Posted to user@guacamole.apache.org by Stewart Alexander <st...@alamancecc.edu> on 2020/03/04 14:54:23 UTC

Re[2]: Using 2 factor authentication with Active Directory

Hi all,

Can you tell us more about TOTP and the MS Authenticator app? Sounds 
intriguing...

What's the process for integrating this into Guacamole? Can someone 
point us to some documentation?

But yeah, 2 factor authentication would be very nice

------ Original Message ------
From: "Andrew Kopp" <AK...@soleilfoodservice.com>
To: "user@guacamole.apache.org" <us...@guacamole.apache.org>
Sent: 3/4/2020 9:45:44 AM
Subject: Re: Using 2 factor authentication with Active Directory

>+1 I would like this too, but based on my testing I do not think it's 
>possible quite yet.
>
>Microsoft's Graph APIs just went under a lot of changes and they 
>discontinued support for a lot of their own dev libraries. This will 
>need some development effort for sure.
>
>If you disable NLA you could potentially do it on the RDP login screen, 
>but this will force the user to authenticate twice.
>
>For now I'm happy with TOTP and using the MS Authenticator app.
>
>I'd probably help fund a project bounty for this add-on however.
>--------------------------------------------------------------------------------
>From: Stewart Alexander <st...@alamancecc.edu>
>Sent: Wednesday, March 4, 2020 9:30:20 AM
>To: user@guacamole.apache.org <us...@guacamole.apache.org>
>Subject: Using 2 factor authentication with Active Directory
>
>Hi all,
>
>We are interested in using 2 factor authentication with Active Directory 
>to have our users log in via RDP to their Microsoft Windows computer 
>systems.
>
>Is this something possible? Is there documentation on setting this up?
>
>Thanks...
>
>Best Regards,
>
>Stewart Alexander
>ACC Network Administrator
>E stewart.alexander@alamancecc.edu
>P: +1 (336) 506-4181
>
>"Chi poco pensa, molto erra." - Leonardo da Vinci
>(Those who think little err often)


--------------------------------------------------------------------------------
This email and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom they are 
addressed. If you have received this email in error please disregard. 
This message may contain confidential information and is intended only 
for the individual named.

For more information about our privacy policy and how we process data, 
please visit our website and use the Privacy Notice link located on the 
main page.


Re: Re[2]: Using 2 factor authentication with Active Directory

Posted by Andrew Kopp <AK...@soleilfoodservice.com>.
Hi Stewart,

The MS Authenticator app supports the basic TOTP protocol. All you need to do is enable TOTP (not Duo) on Guacamole. During the first login of the user, it will ask you to set up the TOTP and display a QR code. In the MS Authenticator app, open the top right menu, add a new account and select "Other account". Scan the QR code and you are done. This method is not true Azure MFA however. No wonderful Microsoft Azure policies, etc.

Some issues I've noticed - I have many Guacamole installs and I've had to rename the guacadmin username specific to each install. It seems the MS Authenticator app uses the username as the key, so if you use the same username over multiple installs it will overwrite the existing account, locking you out of the previous instance. I haven't even tested this with Google Authenticator so your mileage may vary.

The other issue, which is much bigger to me (discovered via the above problem 🙂), is the lack of a TOTP reset function in the web-based panel in the event the user loses their phone or deletes the Authenticator app. Basically, you need to manually delete the TOTP keys in the DB, so I just re-create the users as of now. Bit of a pain, but it works.

Also, TOTP will not work with LDAP/AD. It needs to be able to write back the TOTP keys to the directory - which isn't implemented with AD yet (or will it be? I suggest doing it like ownCloud does and storing them in the local DB even with AD auth).


Andrew
