From: Mike Jumper [mailto:[email protected]] 
Sent: Tuesday, May 31, 2016 19:00
To: [email protected]
Subject: Re: guacd won't connect to RDP server using NLA and UPN

On Mon, May 30, 2016 at 11:07 PM, James Johnston 
<[email protected]> wrote:

Hi,

I'm trying to connect to an RDP server that is set up with both TLS and NLA.  I
want the RDP connection to take place using the username of the guacamole user
who has logged in.  (guacamole has been linked with LDAP.)  Unfortunately, this
doesn't work: the RDP server disconnects the client immediately (according to
the guacamole web GUI).  docker logs guacd merely reports:

    guacd[41]: ERROR:       Error connecting to RDP server
    guacd[41]: INFO:        Connection did not succeed

My connection username is set to ${GUAC_USERNAME}.  Password is set to
${GUAC_PASSWORD}.  Domain box is left blank, security mode set to NLA, and
Ignore server certificate has been checked to work around the issue in my last
e-mail.  Everything is left at defaults.

Have you tried specifying the domain? (And only specifying the username for the 
username, not username@domain)

[James] Yes, see below. 

Guacamole is integrated with Active Directory using LDAP, with a PostgreSQL
back-end for configuration.  I set up docker to use the userPrincipalName LDAP
attribute for usernames.  So e.g. I login to guacamole as "[email protected]".

I'm not sure if the RDP server will happily accept the full user@domain as the 
username. If this works with other RDP clients, it may be that those clients 
are parsing out the user and domain, and still pass them to the RDP server 
separately.

[James] Well, I did only test on Windows 7 Remote Desktop client.  This client 
was not joined to the domain, and so connected with NTLM.  But, the UPN I used 
is an alternate UPN suffix that’s not the same as the AD domain name or the 
forest name.  Yet, this still worked.  So I’m thinking it must have sent the 
actual UPN over the wire in one way or another, instead of parsing it into 
something else.

I usually see users configuring Guacamole + Active Directory by:

1) Providing a search DN and password within guacamole.properties

2) Using "sAMAccountName" as the username attribute

3) Specifying the domain explicitly

4) Using "${GUAC_USERNAME}" for the username in the connection parameters

[James] This is what I wound up doing, and it seems to work.  I initially shied 
away from this because that attribute has a 20 char limit and exists only for 
backwards compatibility.
(https://msdn.microsoft.com/en-us/library/ms677605(v=vs.85).aspx#sAMAccountName 
).  For users with multiple domains, that setup wouldn’t work so well (but then 
again, I guess only one instance of LDAP plug-in can be loaded == only one 
domain supported per Guacamole instance).

I also found I had to do this in order to support logging in to Linux machines 
that were joined to AD via winbind – in that case you HAVE to log in with 
DOMAIN\username format – so I needed to be able to do “DOMAIN\${GUAC_USERNAME}”.

This will work for now, until maybe someday if Guacamole supports true single 
sign on with SPNEGO/Kerberos. (i.e. HTTP SPNEGO authentication from web 
browser, pass Kerberos ticket on to RDP or SSH host.) 

Note that I am using latest docker images for both guacd and guacamole.

I have verified that logging in with the regular Microsoft Remote Desktop client
using the UPN works.  So that's not the problem...  On the other hand, if I
manually type the UPN into the username box instead of using ${GUAC_USERNAME},
it still doesn't work.

By "the username box", are you referring to Windows' own username/password 
prompt when you're logging in, or are you referring to the connection 
parameters within Guacamole?

[James] Sorry, to clarify: I meant the Guacamole connection parameters box: 
manually typing in a UPN into username box in Guacamole connection parameters 
doesn’t work.  But typing same UPN into Windows 7 Remote Desktop client worked.

Thanks,

- Mike
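As an added illustration (not taken from this thread or from the Guacamole project's own documentation), this is how the four-step setup Mike describes, plus the DOMAIN\ variant James needed for winbind-joined hosts, maps onto guacamole.properties keys and RDP connection parameters. The host names, DNs, domain name and the password placeholder are constructed values.

```properties
# --- guacamole.properties (guacamole-auth-ldap extension) ---
ldap-hostname: ldap.example.internal
ldap-port: 389
# 1) A dedicated, low-privilege account that performs the directory search
ldap-search-bind-dn: CN=guac-svc,OU=Service Accounts,DC=example,DC=internal
ldap-search-bind-password: <REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD>
ldap-user-base-dn: OU=Users,DC=example,DC=internal
# 2) Match users on sAMAccountName (the bare DOMAIN\user name) rather than
#    userPrincipalName, so ${GUAC_USERNAME} expands to just the user part
ldap-username-attribute: sAMAccountName

# --- RDP connection parameters (the web GUI fields, written as name=value) ---
hostname=rdp-host.example.internal
security=nla
# 3) Domain supplied separately: guacd hands user and domain to NLA as distinct
#    fields instead of trying to push a UPN through as the user name
domain=EXAMPLE
# 4) Forward the Guacamole login as-is
username=${GUAC_USERNAME}
password=${GUAC_PASSWORD}
# The workaround from the thread: disables TLS server-certificate validation.
# Installing a certificate the guacd host trusts removes the need for it.
ignore-cert=true

# Connection to a winbind-joined Linux host (James's case): the domain has to be
# embedded in the user name itself, so it goes in the username field instead
# username=EXAMPLE\${GUAC_USERNAME}
```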
