Harry, I'm working to try to set up something that will reproduce this issue. So far I've tried the Docker images, because those are the easiest to get my hands on, but they seem to work fine. Working on spinning up a Rocky 9 system to compile guacd on and see if I can break it. I'm hoping Rocky 9 is close enough to RHEL9 that I'll be able to reproduce the failure.
-Nick On Fri, May 15, 2026 at 8:04 AM Devine, Harry (FAA) <[email protected]> wrote: > I’ve been working with Red Hat on this, and while we’re still trying some > things out, they did pose an interesting observation: > > > > “This seemed to work with latest RHEL9 guacd(epel) and the very latest > docker image for guacamole. (Database was postgres running naively on the > same system.) The connection was made to the RHEL9 tigervnc that was > running on the same host as the guacamole docker and guacd just to make > setup of the environment be quicker.” > > > > I don’t have Guac installed via EPEL, or do I use a Docker image. I > compile from source as that’s what I’ve always done, and my Ansible > installation playbooks are written to download the source, compile, and > install that way. So would it be worthwhile to somehow switch to > installing guacd from EPEL instead of compiling from source? Also, how > would that method handle the extensions, such as LDAP and SAML (which we > use extensively for our authentication). I also have a custom branding Jar > file too, so how would that work? > > > > Also, a follow up on what is working/not-working: > > > > 1. Guac 1.6 on RHEL 9.7; RHEL 9.7 server running TigerVNC 1.15 and > securitytype set to vncauth: VNC connection from Guac to VNC server fails > with “Authentication Failed”; > 2. Guac 1.6 on RHEL 9.7; RHEL 9.7 server running TigerVNC 1.15 and > securitytype set to none: VNC connection works successfully; > 3. Using TigerVNC client from the Guac server to the TigerVNC server > (so VNC connection is outside of Guac), and securitytype set to vncauth: > VNC connection works; > > > > So it seems as though the issue with SecurityType set to vncauth only > occurs with Guacamole 1.6 trying to connect to a TigerVNC server running > with SecurityType set to vncauth. Unless I’m missing something in our > configuration. > > > > Any thoughts or ideas? > > > > Thanks, > > Harry > > > > > > [image: Image] > > Harry Devine > > Secure-OSE System Administrator > > U.S. Department of Transportation > > FAA/AJM-2432 > > (609) 485-4218 (Office) > > (609) 612-7274 (FAA Cell) > > [email protected] <[email protected]> > > > > *William J Hughes Technical Center* > > *Building 300 3rd Floor Column L20* > > *Atlantic City NJ 08405* > > > > > > *From:* Devine, Harry (FAA) via user <[email protected]> > *Sent:* Monday, May 11, 2026 6:56 PM > *To:* Adrian Withy <[email protected]>; Nick Couchman < > [email protected]>; [email protected] > *Cc:* Weston Thayer <[email protected]>; Devine, Harry (FAA) < > [email protected]> > *Subject:* Re: Issue with VNC in 1.6.0 > > > > *CAUTION:* This email originated from outside of the Federal Aviation > Administration (FAA). Do not click on links or open attachments unless you > recognize the sender and know the content is safe. > > > > As a workaround, the system admin changed the security setting on their > VNC servers to none and connections started. Not ideal but good for now > until we can figure out something more definitive. > > > > Thanks, > > Harry > > > ------------------------------ > > *From:* Adrian Withy <[email protected]> > *Sent:* Monday, May 11, 2026 6:50:53 PM > *To:* Nick Couchman <[email protected]>; [email protected] > <[email protected]> > *Cc:* Weston Thayer <[email protected]>; Devine, Harry (FAA) < > [email protected]> > *Subject:* Re: Issue with VNC in 1.6.0 > > > > You don't often get email from [email protected]. Learn why this is > important <https://aka.ms/LearnAboutSenderIdentification> > > *CAUTION:* This email originated from outside of the Federal Aviation > Administration (FAA). Do not click on links or open attachments unless you > recognize the sender and know the content is safe. > > > > Going back to your original error message, it's pointing to a password > mismatch: > > > > ``` > > May 8 10:12:33 tfdm-access guacd[78486]: Selected Security Scheme 2 *<—VNC > classic password auth* > > May 8 10:12:33 tfdm-access guacd[78486]: VNC connection failed: > Authentication failure > > May 8 10:12:33 tfdm-access guacd[78486]: Unable to connect to VNC server. > > ``` > > > > It looks like this was throttled later after some number of bad attempts: May > 11 14:13:32 tfdm-access guacd[4048]: VNC connection failed: Too many > security failures > > > > As someone else has mentioned, VNC can be strange with passwords. Some > clients/servers will ignore the password after 8 and some will fail. I > would start by resetting the password on the VNC server (if you're able) to > something <= 8 chars and trying again. If your current password is > 8 > chars, try using only the first 8. Also try omitting the username if you > are providing it. > > > > Getting the VNC server logs would help as well. > > > > > ------------------------------ > > *From:* Devine, Harry (FAA) via user <[email protected]> > *Sent:* Monday, May 11, 2026 1:36 PM > *To:* Nick Couchman <[email protected]>; [email protected] > <[email protected]> > *Cc:* Weston Thayer <[email protected]>; Devine, Harry (FAA) < > [email protected]> > *Subject:* RE: Issue with VNC in 1.6.0 > > > > TigerVNC 1.15 on RHEL 8.10. Everything worked on Guacamole 1.5.5 and RHEL > 8.10 (Guac host), but after going up to RHEL 9.7 and Guac 1.6 (guac host), > those VNC connections are rejecting all connection and login attempts. We > do have another Guac 1.6 server that works with VNC, but those clients are > running TigerVNC 1.8 on RHEL 7.9, so those are pretty old. > > > > Thanks, > > Harry > > > > > > [image: Image] > > Harry Devine > > Secure-OSE System Administrator > > U.S. Department of Transportation > > FAA/AJM-2432 > > (609) 485-4218 (Office) > > (609) 612-7274 (FAA Cell) > > [email protected] <[email protected]> > > > > *William J Hughes Technical Center* > > *Building 300 3rd Floor Column L20* > > *Atlantic City NJ 08405* > > > > > > *From:* Nick Couchman <[email protected]> > *Sent:* Monday, May 11, 2026 4:34 PM > *To:* [email protected] > *Cc:* Devine, Harry (FAA) <[email protected]>; Weston Thayer < > [email protected]> > *Subject:* Re: Issue with VNC in 1.6.0 > > > > *CAUTION:* This email originated from outside of the Federal Aviation > Administration (FAA). Do not click on links or open attachments unless you > recognize the sender and know the content is safe. > > > > Harry, > > What VNC servers are you having issues connecting to? Apologies if you > already mentioned it, but I didn't see it in the e-mails. I'll try to see > if I can reproduce the issue... > > > > -Nick > > > > On Mon, May 11, 2026 at 3:00 PM Weston Thayer via user < > [email protected]> wrote: > > I’m loathe to toss out AI responses, but it did suggest checking the > password length. Thought 8 was the max but some clients had lax standards > allowing longer, perhaps that is more enforced. > > > > On Mon, May 11, 2026 at 11:54 AM Devine, Harry (FAA) <[email protected]> > wrote: > > I installed libwebsockets-devel, recompiled, and reinstalled the guacd > server (via make install). Restarted everything and it didn’t make a > difference. The clients are using TigerVNC and everything was working on > 1.5.5. Now it seems as though something on that client end is no longer > compatible with 1.6, but I can figure out what it is just yet. The > password is the same as is has been, and the Guac VNC connection doesn’t > have any options for setting security that I can see. > > > > If you can think of anything else, please reach out. I’m grateful for > your help! > > > > Thanks, > > Harry > > > > > > [image: Image] > > Harry Devine > > Secure-OSE System Administrator > > U.S. Department of Transportation > > FAA/AJM-2432 > > (609) 485-4218 (Office) > > (609) 612-7274 (FAA Cell) > > [email protected] <[email protected]> > > > > *William J Hughes Technical Center* > > *Building 300 3rd Floor Column L20* > > *Atlantic City NJ 08405* > > > > > > *From:* Weston Thayer <[email protected]> > *Sent:* Monday, May 11, 2026 2:49 PM > *To:* Devine, Harry (FAA) <[email protected]> > *Cc:* [email protected] > *Subject:* Re: Issue with VNC in 1.6.0 > > > > *CAUTION:* This email originated from outside of the Federal Aviation > Administration (FAA). Do not click on links or open attachments unless you > recognize the sender and know the content is safe. > > > > IIRC Guacamole can work without WebSockets, but I’ve never used that > feature. Is > > guacamole/websocket-tunnel not logged for all connections for you > (successful or not)? It is for me, that’s where the web client hits to > start a connection. > > > > On Mon, May 11, 2026 at 11:40 AM Devine, Harry (FAA) <[email protected]> > wrote: > > Real quick: I see the following in the Tomcat local_access log when my > VNC connection fails: > > > > 127.0.0.1 - - [11/May/2026:14:35:36 -0400] "GET > /guacamole/websocket-tunnel?token=29F6C76BB08EA28198593B8AF33B99E9F5D040D1BB66AD408590570CA13FC740&GUAC_DATA_SOURCE=mysql&GUAC_ID=243&GUAC_TYPE=c&GUAC_WIDTH=1904&GUAC_HEIGHT=903&GUAC_DPI=96&GUAC_TIMEZONE=America%2FNew_York&GUAC_AUDIO=audio%2FL8&GUAC_AUDIO=audio%2FL16&GUAC_IMAGE=image%2Fjpeg&GUAC_IMAGE=image%2Fpng&GUAC_IMAGE=image%2Fwebp > HTTP/1.1" 404 781 > > > > It references websocket-tunnel. But when I built from source, I remember > that the ./configure specifically said that libwebsockets was not found: > > > > configure: WARNING: > > -------------------------------------------- > > Unable to find libwebsockets. > > Support for Kubernetes will be disabled. > > -------------------------------------------- > > > > We aren’t using Docker or Kubernetes, but is WebSockets required? Should > I look into installing libwebsockets-devel and recompiling from source? > Would that make a difference? > > > > Thanks, > > Harry > > > > > > > > > > [image: Image] > > Harry Devine > > Secure-OSE System Administrator > > U.S. Department of Transportation > > FAA/AJM-2432 > > (609) 485-4218 (Office) > > (609) 612-7274 (FAA Cell) > > [email protected] <[email protected]> > > > > *William J Hughes Technical Center* > > *Building 300 3rd Floor Column L20* > > *Atlantic City NJ 08405* > > > > > > *From:* Weston Thayer via user <[email protected]> > *Sent:* Monday, May 11, 2026 2:24 PM > *To:* Devine, Harry (FAA) <[email protected]> > *Cc:* [email protected]; Weston Thayer <[email protected]> > *Subject:* Re: Issue with VNC in 1.6.0 > > > > *CAUTION:* This email originated from outside of the Federal Aviation > Administration (FAA). Do not click on links or open attachments unless you > recognize the sender and know the content is safe. > > > > Maybe a red herring then, strange. Good luck! > > > > On Mon, May 11, 2026 at 11:22 AM Devine, Harry (FAA) <[email protected]> > wrote: > > The “too many security failures” has always been received since I’ve > upgraded. And my RHEL 9 OS doesn’t have any newer libvncserver available. > 0.9.3 is the latest version available from the RHEL9 repos as well as the > EPEL repository. Also, this is the same version that is installed on > several other servers that have 1.6.0 and successfully connect to VNC > connections on those systems. > > > > Thanks, > > Harry > > > > > > [image: Image] > > Harry Devine > > Secure-OSE System Administrator > > U.S. Department of Transportation > > FAA/AJM-2432 > > (609) 485-4218 (Office) > > (609) 612-7274 (FAA Cell) > > [email protected] <[email protected]> > > > > *William J Hughes Technical Center* > > *Building 300 3rd Floor Column L20* > > *Atlantic City NJ 08405* > > > > > > *From:* Weston Thayer <[email protected]> > *Sent:* Monday, May 11, 2026 2:20 PM > *To:* Devine, Harry (FAA) <[email protected]> > *Cc:* [email protected] > *Subject:* Re: Issue with VNC in 1.6.0 > > > > *CAUTION:* This email originated from outside of the Federal Aviation > Administration (FAA). Do not click on links or open attachments unless you > recognize the sender and know the content is safe. > > > > 0.9.13 is from 2020, I'd upgrade it then were I in your shoes (in a test > environment of course). > > > > Those don't look like the same errors as the log you shared originally, > it's "Security Scheme 0", not 2, and "Too many security failures" is new. > > > > On Mon, May 11, 2026 at 11:15 AM Devine, Harry (FAA) <[email protected]> > wrote: > > For one thing, we’re not using Docker. We compile Guacamole from source. > The VNC server package appears to be 0.9.13-11: > > > > [[email protected] ~]#rpm -qa |grep libvncserver > > libvncserver-0.9.13-11.el9.x86_64 > > libvncserver-devel-0.9.13-11.el9.x86_64 > > > > And that version exists on other Guacamole servers that we support, and > those also use VNC connections, and those all work without incident. But > this server continuously fails VNC. I was able to remove some of the old > packages that were installed via rpmfusion-free-el8 before the OS and Guac > 1.6 upgrade: > > > > rpm -e --nosignature opencore-amr > > rpm -e --nosignature vo-amrwbenc > > rpm -e --nosignature x264-xlibs x265-xlibs > > rpm -e --nosignature x264-libs x265-libs > > Then could reinstall the ffmpeg-devel package: > > dnf install ffmpeg-devel > > Then I recompiled the guacamole-server 1.6 code from source and > reinstalled: > > ./configure –with-init-dir=/etc/init.d > > make > > make install > > I restarted Guacamole and Tomcat: > > /etc/init.d/guacd stop > > /etc/init.d/guacd start > > Systemctl restart tomcat > > And I get the same errors when trying to connect to a VNC connection: > > May 11 14:13:32 tfdm-access guacd[1651]: Creating new client for protocol > "vnc" > > May 11 14:13:32 tfdm-access guacd[1651]: Connection ID is > "$9fb8fa82-153e-48a3-857c-34cd4facbbf3" > > May 11 14:13:32 tfdm-access guacd[4048]: Cursor rendering: local > > May 11 14:13:32 tfdm-access guacd[4048]: The libvncclient library does not > support remote resize. > > May 11 14:13:32 tfdm-access guacd[4048]: User > "@135aab56-f600-4fbb-84a0-a6cc8eee4cca" joined connection > "$9fb8fa82-153e-48a3-857c-34cd4facbbf3" (1 users now present) > > May 11 14:13:32 tfdm-access guacd[4048]: VNC server supports protocol > version 3.3 (viewer 3.8) > > May 11 14:13:32 tfdm-access guacd[4048]: Selected Security Scheme 0 > > *May 11 14:13:32 tfdm-access guacd[4048]: VNC connection failed: Too many > security failures* > > *May 11 14:13:32 tfdm-access guacd[4048]: Unable to connect to VNC server.* > > May 11 14:13:33 tfdm-access guacd[4048]: User > "@135aab56-f600-4fbb-84a0-a6cc8eee4cca" disconnected (0 users remain) > > May 11 14:13:33 tfdm-access guacd[4048]: Last user of connection > "$9fb8fa82-153e-48a3-857c-34cd4facbbf3" disconnected > > > > Thanks, > > Harry > > > > [image: Image] > > Harry Devine > > Secure-OSE System Administrator > > U.S. Department of Transportation > > FAA/AJM-2432 > > (609) 485-4218 (Office) > > (609) 612-7274 (FAA Cell) > > [email protected] <[email protected]> > > > > *William J Hughes Technical Center* > > *Building 300 3rd Floor Column L20* > > *Atlantic City NJ 08405* > > > > > > *From:* Weston Thayer <[email protected]> > *Sent:* Monday, May 11, 2026 1:57 PM > *To:* Devine, Harry (FAA) <[email protected]> > *Cc:* [email protected] > *Subject:* Re: Issue with VNC in 1.6.0 > > > > *CAUTION:* This email originated from outside of the Federal Aviation > Administration (FAA). Do not click on links or open attachments unless you > recognize the sender and know the content is safe. > > > > Based on guacd’s Dockerfile, I think it will grab whatever release of > libvncclient that happens to be latest is > > https://github.com/LibVNC/libvncserver/tags > > > > Since that last one was 2024, that’s probably what you’re using but you > could query your guacd server. > > > > Was whatever Guacamole version you were on before released before Dec. > 2024? If so seems possible you were using libvnc 0.9.14 (released in 2022). > You could try downgrading to it. > > > > On Mon, May 11, 2026 at 9:38 AM Devine, Harry (FAA) <[email protected]> > wrote: > > I installed the TigerVNC client and connected to one of the VNC servers > successfully. Trying to connect with Guacamole 1.6.0 fails immediately. > > > > Thanks, > > Harry > > > > > > [image: Image] > > Harry Devine > > Secure-OSE System Administrator > > U.S. Department of Transportation > > FAA/AJM-2432 > > (609) 485-4218 (Office) > > (609) 612-7274 (FAA Cell) > > [email protected] <[email protected]> > > > > *William J Hughes Technical Center* > > *Building 300 3rd Floor Column L20* > > *Atlantic City NJ 08405* > > > > > > *From:* Weston Thayer via user <[email protected]> > *Sent:* Monday, May 11, 2026 12:30 PM > *To:* [email protected] > *Cc:* Weston Thayer <[email protected]> > *Subject:* Re: Issue with VNC in 1.6.0 > > > > *CAUTION:* This email originated from outside of the Federal Aviation > Administration (FAA). Do not click on links or open attachments unless you > recognize the sender and know the content is safe. > > > > Hi Harry, > > > > Guacamole uses libvncclient, 1.6.0 probably brought along an upgrade of > that underlying library, so I think that underlying change is a reasonable > hypothesis. > > Your logs show "Security Type 2 and Scheme 2", which gives important info > on the VNC server. My approach would be to try and connect to the server > with a different VNC client than Guacamole as a way to narrow it down. Also > understand what VNC server software and version is on the problematic > server. Upgrading it might be an easy fix, or switching to a different VNC > auth type. > > > > On Mon, May 11, 2026 at 8:28 AM Devine, Harry (FAA) via user < > [email protected]> wrote: > > Does ANYONE have any ideas on this? I have a few dozen users that can no > longer access any of their VNC connections, and they’re all looking to me > to tell them why. And I can’t find anything. I’m really stuck and could > use some help. > > > > Thanks, > > Harry > > > > > > [image: Image] > > Harry Devine > > Secure-OSE System Administrator > > U.S. Department of Transportation > > FAA/AJM-2432 > > (609) 485-4218 (Office) > > (609) 612-7274 (FAA Cell) > > [email protected] <[email protected]> > > > > *William J Hughes Technical Center* > > *Building 300 3rd Floor Column L20* > > *Atlantic City NJ 08405* > > > > > > *From:* Devine, Harry (FAA) via user <[email protected]> > *Sent:* Friday, May 8, 2026 10:26 AM > *To:* user <[email protected]> > *Cc:* Devine, Harry (FAA) <[email protected]> > *Subject:* Issue with VNC in 1.6.0 > > > > *CAUTION:* This email originated from outside of the Federal Aviation > Administration (FAA). Do not click on links or open attachments unless you > recognize the sender and know the content is safe. > > > > We upgraded one of our Guacamole servers to 1.6.0 this morning. We’ve > done this to a half-dozen or so previously, so I know it works. But on > this server, the users can now no longer connect to any VNC connections, > and I can’t seem to find what changed. I’ve asked them to verify that the > password for VNC on the connection side is still valid, but they haven’t > checked yet. I thought I’d put an excerpt from the log to see if anyone > has any ideas on where to look for answers. > > > > Thanks, > > Harry > > > > May 8 10:12:33 tfdm-access guacd[78029]: Creating new client for protocol > "vnc" > > May 8 10:12:33 tfdm-access guacd[78029]: Connection ID is > "$40b21c0e-7b73-48b5-88c9-040043ffe7fd" > > May 8 10:12:33 tfdm-access guacd[78486]: Cursor rendering: local > > May 8 10:12:33 tfdm-access guacd[78486]: The libvncclient library does > not support remote resize. > > May 8 10:12:33 tfdm-access guacd[78486]: User > "@e1e7896f-fe81-4967-8fd9-9447460e831a" joined connection > "$40b21c0e-7b73-48b5-88c9-040043ffe7fd" (1 users now present) > > May 8 10:12:33 tfdm-access server[78114]: 10:12:33.494 > [http-nio-8080-exec-1] INFO o.a.g.tunnel.TunnelRequestService - User > "harry.devine" connected to connection "361". > > May 8 10:12:33 tfdm-access server[78114]: 10:12:33.495 > [http-nio-8080-exec-1] INFO o.a.g.t.h.RestrictedGuacamoleHTTPTunnelServlet > - Using HTTP tunnel (not WebSocket). Performance may be sub-optimal. > > May 8 10:12:33 tfdm-access guacd[78486]: VNC server supports protocol > version 3.8 (viewer 3.8) > > May 8 10:12:33 tfdm-access guacd[78486]: We have 1 security types to read > > May 8 10:12:33 tfdm-access guacd[78486]: 0) Received security type 2 > > May 8 10:12:33 tfdm-access guacd[78486]: Selecting security type 2 (0/1 > in the list) > > May 8 10:12:33 tfdm-access guacd[78486]: Selected Security Scheme 2 > > May 8 10:12:33 tfdm-access guacd[78486]: VNC connection failed: > Authentication failure > > May 8 10:12:33 tfdm-access guacd[78486]: Unable to connect to VNC server. > > May 8 10:12:33 tfdm-access guacd[78486]: User > "@e1e7896f-fe81-4967-8fd9-9447460e831a" disconnected (0 users remain) > > May 8 10:12:33 tfdm-access guacd[78486]: Last user of connection > "$40b21c0e-7b73-48b5-88c9-040043ffe7fd" disconnected > > May 8 10:12:33 tfdm-access guacd[78029]: Connection > "$40b21c0e-7b73-48b5-88c9-040043ffe7fd" removed. > > > > > > [image: Image] > > Harry Devine > > Secure-OSE System Administrator > > U.S. Department of Transportation > > FAA/AJM-2432 > > (609) 485-4218 (Office) > > (609) 612-7274 (FAA Cell) > > [email protected] <[email protected]> > > > > *William J Hughes Technical Center* > > *Building 300 3rd Floor Column L20* > > *Atlantic City NJ 08405* > > > > > >
