Hi Michael,

Thanks for joining in. I just took another long session on this and finally found a fix (it seems the guacamole headers possibly grew at some point) after adding the following options to my authentik reverse-proxy config:
```
proxy_buffer_size 16k;
proxy_buffers 8 16k;
```

Now I noticed another problem. On 1.5.5 Nick told me in this report:
https://www.mail-archive.com/user@guacamole.apache.org/msg13233.html
that when using SSO there won't be an additional 2FA prompt, though it still appears. Now, since we have guacamole 1.6.0, am I missing any config? Looking at the docs, I can't seem to directly find anything.

- Tobias

Sent with [Proton Mail](https://pr.tn/ref/BTTM5JG4EZEG) secure email.

On Tuesday, June 24th, 2025 at 20:07, Michael Jumper <mjum...@apache.org> wrote:

> On June 24, 2025 5:35:51 AM PDT, newslet...@tobiasmeier.dev.INVALID wrote:
>
>> Hi
>>
>> I did an upgrade, and yes I fully replaced and rebuilt the guacamole server and also ensured the client is rebuilt.
>>
>> Awesome, yes the problem with the loop in multi connect is solved by hard refresh, thanks!
>>
>> Though I can't say that about the SSO problem, any ideas there?
>>
>> - Tobias
>>
>> On Tuesday, June 24th, 2025 at 12:35, Vincent Sherwood <vince...@itsolutions.ie.INVALID> wrote:
>>
>>> Just checking. Did you do a completely clean install?
>>>
>>> I upgraded a server yesterday and started to get RDP reconnect loops that I had never experienced before. After some troubleshooting I realised I hadn't restarted guacd - so did a full clear out and restart.
>>>
>>> Rename the guacamole.war file to guacamole.war.1.6 in the tomcat webapps directory and wait for tomcat to undeploy it (the guacamole folder will disappear)
>>> stop guacd
>>> stop tomcat
>>> restart guacd
>>> restart tomcat
>>> rename the war file back to guacamole.war so tomcat re-deploys it again
>>> Hard reload the guacamole site in the browser (Ctrl-F5)
>>>
>>> ---------------------------------------------------------------
>>>
>>> From: newslet...@tobiasmeier.dev.INVALID <newslet...@tobiasmeier.dev.INVALID>
>>> Sent: Tuesday 24 June 2025 10:09
>>> To: user@guacamole.apache.org <user@guacamole.apache.org>
>>> Subject: Re: Guacamole Crash 1.6.0 multi-connect and SSO
>>>
>>> Hi
>>> Here I add the debug log from SSO process from guacamole side:
>>>
>>> https://pastebin.com/LMVf9Ejx
>>>
>>> From authentik side there are no errors:
>>>
>>> - Tobias
>>>
>>> On Tuesday, June 24th, 2025 at 10:28, newslet...@tobiasmeier.dev.INVALID <newslet...@tobiasmeier.dev.INVALID> wrote:
>>>
>>>> Hi
>>>>
>>>> Since upgrading to 1.6.0 multi-connection SSH seems to be broken, as soon as I add a second SSH connection, this appears (attachment)
>>>>
>>>> Here the debug log:
>>>> https://pastebin.com/iGcXZRmE
>>>>
>>>> After that it just loops left/right connection infinitely, my internet is definitely stable enough.
>>>>
>>>> Second Problem:
>>>> OIDC Connection, previously OpenID worked fine, I updated the extension to 1.6.0 and didn't touch my variables, they are currently like this, now it does not work anymore.
>>>>
>>>> ```
>>>> openid-authorization-endpoint: https://auth.mydomain.dev/application/o/authorize/
>>>> openid-client-id: XXXXX
>>>> openid-issuer: https://auth.mydomain.dev/application/o/guacamole/
>>>> openid-jwks-endpoint: https://auth.mydomain.dev/application/o/guacamole/jwks/
>>>> openid-redirect-uri: https://guac.mydomain.dev/guacamole
>>>> openid-scope: openid email profile
>>>> openid-username-claim-type: preferred_username
>>>> extension-priority: *, openid
>>>> ```
>>>>
>>>> I get a 502 on authentik side, normally I'd say this is an authentik issue, but since SSO worked before upgrade and I didn't touch authentik side nor guacamole side of sso other than updating, I think this is rather on guacamole?
>>>>
>>>> (Second Attachment)
>>>>
>>>> - Tobias
>>>
>>> IT Solutions Email Disclaimer - This e-mail and any files transmitted with it contain information which may be confidential and which may also be privileged and is intended solely for the use of the individual or entity to whom it is addressed. Unless you are the intended recipient you may not copy or use it, or disclose it to anyone else. Any opinions expressed are that of the individual and not necessarily that of IT Solutions Ltd. If you have received this e-mail in error please notify the sender by return. For further information on IT Solutions visit https://www.itsolutions.ie
>
> It's possible that there is something different about what Guacamole is doing that contributes to the error you're receiving from Authentik, but given that it's Authentik throwing the error, I think you'll need to look at Authentik's logs to determine why it's failing.
>
> If there are no errors from Authentik at all despite the 502, that's suspicious.
>
> I'm not too surprised that there are no failures noted on the Guacamole side, since the failure is occurring within Authentik before the user is redirected back. The only steps taken by Guacamole for the in-progress authentication attempt (redirect the user to the IdP) succeeded.
>
> - Mike