On 9/25/2023 3:28 AM, Christopher Johnson wrote:
Hi,
I wonder if someone can help?
Since upgrading the Active Directory forest/domain to functional level
2016, if a user resides in the “Protected Users” group in Active
Directory we are unable to RDP to Windows machines from Guacamole. We
can RDP from Guacamole using a user who is not a member of the
“Protected Users” group OK and even taking the user out of the group
then trying the RDP connection works. Also RDP’ing to the same server
using the Microsoft Windows RDP client works OK for users in the
“Protected Users” group.
The problem sounds very similar to this issue that was raised but there
didn’t appear to be a resolution.
[GUACAMOLE-1426] Can't open RDP with user in "Protected Users" group -
ASF JIRA (apache.org)

Yes, this sounds like the problem you are encountering.
My understanding is that this is rooted in FreeRDP's implementation of
NLA, which currently only supports the NTLM variant. Until FreeRDP
implements the Kerberos variant of NLA, Windows servers will reject
authentication attempts for users within the "Protected Users" group
when made from applications using FreeRDP, including Guacamole.
It's likely this will change in a future FreeRDP release. I'm not sure
what the status of Kerberos+NLA is there, nor whether additional flags
will need to be set within the Guacamole code once that support lands.
- Mike