I doubt it is that simple. When a user running/interacting with FreeRDP locally uses Kerberos, there is no Kerberos delegation involved. Of course one could prompt for credential in Guacamole and turn that into a Kerberos ticket within the container, but the true elegance of Kerberos – no password prompts – is only possible with delegation.
Regards, Joachim Von: Nick Couchman <[email protected]> Gesendet: Montag, 3. November 2025 16:51 An: [email protected] Betreff: Re: [External] Question about current state of RDP + Kerberos support in Guacamole On Mon, Nov 3, 2025 at 10:17 AM Yohann Feasson <[email protected] <mailto:[email protected]> > wrote: Hello, On our side, we have deployed Guacamole 1.6.0 in Docker with FreeRDP version 3 to enable Kerberos authentication using Protected User accounts. Before our deployment, we did not have a Guacamole bastion, so I cannot say exactly what impact this change may have on the different configuration options. We currently use RDP connections with Protected User accounts, as well as SSH connections on Linux systems also with Protected User accounts. Please note that Windows does not handle connections via Active Directory accounts in the same way as Linux. Thanks for sharing your experience, Yohann - since Protected User accounts do require Kerberos, it sounds like just switching over to FreeRDP3 when building the Docker image probably enables Guacamole to work fine with the Kerberos requirement. -Nick
