Hi Nick,
Thanks for your reply. We’ll try setting our Guacamole up with TLS and see if this makes a difference with NLA disabled on the endpoint. I’ll be back with the result 😊

On Wed, 3 Jul 2024 at 13:03, Nick Couchman <vn...@apache.org> wrote:

> On Wed, Jul 3, 2024 at 6:40 AM Jacob Buus <jacobb...@gmail.com> wrote:
>
>> Hi guys,
>>
>> I'm using Guacamole for a project and it works perfectly for both RDP, VNC and SSH.
>> However - I have some issues getting it to work when I attempt to RDP into a server using an Entra ID user. I understand that this is caused by the NLA negotiation between the client and my server as RDP won't natively let me connect using Entra ID credentials either.
>>
>> I've read the following guide, which allows me to successfully connect to my server using Entra ID credentials via the ordinary Remote Desktop Connection program: How to RDP Into Azure AD-Joined VM Using AAD Credentials - Rublon
>> <https://rublon.com/blog/how-to-rdp-into-azure-ad-joined-vm/>
>> However, this method required that you set a few custom properties in the rdp file:
>>
>> - prompt for credentials:i:0
>> - authentication level:i:2
>> - enablecredsspsupport:i:0
>>
>> My question is: how do I add these custom properties when connecting via Guacamole?
>> I'm using a custom setup with guacd and not the Guacamole website, so I'm looking for what to feed into guacd in order to make this work.
>>
>
> Well, based on these settings, it looks like you are:
> * Telling it not to prompt for credentials.
> * Disabling server authentication (not sure if this equates to NLA or not), which I don't think Guacamole implements, anyway.
> * Disabling Kerberos support, which Guacamole doesn't actually support at the moment.
>
> I'm not sure you can add any of those options to Guacamole, but I'm not sure it matters, as the only one of them that Guacamole actually currently supports is prompting for credentials.
>
>> Also - are there any workarounds to getting this to work without needing to disable NLA? (I'm guessing "no", but better safe than sorry)
>>
>
> I'm not sure, but I've heard rumors that Microsoft is actually dropping NLA in favor of TLS and/or Kerberos, so this actually may not be as bad as you think. You may want to just try changing the security level of the connection in Guacamole from NLA to TLS and see if that works?
>
> If it isn't working, I'd suggest starting guacd with debug or trace logging, and seeing what errors you get when you try to start that RDP connection. This might help us figure out if it's just a setting or something additional that needs to be implemented in Guacamole to get these connections working.
>
> It's also worth noting that Guacamole almost certainly will not support any sort of seamless Entra ID login - that is, you won't be able to log in to Guacamole with Entra ID SSO (either SAML or OpenID) and then RDP to the server without entering your password, again - there's currently no pass-through mechanism for that authentication process.
>
> -Nick
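As an added example (not code from the thread or from the Guacamole project), here is what a custom client feeds guacd to select RDP with the `security` parameter set to `tls`, the change Nick suggests: the Guacamole protocol framing, and a `connect` reply whose values follow the order of guacd's `args` list. The host and user values are constructed, and the `args` reply is a constructed subset of what guacd actually sends.

```python
def encode(opcode, *args):
    """Encode one Guacamole instruction: "<len>.<value>" elements joined by ','
    and terminated by ';', e.g. encode("select", "rdp") -> "6.select,3.rdp;"."""
    return ",".join(f"{len(e)}.{e}" for e in (opcode, *args)) + ";"

def decode(raw):
    """Decode one instruction into its elements (inverse of encode)."""
    if not raw.endswith(";"):
        raise ValueError("incomplete instruction")
    body, elems, i = raw[:-1], [], 0
    while i < len(body):
        dot = body.index(".", i)
        n = int(body[i:dot])
        elems.append(body[dot + 1:dot + 1 + n])
        i = dot + 1 + n
        if i < len(body):
            if body[i] != ",":
                raise ValueError(f"expected ',' at offset {i}")
            i += 1
    return elems

def build_connect(args_reply, params, client_version="VERSION_1_1_0"):
    """Answer guacd's 'args' list with a 'connect' whose values follow guacd's
    order; unset names get "", the leading VERSION_ slot (guacd 1.1.0+) gets
    the client's protocol version."""
    names = decode(args_reply)
    if names[0] != "args":
        raise ValueError(f"expected args, got {names[0]}")
    values = [client_version if n.startswith("VERSION_") else params.get(n, "")
              for n in names[1:]]
    return encode("connect", *values)

# TLS-level security instead of NLA, as suggested in the thread. Valid values of
# the Guacamole 'security' parameter: any, nla, nla-ext, tls, rdp, vmconnect.
RDP_PARAMS = {
    "hostname": "rdp-host.example.internal",  # constructed
    "port": "3389",
    "username": "alice",                      # constructed
    "password": "<from-secret-store>",        # placeholder, never hard-code
    "security": "tls",
}
# Constructed subset of guacd's real 'args' reply to "6.select,3.rdp;".
SAMPLE_ARGS = encode("args", "VERSION_1_5_0", "hostname", "port", "domain",
                     "username", "password", "security", "ignore-cert")

def handshake_messages(params=RDP_PARAMS, args_reply=SAMPLE_ARGS):
    """Client-side instructions in the order guacd expects them."""
    return [encode("select", "rdp"), encode("size", "1024", "768", "96"),
            encode("audio"), encode("video"), encode("image", "image/png"),
            build_connect(args_reply, params)]
```

In a real session each instruction is written to the guacd socket in that order, with the `args` instruction read back from guacd after `select` and passed to `build_connect`.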