On Mon, Sep 25, 2023 at 12:39 PM Michael Jumper <mjum...@apache.org> wrote:
> On 9/25/2023 3:28 AM, Christopher Johnson wrote:
> > Hi,
> >
> > I wonder if someone can help?
> >
> > Since upgrading the Active Directory forest/domain to functional level
> > 2016, if a user resides in the “Protected Users” group in Active
> > Directory we are unable to RDP to Windows machines from Guacamole. We
> > can RDP from Guacamole using a user who is not a member of the
> > “Protected Users” group OK, and even taking the user out of the group
> > and then trying the RDP connection works. Also, RDP’ing to the same server
> > using the Microsoft Windows RDP client works OK for users in the
> > “Protected Users” group.
> >
> > The problem sounds very similar to this issue that was raised, but there
> > didn’t appear to be a resolution:
> > [GUACAMOLE-1426] Can't open RDP with user in "Protected Users" group -
> > ASF JIRA (apache.org <http://apache.org>)
>
> Yes, this sounds like the problem you are encountering.
>
> My understanding is that this is rooted in FreeRDP's implementation of
> NLA, which currently only supports the NTLM variant. Until FreeRDP
> implements the Kerberos variant of NLA, Windows servers will reject
> authentication attempts for users within the "Protected Users" group
> when made from applications using FreeRDP, including Guacamole.
>
> It's likely this will change in a future FreeRDP release. I'm not sure
> what the status of Kerberos+NLA is there, nor whether additional flags
> will need to be set within the Guacamole code once that support lands.

It's been a while since I tried it, but I _think_ I successfully used xfreerdp + Kerberos + NLA once upon a time, which I suspect will work with the Protected Users group.
Getting Guacamole to work with this may be a bit more work - I'm sure it's doable, but I would imagine that a Kerberos-tied NLA will require setting up domain membership for the system running Guacamole, and then managing keytab and/or credential cache files for users attempting to log in from Guacamole via Kerberos + NLA. And maybe a little black magic :-).

-Nick
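As an added illustration of the plumbing Nick describes (a domain-joined host, a keytab per connecting user, and a separate credential cache per user so one Guacamole box does not mix tickets), here is a small POSIX shell wrapper around the MIT Kerberos tools and xfreerdp. This is example code written for this thread, not part of Guacamole or FreeRDP. It assumes kinit, klist and xfreerdp are installed, that the host is already joined to the domain, and that a keytab for the user exists; the directory under KRB_CCACHE_DIR and the keytab paths are hypothetical. Whether a given FreeRDP build actually performs NLA with Kerberos rather than NTLM is exactly what the thread leaves open, so the wrapper only stages a ticket and forces NLA; it cannot make an NTLM-only FreeRDP pass the Protected Users check.

```shell
#!/bin/sh
# Added example: per-user Kerberos credential cache + xfreerdp with NLA.
# Assumptions: MIT Kerberos client tools (kinit, klist) and xfreerdp present,
# host joined to the domain, keytab available. Paths are hypothetical.

# Base directory for per-user credential caches (hypothetical default).
KRB_CCACHE_DIR="${KRB_CCACHE_DIR:-/var/lib/guacd/krb5cc}"

# Map a principal such as alice@CORP.EXAMPLE to its own cache file so that
# tickets of different Guacamole users never share one KRB5CCNAME.
# Characters outside a conservative set are replaced with '_' to keep the
# principal from injecting path separators or shell metacharacters.
ccache_for_user() {
    printf '%s/cc_%s\n' "$KRB_CCACHE_DIR" \
        "$(printf '%s' "$1" | tr -c 'A-Za-z0-9@._-' '_')"
}

# The xfreerdp invocation. /sec:nla requires NLA; if the installed FreeRDP
# only speaks the NTLM flavour of NLA, a Protected Users account will still be
# rejected by the server, which is the behaviour reported in this thread.
xfreerdp_args() {
    # $1 = target host, $2 = user name (no realm), $3 = domain
    printf 'xfreerdp /v:%s /u:%s /d:%s /sec:nla\n' "$1" "$2" "$3"
}

# usage: rdp_via_kerberos [--dry-run] keytab principal host domain
# --dry-run prints the commands instead of running them (used for testing).
rdp_via_kerberos() {
    dry=0
    if [ "$1" = "--dry-run" ]; then dry=1; shift; fi
    keytab=$1; principal=$2; host=$3; domain=$4
    user=${principal%@*}                # strip @REALM for the RDP user name
    cc=$(ccache_for_user "$principal")

    if [ "$dry" -eq 1 ]; then
        printf 'KRB5CCNAME=FILE:%s\n' "$cc"
        printf 'kinit -kt %s -c %s %s\n' "$keytab" "$cc" "$principal"
        xfreerdp_args "$host" "$user" "$domain"
        return 0
    fi

    umask 077                           # cache file readable only by this uid
    mkdir -p "$KRB_CCACHE_DIR" || return 1
    KRB5CCNAME="FILE:$cc"; export KRB5CCNAME
    # Obtain a TGT from the keytab into the per-user cache.
    kinit -kt "$keytab" -c "$cc" "$principal" || return 1
    # klist -s exits non-zero when the cache holds no valid TGT.
    klist -s -c "$cc" || return 1
    xfreerdp "/v:$host" "/u:$user" "/d:$domain" /sec:nla
}
```

Run it as `rdp_via_kerberos /etc/guacd/alice.keytab alice@CORP.EXAMPLE rdp1.corp.example CORP` on the Guacamole host; if the session is still refused for a Protected Users member while `klist` shows a valid TGT, the remaining piece is the FreeRDP-side Kerberos NLA support the thread is waiting on, not the ticket setup.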