.  The other 
Windows servers I mentioned earlier all prompt for a login name and password.  
This new one seems to get sent the user that’s logged into Guac and it rejects 
it.

Thanks,
Harry

From: Sean Hulbert
Sent: Thursday, April 4, 2024 10:56 PM
To: user@guacamole.apache.org
Subject: Re: Issue with Windows 10 RDP

CAUTION: This email originated from outside of the Federal Aviation 
Administration (FAA). Do not click on links or open attachments unless you 
recognize the sender and know the content is safe.


Windows 10 Pro default install does not enable NLA, however updates will enable 
it, make sure NLA is disabled on Windows OS.

We run Windows OS in FIPS mode as part of our STIG, this works just fine. Our 
build out is on a Debian 11 OS using FIPS only encryption modules which are 
transparent to Guacamole.

Only registry setting I recall is to make Windows prompt for login when the 
legal notice is not set in the GPO.

Hope this helps.

Thank You
Sean Hulbert
Founder / CEO
Work Ph: 925.663.5565

Security Centric Inc.
A Cybersecurity Virtualization Enablement Company
StormCloud Gov, Protected CUI Environment!

Industry's most secure virtual desktops!

FedRAMP MIL4 in process (RAR)
System Award Management
CAGE: 8AUV4
SAM ID: UMJLJ8A7BMT3

AFCEA San Francisco Chapter President
If you have heard of a hacker by name, he/she has failed, fear the hacker you 
haven’t heard of!

CONFIDENTIALITY NOTICE: This communication with its contents may contain 
confidential and/or legally privileged information. It is solely for the use of 
the intended recipient(s). Unauthorized interception, review, use or disclosure 
is prohibited and may violate applicable laws including the Electronic 
Communications Privacy Act. If you are not the intended recipient, please 
contact the sender and destroy all copies of the communication. Content within 
this email communication is not legally binding as a contract and no promises 
are guaranteed unless in a formal contract outside this email communication.

igitur qui desiderat pacem, praeparet bellum!!!

Epitoma Rei Militaris
On 4/4/2024 7:16 PM, Nick Couchman wrote:
On Thu, Apr 4, 2024 at 7:58 PM Jon Gerdes wrote:
Dear all

Whatever that random internet link says, I have quite literally set up a 
Guacamole connection to a Windows 2022 server ... today.

Please don't fiddle with your registry unless you know what you are doing - you 
will probably end up less secure and without a solution.


Tend to agree, here - I use Guacamole on a daily basis to log in to Windows 10 
and 11, and Windows Server 2003 - 2022, and I do not have to make special 
registry modifications to get it to work. Most of the servers use NLA. That 
said, I am not using FIPS mode.

-Nick


Re: VNC to macOS Connections

2024-04-05 Thread Sean Hulbert
You may try this for information on xrdp on macOS 
https://github.com/neutrinolabs/xrdp/issues/2194


Since mac is based on FreeBSD/NetBSD this may help 
https://www.jeremymorgan.com/tutorials/freebsd/how-to-remote-desktop-in-freebsd/




Thank You
Sean Hulbert
Founder / CEO
Work Ph: 925.663.5565

Security Centric Inc.
A Cybersecurity Virtualization Enablement Company
StormCloud Gov, Protected CUI Environment!


Industry's most secure virtual desktops!


FedRAMP MIL4 in process (RAR)
System Award Management
CAGE: 8AUV4
SAM ID: UMJLJ8A7BMT3

AFCEA San Francisco Chapter President
If you have heard of a hacker by name, he/she has failed, fear the 
hacker you haven’t heard of!


CONFIDENTIALITY NOTICE: This communication with its contents may contain 
confidential and/or legally privileged information. It is solely for the 
use of the intended recipient(s). Unauthorized interception, review, use 
or disclosure is prohibited and may violate applicable laws including 
the Electronic Communications Privacy Act. If you are not the intended 
recipient, please contact the sender and destroy all copies of the 
communication. Content within this email communication is not legally 
binding as a contract and no promises are guaranteed unless in a formal 
contract outside this email communication.


igitur qui desiderat pacem, praeparet bellum!!!

Epitoma Rei Militaris

On 4/5/2024 6:06 AM, Chris Herrmann wrote:
Currently, I've been using the macOS VNC implementation but would like 
to test RealVNC.  Unfortunately, I continue to have connection issues 
even after following all the documentation and forum information at 
RealVNC's website.


Has anyone had luck using RealVNC?

Thanks.

On Sun, Mar 24, 2024 at 12:17 AM Michael Jumper  
wrote:


On 3/22/24 08:14, Chris Herrmann wrote:
> We've set up a small Guacamole server to offer remote Xcode access for
> students enrolled in a mobile app development course. Users
> authenticate to our CAS server to connect to the Guac server then
> re-authenticate at the macOS login prompt via AD binding.
>
> At present, we have set up a standard account on the macOS clients to
> keep the VNC connection transparent to the user.  If a user forgets to
> log out of macOS and clicks 'back' or closes the tab; the next
> connection auto-authenticates in macOS with the standard user we set up
> for VNC.
>
> Did we miss something in the documentation to ensure this isn't
> possible? or should we change something in the server or client
> configuration?
>

You'll need to look into the configuration of your VNC server. In this
case, the behavior you're seeing is entirely dictated by the VNC server
and OS. There may be options within your VNC server that ensure new
connections are given new sessions, or that existing sessions time out
after some period of time. The VNC client has no control over this,
unfortunately.

- Mike



Re: VNC to macOS Connections

2024-04-05 Thread Chris Herrmann
Currently, I've been using the macOS VNC implementation but would like to
test RealVNC.  Unfortunately, I continue to have connection issues even
after following all the documentation and forum information at
RealVNC's website.

Has anyone had luck using RealVNC?

Thanks.

On Sun, Mar 24, 2024 at 12:17 AM Michael Jumper  wrote:

> On 3/22/24 08:14, Chris Herrmann wrote:
> > We've set up a small Guacamole server to offer remote Xcode access for
> > students enrolled in a mobile app development course.  Users
> > authenticate to our CAS server to connect to the Guac server then
> > re-authenticate at the macOS login prompt via AD binding.
> >
> > At present, we have set up a standard account on the macOS clients to
> > keep the VNC connection transparent to the user.  If a user forgets to
> > log out of macOS and clicks 'back' or closes the tab; the next
> > connection auto-authenticates in macOS with the standard user we set up
> > for VNC.
> >
> > Did we miss something in the documentation to ensure this isn't
> > possible? or should we change something in the server or client
> > configuration?
> >
>
> You'll need to look into the configuration of your VNC server. In this
> case, the behavior you're seeing is entirely dictated by the VNC server
> and OS. There may be options within your VNC server that ensure new
> connections are given new sessions, or that existing sessions time out
> after some period of time. The VNC client has no control over this,
> unfortunately.
>
> - Mike
>
>
>


RE: Issue with Windows 10 RDP

2024-04-05 Thread Devine, Harry (FAA)
We have another set of Guacamole servers that have Windows connections and 
those work fine.  We only have FIPS enabled on our Linux servers where Guac is 
installed, so I don’t see how that would be causing anything.  Like I said 
earlier, I’ve tried every security setting in the Guac Connection page and none 
work.  I’m just not sure what I’m missing on the Windows machine.  The other 
Windows servers I mentioned earlier all prompt for a login name and password.  
This new one seems to get sent the user that’s logged into Guac and it rejects 
it.

Thanks,
Harry

From: Sean Hulbert 
Sent: Thursday, April 4, 2024 10:56 PM
To: user@guacamole.apache.org
Subject: Re: Issue with Windows 10 RDP

CAUTION: This email originated from outside of the Federal Aviation 
Administration (FAA). Do not click on links or open attachments unless you 
recognize the sender and know the content is safe.


Windows 10 Pro default install does not enable NLA, however updates will enable 
it, make sure NLA is disabled on Windows OS.

We run Windows OS in FIPS mode as part of our STIG, this works just fine. Our 
build out is on a Debian 11 OS using FIPS only encryption modules which are 
transparent to Guacamole.

Only registry setting I recall is to make Windows prompt for login when the 
legal notice is not set in the GPO.

Hope this helps.

Thank You
Sean Hulbert
Founder / CEO
Work Ph: 925.663.5565

Security Centric Inc.
A Cybersecurity Virtualization Enablement Company
StormCloud Gov, Protected CUI Environment!

Industry's most secure virtual desktops!

FedRAMP MIL4 in process (RAR)
System Award Management
CAGE: 8AUV4
SAM ID: UMJLJ8A7BMT3

AFCEA San Francisco Chapter President
If you have heard of a hacker by name, he/she has failed, fear the hacker you 
haven’t heard of!

CONFIDENTIALITY NOTICE: This communication with its contents may contain 
confidential and/or legally privileged information. It is solely for the use of 
the intended recipient(s). Unauthorized interception, review, use or disclosure 
is prohibited and may violate applicable laws including the Electronic 
Communications Privacy Act. If you are not the intended recipient, please 
contact the sender and destroy all copies of the communication. Content within 
this email communication is not legally binding as a contract and no promises 
are guaranteed unless in a formal contract outside this email communication.

igitur qui desiderat pacem, praeparet bellum!!!

Epitoma Rei Militaris
On 4/4/2024 7:16 PM, Nick Couchman wrote:
On Thu, Apr 4, 2024 at 7:58 PM Jon Gerdes wrote:
Dear all

Whatever that random internet link says, I have quite literally set up a 
Guacamole connection to a Windows 2022 server ... today.

Please don't fiddle with your registry unless you know what you are doing - you 
will probably end up less secure and without a solution.


Tend to agree, here - I use Guacamole on a daily basis to log in to Windows 10 
and 11, and Windows Server 2003 - 2022, and I do not have to make special 
registry modifications to get it to work. Most of the servers use NLA. That 
said, I am not using FIPS mode.

-Nick