Hi Nick
Thanks for the reply. I've been playing around with the header-auth module and
I can log in to guacamole using the REMOTE_USER header. So that part is working
great. But I use a user-mapping.xml file that looks like this:
<user-mapping>
    <!-- Example user configurations are given below. For more information,
         see the user-mapping.xml section of the Guacamole configuration
         documentation: http://guac-dev.org/Configuring%20Guacamole -->
    <!-- Per-user authentication and config information -->
    <authorize username="fakename" password="fakepassword">
        <protocol>vnc</protocol>
        <param name="hostname">localhost</param>
        <param name="port">5901</param>
        <param name="password">fakepassword</param>
    </authorize>
</user-mapping>
and the upshot of this is when the user logged in, they were taken immediately
to the VNC service. That's not happening any more. Instead I get a screen like
the following. I couldn't find anything about this in the header-auth
documentation. Any suggestions or ideas?
Here's the screen shot:
Thanks much
Howard
________________________________
From: Nick Couchman <[email protected]>
Sent: Thursday, April 9, 2020 5:11 PM
To: [email protected] <[email protected]>
Subject: Re: Running guacamole inside of a secured environment
On Thu, Apr 9, 2020 at 10:37 AM Howard Lander <[email protected]> wrote:
Hi all
We are running guacamole inside of a secured environment. By this I mean that
by the time the user can access our Guacamole server they have already
authenticated. So we really don't want them to have to authenticate again. I
see that there was a noauth extension, but it doesn't seem to be supported in
either version 1.0 or 1.1. I found the docs that describe how to write a
custom authentication module, but I'm not sure I want to go down that path.
What, if anything, is the currently approved method of providing access without
authentication? Did I just miss the noauth support in later versions? If it
matters, the service we are allowing the users to connect to is VNC.
First, regarding the noauth module, no, you are not missing it in the current
versions. It was deprecated in version 0.9.13 or 0.9.14, and completely
removed from version 1.0.0 and later.
Regarding working in a trusted environment, first, please read the following:
http://guacamole.apache.org/faq/#disable-auth
Beyond this, there are a couple of ways you can work through the authentication
mechanism to make the experience more seamless for users. The most common is
to use an SSO extension of some sort to authenticate through an existing SSO
provider. Guacamole currently supports CAS and OpenID providers, and also has
a Header authentication module that can be used to authenticate users through
HTTP headers in trusted environments.
http://guacamole.apache.org/doc/gug/cas-auth.html
http://guacamole.apache.org/doc/gug/openid-auth.html
http://guacamole.apache.org/doc/gug/header-auth.html
Depending on your environment, another option is to use the parameter tokens as
pass through authentication from Guacamole to your destination systems. This
works particularly well in environments where you have AD authentication and
use that with the LDAP extension, and then pass through the LDAP username and
password to the RDP hosts that use the same AD domain.
http://guacamole.apache.org/doc/gug/configuring-guacamole.html#parameter-tokens
-Nick
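
Added example, not part of the thread and not code from the Guacamole project: with the header-auth module discussed above, Guacamole trusts the REMOTE_USER header it receives, so the authenticating proxy in front of it has to discard any client-supplied copy and set the value itself. The function name, hostname and user names below are assumptions made for illustration, and treating '-' and '_' as equivalent in header names is a deliberately conservative choice.

```python
# Added illustration; not code from Guacamole or from this thread.
# Models the header handling a fronting proxy needs when Guacamole's
# header-auth extension trusts REMOTE_USER.

TRUSTED_HEADER = "REMOTE_USER"  # header name used in the thread


def _canon(name):
    """Compare header names case-insensitively, treating '-' and '_' alike."""
    return name.strip().lower().replace("_", "-")


def build_upstream_headers(client_headers, authenticated_user):
    """Return (forwarded, dropped) for the request sent on to Guacamole.

    client_headers: list of (name, value) pairs exactly as the client sent them.
    authenticated_user: identity the proxy itself verified, or None.
    """
    # Fail closed: without a proxy-verified identity nothing is forwarded.
    if not authenticated_user:
        raise PermissionError("no proxy-verified identity; refusing to forward")
    # Reject values that could split or inject headers.
    if any(c in authenticated_user for c in "\r\n"):
        raise ValueError("identity contains header-breaking characters")

    target = _canon(TRUSTED_HEADER)
    forwarded, dropped = [], []
    for name, value in client_headers:
        if _canon(name) == target:
            dropped.append((name, value))  # never trust the client's copy
        else:
            forwarded.append((name, value))
    # The only identity header that reaches Guacamole is the proxy's own.
    forwarded.append((TRUSTED_HEADER, authenticated_user))
    return forwarded, dropped


if __name__ == "__main__":
    # Constructed sample request: the client supplies its own identity headers.
    sample = [
        ("Host", "guac.example.internal"),
        ("Remote-User", "admin"),
        ("remote_user", "admin"),
        ("Accept", "text/html"),
    ]
    headers, dropped = build_upstream_headers(sample, "howard")
    print("forwarded:", headers)
    print("dropped:  ", dropped)
```

Logging the dropped entries at the proxy gives a cheap detection signal for clients that try to supply the identity header themselves.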