You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@guacamole.apache.org by testanier thierry <th...@chi-elbeuf-louviers.fr> on 2021/09/28 06:35:50 UTC
Information on GUACAMOLE-1426
Hi,
I opened a ticket and got an answer super quickly (GUACAMOLE-1426 <https://issues.apache.org/jira/browse/GUACAMOLE-1426> )
The answer concerns a patch of my RDP server but I don't know what it is. is it possible to have more information?
Best regards,
Thierry TESTANIER
Mail : thierry.testanier@chi-elbeuf-louviers.fr <ma...@chi-elbeuf-louviers.fr>
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org
Re: Information on GUACAMOLE-1426
Posted by Nick Couchman <vn...@apache.org>.
On Tue, Sep 28, 2021 at 8:19 AM testanier thierry <
thierry.testanier@chi-elbeuf-louviers.fr> wrote:
> Hi,
>
> I have no problem with Guacamole, i use many RDP without problem.
>
>
Glad to hear that :-)
>
> If i use a user with "Protected Users" (Native group AD), it's not
> fonctionnal.
>
> If the NLA is disabled and security mode is "empty", i have a return of my
> RDP and i can enter the credentials and all are OK.
>
> I will remove the NLA from my servers.
>
> The "Protected Users" group blocks CredSSPs, which is why there is a
> blockage.
>
>
Disabling NLA really isn't a good idea. It sounds like you have some
particular reason for doing it, so without knowing much about your
environment, it's hard to say whether it's really required or not, but NLA
has some specific security built into it designed to protect RDP
connections, so if at all possible it is best to stick with it.
-Nick
RE: Information on GUACAMOLE-1426
Posted by testanier thierry <th...@chi-elbeuf-louviers.fr>.
Hi,
I have no problem with Guacamole, i use many RDP without problem.
If i use a user with "Protected Users" (Native group AD), it's not fonctionnal.
If the NLA is disabled and security mode is "empty", i have a return of my RDP and i can enter the credentials and all are OK.
I will remove the NLA from my servers.
The "Protected Users" group blocks CredSSPs, which is why there is a blockage.
Thierry TESTANIER
-----Message d'origine-----
De : Nick Couchman [mailto:vnick@apache.org]
Envoyé : mardi 28 septembre 2021 13:43
À : user@guacamole.apache.org
Objet : Re: Information on GUACAMOLE-1426
On Tue, Sep 28, 2021 at 2:36 AM testanier thierry <thierry.testanier@chi-elbeuf-louviers.fr <ma...@chi-elbeuf-louviers.fr> > wrote:
Hi,
I opened a ticket and got an answer super quickly (GUACAMOLE-1426 <https://issues.apache.org/jira/browse/GUACAMOLE-1426 <https://antiphishing.vadesecure.com/2/dGhpZXJyeS50ZXN0YW5pZXJAY2hpLWVsYmV1Zi1sb3V2aWVycy5mcnxWUkMxMzUwNTcw/issues.apache.org/jira/browse/GUACAMOLE-1426> > )
The answer concerns a patch of my RDP server but I don't know what it is. is it possible to have more information?
The answer wasn't about patching your RDP server. The error you were receiving was:
> guacamole guacd[61734]: RDP server closed/refused connection: Access denied by server (account locked/disabled?)
This indicates that 1) Guacamole is working fine, and 2) the RDP server is rejecting the connection. My answer was that you need to "fix" the issue on the RDP server side, but in this case "fix" is not the same as "patch." You need to determine why the RDP server is rejecting access and fix that. The error message gives you a couple of hints about possible reasons - account locked or disabled - but there are several possibilities I can think of:
* The user is not a member of a group allowed to make RDP connections (on Windows, this is generally Administrators or Remote Desktop Users).
* The account is disabled, locked, or expired.
* The account is already logged on, and is limited to a single session.
* On Windows, licensing is incorrectly configured and the server is rejecting connections.
I'm sure there are other potential reasons. The point is, Guacamole is functioning and can talk to the RDP server, and the RDP server is rejecting the connection. There isn't anything further to look at in Guacamole, you need to investigate on the RDP server why it is rejecting the connection and make the appropriate configuration changes to allow the account to log in.
-Nick
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org
Re: Information on GUACAMOLE-1426
Posted by Nick Couchman <vn...@apache.org>.
On Tue, Sep 28, 2021 at 2:36 AM testanier thierry <
thierry.testanier@chi-elbeuf-louviers.fr> wrote:
> Hi,
>
> I opened a ticket and got an answer super quickly (GUACAMOLE-1426 <
> https://issues.apache.org/jira/browse/GUACAMOLE-1426> )
>
> The answer concerns a patch of my RDP server but I don't know what it is.
> is it possible to have more information?
>
>
The answer wasn't about patching your RDP server. The error you were
receiving was:
> guacamole guacd[61734]: RDP server closed/refused connection: Access
denied by server (account locked/disabled?)
This indicates that 1) Guacamole is working fine, and 2) the RDP server is
rejecting the connection. My answer was that you need to "fix" the issue on
the RDP server side, but in this case "fix" is not the same as "patch."
You need to determine why the RDP server is rejecting access and fix that.
The error message gives you a couple of hints about possible reasons -
account locked or disabled - but there are several possibilities I can
think of:
* The user is not a member of a group allowed to make RDP connections (on
Windows, this is generally Administrators or Remote Desktop Users).
* The account is disabled, locked, or expired.
* The account is already logged on, and is limited to a single session.
* On Windows, licensing is incorrectly configured and the server is
rejecting connections.
I'm sure there are other potential reasons. The point is, Guacamole is
functioning and can talk to the RDP server, and the RDP server is rejecting
the connection. There isn't anything further to look at in Guacamole, you
need to investigate on the RDP server why it is rejecting the connection
and make the appropriate configuration changes to allow the account to log
in.
-Nick