Posted to user@guacamole.apache.org by Clement ITIE <cl...@sicoval.fr> on 2023/03/15 10:55:37 UTC

RDP connection with NLA and Protected Users

Hello everyone,

I would like to know if someone has ever successfully set up an RDP connection to a server with NLA authentication and a user who is a member of "Protected Users".

I have set up a connection to a domain controller with Guacamole using RDP and automatic negotiation as security mode. I also tried with NLA without result.
The connection works fine directly from my computer, but not from Guacamole.

Logs indicate that the authentication process failed due to the combination of NLA protection with Protected Users. NLA has failed and an NTLM connection is attempted but is prohibited by the fact that the account is a member of the special Protected Users group.

Logs are as follows:

guacd[96470]: DEBUG:    freerdp_connect:freerdp_set_last_error_ex resetting error state
guacd[96470]: DEBUG:    Support for CLIPRDR (clipboard redirection) registered. Awaiting channel connection.
guacd[96470]: DEBUG:    Support for static channel "rdpdr" loaded.
guacd[96470]: DEBUG:    Support for static channel "rdpsnd" loaded.
guacd[96470]: DEBUG:    Local framebuffer format  PIXEL_FORMAT_BGRX32
guacd[96470]: DEBUG:    Remote framebuffer format PIXEL_FORMAT_RGB16
guacd[96470]: DEBUG:    primitives autodetect, using optimized
guacd[96470]: DEBUG:    freerdp_tcp_is_hostname_resolvable:freerdp_set_last_error_ex resetting error state
guacd[96470]: DEBUG:    freerdp_tcp_connect:freerdp_set_last_error_ex resetting error state
guacd[96470]: DEBUG:    creating directory /root/.config/freerdp
guacd[96470]: DEBUG:    creating directory [/root/.config/freerdp/certs]
guacd[96470]: DEBUG:    created directory [/root/.config/freerdp/server]
guacd[96470]: DEBUG:    SPNEGO received NTSTATUS: STATUS_ACCOUNT_RESTRICTION [0xC000006E] from server
guacd[96470]: DEBUG:    nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_ACCOUNT_RESTRICTION [0x00020017]
guacd[96470]: DEBUG:    rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
guacd[96470]: DEBUG:    transport_check_fds: transport->ReceiveCallback() - -1
guacd[96470]: DEBUG:    SVC "rdpdr" disconnected.
guacd[96470]: DEBUG:    SVC "rdpsnd" disconnected.
guacd[96470]: INFO:     RDP server closed/refused connection: Access denied by server (account locked/disabled?)
guacd[96470]: INFO:     User "@6576c64b-07ee-497c-b5d1-e8fd71e2df49" disconnected (0 users remain)

I checked the FreeRDP project page and found this issue:
https://github.com/FreeRDP/FreeRDP/issues/5258

It seems that the most recent release of FreeRDP, which is used in Guacamole according to the previous logs, is not compatible with NLA + Protected Users security.

So my question is: has anyone already configured this kind of connection in Guacamole?

Thank you for your help.

Clément Itié
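
Added example (not part of the original message, and not Guacamole or FreeRDP code): a small triage script that ties guacd's generic "Access denied by server (account locked/disabled?)" INFO line back to the NTSTATUS and FreeRDP error codes logged at DEBUG level for the same guacd process. The function name triage, the result keys and PID 96471 are assumptions made for this illustration.

```python
import re

# Constructed sample: four lines copied from the log in the message above, plus
# one line with a made-up PID (96471) to show that sessions are kept apart.
SAMPLE_LOG = '''\
guacd[96471]: DEBUG:    Support for static channel "rdpdr" loaded.
guacd[96470]: DEBUG:    SPNEGO received NTSTATUS: STATUS_ACCOUNT_RESTRICTION [0xC000006E] from server
guacd[96470]: DEBUG:    nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_ACCOUNT_RESTRICTION [0x00020017]
guacd[96470]: DEBUG:    rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
guacd[96470]: INFO:     RDP server closed/refused connection: Access denied by server (account locked/disabled?)
'''

LINE = re.compile(r"guacd\[(\d+)\]:\s+([A-Z]+):\s+(.*)")
NTSTATUS = re.compile(r"NTSTATUS: (STATUS_\w+) \[(0x[0-9A-Fa-f]+)\]")
FREERDP_ERR = re.compile(r"freerdp_set_last_error_ex (ERRCONNECT_\w+) \[(0x[0-9A-Fa-f]+)\]")
REFUSED = re.compile(r"RDP server closed/refused connection: (.*)")


def triage(log_text):
    """Return {pid: details} for every guacd process whose RDP connection was refused."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE.search(raw)  # search, not match: syslog may prepend a timestamp
        if not m:
            continue
        pid, _level, msg = m.groups()
        s = sessions.setdefault(pid, {"ntstatus": None, "freerdp_error": None,
                                      "failed_in_nla": False, "reason": None})
        if (hit := NTSTATUS.search(msg)):
            s["ntstatus"] = (hit.group(1), int(hit.group(2), 16))
        elif (hit := FREERDP_ERR.search(msg)):
            s["freerdp_error"] = (hit.group(1), int(hit.group(2), 16))
        elif "CONNECTION_STATE_NLA" in msg and "fail" in msg:
            s["failed_in_nla"] = True
        elif (hit := REFUSED.search(msg)):
            s["reason"] = hit.group(1)
    # Only sessions that ended with a refusal are reported.
    return {pid: s for pid, s in sessions.items() if s["reason"]}


if __name__ == "__main__":
    for pid, s in triage(SAMPLE_LOG).items():
        print(f"guacd[{pid}] refused: {s['reason']}")
        print(f"  NTSTATUS={s['ntstatus']} FreeRDP={s['freerdp_error']} "
              f"failed during NLA={s['failed_in_nla']}")
```

The DEBUG lines only appear when guacd runs at debug log level, as in the log above.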



Re: RDP connection with NLA and Protected Users

Posted by Nick Couchman <vn...@apache.org>.
On Wed, Mar 15, 2023 at 6:56 AM Clement ITIE <cl...@sicoval.fr> wrote:
> I checked the FreeRDP project page and found this issue:
>
> https://github.com/FreeRDP/FreeRDP/issues/5258
>
> It seems that the most recent release of FreeRDP, which is used in Guacamole according to the previous logs, is not compatible with NLA + Protected Users security.
>
> So my question is: has anyone already configured this kind of connection in Guacamole?
>

I've never used the Protected Users, but, based on that FreeRDP issue,
I don't think that Guacamole will support it at this point, until that
issue is resolved. Unfortunately, because the upstream library is
where the issue is, there isn't much that can be done about it from
the Guacamole perspective.

-Nick
