On Fri, Apr 23, 2021 at 1:46 PM Jelle de Jong <[email protected]>
wrote:

> ...
> Thank you for your answer and great work on Guacamole!
>
> Can you explain this use-case to determination "what the user has access
> to" especially with 1.3.0 how is the new prompting for credentials take
> place, I expect this to show up within the guacamole GUI and not as a
> dialogue in the RDP client, but if I make a new connection with the GUI
> and leave the username and password empty I do not get prompted.
>

RDP itself defines a means of requesting credentials from the connecting
client before the graphical part of the remote desktop session starts. This
will be the case for Windows RDP servers that are configured to require NLA
(the default for recent versions of Windows), and should also be the case
if you explicitly select "NLA" security for the RDP connection within
Guacamole's connection parameters.

The RDP spec doesn't strictly require that servers deal with credentials
before starting the graphical session. It's up to the server and the
connection negotiation process. The RDP server *can* choose to accept what
you've provided, start the graphical session, and leverage that session to
prompt the user for the rest. This is what Windows RDP will do if NLA is
not being used.

If you omit some credentials, and the RDP server does send a specific
request for credentials before starting the graphical session, then
Guacamole will issue its own prompt within the UI to obtain what's missing.
This prompt will accept only the credentials not already provided by the
administrator in the connection parameters.

...
> How can I disable the "data retrieval" part so it does a successful login?
>

There's no configuration option for this. The solution would be to make the
changes I mentioned to the LDAP support to allow the original LDAP
connection to be used for both the authentication and authorization
processes.

Michael Jumper
CEO, Lead Developer
Glyptodon Inc <https://glyp.to/>.
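
The prompting behaviour described in this reply, shown as an added example that is not part of the original message or of the Guacamole project's own files: a `user-mapping.xml` with two RDP connections. It assumes Guacamole's file-based authentication rather than the LDAP setup discussed in the thread; the hostnames, connection names, domain and login are constructed.

```xml
<!-- Added example. All names, hosts and the login below are constructed. -->
<user-mapping>
    <authorize username="demo-user" password="CHANGE-ME">

        <!-- Case 1: NLA is selected explicitly. The RDP server requests
             credentials before the graphical session starts. Username and
             password are omitted, so Guacamole asks for them in its own UI.
             The domain is supplied by the administrator, so the prompt
             does not ask for it. -->
        <connection name="win-nla-prompt">
            <protocol>rdp</protocol>
            <param name="hostname">rdp-nla.example.internal</param>
            <param name="port">3389</param>
            <param name="security">nla</param>
            <param name="domain">EXAMPLE</param>
        </connection>

        <!-- Case 2: standard RDP security against a server assumed to
             allow connections without NLA. The server starts the graphical
             session and shows its own logon screen inside it; Guacamole
             receives no credential request and shows no prompt. -->
        <connection name="win-no-nla">
            <protocol>rdp</protocol>
            <param name="hostname">rdp-legacy.example.internal</param>
            <param name="port">3389</param>
            <param name="security">rdp</param>
        </connection>

    </authorize>
</user-mapping>
```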
