Re: Weird Windows 10 RDP issue

2021-02-23 Thread Fertig, Brian
I changed it to RDP. I will remove the NLA settings from the registry and see 
what happens.  But I honestly never get that far in guac.

Brian


From: Mike Jumper 
Sent: Monday, February 22, 2021 8:54:19 PM
To: user@guacamole.apache.org 
Subject: Re: Weird Windows 10 RDP issue

Caution: This e-mail originated from outside of Philips, be careful for 
phishing.

On Mon, Feb 22, 2021 at 2:29 PM Fertig, Brian 
 wrote:

Mike,



Thanks for the reply this is literally it.  I have a bunch of Windows servers 
but no Windows 10.  This is my first.  I think it's something in Windows but I 
can't put my finger on it..  I did make the registry changes for NLA and such 
but no dice..

You should not need to make any registry changes with respect to NLA. It's an 
important security feature of RDP which Guacamole supports. If you see a 
recommendation to disable NLA through registry settings, I recommend dismissing 
it out of hand unless you (independently of Guacamole) simply do not want NLA 
to be used.

The only case where disabling NLA would be desirable is if you want Windows to 
present a graphical login screen of its own.


[inline image]


What do you see in your guacd logs from this? Your previous logs note security 
mode "any" (the default), which does not match the above.

Michael Jumper
CEO, Lead Developer
Glyptodon Inc<https://enterprise.glyptodon.com/>.


The information contained in this message may be confidential and legally 
protected under applicable law. The message is intended solely for the 
addressee(s). If you are not the intended recipient, you are hereby notified 
that any use, forwarding, dissemination, or reproduction of this message is 
strictly prohibited and may be unlawful. If you are not the intended recipient, 
please contact the sender by return e-mail and destroy all copies of the 
original message.


Re: Weird Windows 10 RDP issue

2021-02-22 Thread Mike Jumper
On Mon, Feb 22, 2021 at 2:29 PM Fertig, Brian
 wrote:

> Mike,
>
>
>
> Thanks for the reply this is literally it.  I have a bunch of Windows
> servers but no Windows 10.  This is my first.  I think it's something in
> Windows but I can't put my finger on it..  I did make the registry changes
> for NLA and such but no dice..
>

You should not need to make any registry changes with respect to NLA. It's
an important security feature of RDP which Guacamole supports. If you see a
recommendation to disable NLA through registry settings, I recommend
dismissing it out of hand unless you (independently of Guacamole) simply do
not want NLA to be used.

The only case where disabling NLA would be desirable is if you want Windows
to present a graphical login screen of its own.


>
What do you see in your guacd logs from this? Your previous logs note
security mode "any" (the default), which does not match the above.

Michael Jumper
CEO, Lead Developer
Glyptodon Inc.


Re: Weird Windows 10 RDP issue

2021-02-22 Thread Mike Jumper
On Mon, Feb 22, 2021 at 12:36 PM Bill Sandor  wrote:

> That is the $50m question.  I did not even realize there was an admin
> section of the web portal for setting up configurations, I thought it was
> all done through editing the user-mapping.xml file.
>

Nope - the "user-mapping.xml" file primarily exists to allow quick testing
of a deployment before moving on to one of the supported databases, which
provide the admin interface you mention.


> I recently deployed a docker container of Guacamole to see if that would
> work, and in there I noticed there is an admin login & password and an
> admin section of the web portal for setting up the connections.
>
> How do I log into the admin web portal on the from-scratch install?  I
> can’t find any listing of a default admin login/password in the
> documentation.  Do I somehow add an admin user to user-mapping.xml?  The
> only user I created (test) does not have admin rights.
>

No, you would not use "user-mapping.xml" at all. The admin interface
results from having a supported database installed and configured, and the
default admin account is created as a part of that process:

http://guacamole.apache.org/doc/gug/jdbc-auth.html#jdbc-auth-database-creation
http://guacamole.apache.org/doc/gug/jdbc-auth.html#jdbc-auth-default-user

Once you have the database support in place (or any other authentication
extension), there is no need for "user-mapping.xml".

Michael Jumper
CEO, Lead Developer
Glyptodon Inc.


RE: Weird Windows 10 RDP issue

2021-02-22 Thread Fertig, Brian
Mike,

  Thanks for the reply this is literally it.  I have a bunch of Windows servers 
but no Windows 10.  This is my first.  I think it's something in Windows but I 
can't put my finger on it..  I did make the registry changes for NLA and such 
but no dice..

[inline image]

Brian

From: Mike Jumper 
Sent: Sunday, February 21, 2021 1:57 PM
To: user@guacamole.apache.org
Subject: Re: Weird Windows 10 RDP issue


On Sat, Feb 20, 2021 at 7:21 PM Fertig, Brian wrote:
So got this issue..  I set up a Windows 10 host in Guac.  I have checked 
firewalls, settings, etc.  I can't make heads or tails.  This is in the GUACD 
log..

Feb 21 03:17:05 ip-172-31-6-188 tomcat9[111889]: 03:17:05.399 
[http-nio-8080-exec-6] DEBUG o.a.g.net.InetGuacamoleSocket - Connecting to 
guacd at localhost:4822.
Feb 21 03:17:05 ip-172-31-6-188 guacd[115076]: Creating new client for protocol 
"rdp"
Feb 21 03:17:05 ip-172-31-6-188 guacd[115076]: Connection ID is 
"$1217b78c-d8f5-4826-a381-4cd1ebd85654"
Feb 21 03:17:05 ip-172-31-6-188 guacd[143235]: Security mode: Negotiate (ANY)
Feb 21 03:17:05 ip-172-31-6-188 guacd[143235]: Resize method: none
Feb 21 03:17:05 ip-172-31-6-188 guacd[143235]: User 
"@d45054ab-6557-45c8-bc93-b6d06a578993" joined connection 
"$1217b78c-d8f5-4826-a381-4cd1ebd85654" (1 users now present)
Feb 21 03:17:05 ip-172-31-6-188 guacd[143235]: Loading keymap "base"
Feb 21 03:17:05 ip-172-31-6-188 guacd[143235]: Loading keymap "en-us-qwerty"
Feb 21 03:17:20 ip-172-31-6-188 guacd[143235]: RDP server closed/refused 
connection: Connection failed (server unreachable?)
Feb 21 03:17:20 ip-172-31-6-188 guacd[143235]: User 
"@d45054ab-6557-45c8-bc93-b6d06a578993" disconnected (0 users remain)
Feb 21 03:17:20 ip-172-31-6-188 guacd[143235]: Last user of connection 
"$1217b78c-d8f5-4826-a381-4cd1ebd85654" disconnected
Feb 21 03:17:20 ip-172-31-6-188 guacd[115076]: Connection 
"$1217b78c-d8f5-4826-a381-4cd1ebd85654" removed.

On the Windows host I get this error:
A fatal error occurred while creating a TLS client credential. The internal 
error state is 10011.

So I know what the SCHANNEL error is.  I have dealt with it quite a bit.  
HOWEVER I don't have the foggiest idea how to fix it with Guac.  What Crypto 
should I be using?  This is the latest and greatest Windows 10.

Now I have said to not use SSL/Crypto in the guac settings.  I have also 
disabled NLA and enabled the security setting in the registry.  Any insights 
would be awesome!

You shouldn't need to disable NLA or TLS, especially with most recent versions 
of Windows requiring these mechanisms by default. They should just work, either 
with embedded credentials, credential pass-through, or automatic credential 
prompting.

What specific parameters and values are you specifying for the Guacamole 
connection?

Michael Jumper
CEO, Lead Developer
Glyptodon Inc<https://enterprise.glyptodon.com/>.




Re: Weird Windows 10 RDP issue

2021-02-22 Thread Bill Sandor
That is the $50m question.  I did not even realize there was an admin section 
of the web portal for setting up configurations, I thought it was all done 
through editing the user-mapping.xml file.  I recently deployed a docker 
container of Guacamole to see if that would work, and in there I noticed there 
is an admin login & password and an admin section of the web portal for setting 
up the connections.

How do I log into the admin web portal on the from-scratch install?  I can’t 
find any listing of a default admin login/password in the documentation.  Do I 
somehow add an admin user to user-mapping.xml?  The only user I created (test) 
does not have admin rights.


This very well may be the source of all my problems.

 
--Bill Sandor
Allegiance Technologies & Consulting LLC
http://www.allegiance-it.com
330.315.2867

> On Feb 21, 2021, at 1:57 PM, Mike Jumper  wrote:
> 
> On Sat, Feb 20, 2021 at 7:21 PM Fertig, Brian 
>  wrote:
> So got this issue..  I set up a Windows 10 host in Guac.  I have checked 
> firewalls, settings, etc.  I can't make heads or tails.  This is in the GUACD 
> log..
> 
>  
> 
> Feb 21 03:17:05 ip-172-31-6-188 tomcat9[111889]: 03:17:05.399 
> [http-nio-8080-exec-6] DEBUG o.a.g.net.InetGuacamoleSocket - Connecting to 
> guacd at localhost:4822.
> 
> Feb 21 03:17:05 ip-172-31-6-188 guacd[115076]: Creating new client for 
> protocol "rdp"
> 
> Feb 21 03:17:05 ip-172-31-6-188 guacd[115076]: Connection ID is 
> "$1217b78c-d8f5-4826-a381-4cd1ebd85654"
> 
> Feb 21 03:17:05 ip-172-31-6-188 guacd[143235]: Security mode: Negotiate (ANY)
> 
> Feb 21 03:17:05 ip-172-31-6-188 guacd[143235]: Resize method: none
> 
> Feb 21 03:17:05 ip-172-31-6-188 guacd[143235]: User 
> "@d45054ab-6557-45c8-bc93-b6d06a578993" joined connection 
> "$1217b78c-d8f5-4826-a381-4cd1ebd85654" (1 users now present)
> 
> Feb 21 03:17:05 ip-172-31-6-188 guacd[143235]: Loading keymap "base"
> 
> Feb 21 03:17:05 ip-172-31-6-188 guacd[143235]: Loading keymap "en-us-qwerty"
> 
> Feb 21 03:17:20 ip-172-31-6-188 guacd[143235]: RDP server closed/refused 
> connection: Connection failed (server unreachable?)
> 
> Feb 21 03:17:20 ip-172-31-6-188 guacd[143235]: User 
> "@d45054ab-6557-45c8-bc93-b6d06a578993" disconnected (0 users remain)
> 
> Feb 21 03:17:20 ip-172-31-6-188 guacd[143235]: Last user of connection 
> "$1217b78c-d8f5-4826-a381-4cd1ebd85654" disconnected
> 
> Feb 21 03:17:20 ip-172-31-6-188 guacd[115076]: Connection 
> "$1217b78c-d8f5-4826-a381-4cd1ebd85654" removed.
> 
>  
> 
> On the Windows host I get this error:
> 
> A fatal error occurred while creating a TLS client credential. The internal 
> error state is 10011.
> 
>  
> 
> So I know what the SCHANNEL error is.  I have dealt with it quite a bit.  
> HOWEVER I don’t have the foggiest idea how to fix it with Guac.  What Crypto 
> should I be using?  This is the latest and greatest Windows 10. 
> 
>  
> 
> Now I have said to not use SSL/Crypto in the guac settings.  I have also 
> disabled NLA and enabled the security setting in the registry.  Any insights 
> would be awesome!
> 
> 
> You shouldn't need to disable NLA or TLS, especially with most recent 
> versions of Windows requiring these mechanisms by default. They should just 
> work, either with embedded credentials, credential pass-through, or automatic 
> credential prompting.
> 
> What specific parameters and values are you specifying for the Guacamole 
> connection?
> 
> Michael Jumper
> CEO, Lead Developer
> Glyptodon Inc.



Re: Weird Windows 10 RDP issue

2021-02-21 Thread Mike Jumper
On Sat, Feb 20, 2021 at 7:21 PM Fertig, Brian
 wrote:

> So got this issue..  I set up a Windows 10 host in Guac.  I have checked
> firewalls, settings, etc.  I can't make heads or tails.  This is in the
> GUACD log..
>
>
>
> Feb 21 03:17:05 ip-172-31-6-188 tomcat9[111889]: 03:17:05.399
> [http-nio-8080-exec-6] DEBUG o.a.g.net.InetGuacamoleSocket - Connecting to
> guacd at localhost:4822.
>
> Feb 21 03:17:05 ip-172-31-6-188 guacd[115076]: Creating new client for
> protocol "rdp"
>
> Feb 21 03:17:05 ip-172-31-6-188 guacd[115076]: Connection ID is
> "$1217b78c-d8f5-4826-a381-4cd1ebd85654"
>
> Feb 21 03:17:05 ip-172-31-6-188 guacd[143235]: Security mode: Negotiate
> (ANY)
>
> Feb 21 03:17:05 ip-172-31-6-188 guacd[143235]: Resize method: none
>
> Feb 21 03:17:05 ip-172-31-6-188 guacd[143235]: User
> "@d45054ab-6557-45c8-bc93-b6d06a578993" joined connection
> "$1217b78c-d8f5-4826-a381-4cd1ebd85654" (1 users now present)
>
> Feb 21 03:17:05 ip-172-31-6-188 guacd[143235]: Loading keymap "base"
>
> Feb 21 03:17:05 ip-172-31-6-188 guacd[143235]: Loading keymap
> "en-us-qwerty"
>
> Feb 21 03:17:20 ip-172-31-6-188 guacd[143235]: RDP server closed/refused
> connection: Connection failed (server unreachable?)
>
> Feb 21 03:17:20 ip-172-31-6-188 guacd[143235]: User
> "@d45054ab-6557-45c8-bc93-b6d06a578993" disconnected (0 users remain)
>
> Feb 21 03:17:20 ip-172-31-6-188 guacd[143235]: Last user of connection
> "$1217b78c-d8f5-4826-a381-4cd1ebd85654" disconnected
>
> Feb 21 03:17:20 ip-172-31-6-188 guacd[115076]: Connection
> "$1217b78c-d8f5-4826-a381-4cd1ebd85654" removed.
>
>
>
> On the Windows host I get this error:
>
> A fatal error occurred while creating a TLS client credential. The
> internal error state is 10011.
>
>
>
> So I know what the SCHANNEL error is.  I have dealt with it quite a bit.
> HOWEVER I don’t have the foggiest idea how to fix it with Guac.  What
> Crypto should I be using?  This is the latest and greatest Windows 10.
>
>
>
> Now I have said to not use SSL/Crypto in the guac settings.  I have also
> disabled NLA and enabled the security setting in the registry.  Any
> insights would be awesome!
>

You shouldn't need to disable NLA or TLS, especially with most recent
versions of Windows requiring these mechanisms by default. They should just
work, either with embedded credentials, credential pass-through, or
automatic credential prompting.

What specific parameters and values are you specifying for the Guacamole
connection?

Michael Jumper
CEO, Lead Developer
Glyptodon Inc.
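
One way to pull the details asked about in this thread out of a guacd log, as an added example that is not part of the original messages or of Guacamole itself: it groups guacd lines by process ID and reports the logged security mode and failure reason for each connection attempt. The sample lines are the ones quoted above with the mail line-wrapping undone; the `configured` label and its substring comparison against the logged mode are assumptions of this example.

```python
import re
from collections import defaultdict

# Sample lines taken from the guacd log quoted in this thread,
# with the mail client's line wrapping undone.
SAMPLE_LOG = """\
Feb 21 03:17:05 ip-172-31-6-188 guacd[115076]: Creating new client for protocol "rdp"
Feb 21 03:17:05 ip-172-31-6-188 guacd[115076]: Connection ID is "$1217b78c-d8f5-4826-a381-4cd1ebd85654"
Feb 21 03:17:05 ip-172-31-6-188 guacd[143235]: Security mode: Negotiate (ANY)
Feb 21 03:17:05 ip-172-31-6-188 guacd[143235]: Resize method: none
Feb 21 03:17:20 ip-172-31-6-188 guacd[143235]: RDP server closed/refused connection: Connection failed (server unreachable?)
Feb 21 03:17:20 ip-172-31-6-188 guacd[143235]: Last user of connection "$1217b78c-d8f5-4826-a381-4cd1ebd85654" disconnected
"""

LINE = re.compile(r"guacd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
SECURITY = re.compile(r"^Security mode: (?P<mode>.+)$")
FAILURE = re.compile(r"^RDP server closed/refused connection: (?P<reason>.+)$")
CONN_ID = re.compile(r'connection "(?P<id>\$[0-9a-f-]+)"')

def summarize(log_text):
    """Map each guacd PID that logged a security mode to what it reported."""
    sessions = defaultdict(lambda: {"connection": None, "security_mode": None, "failure": None})
    for line in log_text.splitlines():
        entry = LINE.search(line)
        if not entry:
            continue  # not a guacd line (for example tomcat9 output)
        pid, msg = entry["pid"], entry["msg"]
        if (m := SECURITY.match(msg)):
            sessions[pid]["security_mode"] = m["mode"]
        elif (m := FAILURE.match(msg)):
            sessions[pid]["failure"] = m["reason"]
        if (m := CONN_ID.search(msg)):
            sessions[pid]["connection"] = m["id"]
    # Only the per-connection process logs the mode; drop everything else.
    return {pid: s for pid, s in sessions.items() if s["security_mode"]}

def mode_mismatches(sessions, configured):
    """PIDs whose logged mode does not mention the mode the admin believes is set
    (assumption: a case-insensitive substring comparison is good enough)."""
    return [pid for pid, s in sessions.items()
            if configured.lower() not in s["security_mode"].lower()]

if __name__ == "__main__":
    found = summarize(SAMPLE_LOG)
    for pid, s in found.items():
        print(pid, s["connection"], s["security_mode"], s["failure"])
    print("mismatch vs 'rdp':", mode_mismatches(found, "rdp"))
```

A mismatch here means the log being read was produced by a connection with different settings than the ones being edited, which is the discrepancy raised in the reply about security mode "any".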