On Wed, Jul 3, 2024 at 6:40 AM Jacob Buus <jacobb...@gmail.com> wrote:

> Hi guys,
>
> I'm using Guacamole for a project and it works perfectly for RDP, VNC
> and SSH.
> However - I have some issues getting it to work when I attempt to RDP into
> a server using an Entra ID user. I understand that this is caused by the
> NLA negotiation between the client and my server as RDP won't natively let
> me connect using Entra ID credentials either.
>
> I've read the following guide, which allows me to successfully connect to
> my server using Entra ID credentials via the ordinary Remote Desktop
> Connection program: How to RDP Into Azure AD-Joined VM Using AAD
> Credentials - Rublon
> <https://rublon.com/blog/how-to-rdp-into-azure-ad-joined-vm/>
> However, this method required that you set a few custom properties in the
> rdp file:
>
>    - prompt for credentials:i:0
>    - authentication level:i:2
>    - enablecredsspsupport:i:0
>
> My question is: how do I add these custom properties when connecting via
> Guacamole?
> I'm using a custom setup with guacd and not the Guacamole website, so I'm
> looking for what to feed into guacd in order to make this work.
>
>
Well, based on these settings, it looks like you are:
* Telling it not to prompt for credentials.
* Disabling server authentication (not sure if this equates to NLA or not),
which I don't think Guacamole implements, anyway.
* Disabling Kerberos support, which Guacamole doesn't actually support at
the moment.

I'm not sure you can add any of those options to Guacamole, but I'm not
sure it matters, as the only one of them that Guacamole actually currently
supports is prompting for credentials.


> Also - are there any workarounds to getting this to work without needing
> to disable NLA? (I'm guessing "no", but better safe than sorry)
>
>
I'm not sure, but I've heard rumors that Microsoft is actually dropping NLA
in favor of TLS and/or Kerberos, so this actually may not be as bad as you
think. You may want to just try changing the security level of the
connection in Guacamole from NLA to TLS and see if that works?

If it isn't working, I'd suggest starting guacd with debug or trace
logging, and seeing what errors you get when you try to start that RDP
connection. This might help us figure out if it's just a setting or
something additional that needs to be implemented in Guacamole to get these
connections working.

It's also worth noting that Guacamole almost certainly will not support any
sort of seamless Entra ID login - that is, you won't be able to log in to
Guacamole with Entra ID SSO (either SAML or OpenID) and then RDP to the
server without entering your password, again - there's currently no
pass-through mechanism for that authentication process.

-Nick
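What "feeding this into guacd" looks like at the protocol level, as an added example that is not code from this thread or from the Guacamole project: the Guacamole protocol frames every instruction as comma-separated `length.value` elements ending in `;`, and a client starts an RDP session by sending `select`, reading the server's `args` list of parameter names, and answering with `connect` carrying the values in the same order. The parameter names used here (hostname, port, username, password, security, ignore-cert) and the `security` value `tls` are Guacamole's own RDP settings; the host, the credentials and the server replies are constructed for the example.

```python
# Added example, not code from the thread or the Guacamole project.
# Encodes and decodes Guacamole protocol instructions and builds the
# client side of the guacd handshake for an RDP connection that uses
# "security": "tls" instead of "nla", as suggested in the reply above.
#   client: select            -> server: args (parameter names)
#   client: size/audio/video/image, then connect (values in args order)
#   server: ready,<connection-id>
# Host, credentials and the simulated server replies are constructed.

def encode_instruction(opcode: str, *args: str) -> str:
    """Encode one instruction; lengths count Unicode characters, not bytes."""
    return ",".join(f"{len(e)}.{e}" for e in (opcode, *args)) + ";"


def decode_instruction(raw: str) -> tuple[str, list[str]]:
    """Decode one instruction into (opcode, args), checking the framing."""
    elements: list[str] = []
    pos = 0
    while True:
        dot = raw.index(".", pos)
        length = int(raw[pos:dot])
        start = dot + 1
        end = start + length
        if end >= len(raw):
            raise ValueError("truncated instruction")
        elements.append(raw[start:end])
        sep = raw[end]
        pos = end + 1
        if sep == ";":
            break
        if sep != ",":
            raise ValueError(f"bad separator {sep!r} at offset {end}")
    return elements[0], elements[1:]


def build_connect(args_reply: str, params: dict[str, str]) -> str:
    """Answer the server's 'args' instruction with a 'connect' whose values
    sit in exactly the order the server listed its parameter names.
    The leading VERSION_* element is echoed back as the client's protocol
    version; parameters we do not set are sent as empty strings."""
    opcode, names = decode_instruction(args_reply)
    if opcode != "args":
        raise ValueError(f"expected args, got {opcode}")
    values = [n if n.startswith("VERSION_") else params.get(n, "") for n in names]
    return encode_instruction("connect", *values)


def client_handshake(args_reply: str, params: dict[str, str]) -> list[str]:
    """Every instruction the client sends, in order, to open one RDP session."""
    return [
        encode_instruction("select", "rdp"),          # sent before args arrives
        encode_instruction("size", "1024", "768", "96"),  # width, height, DPI
        encode_instruction("audio", "audio/L16"),
        encode_instruction("video"),
        encode_instruction("image", "image/png", "image/jpeg"),
        build_connect(args_reply, params),
    ]


def connection_id(ready_reply: str) -> str:
    """Extract the connection id from guacd's 'ready' instruction."""
    opcode, args = decode_instruction(ready_reply)
    if opcode != "ready" or not args:
        raise ValueError("connection not ready: " + ready_reply)
    return args[0]


# Constructed stand-in for guacd's reply to "select": its parameter list.
SAMPLE_ARGS = encode_instruction(
    "args", "VERSION_1_5_0", "hostname", "port", "username", "password",
    "security", "ignore-cert")

# The change suggested in the reply: security level TLS rather than NLA.
# All values are constructed placeholders.
TLS_PARAMS = {
    "hostname": "vm.example.invalid",
    "port": "3389",
    "username": "user@contoso.example",   # constructed UPN-style user name
    "password": "placeholder-password",
    "security": "tls",                     # instead of "nla"
    "ignore-cert": "true",  # skips RDP certificate checks; prefer a trusted cert
}

if __name__ == "__main__":
    for line in client_handshake(SAMPLE_ARGS, TLS_PARAMS):
        print(line)
    print(connection_id(encode_instruction("ready", "constructed-id")))
```

Sending these instructions to a guacd socket, then reading its reply, is the whole of "what to feed into guacd"; the debugging step in the reply corresponds to starting the daemon with `guacd -L debug` (or `-L trace`) so the RDP negotiation errors appear in its log rather than only as a dropped connection. Setting `ignore-cert` to `true` removes server certificate verification and is only reasonable while diagnosing the TLS handshake against a known host.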