Apologies for the late response, but due to other projects taking priority I had little time to troubleshoot this further. Here is a high-level overview of my setup:

Ubuntu 20.04 box running guacamole v1.4, mysql, nginx proxy for ssl and using saml authentication. There is also an Azure App proxy for access from outside.

I know how this is going to sound, but I deployed all three instances using the same steps. 2 are working fine and 1 is having issues. The troublesome instance is working fine without SAML using mysql authentication, and by working fine I mean I can rdp or ssh into other servers with it. Once I turn on saml I can still authenticate and log in to Guacamole, but I can neither rdp nor ssh into any of the servers.

Not sure if I've chosen the correct snippet to include, but here is the error that I am not seeing on the other two instances:

From /var/log/syslog:

Mar 3 23:01:02 guacamole02 tomcat9[16530]: 23:01:02.120 [http-nio-8080-exec-3] DEBUG o.a.g.a.j.c.ConnectionMapper.select - ==> Parameters: 2(String), 2(String), 2(String)
Mar 3 23:01:02 guacamole02 tomcat9[16530]: 23:01:02.123 [http-nio-8080-exec-3] DEBUG o.a.g.a.j.c.ConnectionMapper.select - <== Total: 1
Mar 3 23:01:02 guacamole02 tomcat9[16530]: 23:01:02.123 [http-nio-8080-exec-3] DEBUG o.a.g.a.j.c.ConnectionMapper.select - <== Total: 0
Mar 3 23:01:02 guacamole02 tomcat9[16530]: 23:01:02.124 [http-nio-8080-exec-3] DEBUG o.a.g.a.j.c.ConnectionMapper.select - <== Total: 0
Mar 3 23:01:02 guacamole02 tomcat9[16530]: 23:01:02.124 [http-nio-8080-exec-3] DEBUG o.a.i.t.jdbc.JdbcTransaction - Resetting autocommit to true on JDBC Connection [com.mysql.cj.jdbc.ConnectionImpl@60edc299]
Mar 3 23:01:02 guacamole02 tomcat9[16530]: 23:01:02.124 [http-nio-8080-exec-3] DEBUG o.a.i.t.jdbc.JdbcTransaction - Closing JDBC Connection [com.mysql.cj.jdbc.ConnectionImpl@60edc299]
Mar 3 23:01:02 guacamole02 tomcat9[16530]: 23:01:02.124 [http-nio-8080-exec-3] DEBUG o.a.i.d.pooled.PooledDataSource - Testing connection 1626194585 ...
Mar 3 23:01:02 guacamole02 tomcat9[16530]: 23:01:02.124 [http-nio-8080-exec-3] DEBUG o.a.i.d.pooled.PooledDataSource - Connection 1626194585 is GOOD!
Mar 3 23:01:02 guacamole02 tomcat9[16530]: 23:01:02.124 [http-nio-8080-exec-3] DEBUG o.a.i.d.pooled.PooledDataSource - Returned connection 1626194585 to pool.
Mar 3 23:01:02 guacamole02 tomcat9[16530]: 23:01:02.719 [http-nio-8080-exec-2] ERROR o.a.g.w.GuacamoleWebSocketTunnelEndpoint - Creation of WebSocket tunnel to guacd failed: Parameter "GUAC_ID" is required.
Mar 3 23:01:02 guacamole02 tomcat9[16530]: 23:01:02.719 [http-nio-8080-exec-2] DEBUG o.a.g.w.GuacamoleWebSocketTunnelEndpoint - Error connecting WebSocket tunnel.
Mar 3 23:01:02 guacamole02 tomcat9[16530]: org.apache.guacamole.GuacamoleClientException: Parameter "GUAC_ID" is required.
Mar 3 23:01:02 guacamole02 tomcat9[16530]: #011at org.apache.guacamole.tunnel.TunnelRequest.getRequiredParameter(TunnelRequest.java:144)
Mar 3 23:01:02 guacamole02 tomcat9[16530]: #011at org.apache.guacamole.tunnel.TunnelRequest.getIdentifier(TunnelRequest.java:247)
Mar 3 23:01:02 guacamole02 tomcat9[16530]: #011at org.apache.guacamole.tunnel.TunnelRequestService.createTunnel(TunnelRequestService.java:335)
Mar 3 23:01:02 guacamole02 tomcat9[16530]: #011at org.apache.guacamole.tunnel.websocket.RestrictedGuacamoleWebSocketTunnelEndpoint.createTunnel(RestrictedGuacamoleWebSocketTunnelEndpoint.java:113)
Mar 3 23:01:02 guacamole02 tomcat9[16530]: #011at org.apache.guacamole.websocket.GuacamoleWebSocketTunnelEndpoint.onOpen(GuacamoleWebSocketTunnelEndpoint.java:200)
Mar 3 23:01:02 guacamole02 tomcat9[16530]: #011at org.apache.tomcat.websocket.server.WsHttpUpgradeHandler.init(WsHttpUpgradeHandler.java:133)
Mar 3 23:01:02 guacamole02 tomcat9[16530]: #011at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:917)
Mar 3 23:01:02 guacamole02 tomcat9[16530]: #011at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1639)
Mar 3 23:01:02 guacamole02 tomcat9[16530]: #011at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
Mar 3 23:01:02 guacamole02 tomcat9[16530]: #011at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
Mar 3 23:01:02 guacamole02 tomcat9[16530]: #011at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
Mar 3 23:01:02 guacamole02 tomcat9[16530]: #011at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
Mar 3 23:01:02 guacamole02 tomcat9[16530]: #011at java.base/java.lang.Thread.run(Thread.java:829)
Mar 3 23:01:03 guacamole02 tomcat9[16530]: 23:01:03.725 [http-nio-8080-exec-10] DEBUG o.m.g.t.TransactionalMethodInterceptor - [Intercepted method: public java.util.Set<java.lang.String> org.apache.guacamole.auth.jdbc.base.EntityService.retrieveEffectiveGroups(org.apache.guacamole.auth.jdbc.base.ModeledPermissions<? extends org.apache.guacamole.auth.jdbc.base.EntityModel>,java.util.Collection<java.lang.String>)] - SqlSession not set for thread: 28, creating a new one
Mar 3 23:01:03 guacamole02 tomcat9[16530]: 23:01:03.726 [http-nio-8080-exec-10] DEBUG o.a.i.t.jdbc.JdbcTransaction - Opening JDBC Connection
Mar 3 23:01:03 guacamole02 tomcat9[16530]: 23:01:03.726 [http-nio-8080-exec-10] DEBUG o.a.i.d.pooled.PooledDataSource - Checked out connection 2111520074 from pool.
Mar 3 23:01:03 guacamole02 tomcat9[16530]: 23:01:03.726 [http-nio-8080-exec-10] DEBUG o.a.i.d.pooled.PooledDataSource - Testing connection 2111520074 ...
Mar 3 23:01:03 guacamole02 tomcat9[16530]: 23:01:03.727 [http-nio-8080-exec-10] DEBUG o.a.i.d.pooled.PooledDataSource - Connection 2111520074 is GOOD!
Mar 3 23:01:03 guacamole02 tomcat9[16530]: 23:01:03.727 [http-nio-8080-exec-10] DEBUG o.a.i.t.jdbc.JdbcTransaction - Setting autocommit to false on JDBC Connection [com.mysql.cj.jdbc.ConnectionImpl@7ddb3d4a]
Mar 3 23:01:03 guacamole02 tomcat9[16530]: 23:01:03.728 [http-nio-8080-exec-10] DEBUG o.a.g.a.mysql.conf.MySQLEnvironment - Database recognized as MySQL 8.0.28.
Mar 3 23:01:03 guacamole02 tomcat9[16530]: 23:01:03.728 [http-nio-8080-exec-10] DEBUG o.a.g.a.j.b.E.selectEffectiveGroupIdentifiers - ==> Preparing: WITH RECURSIVE related_entity(entity_id) AS ( SELECT guacamole_user_group.entity_id FROM guacamole_user_group JOIN guacamole_user_group_member ON guacamole_user_group.user_group_id = guacamole_user_group_member.user_group_id WHERE guacamole_user_group_member.member_entity_id = ? AND guacamole_user_group.disabled = false UNION SELECT guacamole_user_group.entity_id FROM related_entity JOIN guacamole_user_group_member ON related_entity.entity_id = guacamole_user_group_member.member_entity_id JOIN guacamole_user_group ON guacamole_user_group.user_group_id = guacamole_user_group_member.user_group_id WHERE guacamole_user_group.disabled = false ) SELECT name FROM related_entity JOIN guacamole_entity ON related_entity.entity_id = guacamole_entity.entity_id WHERE guacamole_entity.type = 'USER_GROUP';
Mar 3 23:01:03 guacamole02 tomcat9[16530]: 23:01:03.729 [http-nio-8080-exec-10] DEBUG o.a.g.a.j.b.E.selectEffectiveGroupIdentifiers - ==> Parameters: 8(Integer)
Mar 3 23:01:03 guacamole02 tomcat9[16530]: 23:01:03.730 [http-nio-8080-exec-10] DEBUG o.a.g.a.j.b.E.selectEffectiveGroupIdentifiers - <== Total: 0
Mar 3 23:01:03 guacamole02 tomcat9[16530]: 23:01:03.730 [http-nio-8080-exec-10] DEBUG o.m.g.t.TransactionalMethodInterceptor - [Intercepted method: public java.util.Set<java.lang.String> org.apache.guacamole.auth.jdbc.base.EntityService.retrieveEffectiveGroups(org.apache.guacamole.auth.jdbc.base.ModeledPermissions<? extends org.apache.guacamole.auth.jdbc.base.EntityModel>,java.util.Collection<java.lang.String>)] - SqlSession of thread: 28 committing
Mar 3 23:01:03 guacamole02 tomcat9[16530]: 23:01:03.731 [http-nio-8080-exec-10] DEBUG o.m.g.t.TransactionalMethodInterceptor - [Intercepted method: public java.util.Set<java.lang.String> org.apache.guacamole.auth.jdbc.base.EntityService.retrieveEffectiveGroups(org.apache.guacamole.auth.jdbc.base.ModeledPermissions<? extends org.apache.guacamole.auth.jdbc.base.EntityModel>,java.util.Collection<java.lang.String>)] - SqlSession of thread: 28 terminated its life-cycle, closing it
Mar 3 23:01:03 guacamole02 tomcat9[16530]: 23:01:03.731 [http-nio-8080-exec-10] DEBUG o.a.i.t.jdbc.JdbcTransaction - Resetting autocommit to true on JDBC Connection [com.mysql.cj.jdbc.ConnectionImpl@7ddb3d4a]
Mar 3 23:01:03 guacamole02 tomcat9[16530]: 23:01:03.731 [http-nio-8080-exec-10] DEBUG o.a.i.t.jdbc.JdbcTransaction - Closing JDBC Connection [com.mysql.cj.jdbc.ConnectionImpl@7ddb3d4a]
Mar 3 23:01:03 guacamole02 tomcat9[16530]: 23:01:03.732 [http-nio-8080-exec-10] DEBUG o.a.i.d.pooled.PooledDataSource - Testing connection 2111520074 ...
Mar 3 23:01:03 guacamole02 tomcat9[16530]: 23:01:03.732 [http-nio-8080-exec-10] DEBUG o.a.i.d.pooled.PooledDataSource - Connection 2111520074 is GOOD!
Mar 3 23:01:03 guacamole02 tomcat9[16530]: 23:01:03.732 [http-nio-8080-exec-10] DEBUG o.a.i.d.pooled.PooledDataSource - Returned connection 2111520074 to pool.
Mar 3 23:01:03 guacamole02 tomcat9[16530]: 23:01:03.733 [http-nio-8080-exec-10] DEBUG o.m.g.t.TransactionalMethodInterceptor - [Intercepted method: public java.util.Set<java.lang.String> org.apache.guacamole.auth.jdbc.base.EntityService.retrieveEffectiveGroups(org.apache.guacamole.auth.jdbc.base.ModeledPermissions<? extends org.apache.guacamole.auth.jdbc.base.EntityModel>,java.util.Collection<java.lang.String>)] - SqlSession not set for thread: 28, creating a new one

The browser just hangs there with "Connected to Guacamole. Waiting for response..." text, and from time to time I can see the yellow square in the bottom right corner saying connection to the guacamole server is unstable.

Each Guacamole server is using a different Azure proxy, and the URLs in the config of each respective one point to the correct server(s). Here is the example of my guacamole.properties on each server:

guacd-hostname: localhost
guacd-port: 4822
user-mapping: /etc/guacamole/user-mapping.xml
auth-provider: net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider
extension-priority: saml
# MySQL properties
mysql-hostname: localhost
mysql-port: edited out
mysql-database: edited out
mysql-username: edited out
mysql-password: edited out
mysql-auto-create-accounts: true
mysql-server-timezone: Etc/UTC
saml-idp-metadata-url: edited out
saml-idp-url: edited out
saml-entity-id: https://server.example.com/ - edited out but has this structure
saml-callback-url: https://server.example.com/ - edited out but has this structure
saml-strict: false
saml-debug: true
saml-group-attribute: Roles

What is really annoying is that I deployed the first server, configured it and it's working just fine. Then I repeated the same steps and deployed the second server and this was also fine. The third server (now deployed for the twentieth time) isn't cooperating. I am lost as to what could be the problem.

Any thoughts are much appreciated.

Thanks

On Wed, 9 Feb 2022 at 17:03, Mike Jumper <[email protected]> wrote:

> On Wed, Feb 9, 2022 at 8:12 AM chomik MChamster <[email protected]>
> wrote:
>
>> Hi Experts,
>>
>> I have three instances of guacamole, deployed using the steps from the
>> official guacamole manual with mysql and saml authentication.
>> From one of those instances I am getting the "GUAC_ID is required" error:
>>
>> tomcat9[505209]: 15:53:04.502 [http-nio-8080-exec-3] DEBUG
>> o.a.g.w.GuacamoleWebSocketTunnelEndpoint - Error connecting WebSocket
>> tunnel.
>> tomcat9[505209]: org.apache.guacamole.GuacamoleClientException: Parameter
>> "GUAC_ID" is required.
>>
>> I did read through this thread -
>> https://www.mail-archive.com/[email protected]/msg07521.html but
>> I'm not a developer, nor am I building a custom app or anything like that
>> (as far as I can tell). The strangest thing to me is that I deployed all
>> three instances following the same process. I have checked the
>> guacamole.properties as well as SAML authentication settings on Azure side
>> but am unable to find the apparent issue.
>> Wondering if you could point me to what could be the reason for this
>> error and/or maybe help me understand where is this GUAC_ID taken or
>> generated from.
>>
>
> That parameter, as well as several others, dictate the details of the
> request to connect. They are always automatically submitted by the web
> application.
>
> Are your three instances behind a balancer? Any chance they may be
> different versions, and requests from one are being misrouted by the
> balancer to another?
>
> Are you sure that this error is coming from legitimate connection
> attempts, and not bogus WebSocket connection attempts from someone probing
> your server?
>
> - Mike
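
One way to check the last question in the quoted reply (real connection attempts versus stray WebSocket requests) is to look at what actually reaches the nginx proxy. The script below is an added example, not part of the original thread or of Guacamole: it assumes nginx writes the default "combined" access log format and that the tunnel is requested at a path ending in /websocket-tunnel with the connect parameters in the query string; the sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in nginx "combined" format; addresses, tokens and
# the /guacamole/ context path are made up, not taken from the thread.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [03/Mar/2022:23:01:02 +0000] "GET /guacamole/websocket-tunnel?token=AAAA&GUAC_DATA_SOURCE=mysql&GUAC_ID=2&GUAC_TYPE=c HTTP/1.1" 101 0 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Mar/2022:23:01:09 +0000] "GET /guacamole/websocket-tunnel?token=AAAA HTTP/1.1" 101 0 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Mar/2022:23:02:11 +0000] "GET /guacamole/websocket-tunnel HTTP/1.1" 101 0 "-" "-"
10.0.0.5 - - [03/Mar/2022:23:02:30 +0000] "GET /guacamole/api/tokens HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Client address and request target of a combined-format line.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d{3} ')
TUNNEL_SUFFIX = "/websocket-tunnel"  # assumed WebSocket tunnel path


def classify(line):
    """Return (ip, verdict) for a WebSocket tunnel request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.endswith(TUNNEL_SUFFIX):
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    if "GUAC_ID" in params:
        verdict = "has_guac_id"   # the parameter the error says is missing
    elif "token" in params:
        verdict = "token_only"    # carries a session token but no connection id
    else:
        verdict = "bare"          # no session token, no connect parameters
    return m["ip"], verdict


def summarize(log_text):
    """Count tunnel requests per client address and verdict."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            counts[hit[0]][hit[1]] += 1
    return {ip: dict(v) for ip, v in counts.items()}


if __name__ == "__main__":
    print(summarize(SAMPLE_ACCESS_LOG))
```

Behind the Azure App proxy the first field will be the connector's address, so group on a forwarded-for field instead if nginx is configured to log one. Access logs that record the query string also record session tokens and should be handled accordingly.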
