Hello Mike,

Sure one can directly authenticate against AD on Guacamole and then leverage 
credential pass-through.

However my take is that others on this list, e.g. Marcel in 
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/securing-connection-passwords-tp9001p9010.html,
would like to leverage some other authentication mechanism like OpenID, SAML 
re-enter passwords (irrespective of whether initial authentication is against 
AD or not). Using a password vault in that scenario is imho degrading security 
significantly. And whether users maintain their password on their own or not 
merely affects usability, not security.

Best Regards, Joachim


From: Mike Jumper <mjum...@apache.org>
Sent: Monday, 20 July 2020 11:44
To: user@guacamole.apache.org
Subject: Re: securing connection passwords


On Mon, Jul 20, 2020, 00:56 Joachim Lindenberg <joac...@lindenberg.one> wrote:

Hello all,

I have been thinking about the issue a little.

As far as I understand, using a key vault implies a user (assuming we talk about user 
specific credentials rather than connection specific) has to deposit and then 
change his/her password in two locations consistently: the active directory (as 
RDP usually authenticates against that) plus the new key vault. It is not 
unlikely that a user will forget and lock out himself/herself, calling for 
additional support. Imho it is also questionable that the key vault worsens 
your security properties as it has reversible encryption compared to the active 
directory using one way functions.


I don't imagine users would ever be expected to maintain their own passwords in 
a vault, nor have access to the vault itself. Use of a vault would make sense 
only when its contents are maintained independently by some other system, 
presumably the same system which creates and controls the accounts being used.


If Active Directory is in use, there is no need for a vault at all. You can 
just point Guacamole at Active Directory using LDAP and leverage credential 
pass-through.


- Mike
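To make the credential pass-through Mike describes concrete, here is an added example (not from the thread or from the Guacamole project) of a connection stored in the directory for Guacamole's LDAP extension: it assumes the Guacamole LDAP schema is loaded and that guacamole.properties already points ldap-hostname, ldap-user-base-dn and ldap-config-base-dn at the directory; the DNs, hostnames and member below are constructed placeholders.

```ldif
# Connection object under the ldap-config-base-dn that Guacamole searches.
# All DNs and hostnames here are constructed placeholders for this example.
dn: cn=Finance RDP,ou=GuacamoleConnections,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
objectClass: guacConfigGroup
cn: Finance RDP
guacConfigProtocol: rdp
guacConfigParameter: hostname=rdp01.example.com
guacConfigParameter: port=3389
guacConfigParameter: domain=EXAMPLE
# Credential pass-through: Guacamole substitutes these tokens at connect time
# with the username and password the user just authenticated to the
# directory with, so no RDP password is stored here or in a separate vault.
guacConfigParameter: username=${GUAC_USERNAME}
guacConfigParameter: password=${GUAC_PASSWORD}
# Only members of this group see the connection in their Guacamole home.
member: cn=Alice Example,ou=Users,dc=example,dc=com
```

The password exists only in the user's login session for the duration of the connection, which is why the thread notes that a vault is unnecessary when Guacamole authenticates directly against Active Directory; a vault only becomes relevant when the login mechanism (e.g. OpenID or SAML) never sees the AD password at all.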

