On Mon, Sep 25, 2023 at 12:39 PM Michael Jumper <mjum...@apache.org> wrote:

> On 9/25/2023 3:28 AM, Christopher Johnson wrote:
> > Hi,
> >
> > I wonder if someone can help?
> >
> > Since upgrading the Active Directory forest/domain to functional level
> > 2016, if a user resides in the “Protected Users” group in Active
> > Directory we are unable to RDP to Windows machines from Guacamole. We
> > can RDP from Guacamole using a user who is not a member of the
> > “Protected Users” group OK and even taking the user out of the group
> > then trying the RDP connection works. Also RDP’ing to the same server
> > using the Microsoft Windows RDP client works OK for users in the
> > “Protected Users” group.
> >
> > The problem sounds very similar to this issue that was raised but there
> > didn’t appear to be a resolution.
> > [GUACAMOLE-1426] Can't open RDP with user in "Protected Users" group -
> > ASF JIRA (apache.org <http://apache.org>)
> >
>
> Yes, this sounds like the problem you are encountering.
>
> My understanding is that this is rooted in FreeRDP's implementation of
> NLA, which currently only supports the NTLM variant. Until FreeRDP
> implements the Kerberos variant of NLA, Windows servers will reject
> authentication attempts for users within the "Protected Users" group
> when made from applications using FreeRDP, including Guacamole.
>
> It's likely this will change in a future FreeRDP release. I'm not sure
> what the status of Kerberos+NLA is there, nor whether additional flags
> will need to be set within the Guacamole code once that support lands.
>
>
It's been a while since I tried it, but I _think_ I successfully used
xfreerdp + Kerberos + NLA once upon a time, which I suspect will work with
the Protected Users group.

Getting Guacamole to work with this may be a bit more work - I'm sure it's
doable, but I would imagine that a Kerberos-tied NLA will require setting
up domain membership for the system running Guacamole, and then managing
keytab and/or credential cache files for users attempting to log in from
Guacamole via Kerberos + NLA. And maybe a little black magic :-).

-Nick
