Howdy,

Just to let you know I was able to narrow down the problem - there is something in the Azure app proxy connector group setting which was causing my issue. Once I switched to using the connector group which the other two instances were set to the problem disappeared. Still not a clue what the exact problem is there, but that's beyond my pay grade and to be looked at by someone who actually knows Azure and what to do. Just thought I'd share this to avoid you guys wasting more time.
Great app, great support. Thanks again and keep up the good work!

T

On Thu, 3 Mar 2022 at 23:22, chomik MChamster <turasmail...@gmail.com> wrote:

> Apologies for late response but due to other projects taking priority I
> had little time to troubleshoot this further.
> Here is a high level overview of my setup
>
> ubuntu 20.04 box running guacamole v1.4, mysql, nginx proxy for ssl and
> using saml authentication. There is also an Azure App proxy for access from
> outside. I know how this is going to sound but I deployed all three
> instances using the same steps. 2 are working fine and 1 is having issues.
> The troublesome instance is working fine without SAML using mysql
> authentication and by working fine I mean I can rdp or ssh into other
> servers with it.
> Once I turn on saml I can still authenticate and login into the Guacamole
> but I cannot rdp nor ssh into any of the servers. Not sure if I've chosen
> the correct snippet to include but here is the error that I am not seeing
> on the other two instances:
> From /var/log/syslog:
>
> Mar 3 23:01:02 guacamole02 tomcat9[16530]: 23:01:02.120
> [http-nio-8080-exec-3] DEBUG o.a.g.a.j.c.ConnectionMapper.select - ==>
> Parameters: 2(String), 2(String), 2(String)
> Mar 3 23:01:02 guacamole02 tomcat9[16530]: 23:01:02.123
> [http-nio-8080-exec-3] DEBUG o.a.g.a.j.c.ConnectionMapper.select - <==
> Total: 1
> Mar 3 23:01:02 guacamole02 tomcat9[16530]: 23:01:02.123
> [http-nio-8080-exec-3] DEBUG o.a.g.a.j.c.ConnectionMapper.select - <==
> Total: 0
> Mar 3 23:01:02 guacamole02 tomcat9[16530]: 23:01:02.124
> [http-nio-8080-exec-3] DEBUG o.a.g.a.j.c.ConnectionMapper.select - <==
> Total: 0
> Mar 3 23:01:02 guacamole02 tomcat9[16530]: 23:01:02.124
> [http-nio-8080-exec-3] DEBUG o.a.i.t.jdbc.JdbcTransaction - Resetting
> autocommit to true on JDBC Connection
> [com.mysql.cj.jdbc.ConnectionImpl@60edc299]
> Mar 3 23:01:02 guacamole02 tomcat9[16530]: 23:01:02.124
> [http-nio-8080-exec-3] DEBUG o.a.i.t.jdbc.JdbcTransaction - Closing JDBC
> Connection [com.mysql.cj.jdbc.ConnectionImpl@60edc299]
> Mar 3 23:01:02 guacamole02 tomcat9[16530]: 23:01:02.124
> [http-nio-8080-exec-3] DEBUG o.a.i.d.pooled.PooledDataSource - Testing
> connection 1626194585 ...
> Mar 3 23:01:02 guacamole02 tomcat9[16530]: 23:01:02.124
> [http-nio-8080-exec-3] DEBUG o.a.i.d.pooled.PooledDataSource - Connection
> 1626194585 is GOOD!
> Mar 3 23:01:02 guacamole02 tomcat9[16530]: 23:01:02.124
> [http-nio-8080-exec-3] DEBUG o.a.i.d.pooled.PooledDataSource - Returned
> connection 1626194585 to pool.
> Mar 3 23:01:02 guacamole02 tomcat9[16530]: 23:01:02.719
> [http-nio-8080-exec-2] ERROR o.a.g.w.GuacamoleWebSocketTunnelEndpoint -
> Creation of WebSocket tunnel to guacd failed: Parameter "GUAC_ID" is
> required.
> Mar 3 23:01:02 guacamole02 tomcat9[16530]: 23:01:02.719
> [http-nio-8080-exec-2] DEBUG o.a.g.w.GuacamoleWebSocketTunnelEndpoint -
> Error connecting WebSocket tunnel.
> Mar 3 23:01:02 guacamole02 tomcat9[16530]:
> org.apache.guacamole.GuacamoleClientException: Parameter "GUAC_ID" is
> required.
> Mar 3 23:01:02 guacamole02 tomcat9[16530]: #011at
> org.apache.guacamole.tunnel.TunnelRequest.getRequiredParameter(TunnelRequest.java:144)
> Mar 3 23:01:02 guacamole02 tomcat9[16530]: #011at
> org.apache.guacamole.tunnel.TunnelRequest.getIdentifier(TunnelRequest.java:247)
> Mar 3 23:01:02 guacamole02 tomcat9[16530]: #011at
> org.apache.guacamole.tunnel.TunnelRequestService.createTunnel(TunnelRequestService.java:335)
> Mar 3 23:01:02 guacamole02 tomcat9[16530]: #011at
> org.apache.guacamole.tunnel.websocket.RestrictedGuacamoleWebSocketTunnelEndpoint.createTunnel(RestrictedGuacamoleWebSocketTunnelEndpoint.java:113)
> Mar 3 23:01:02 guacamole02 tomcat9[16530]: #011at
> org.apache.guacamole.websocket.GuacamoleWebSocketTunnelEndpoint.onOpen(GuacamoleWebSocketTunnelEndpoint.java:200)
> Mar 3 23:01:02 guacamole02 tomcat9[16530]: #011at
> org.apache.tomcat.websocket.server.WsHttpUpgradeHandler.init(WsHttpUpgradeHandler.java:133)
> Mar 3 23:01:02 guacamole02 tomcat9[16530]: #011at
> org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:917)
> Mar 3 23:01:02 guacamole02 tomcat9[16530]: #011at
> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1639)
> Mar 3 23:01:02 guacamole02 tomcat9[16530]: #011at
> org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
> Mar 3 23:01:02 guacamole02 tomcat9[16530]: #011at
> java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
> Mar 3 23:01:02 guacamole02 tomcat9[16530]: #011at
> java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
> Mar 3 23:01:02 guacamole02 tomcat9[16530]: #011at
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> Mar 3 23:01:02 guacamole02 tomcat9[16530]: #011at
> java.base/java.lang.Thread.run(Thread.java:829)
> Mar 3 23:01:03 guacamole02 tomcat9[16530]: 23:01:03.725
> [http-nio-8080-exec-10] DEBUG o.m.g.t.TransactionalMethodInterceptor -
> [Intercepted method: public java.util.Set<java.lang.String>
> org.apache.guacamole.auth.jdbc.base.EntityService.retrieveEffectiveGroups(org.apache.guacamole.auth.jdbc.base.ModeledPermissions<?
> extends
> org.apache.guacamole.auth.jdbc.base.EntityModel>,java.util.Collection<java.lang.String>)]
> - SqlSession not set for thread: 28, creating a new one
> Mar 3 23:01:03 guacamole02 tomcat9[16530]: 23:01:03.726
> [http-nio-8080-exec-10] DEBUG o.a.i.t.jdbc.JdbcTransaction - Opening JDBC
> Connection
> Mar 3 23:01:03 guacamole02 tomcat9[16530]: 23:01:03.726
> [http-nio-8080-exec-10] DEBUG o.a.i.d.pooled.PooledDataSource - Checked out
> connection 2111520074 from pool.
> Mar 3 23:01:03 guacamole02 tomcat9[16530]: 23:01:03.726
> [http-nio-8080-exec-10] DEBUG o.a.i.d.pooled.PooledDataSource - Testing
> connection 2111520074 ...
> Mar 3 23:01:03 guacamole02 tomcat9[16530]: 23:01:03.727
> [http-nio-8080-exec-10] DEBUG o.a.i.d.pooled.PooledDataSource - Connection
> 2111520074 is GOOD!
> Mar 3 23:01:03 guacamole02 tomcat9[16530]: 23:01:03.727
> [http-nio-8080-exec-10] DEBUG o.a.i.t.jdbc.JdbcTransaction - Setting
> autocommit to false on JDBC Connection
> [com.mysql.cj.jdbc.ConnectionImpl@7ddb3d4a]
> Mar 3 23:01:03 guacamole02 tomcat9[16530]: 23:01:03.728
> [http-nio-8080-exec-10] DEBUG o.a.g.a.mysql.conf.MySQLEnvironment -
> Database recognized as MySQL 8.0.28.
> Mar 3 23:01:03 guacamole02 tomcat9[16530]: 23:01:03.728
> [http-nio-8080-exec-10] DEBUG o.a.g.a.j.b.E.selectEffectiveGroupIdentifiers
> - ==> Preparing: WITH RECURSIVE related_entity(entity_id) AS ( SELECT
> guacamole_user_group.entity_id FROM guacamole_user_group JOIN
> guacamole_user_group_member ON guacamole_user_group.user_group_id =
> guacamole_user_group_member.user_group_id WHERE
> guacamole_user_group_member.member_entity_id = ? AND
> guacamole_user_group.disabled = false UNION SELECT
> guacamole_user_group.entity_id FROM related_entity JOIN
> guacamole_user_group_member ON related_entity.entity_id =
> guacamole_user_group_member.member_entity_id JOIN guacamole_user_group ON
> guacamole_user_group.user_group_id =
> guacamole_user_group_member.user_group_id WHERE
> guacamole_user_group.disabled = false ) SELECT name FROM related_entity
> JOIN guacamole_entity ON related_entity.entity_id =
> guacamole_entity.entity_id WHERE guacamole_entity.type = 'USER_GROUP';
> Mar 3 23:01:03 guacamole02 tomcat9[16530]: 23:01:03.729
> [http-nio-8080-exec-10] DEBUG o.a.g.a.j.b.E.selectEffectiveGroupIdentifiers
> - ==> Parameters: 8(Integer)
> Mar 3 23:01:03 guacamole02 tomcat9[16530]: 23:01:03.730
> [http-nio-8080-exec-10] DEBUG o.a.g.a.j.b.E.selectEffectiveGroupIdentifiers
> - <== Total: 0
> Mar 3 23:01:03 guacamole02 tomcat9[16530]: 23:01:03.730
> [http-nio-8080-exec-10] DEBUG o.m.g.t.TransactionalMethodInterceptor -
> [Intercepted method: public java.util.Set<java.lang.String>
> org.apache.guacamole.auth.jdbc.base.EntityService.retrieveEffectiveGroups(org.apache.guacamole.auth.jdbc.base.ModeledPermissions<?
> extends
> org.apache.guacamole.auth.jdbc.base.EntityModel>,java.util.Collection<java.lang.String>)]
> - SqlSession of thread: 28 committing
> Mar 3 23:01:03 guacamole02 tomcat9[16530]: 23:01:03.731
> [http-nio-8080-exec-10] DEBUG o.m.g.t.TransactionalMethodInterceptor -
> [Intercepted method: public java.util.Set<java.lang.String>
> org.apache.guacamole.auth.jdbc.base.EntityService.retrieveEffectiveGroups(org.apache.guacamole.auth.jdbc.base.ModeledPermissions<?
> extends
> org.apache.guacamole.auth.jdbc.base.EntityModel>,java.util.Collection<java.lang.String>)]
> - SqlSession of thread: 28 terminated its life-cycle, closing it
> Mar 3 23:01:03 guacamole02 tomcat9[16530]: 23:01:03.731
> [http-nio-8080-exec-10] DEBUG o.a.i.t.jdbc.JdbcTransaction - Resetting
> autocommit to true on JDBC Connection
> [com.mysql.cj.jdbc.ConnectionImpl@7ddb3d4a]
> Mar 3 23:01:03 guacamole02 tomcat9[16530]: 23:01:03.731
> [http-nio-8080-exec-10] DEBUG o.a.i.t.jdbc.JdbcTransaction - Closing JDBC
> Connection [com.mysql.cj.jdbc.ConnectionImpl@7ddb3d4a]
> Mar 3 23:01:03 guacamole02 tomcat9[16530]: 23:01:03.732
> [http-nio-8080-exec-10] DEBUG o.a.i.d.pooled.PooledDataSource - Testing
> connection 2111520074 ...
> Mar 3 23:01:03 guacamole02 tomcat9[16530]: 23:01:03.732
> [http-nio-8080-exec-10] DEBUG o.a.i.d.pooled.PooledDataSource - Connection
> 2111520074 is GOOD!
> Mar 3 23:01:03 guacamole02 tomcat9[16530]: 23:01:03.732
> [http-nio-8080-exec-10] DEBUG o.a.i.d.pooled.PooledDataSource - Returned
> connection 2111520074 to pool.
> Mar 3 23:01:03 guacamole02 tomcat9[16530]: 23:01:03.733
> [http-nio-8080-exec-10] DEBUG o.m.g.t.TransactionalMethodInterceptor -
> [Intercepted method: public java.util.Set<java.lang.String>
> org.apache.guacamole.auth.jdbc.base.EntityService.retrieveEffectiveGroups(org.apache.guacamole.auth.jdbc.base.ModeledPermissions<?
> extends
> org.apache.guacamole.auth.jdbc.base.EntityModel>,java.util.Collection<java.lang.String>)]
> - SqlSession not set for thread: 28, creating a new one
>
>
> The browser just hangs there with "Connected to Guacamole. Waiting for
> response..." text and from time to time I can see the yellow square in the
> bottom right corner saying connection to the guacamole server is unstable.
>
> Each Guacamole server is using different Azure proxy and URLs in the
> config of each respective one point to the correct server(s). Here is the
> example of my guacamole.properties on each server:
>
> guacd-hostname: localhost
> guacd-port: 4822
> user-mapping: /etc/guacamole/user-mapping.xml
> auth-provider:
> net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider
> extension-priority: saml
>
> # MySQL properties
> mysql-hostname: localhost
> mysql-port: edited out
> mysql-database: edited out
> mysql-username: edited out
> mysql-password: edited out
> mysql-auto-create-accounts: true
> mysql-server-timezone: Etc/UTC
>
> saml-idp-metadata-url: edited out
> saml-idp-url: edited out
> saml-entity-id: https://server.example.com/ - edited out but has this
> structure
> saml-callback-url: https://server.example.com/ - edited out but has this
> structure
> saml-strict: false
> saml-debug: true
> saml-group-attribute: Roles
>
> What is really annoying is that I deployed the first server, configured it
> and it's working just fine. Then I repeated the same steps and deployed the
> second server and this was also fine. The third server (now deployed for
> the twentieth time) isn't cooperating.
> I am lost as to what could be the problem.
>
> Any thoughts are much appreciated.
>
> Thanks
>
> On Wed, 9 Feb 2022 at 17:03, Mike Jumper <mjum...@apache.org> wrote:
>
>> On Wed, Feb 9, 2022 at 8:12 AM chomik MChamster <turasmail...@gmail.com>
>> wrote:
>>
>>> Hi Experts,
>>>
>>> I have three instances of guacamole, deployed using the steps from the
>>> official guacamole manual with mysql and saml authentication.
>>> From one of those instances I am getting the "GUAC_ID is required" error:
>>>
>>> tomcat9[505209]: 15:53:04.502 [http-nio-8080-exec-3] DEBUG
>>> o.a.g.w.GuacamoleWebSocketTunnelEndpoint - Error connecting WebSocket
>>> tunnel.
>>> tomcat9[505209]: org.apache.guacamole.GuacamoleClientException:
>>> Parameter "GUAC_ID" is required.
>>>
>>> I did read through this thread -
>>> https://www.mail-archive.com/user@guacamole.apache.org/msg07521.html
>>> but I'm not a developer, nor am I building a custom app or anything like
>>> that (as far as I can tell). The strangest thing to me is that I deployed
>>> all three instances following the same process. I have checked the
>>> guacamole.properties as well as SAML authentication settings on Azure side
>>> but am unable to find the apparent issue.
>>> Wondering if you could point me to what could be the reason for this
>>> error and/or maybe help me understand where is this GUAC_ID taken or
>>> generated from.
>>>
>>
>> That parameter, as well as several others, dictate the details of the
>> request to connect. They are always automatically submitted by the web
>> application.
>>
>> Are your three instances behind a balancer? Any chance they may be
>> different versions, and requests from one are being misrouted by the
>> balancer to another?
>>
>> Are you sure that this error is coming from legitimate connection
>> attempts, and not bogus WebSocket connection attempts from someone probing
>> your server?
>>
>> - Mike
>>
>>
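
The question raised in the thread, whether the "GUAC_ID is required" errors come from real sessions or from stray WebSocket requests, can be checked against the Tomcat log itself. The following is an added example, not part of the original thread or of Guacamole; the function name `triage`, the 5-second window and the sample lines are constructed, and it assumes (as in the quoted log) that a logged-in user's activity leaves `ConnectionMapper` DEBUG lines shortly before a tunnel attempt.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the syslog format quoted in the thread (not real log data).
SAMPLE = """\
Mar  3 23:01:02 guacamole02 tomcat9[16530]: 23:01:02.120 [http-nio-8080-exec-3] DEBUG o.a.g.a.j.c.ConnectionMapper.select - <== Total: 1
Mar  3 23:01:02 guacamole02 tomcat9[16530]: 23:01:02.719 [http-nio-8080-exec-2] ERROR o.a.g.w.GuacamoleWebSocketTunnelEndpoint - Creation of WebSocket tunnel to guacd failed: Parameter "GUAC_ID" is required.
Mar  3 23:01:02 guacamole02 tomcat9[16530]: org.apache.guacamole.GuacamoleClientException: Parameter "GUAC_ID" is required.
Mar  3 23:40:10 guacamole02 tomcat9[16530]: 23:40:10.005 [http-nio-8080-exec-7] ERROR o.a.g.w.GuacamoleWebSocketTunnelEndpoint - Creation of WebSocket tunnel to guacd failed: Parameter "GUAC_ID" is required.
"""

# Matches only lines carrying the application's own timestamp, so stack-trace
# continuation lines (which repeat the message) are not counted twice.
LINE = re.compile(
    r'tomcat9\[\d+\]:\s+(\d\d:\d\d:\d\d\.\d{3})\s+\[[^\]]+\]\s+(\w+)\s+(\S+)\s+-\s+(.*)$'
)
MISSING = 'Parameter "GUAC_ID" is required'


def triage(log_text, window_s=5.0):
    """Return [(timestamp, verdict)] for each failed tunnel creation.

    Verdict is "follows-session-activity" when authenticated UI activity
    (ConnectionMapper queries) was logged within window_s seconds before the
    error, else "isolated" (worth checking against proxy access logs).
    Assumption: all lines fall on the same day; midnight rollover is ignored.
    """
    last_ui = None
    results = []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
        level, logger, msg = m.group(2), m.group(3), m.group(4)
        if "ConnectionMapper" in logger:
            last_ui = ts
        elif level == "ERROR" and "TunnelEndpoint" in logger and MISSING in msg:
            gap = None if last_ui is None else ts - last_ui
            near = gap is not None and timedelta(0) <= gap <= timedelta(seconds=window_s)
            results.append((m.group(1), "follows-session-activity" if near else "isolated"))
    return results


if __name__ == "__main__":
    for stamp, verdict in triage(SAMPLE):
        print(stamp, verdict)
```

Errors that follow session activity point at something between the browser and Tomcat altering the tunnel request, which is consistent with the proxy-side fix reported at the top of the thread; the Tomcat log alone carries no client address, so isolated errors need the proxy's access log to attribute.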