On Fri, Jan 10, 2025 at 11:45 AM Vieri <[email protected]> wrote:

> Hi,
>
> I'm having an issue with a specific user connecting to several RDP
> connections.
> Authentication seems to be OK. However, the user reports that the session
> is "dead" and a screenshot shows that Guacamole is saying that the session
> failed (after NLA login).
> A "query session" on the RDP server does not list that user.
>
> I'm having a hard time associating connections logged in catalina.out and
> the ones logged in guacd. I probably overlooked something in the manual...
>
> Suppose I see this in Tomcat:
>
> o.a.g.tunnel.TunnelRequestService - User "failingUser" connected to
> connection "141".
>
> How do I know who's who and what's what in the guacd log?
>
> Suppose I see:
>
> guacd[ID]: User "@1118f4d2-c513-44d3-85cb-0fbe5f9f94c1" joined connection
> "$c1ee996c-99a8-4c1b-b1b2-6329f60725b1"
>
> Are those IDs taken from the connection and user tables?
> Is there a way to quickly get their "readable" values?
> I just need to know if failingUser ==
> @1118f4d2-c513-44d3-85cb-0fbe5f9f94c1 and 141 ==
> $c1ee996c-99a8-4c1b-b1b2-6329f60725b1.
>

These are temporary UUIDs that are generated only by guacd for the connection and the user joining the connection. In general, they have no relationship to the IDs of users in the database, and, unfortunately, it takes a bit of work to track down the correlation between the two - mainly you have to rely on knowing which user was attempting to access a particular connection at a particular time, and line up the times in the log file, or be looking at the browser developer console to see those UUIDs get passed back-and-forth.

Also, the user joining the Guacamole connection is distinct from guacd making the connection to the RDP servers - these are two separate processes, related but certainly not identical. As you are seeing, it is completely possible for a user to successfully "join" (create, if they are the first user and connection owner) a connection to guacd, but have the related connection to the RDP server fail and then the guacd connection ends.

> Also, I tried to enable recording for that user.
> When the user logs in, several short recording files are created and
> encoding them with guacencode just show a single green frame.
>
> The content of one of these recordings (trimming out the png data) looks
> like this:
>
>
> 4.size,1.0,4.1280,3.720;4.size,2.-1,2.11,2.16;3.img,1.3,2.12,2.-1,9.image/png,1.0,1.0;4.blob,1.3,232.[TRIM].end,1.3;6.cursor,1.0,1.0,2.-1,1.0,1.0,2.11,2.16;
>
> Another file shows something like this:
>
> 4.size,1.0,4.1280,3.720;4.size,2.-1,2.11,2.16;3.img,1.3,2.12,2.-1,9.image/png,1.0,1.0;4.blob,1.3,232.[TRIM].error,45.Authentication
> failure (invalid credentials?),3.769;3.end,1.1;
>
> I must say though that I still haven't found any indication of an
> authentication failure.
>

The connection could be failing for a wide variety of reasons, and you'll need to do some investigating between guacd and your RDP server to find out why. The first thing I would do is (re)start guacd with debugging enabled and retry the failing connection, and see if you get any more detail as to why the connection is failing. If an authentication error is getting returned from guacd to the client, it's probably _some_ sort of authentication error. With RDP to Windows servers, this could be a lot of different things - with NLA, an invalid or untrusted certificate might cause this, or the authentication protocol (NLA vs. TLS vs. RDP) could be wrong, or the credentials could actually be wrong. You'll just need to dig a little deeper and see exactly where the failure is occurring.

-Nick
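
The recordings quoted in this thread are raw Guacamole protocol streams, so the `error` instruction and its status code can be pulled out of each short recording file mechanically. The following is an added example, not part of the original thread or of the Guacamole project's code; the function names, the status table (a subset of the protocol's status codes) and the sample stream are assumptions constructed for illustration.

```python
# Added example: minimal Guacamole protocol parser for session recordings.
# Status names are a subset of the codes in the Guacamole protocol reference.
STATUS = {
    0: "SUCCESS", 512: "SERVER_ERROR", 514: "UPSTREAM_TIMEOUT",
    515: "UPSTREAM_ERROR", 519: "UPSTREAM_NOT_FOUND",
    520: "UPSTREAM_UNAVAILABLE", 769: "CLIENT_UNAUTHORIZED",
    771: "CLIENT_FORBIDDEN",
}

def parse_instructions(data):
    """Yield each instruction as a list of strings: [opcode, arg1, ...].

    Each element is encoded as LENGTH.VALUE, where LENGTH counts Unicode
    characters; elements are joined by ',' and an instruction ends at ';'.
    """
    pos, elements = 0, []
    while pos < len(data):
        dot = data.find(".", pos)
        if dot == -1:
            raise ValueError(f"no length prefix at offset {pos}")
        end = dot + 1 + int(data[pos:dot])
        if end >= len(data):
            # Recording cut off mid-instruction (e.g. session killed).
            raise ValueError(f"truncated element at offset {pos}")
        elements.append(data[dot + 1:end])
        if data[end] == ";":
            yield elements
            elements = []
        elif data[end] != ",":
            raise ValueError(f"bad terminator {data[end]!r} at offset {end}")
        pos = end + 1

def find_errors(data):
    """Return (message, code, status_name) for every 'error' instruction."""
    errors = []
    for opcode, *args in parse_instructions(data):
        if opcode == "error" and len(args) >= 2:
            code = int(args[1])
            errors.append((args[0], code, STATUS.get(code, "UNKNOWN")))
    return errors

# Constructed sample modelled on the second recording quoted above; the
# 232-character PNG blob is replaced by a 4-character placeholder.
SAMPLE = ("4.size,1.0,4.1280,3.720;4.size,2.-1,2.11,2.16;"
          "3.img,1.3,2.12,2.-1,9.image/png,1.0,1.0;4.blob,1.3,4.AAAA;"
          "5.error,45.Authentication failure (invalid credentials?),3.769;"
          "3.end,1.1;")

if __name__ == "__main__":
    for message, code, name in find_errors(SAMPLE):
        print(f"{code} {name}: {message}")
```

Run it on the untrimmed file contents: removing blob data by hand, as in the quoted excerpts, invalidates the length prefixes and the parser will raise `ValueError`.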
