Posted to user@guacamole.apache.org by Adrian Owen <ad...@eesm.com> on 2020/04/24 19:15:40 UTC

VNC 403 JSON API

Using JSON API.  I occasionally get 403 Forbidden when I post to get the Auth Token.

It only happens with VNC connection. When I try RDP connection it's ok.


Is there a way to get more information? I ran guacd with -L trace to terminal. But nothing is logged?

Thanks, Adrian




Re: VNC 403 JSON API

Posted by Nick Couchman <vn...@apache.org>.
On Sun, Apr 26, 2020 at 10:32 AM Adrian Owen <ad...@eesm.com> wrote:

> Cleared out catalina.out ready to test, clicked and 403
>
>
>
> I saw hundreds of trace messages, before I cleared it.
>
>
>
> But these are the only ones shown before 403. V 0.9.14. No Trace only debug
>
>
>
> JDBC Connection [com.mysql.jdbc.JDBC4Connection@1e709431]
>
> 20:06:57.106 [http-nio-8080-exec-1] DEBUG o.a.i.d.pooled.PooledDataSource
> - Testing connection 510694449 ...
>
> 20:06:57.106 [http-nio-8080-exec-1] DEBUG o.a.i.d.pooled.PooledDataSource
> - Connection 510694449 is GOOD!
>
> 20:06:57.106 [http-nio-8080-exec-1] DEBUG o.a.i.d.pooled.PooledDataSource
> - Returned connection 510694449 to pool.
>
> 20:06:57.129 [http-nio-8080-exec-1] DEBUG
> o.g.g.a.j.RequestValidationService - Authentication request from
> "127.0.0.1" is ALLOWED (no restrictions).
>

My guess is that this is the source of your issue, here.  You mentioned the
"JSON API" in your first post, which, I'm going to guess is Mike's JSON
authentication extension.  My guess is that the extension is, for some
reason, triggering the failure - it looks like whatever data you're
providing with the JSON extension is not recognized by the underlying
Guacamole authentication system as anything but an anonymous login attempt,
and it's rejecting the anonymous login (next message).  At this point I
don't know why that is - I'm not overly-familiar with that particular
extension - but perhaps you could post sample JSON requests you're making
to the REST API portion of that extension - one that succeeds and one that
fails?  That might help narrow down the cause...

> 20:06:57.191 [http-nio-8080-exec-1] DEBUG
> o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt from
> [10.10.220.74, 127.0.0.1] failed.
>
>
>

-Nick

>

RE: VNC 403 JSON API

Posted by Adrian Owen <ad...@eesm.com>.
Cleared out catalina.out ready to test, clicked and 403



I saw hundreds of trace messages, before I cleared it.



But these are the only ones shown before 403. V 0.9.14. No Trace only debug



JDBC Connection [com.mysql.jdbc.JDBC4Connection@1e709431]

20:06:57.106 [http-nio-8080-exec-1] DEBUG o.a.i.d.pooled.PooledDataSource - Testing connection 510694449 ...

20:06:57.106 [http-nio-8080-exec-1] DEBUG o.a.i.d.pooled.PooledDataSource - Connection 510694449 is GOOD!

20:06:57.106 [http-nio-8080-exec-1] DEBUG o.a.i.d.pooled.PooledDataSource - Returned connection 510694449 to pool.

20:06:57.129 [http-nio-8080-exec-1] DEBUG o.g.g.a.j.RequestValidationService - Authentication request from "127.0.0.1" is ALLOWED (no restrictions).

20:06:57.191 [http-nio-8080-exec-1] DEBUG o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt from [10.10.220.74, 127.0.0.1] failed.

From: Nick Couchman [mailto:vnick@apache.org]
Sent: 26 April 2020 14:01
To: user@guacamole.apache.org
Subject: Re: VNC 403 JSON API

On Sun, Apr 26, 2020 at 7:43 AM Adrian Owen <ad...@eesm.com> wrote:
I set logback to trace

VNC connection
*** event handler 1
20:06:57.191 [http-nio-8080-exec-1] DEBUG o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt from [10.10.220.74, 127.0.0.1] failed.

RDP Connection
20:14:53.521 [http-nio-8080-exec-7] DEBUG o.a.g.r.auth.AuthenticationService - Login was successful for user "".


On another Guacamole Server VNC connected. Same credentials.

How can I get more detail of the failure?


Well, that's a little hard to say, because of all the log messages that you should have (trace should give you hundreds or thousands of them), you've posted two or three entries.  There's no possible way for us to help with this little information.  It would be good to know:
- What version of Guacamole are you running?
- What authentication modules are you using, and in what order are they being evaluated?
- If you can post the rest of the log messages to some place like PasteBin and link, here, that would help.  If you do this don't forget to sanitize them before posting them so that they don't contain any information that would present a security risk to your environment.

-Nick

Re: VNC 403 JSON API

Posted by Nick Couchman <vn...@apache.org>.
On Sun, Apr 26, 2020 at 7:43 AM Adrian Owen <ad...@eesm.com> wrote:

> I set logback to trace
>
>
>
> VNC connection
>
> *** event handler 1
>
> 20:06:57.191 [http-nio-8080-exec-1] DEBUG
> o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt from
> [10.10.220.74, 127.0.0.1] failed.
>
>
>
> RDP Connection
>
> 20:14:53.521 [http-nio-8080-exec-7] DEBUG
> o.a.g.r.auth.AuthenticationService - Login was successful for user "".
>
>
>
>
>
> On another Guacamole Server VNC connected. Same credentials.
>
>
>
> How can I get more detail of the failure?
>
>
>

Well, that's a little hard to say, because of all the log messages that you
should have (trace should give you hundreds or thousands of them), you've
posted two or three entries.  There's no possible way for us to help with
this little information.  It would be good to know:
- What version of Guacamole are you running?
- What authentication modules are you using, and in what order are they
being evaluated?
- If you can post the rest of the log messages to some place like PasteBin
and link, here, that would help.  If you do this don't forget to sanitize
them before posting them so that they don't contain any information that
would present a security risk to your environment.

-Nick

>
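Nick's request above to sanitize logs before posting them, shown as an added example that is not part of the original thread. It replaces addresses and usernames with keyed pseudonyms, so a reader can still see that two lines refer to the same client, and it blanks `password=`/`token=` values. The username line, the request-log line and the logger name `example.RequestLog` are constructed for illustration.

```python
import hashlib
import hmac
import os
import re

# Constructed sample: two log lines quoted in this thread plus two constructed
# lines (a username and a token in a URL) standing in for catalina.out.
SAMPLE_LOG = """\
20:06:57.129 [http-nio-8080-exec-1] DEBUG o.g.g.a.j.RequestValidationService - Authentication request from "127.0.0.1" is ALLOWED (no restrictions).
20:06:57.191 [http-nio-8080-exec-1] DEBUG o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt from [10.10.220.74, 127.0.0.1] failed.
20:14:53.521 [http-nio-8080-exec-7] DEBUG o.a.g.r.auth.AuthenticationService - Login was successful for user "alice".
20:14:54.002 [http-nio-8080-exec-7] DEBUG example.RequestLog - GET /api/session/data/mysql/connections?token=ABC123 from 10.10.220.74
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
USER = re.compile(r'(\buser ")([^"]+)(")')
SECRET = re.compile(r"\b(password|token)=([^\s&\"]+)", re.IGNORECASE)


def pseudonym(kind, value, key):
    """Keyed, stable label: equal inputs map to equal labels, but the
    small IPv4 space cannot be brute-forced without the key."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:8]
    return f"<{kind}-{digest}>"


def sanitize(text, key):
    """Redact addresses, usernames and secrets while keeping lines correlatable."""
    def ip_sub(match):
        ip = match.group(0)
        # Loopback reveals nothing about the site and helps the reader.
        return ip if ip.startswith("127.") else pseudonym("ip", ip, key)

    text = IPV4.sub(ip_sub, text)
    text = USER.sub(lambda m: m.group(1) + pseudonym("user", m.group(2), key) + m.group(3), text)
    return SECRET.sub(lambda m: m.group(1) + "=<redacted>", text)


if __name__ == "__main__":
    # Throwaway key: labels are stable within one paste, unlinkable across pastes.
    print(sanitize(SAMPLE_LOG, os.urandom(16)), end="")
```

Hostnames, connection names and JDBC URLs are not covered by these patterns and still need a manual pass before the log is shared.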

RE: VNC 403 JSON API

Posted by Adrian Owen <ad...@eesm.com>.
I set logback to trace

VNC connection
*** event handler 1
20:06:57.191 [http-nio-8080-exec-1] DEBUG o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt from [10.10.220.74, 127.0.0.1] failed.

RDP Connection
20:14:53.521 [http-nio-8080-exec-7] DEBUG o.a.g.r.auth.AuthenticationService - Login was successful for user "".


On another Guacamole Server VNC connected. Same credentials.

How can I get more detail of the failure?

Many thanks

From: Nick Couchman [mailto:vnick@apache.org]
Sent: 24 April 2020 20:43
To: user@guacamole.apache.org
Subject: Re: VNC 403 JSON API

On Fri, Apr 24, 2020 at 3:37 PM Adrian Owen <ad...@eesm.com> wrote:
Nothing is shown in catalina.out either

Should I update the apache log level?    What do you suggest to get at the error?


Yes, you might need to bump up Tomcat logging:

http://guacamole.apache.org/doc/gug/configuring-guacamole.html#webapp-logging

Also, note that 403 "errors" are a normal part of Guacamole Client's operation - for example, when you first visit the Guacamole web page, the back-end server issues a 403 status to the web client in order to tell the web application to display the logon page.  So, just because you're receiving this on the client side doesn't mean that anything is occurring that Guacamole Client considers an error.  It could be, but it may not be.

-Nick

Re: VNC 403 JSON API

Posted by Nick Couchman <vn...@apache.org>.
On Fri, Apr 24, 2020 at 3:37 PM Adrian Owen <ad...@eesm.com> wrote:

> Nothing is shown in catalina.out either
>
>
>
> Should I update the apache log level?    What do you suggest to get at the
> error?
>
>
>

Yes, you might need to bump up Tomcat logging:

http://guacamole.apache.org/doc/gug/configuring-guacamole.html#webapp-logging

Also, note that 403 "errors" are a normal part of Guacamole Client's
operation - for example, when you first visit the Guacamole web page, the
back-end server issues a 403 status to the web client in order to tell the
web application to display the logon page.  So, just because you're
receiving this on the client side doesn't mean that anything is
occurring that Guacamole Client considers an error.  It could be, but it
may not be.

-Nick

RE: VNC 403 JSON API

Posted by Adrian Owen <ad...@eesm.com>.
Nothing is shown in catalina.out either

Should I update the apache log level?    What do you suggest to get at the error?

Many thanks

From: Nick Couchman [mailto:vnick@apache.org]
Sent: 24 April 2020 20:33
To: user@guacamole.apache.org
Subject: Re: VNC 403 JSON API

On Fri, Apr 24, 2020 at 3:15 PM Adrian Owen <ad...@eesm.com> wrote:
Using JSON API.  I occasionally get 403 Forbidden when I post to get the Auth Token.

It only happens with VNC connection. When I try RDP connection it's ok.


Is there a way to get more information? I ran guacd with -L trace to terminal. But nothing is logged?


guacd does not handle the REST API in any way, so that's not going to help you determine why you're getting 403 errors. You need to look at the Tomcat output (catalina.out, usually) for that.  Also, note that, by default, tokens expire after 60 minutes, so it's possible you're hitting that timeout and just attributing it to a particular protocol even though it's just timing out and becoming invalid.

-Nick

Re: VNC 403 JSON API

Posted by Nick Couchman <vn...@apache.org>.
On Fri, Apr 24, 2020 at 3:15 PM Adrian Owen <ad...@eesm.com> wrote:

> Using JSON API.  I occasionally get 403 Forbidden when I post to get the
> Auth Token.
>
>
>
> It only happens with VNC connection. When I try RDP connection it's ok.
>
>
>
>
>
> Is there a way to get more information? I ran guacd with -L trace to
> terminal. But nothing is logged?
>
>
>
guacd does not handle the REST API in any way, so that's not going to help
you determine why you're getting 403 errors. You need to look at the Tomcat
output (catalina.out, usually) for that.  Also, note that, by default,
tokens expire after 60 minutes, so it's possible you're hitting that
timeout and just attributing it to a particular protocol even though it's
just timing out and becoming invalid.

-Nick