Hi Nick/Mike, Thanks for your responses!
I didn't think that this would be straightforward, haha. I've pestered FreeRDP on an old issue that they have open for Kerberos+NLA, so I'll see what they say as well. Nick, I don't suppose you have any resources to hand that I could reference to give it a bash?

Cheers
Chris

On Mon, Sep 25, 2023 at 5:44 PM Nick Couchman <[email protected]> wrote:
> On Mon, Sep 25, 2023 at 12:39 PM Michael Jumper <[email protected]> wrote:
>
>> On 9/25/2023 3:28 AM, Christopher Johnson wrote:
>> > Hi,
>> >
>> > I wonder if someone can help?
>> >
>> > Since upgrading the Active Directory forest/domain to functional level 2016, if a user resides in the “Protected Users” group in Active Directory we are unable to RDP to Windows machines from Guacamole. We can RDP from Guacamole using a user who is not a member of the “Protected Users” group OK, and even taking the user out of the group and then trying the RDP connection works. Also, RDP’ing to the same server using the Microsoft Windows RDP client works OK for users in the “Protected Users” group.
>> >
>> > The problem sounds very similar to this issue that was raised, but there didn’t appear to be a resolution:
>> > [GUACAMOLE-1426] Can't open RDP with user in "Protected Users" group - ASF JIRA (apache.org)
>> >
>>
>> Yes, this sounds like the problem you are encountering.
>>
>> My understanding is that this is rooted in FreeRDP's implementation of NLA, which currently only supports the NTLM variant. Until FreeRDP implements the Kerberos variant of NLA, Windows servers will reject authentication attempts for users within the "Protected Users" group when made from applications using FreeRDP, including Guacamole.
>>
>> It's likely this will change in a future FreeRDP release. I'm not sure what the status of Kerberos+NLA is there, nor whether additional flags will need to be set within the Guacamole code once that support lands.
>>
>
> It's been a while since I tried it, but I _think_ I successfully used xfreerdp + Kerberos + NLA once upon a time, which I suspect will work with the Protected Users group.
>
> Getting Guacamole to work with this may be a bit more work - I'm sure it's doable, but I would imagine that a Kerberos-tied NLA will require setting up domain membership for the system running Guacamole, and then managing keytab and/or credential cache files for users attempting to log in from Guacamole via Kerberos + NLA. And maybe a little black magic :-).
>
> -Nick
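Nick's suggestion above (a keytab or credential cache on the host running Guacamole, then NLA via Kerberos rather than NTLM) can be tried with xfreerdp alone before any Guacamole changes. The script below is an added example written for this thread; it is not code from the thread, from Guacamole or from FreeRDP. It assumes MIT krb5 (kinit/klist) and an xfreerdp built with Kerberos support, and that xfreerdp's Kerberos backend honours KRB5CCNAME; the realm EXAMPLE.COM, user alice, keytab path and target host are hypothetical values. Whether the server then actually negotiates Kerberos instead of NTLM is exactly the open question in the thread, which is why the check authenticates only and exits.

```shell
#!/bin/sh
# Added example (not from the thread, Guacamole or FreeRDP): test the Kerberos
# path of NLA for a "Protected Users" account from the Linux host that runs
# guacd, using xfreerdp directly. Hypothetical values throughout: realm
# EXAMPLE.COM, user alice, keytab /etc/guacamole/alice.keytab, rdp.example.com.

# Build the xfreerdp argument list. /sec:nla forces CredSSP (NLA); /auth-only
# authenticates and exits without opening a session, giving a clean pass/fail
# for the credential path. A function so the string can be checked offline.
rdp_auth_args() {
  host=$1; user=$2; domain=$3
  printf '/v:%s /u:%s /d:%s /sec:nla /auth-only' "$host" "$user" "$domain"
}

# Obtain a TGT from a keytab into a private credential cache and verify it.
# KRB5CCNAME is read by the MIT krb5/GSSAPI library; that xfreerdp picks the
# cache up from there is an assumption of this example.
acquire_tgt() {
  principal=$1; keytab=$2
  export KRB5CCNAME="FILE:/tmp/krb5cc_guac_$$"
  kinit -k -t "$keytab" "$principal" || return 1
  klist -s || return 1   # -s: silent; exit status says whether a valid TGT exists
}

# Run the authentication-only test. Exit 0 means the server accepted the
# credentials. A Protected Users account that fails here while an unprotected
# account succeeds with the same command points at NTLM still being used.
kerberos_nla_check() {
  host=$1; user=$2; domain=$3; keytab=$4
  # Assumption: the Kerberos realm is the DNS domain in upper case.
  realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
  acquire_tgt "$user@$realm" "$keytab" || { echo "no TGT for $user@$realm" >&2; return 2; }
  # Word splitting of the argument string is intentional here.
  xfreerdp $(rdp_auth_args "$host" "$user" "$domain")
}

# Usage (hypothetical values; needs a reachable KDC and RDP host):
#   kerberos_nla_check rdp.example.com alice example.com /etc/guacamole/alice.keytab
```

Run it once with an account that is in Protected Users and once with one that is not; if only the second succeeds, the NTLM-only NLA path Mike describes is still what is being negotiated, and the Kerberos side (keytab, realm, KRB5CCNAME, xfreerdp build options) needs attention before wiring anything into Guacamole.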
