On Mon, Nov 3, 2025 at 11:39 AM Joachim Lindenberg <[email protected]> wrote:
> I doubt it is that simple. When a user running/interacting with FreeRDP
> locally uses Kerberos, there is no Kerberos delegation involved. Of course
> one could prompt for credential in Guacamole and turn that into a Kerberos
> ticket within the container, but the true elegance of Kerberos – no
> password prompts – is only possible with delegation.
>

Joachim,

You make a fair point, and I suppose some clarity is in order here. If the question about whether or not Guacamole supports Kerberos is:

* Does it support the ability to authenticate via Kerberos to servers that only accept Kerberos authentication and will no longer accept NTLM?

The answer to this is, yes, it does, and it will often work transparently with no changes to Guacamole, so long as Guacamole is built against a version of FreeRDP that supports it. It does not currently support forcing that authentication mechanism to Kerberos - it currently must be negotiated correctly between FreeRDP and the server.

* Does it support the ability to transparently pass Kerberos authentication/ticketing through from a client system to a remote server, or even from the Guacamole Client application to the remote server?

The answer to this is, no, this is not supported, and would require some further development in the Guacamole code to make this happen. At a minimum we'd need to implement a Kerberos authentication extension (along with configuration of the Tomcat server), and the Guacamole system would have to be part of the Kerberos realm (AD domain in many cases) so that it is trusted to either create Kerberos tickets or be part of the conversation to pass those along.

-Nick
