Posted to user@guacamole.apache.org by "Fertig, Brian" <br...@philips.com.INVALID> on 2021/02/21 03:21:34 UTC

Weird Windows 10 RDP issue

So got this issue..  I set up a Windows 10 host in Guac.  I have checked firewalls, settings, etc.  I can't make heads or tails.  This is in the GUACD log..

Feb 21 03:17:05 ip-172-31-6-188 tomcat9[111889]: 03:17:05.399 [http-nio-8080-exec-6] DEBUG o.a.g.net.InetGuacamoleSocket - Connecting to guacd at localhost:4822.
Feb 21 03:17:05 ip-172-31-6-188 guacd[115076]: Creating new client for protocol "rdp"
Feb 21 03:17:05 ip-172-31-6-188 guacd[115076]: Connection ID is "$1217b78c-d8f5-4826-a381-4cd1ebd85654"
Feb 21 03:17:05 ip-172-31-6-188 guacd[143235]: Security mode: Negotiate (ANY)
Feb 21 03:17:05 ip-172-31-6-188 guacd[143235]: Resize method: none
Feb 21 03:17:05 ip-172-31-6-188 guacd[143235]: User "@d45054ab-6557-45c8-bc93-b6d06a578993" joined connection "$1217b78c-d8f5-4826-a381-4cd1ebd85654" (1 users now present)
Feb 21 03:17:05 ip-172-31-6-188 guacd[143235]: Loading keymap "base"
Feb 21 03:17:05 ip-172-31-6-188 guacd[143235]: Loading keymap "en-us-qwerty"
Feb 21 03:17:20 ip-172-31-6-188 guacd[143235]: RDP server closed/refused connection: Connection failed (server unreachable?)
Feb 21 03:17:20 ip-172-31-6-188 guacd[143235]: User "@d45054ab-6557-45c8-bc93-b6d06a578993" disconnected (0 users remain)
Feb 21 03:17:20 ip-172-31-6-188 guacd[143235]: Last user of connection "$1217b78c-d8f5-4826-a381-4cd1ebd85654" disconnected
Feb 21 03:17:20 ip-172-31-6-188 guacd[115076]: Connection "$1217b78c-d8f5-4826-a381-4cd1ebd85654" removed.

On the Windows host I get this error:
A fatal error occurred while creating a TLS client credential. The internal error state is 10011.

So I know what the SCHANNEL error is.  I have dealt with it quite a bit.  HOWEVER I don't have the foggiest idea how to fix it with Guac.  What Crypto should I be using?  This is the latest and greatest Windows 10.

Now I have said to not use SSL/Crypto in the guac settings.  I have also disabled NLA and enabled the security setting in the registry.  Any insights would be awesome!

-----8< -----------------
Brian Fertig
MATC Tools Solutions Architect
Services & Solutions Delivery Operations
Philips North America


________________________________
The information contained in this message may be confidential and legally protected under applicable law. The message is intended solely for the addressee(s). If you are not the intended recipient, you are hereby notified that any use, forwarding, dissemination, or reproduction of this message is strictly prohibited and may be unlawful. If you are not the intended recipient, please contact the sender by return e-mail and destroy all copies of the original message.

Re: Weird Windows 10 RDP issue

Posted by "Fertig, Brian" <br...@philips.com.INVALID>.
I changed it to RDP. I will remove the NLA settings from the registry and see what happens.  But I honestly never get that far in guac.

Brian

________________________________
From: Mike Jumper <mi...@glyptodon.com>
Sent: Monday, February 22, 2021 8:54:19 PM
To: user@guacamole.apache.org <us...@guacamole.apache.org>
Subject: Re: Weird Windows 10 RDP issue

Caution: This e-mail originated from outside of Philips, be careful for phishing.

On Mon, Feb 22, 2021 at 2:29 PM Fertig, Brian <br...@philips.com.invalid> wrote:

Mike,

Thanks for the reply this is literally it.  I have a bunch of Windows servers but no Windows 10.  This is my first.  I think it's something in Windows but I can't put my finger on it..  I did make the registry changes for NLA and such but no dice..

You should not need to make any registry changes with respect to NLA. It's an important security feature of RDP which Guacamole supports. If you see a recommendation to disable NLA through registry settings, I recommend dismissing it out of hand unless you (independently of Guacamole) simply do not want NLA to be used.

The only case where disabling NLA would be desirable is if you want Windows to present a graphical login screen of its own.


[inline image]


What do you see in your guacd logs from this? Your previous logs note security mode "any" (the default), which does not match the above.

Michael Jumper
CEO, Lead Developer
Glyptodon Inc <https://enterprise.glyptodon.com/>.


Re: Weird Windows 10 RDP issue

Posted by Mike Jumper <mi...@glyptodon.com>.
On Mon, Feb 22, 2021 at 2:29 PM Fertig, Brian
<br...@philips.com.invalid> wrote:

> Mike,
>
>
>
> Thanks for the reply this is literally it.  I have a bunch of Windows
> servers but no Windows 10.  This is my first.  I think it's something in
> Windows but I can't put my finger on it..  I did make the registry changes
> for NLA and such but no dice..
>

You should not need to make any registry changes with respect to NLA. It's
an important security feature of RDP which Guacamole supports. If you see a
recommendation to disable NLA through registry settings, I recommend
dismissing it out of hand unless you (independently of Guacamole) simply do
not want NLA to be used.

The only case where disabling NLA would be desirable is if you want Windows
to present a graphical login screen of its own.


>
What do you see in your guacd logs from this? Your previous logs note
security mode "any" (the default), which does not match the above.

Michael Jumper
CEO, Lead Developer
Glyptodon Inc <https://enterprise.glyptodon.com/>.
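The check Mike asks for above, reading the security mode guacd actually logged and comparing it with what was meant to be configured, can be scripted. This Python example is added here and is not part of the thread or of Guacamole; the `summarize` function, its `expected_mode` parameter and the word-match comparison are assumptions, and the sample lines are copied from the first message.

```python
import re
from datetime import datetime

# guacd lines copied from the first message in this thread.
SAMPLE_LOG = '''\
Feb 21 03:17:05 ip-172-31-6-188 guacd[115076]: Creating new client for protocol "rdp"
Feb 21 03:17:05 ip-172-31-6-188 guacd[143235]: Security mode: Negotiate (ANY)
Feb 21 03:17:05 ip-172-31-6-188 guacd[143235]: User "@d45054ab-6557-45c8-bc93-b6d06a578993" joined connection "$1217b78c-d8f5-4826-a381-4cd1ebd85654" (1 users now present)
Feb 21 03:17:20 ip-172-31-6-188 guacd[143235]: RDP server closed/refused connection: Connection failed (server unreachable?)
Feb 21 03:17:20 ip-172-31-6-188 guacd[115076]: Connection "$1217b78c-d8f5-4826-a381-4cd1ebd85654" removed.
'''

LINE_RE = re.compile(r'^(\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+guacd\[(\d+)\]:\s+(.*)$')
MODE_RE = re.compile(r'^Security mode: (.+)$')
JOIN_RE = re.compile(r'joined connection "(\$[0-9a-f-]+)"')
FAIL_RE = re.compile(r'^RDP server closed/refused connection: (.+)$')


def summarize(log_text, expected_mode, year=2021):
    """Summarize each guacd process that logged a security mode.

    expected_mode is the value the admin believes is configured (e.g. "rdp").
    syslog timestamps carry no year, so the caller supplies one.
    """
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a guacd line (tomcat output, blank lines)
        stamp, pid, msg = m.groups()
        when = datetime.strptime(f'{year} {stamp}', '%Y %b %d %H:%M:%S')
        s = sessions.setdefault(pid, {'pid': pid, 'first_seen': when, 'mode': None,
                                      'connection': None, 'failure': None,
                                      'seconds_to_failure': None})
        if (mode := MODE_RE.match(msg)):
            s['mode'] = mode.group(1)
        elif (join := JOIN_RE.search(msg)):
            s['connection'] = join.group(1)
        elif (fail := FAIL_RE.match(msg)):
            s['failure'] = fail.group(1)
            # Seconds from this process's first log line to the failure line.
            s['seconds_to_failure'] = int((when - s['first_seen']).total_seconds())
    out = []
    for s in sessions.values():
        if s['mode'] is None:
            continue  # process that logged no security mode (here pid 115076)
        # Assumption: the configured value appears as a word in the logged mode text.
        words = re.findall(r'[a-z]+', s['mode'].lower())
        s['mode_matches_expected'] = expected_mode.lower() in words
        out.append(s)
    return out


if __name__ == '__main__':
    for row in summarize(SAMPLE_LOG, expected_mode='rdp'):
        print(row)
```
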

RE: Weird Windows 10 RDP issue

Posted by "Fertig, Brian" <br...@philips.com.INVALID>.
Mike,

  Thanks for the reply this is literally it.  I have a bunch of Windows servers but no Windows 10.  This is my first.  I think it's something in Windows but I can't put my finger on it..  I did make the registry changes for NLA and such but no dice..

[inline image]

Brian

From: Mike Jumper <mi...@glyptodon.com>
Sent: Sunday, February 21, 2021 1:57 PM
To: user@guacamole.apache.org
Subject: Re: Weird Windows 10 RDP issue


On Sat, Feb 20, 2021 at 7:21 PM Fertig, Brian <br...@philips.com.invalid> wrote:
So got this issue..  I set up a Windows 10 host in Guac.  I have checked firewalls, settings, etc.  I can't make heads or tails.  This is in the GUACD log..

Feb 21 03:17:05 ip-172-31-6-188 tomcat9[111889]: 03:17:05.399 [http-nio-8080-exec-6] DEBUG o.a.g.net.InetGuacamoleSocket - Connecting to guacd at localhost:4822.
Feb 21 03:17:05 ip-172-31-6-188 guacd[115076]: Creating new client for protocol "rdp"
Feb 21 03:17:05 ip-172-31-6-188 guacd[115076]: Connection ID is "$1217b78c-d8f5-4826-a381-4cd1ebd85654"
Feb 21 03:17:05 ip-172-31-6-188 guacd[143235]: Security mode: Negotiate (ANY)
Feb 21 03:17:05 ip-172-31-6-188 guacd[143235]: Resize method: none
Feb 21 03:17:05 ip-172-31-6-188 guacd[143235]: User "@d45054ab-6557-45c8-bc93-b6d06a578993" joined connection "$1217b78c-d8f5-4826-a381-4cd1ebd85654" (1 users now present)
Feb 21 03:17:05 ip-172-31-6-188 guacd[143235]: Loading keymap "base"
Feb 21 03:17:05 ip-172-31-6-188 guacd[143235]: Loading keymap "en-us-qwerty"
Feb 21 03:17:20 ip-172-31-6-188 guacd[143235]: RDP server closed/refused connection: Connection failed (server unreachable?)
Feb 21 03:17:20 ip-172-31-6-188 guacd[143235]: User "@d45054ab-6557-45c8-bc93-b6d06a578993" disconnected (0 users remain)
Feb 21 03:17:20 ip-172-31-6-188 guacd[143235]: Last user of connection "$1217b78c-d8f5-4826-a381-4cd1ebd85654" disconnected
Feb 21 03:17:20 ip-172-31-6-188 guacd[115076]: Connection "$1217b78c-d8f5-4826-a381-4cd1ebd85654" removed.

On the Windows host I get this error:
A fatal error occurred while creating a TLS client credential. The internal error state is 10011.

So I know what the SCHANNEL error is.  I have dealt with it quite a bit.  HOWEVER I don't have the foggiest idea how to fix it with Guac.  What Crypto should I be using?  This is the latest and greatest Windows 10.

Now I have said to not use SSL/Crypto in the guac settings.  I have also disabled NLA and enabled the security setting in the registry.  Any insights would be awesome!

You shouldn't need to disable NLA or TLS, especially with most recent versions of Windows requiring these mechanisms by default. They should just work, either with embedded credentials, credential pass-through, or automatic credential prompting.

What specific parameters and values are you specifying for the Guacamole connection?

Michael Jumper
CEO, Lead Developer
Glyptodon Inc <https://enterprise.glyptodon.com/>.


Re: Weird Windows 10 RDP issue

Posted by Mike Jumper <mi...@glyptodon.com>.
On Sat, Feb 20, 2021 at 7:21 PM Fertig, Brian
<br...@philips.com.invalid> wrote:

> So got this issue..  I set up a Windows 10 host in Guac.  I have checked
> firewalls, settings, etc.  I can't make heads or tails.  This is in the
> GUACD log..
>
>
>
> Feb 21 03:17:05 ip-172-31-6-188 tomcat9[111889]: 03:17:05.399
> [http-nio-8080-exec-6] DEBUG o.a.g.net.InetGuacamoleSocket - Connecting to
> guacd at localhost:4822.
>
> Feb 21 03:17:05 ip-172-31-6-188 guacd[115076]: Creating new client for
> protocol "rdp"
>
> Feb 21 03:17:05 ip-172-31-6-188 guacd[115076]: Connection ID is
> "$1217b78c-d8f5-4826-a381-4cd1ebd85654"
>
> Feb 21 03:17:05 ip-172-31-6-188 guacd[143235]: Security mode: Negotiate
> (ANY)
>
> Feb 21 03:17:05 ip-172-31-6-188 guacd[143235]: Resize method: none
>
> Feb 21 03:17:05 ip-172-31-6-188 guacd[143235]: User
> "@d45054ab-6557-45c8-bc93-b6d06a578993" joined connection
> "$1217b78c-d8f5-4826-a381-4cd1ebd85654" (1 users now present)
>
> Feb 21 03:17:05 ip-172-31-6-188 guacd[143235]: Loading keymap "base"
>
> Feb 21 03:17:05 ip-172-31-6-188 guacd[143235]: Loading keymap
> "en-us-qwerty"
>
> Feb 21 03:17:20 ip-172-31-6-188 guacd[143235]: RDP server closed/refused
> connection: Connection failed (server unreachable?)
>
> Feb 21 03:17:20 ip-172-31-6-188 guacd[143235]: User
> "@d45054ab-6557-45c8-bc93-b6d06a578993" disconnected (0 users remain)
>
> Feb 21 03:17:20 ip-172-31-6-188 guacd[143235]: Last user of connection
> "$1217b78c-d8f5-4826-a381-4cd1ebd85654" disconnected
>
> Feb 21 03:17:20 ip-172-31-6-188 guacd[115076]: Connection
> "$1217b78c-d8f5-4826-a381-4cd1ebd85654" removed.
>
>
>
> On the Windows host I get this error:
>
> A fatal error occurred while creating a TLS client credential. The
> internal error state is 10011.
>
>
>
> So I know what the SCHANNEL error is.  I have dealt with it quite a bit.
> HOWEVER I don’t have the foggiest idea how to fix it with Guac.  What
> Crypto should I be using?  This is the latest and greatest Windows 10.
>
>
>
> Now I have said to not use SSL/Crypto in the guac settings.  I have also
> disabled NLA and enabled the security setting in the registry.  Any
> insights would be awesome!
>

You shouldn't need to disable NLA or TLS, especially with most recent
versions of Windows requiring these mechanisms by default. They should just
work, either with embedded credentials, credential pass-through, or
automatic credential prompting.

What specific parameters and values are you specifying for the Guacamole
connection?

Michael Jumper
CEO, Lead Developer
Glyptodon Inc <https://enterprise.glyptodon.com/>.

Re: Weird Windows 10 RDP issue

Posted by Mike Jumper <mi...@glyptodon.com>.
On Mon, Feb 22, 2021 at 12:36 PM Bill Sandor <bi...@allegiance-it.com> wrote:

> That is the $50m question.  I did not even realize there was an admin
> section of the web portal for setting up configurations, I thought it was
> all done through editing the user-mapping.xml file.
>

Nope - the "user-mapping.xml" file primarily exists to allow quick testing
of a deployment before moving on to one of the supported databases, which
provide the admin interface you mention.


> I recently deployed a docker container of Guacamole to see if that would
> work, and in there I noticed there is an admin login & password and an
> admin section of the web portal for setting up the connections.
>
> How do I log into the admin web portal on the from-scratch install?  I
> can’t find any listing of a default admin login/password in the
> documentation.  Do I somehow add an admin user to user-mapping.xml?  The
> only user I created (test) does not have admin rights.
>

No, you would not use "user-mapping.xml" at all. The admin interface
results from having a supported database installed and configured, and the
default admin account is created as a part of that process:

http://guacamole.apache.org/doc/gug/jdbc-auth.html#jdbc-auth-database-creation
http://guacamole.apache.org/doc/gug/jdbc-auth.html#jdbc-auth-default-user

Once you have the database support in place (or any other authentication
extension), there is no need for "user-mapping.xml".

Michael Jumper
CEO, Lead Developer
Glyptodon Inc <https://enterprise.glyptodon.com/>.

Re: Weird Windows 10 RDP issue

Posted by Bill Sandor <bi...@allegiance-it.com>.
That is the $50m question.  I did not even realize there was an admin section of the web portal for setting up configurations, I thought it was all done through editing the user-mapping.xml file.  I recently deployed a docker container of Guacamole to see if that would work, and in there I noticed there is an admin login & password and an admin section of the web portal for setting up the connections.

How do I log into the admin web portal on the from-scratch install?  I can’t find any listing of a default admin login/password in the documentation.  Do I somehow add an admin user to user-mapping.xml?  The only user I created (test) does not have admin rights.


This very well may be the source of all my problems.

 
--Bill Sandor
Allegiance Technologies & Consulting LLC
http://www.allegiance-it.com
330.315.2867

> On Feb 21, 2021, at 1:57 PM, Mike Jumper <mi...@glyptodon.com> wrote:
> 
> On Sat, Feb 20, 2021 at 7:21 PM Fertig, Brian <br...@philips.com.invalid> wrote:
> So got this issue..  I set up a Windows 10 host in Guac.  I have checked firewalls, settings, etc.  I can't make heads or tails.  This is in the GUACD log..
> 
>  
> 
> Feb 21 03:17:05 ip-172-31-6-188 tomcat9[111889]: 03:17:05.399 [http-nio-8080-exec-6] DEBUG o.a.g.net.InetGuacamoleSocket - Connecting to guacd at localhost:4822.
> 
> Feb 21 03:17:05 ip-172-31-6-188 guacd[115076]: Creating new client for protocol "rdp"
> 
> Feb 21 03:17:05 ip-172-31-6-188 guacd[115076]: Connection ID is "$1217b78c-d8f5-4826-a381-4cd1ebd85654"
> 
> Feb 21 03:17:05 ip-172-31-6-188 guacd[143235]: Security mode: Negotiate (ANY)
> 
> Feb 21 03:17:05 ip-172-31-6-188 guacd[143235]: Resize method: none
> 
> Feb 21 03:17:05 ip-172-31-6-188 guacd[143235]: User "@d45054ab-6557-45c8-bc93-b6d06a578993" joined connection "$1217b78c-d8f5-4826-a381-4cd1ebd85654" (1 users now present)
> 
> Feb 21 03:17:05 ip-172-31-6-188 guacd[143235]: Loading keymap "base"
> 
> Feb 21 03:17:05 ip-172-31-6-188 guacd[143235]: Loading keymap "en-us-qwerty"
> 
> Feb 21 03:17:20 ip-172-31-6-188 guacd[143235]: RDP server closed/refused connection: Connection failed (server unreachable?)
> 
> Feb 21 03:17:20 ip-172-31-6-188 guacd[143235]: User "@d45054ab-6557-45c8-bc93-b6d06a578993" disconnected (0 users remain)
> 
> Feb 21 03:17:20 ip-172-31-6-188 guacd[143235]: Last user of connection "$1217b78c-d8f5-4826-a381-4cd1ebd85654" disconnected
> 
> Feb 21 03:17:20 ip-172-31-6-188 guacd[115076]: Connection "$1217b78c-d8f5-4826-a381-4cd1ebd85654" removed.
> 
>  
> 
> On the Windows host I get this error:
> 
> A fatal error occurred while creating a TLS client credential. The internal error state is 10011.
> 
>  
> 
> So I know what the SCHANNEL error is.  I have dealt with it quite a bit.  HOWEVER I don’t have the foggiest idea how to fix it with Guac.  What Crypto should I be using?  This is the latest and greatest Windows 10. 
> 
>  
> 
> Now I have said to not use SSL/Crypto in the guac settings.  I have also disabled NLA and enabled the security setting in the registry.  Any insights would be awesome!
> 
> 
> You shouldn't need to disable NLA or TLS, especially with most recent versions of Windows requiring these mechanisms by default. They should just work, either with embedded credentials, credential pass-through, or automatic credential prompting.
> 
> What specific parameters and values are you specifying for the Guacamole connection?
> 
> Michael Jumper
> CEO, Lead Developer
> Glyptodon Inc <https://enterprise.glyptodon.com/>.