Hello,

On our side, we have deployed Guacamole 1.6.0 in Docker with FreeRDP version 3 to enable Kerberos authentication using Protected User accounts.
Before our deployment, we did not have a Guacamole bastion, so I cannot say exactly what impact this change may have on the different configuration options. We currently use RDP connections with Protected User accounts, as well as SSH connections on Linux systems also with Protected User accounts. Please note that Windows does not handle connections via Active Directory accounts in the same way as Linux.

Best Regards,

From: Tony Guadagno <[email protected]>
Sent: Monday, November 3, 2025 16:07
To: [email protected]
Subject: RE: [External] Question about current state of RDP + Kerberos support in Guacamole

Nick, with respect to the docker instance, does that include FreeRDP2 or FreeRDP3?

thanks
Tony

From: Nick Couchman <[email protected]>
Sent: Monday, November 3, 2025 9:59 AM
To: [email protected]
Subject: Re: [External] Question about current state of RDP + Kerberos support in Guacamole

On Mon, Nov 3, 2025 at 8:53 AM steph01 <[email protected]> wrote:

> Hi everyone,
>
> I’m trying to understand the current state of RDP and Kerberos integration in Apache Guacamole. I remember that some work was done around version 1.6.0, but from what I recall, it was later marked as experimental or incomplete.

The only change relevant to this that 1.6.0 includes is the ability to use FreeRDP3, which supports Kerberos-based authentication, whereas FreeRDP2 does not.

> Could someone clarify:
>
> * What’s the current status of Kerberos authentication for RDP connections in the latest Guacamole versions?

It's sort of a "your mileage may vary" situation. There are some situations in which Guacamole 1.6.0 + FreeRDP3 should actually work fine authenticating via Kerberos - if your environment is set up in such a way that NTLM is not allowed and Kerberos is required, and FreeRDP3 is built with support for it, then Guacamole/FreeRDP may just negotiate up to the Kerberos standard transparently.
However, if FreeRDP3 happens to be built without Kerberos support, or some issue occurs in negotiating that connectivity, it may fail the logon. In the released versions of Guacamole, there's no way to force the use of Kerberos over NTLM.

> * Is it functional and stable enough for testing in production-like environments?
> * What’s the recommended way to test and verify its behavior today (e.g. specific build flags, guacd parameters, or configuration examples)?

The best way to test is to configure your Windows Servers to not allow NTLM authentication and try to connect to them with Guacamole. You can also use xfreerdp to verify you've set that up correctly, using the /auth-pkg-list parameter to verify that you are unable to connect if you specify only ntlm (ntlm,!kerberos), and able to connect only if you specify no NTLM and only Kerberos (!ntlm,kerberos). If you validate with xfreerdp, and then are able to connect with Guacamole, you are using Kerberos authentication. If it works as expected with xfreerdp but fails with Guacamole, you've got some issue, there - either the inability to negotiate it correctly, or FreeRDP isn't built with Kerberos, or you're using a version of FreeRDP that doesn't support it.

I've opened a couple of pull requests to try to handle this. They are currently in Draft state, and I've had some mixed results from people testing - it works fine for me, and I think one other person has reported success, but another has reported still being unable to connect. The changes aren't terribly invasive - they're not likely to break anything production-level, just some connection parameter changes - but they aren't released, yet, so...try it if you like, but you've been warned :-).

https://github.com/apache/guacamole-server/pull/581
https://github.com/apache/guacamole-client/pull/1082
https://issues.apache.org/jira/browse/GUACAMOLE-2057

The main thing that needs to be fixed is the ability for the autoconf script to detect the support/presence of FreeRDP with Kerberos, which I haven't quite nailed down, yet.

-Nick
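
The xfreerdp check described in Nick's reply above, as an added example that is not part of the original thread or of the Guacamole project: it runs the NTLM-only and Kerberos-only probes and interprets the pair of results. Assumptions: the binary is called `xfreerdp` (override with `XFREERDP`), `+auth-only` is used to stop after authentication, exit status 0 is treated as a successful logon, and the verdict names are made up for this sketch.

```shell
#!/bin/sh
# Added example: probe an RDP host twice with xfreerdp, once NTLM-only and
# once Kerberos-only, then interpret the two exit statuses together.
# Assumption: exit status 0 from an auth-only run means the logon succeeded.
XFREERDP="${XFREERDP:-xfreerdp}"   # some FreeRDP 3 packages name it differently

# probe HOST USER PKGLIST -> exit status of one authentication-only attempt.
# xfreerdp prompts for the password. Use the host's FQDN, not an IP address,
# so that a Kerberos service ticket can be requested for it.
probe() {
    "$XFREERDP" "/v:$1" "/u:$2" "/auth-pkg-list:$3" +auth-only
}

# verdict NTLM_RC KRB_RC -> one word describing what the two probes show.
verdict() {
    if [ "$1" -ne 0 ] && [ "$2" -eq 0 ]; then
        echo "kerberos-only"        # NTLM refused, Kerberos accepted
    elif [ "$1" -eq 0 ] && [ "$2" -eq 0 ]; then
        echo "ntlm-still-allowed"   # both work: server still accepts NTLM
    elif [ "$1" -eq 0 ]; then
        echo "kerberos-failing"     # only NTLM works
    else
        echo "no-logon"             # neither package can log on
    fi
}

# explain VERDICT -> what the result means for a later Guacamole test.
explain() {
    case "$1" in
        kerberos-only)      echo "a successful Guacamole logon now implies Kerberos" ;;
        ntlm-still-allowed) echo "disable NTLM on the server before testing Guacamole" ;;
        kerberos-failing)   echo "check the FreeRDP build, krb5 config and KDC reachability" ;;
        *)                  echo "check credentials, hostname and network path first" ;;
    esac
}

# Only touch the network when a host and user are given on the command line.
if [ "$#" -ge 2 ]; then
    ntlm_rc=0; probe "$1" "$2" 'ntlm,!kerberos' || ntlm_rc=$?
    krb_rc=0;  probe "$1" "$2" '!ntlm,kerberos' || krb_rc=$?
    result=$(verdict "$ntlm_rc" "$krb_rc")
    echo "$result: $(explain "$result")"
fi
```

Invoke it with the target's FQDN and a user name, for example `sh probe.sh rdp01.example.internal alice` (constructed names).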
