Posted to user@guacamole.apache.org by Victor Martinez <vj...@gmail.com> on 2021/07/29 12:31:56 UTC

Problem Implementing SAML with RDP Windows

Good evening Team. They told me that I could make inquiries in this
list, referring to a problem that we are having for the implementation
of Guacamole + SAML + RDP.
The downside is for authentication with the RDP service.
I entered the Guacamole Portal with the SAML_ID, but when we tried to
connect via rdp to a Windows 10 host, we received the following from
Invalid Credential:
Jul 28 16:27:10 chidmz117 guacd [17514]: guacd [17905]: INFO: RDP
server closed / refused connection: Authentication failure (invalid
credentials?)
We hope we can count on your help.
Thanks a lot

Victor J. Martínez
RHCE
Cel.: (595)972-918-550
Asunción - Paraguay

Re: Problem Implementing SAML with RDP Windows

Posted by Nick Couchman <vn...@apache.org>.
On Thu, Jul 29, 2021 at 11:53 AM Victor Martinez <vj...@gmail.com>
wrote:

> I have deleted the GUAC_PASSWORD token, and it actually asks me back to
> enter the pass and I can now access the device.
> Is there a way that the authentication is transparent?
>
>>
>>
No, not with SAML, because SAML does not provide the password after
authentication. If you use CAS SSO there is a function called "ClearPass"
that encrypts the password from the SSO server and sends it over to the
client, but you have to use that with extreme caution, and I don't know of
any similar functionality in either SAML or OpenID/OAuth.

-Nick

Re: Problem Implementing SAML with RDP Windows

Posted by Victor Martinez <vj...@gmail.com>.
I have deleted the GUAC_PASSWORD token, and it actually asks me back to
enter the pass and I can now access the device.
Is there a way that the authentication is transparent?

Victor J. Martínez
RHCE
Cel.: (595)972-918-550
Asunción - Paraguay



On Thu, Jul 29, 2021 at 10:28 AM, Nick Couchman (<vn...@apache.org>)
wrote:

> On Thu, Jul 29, 2021 at 9:56 AM Victor Martinez <vj...@gmail.com>
> wrote:
>
>> Hi Nick.
>> Thank you for your answer.
>>
>> 1) What version of Guacamole are you running?
>> The version is 1.3.0
>>
>> 2) When you create the connection, are you providing values for username
>> and password?
>> We have configured the saml parameters in the guacamole.properties using
>> Azure.
>> The authentication with the Azure-AD is done correctly, once I
>> authenticate to the Azure-AD I enter the Guacamole portal without problems.
>> But when I try to access a Windows computer that I have configured, I see
>> the Invalid Credential error in the log file.
>>
>>
> I was asking about how the connection itself is configured, not the
> Guacamole login. You say it works fine when you authenticate with LDAP, but
> when you use SAML, it does not. I'm wondering if you're trying to use the
> GUAC_USERNAME and GUAC_PASSWORD tokens? Those won't be present with the
> SAML extension - at least, the GUAC_PASSWORD token will not be available,
> so you won't be able to transparently authenticate through to Windows
> servers.
>
> However, with 1.3.0 you should be able to clear out the username and
> password fields, and Guacamole should prompt for credentials.
>
> -Nick
>
>>

Re: Problem Implementing SAML with RDP Windows

Posted by Nick Couchman <vn...@apache.org>.
On Thu, Jul 29, 2021 at 9:56 AM Victor Martinez <vj...@gmail.com>
wrote:

> Hi Nick.
> Thank you for your answer.
>
> 1) What version of Guacamole are you running?
> The version is 1.3.0
>
> 2) When you create the connection, are you providing values for username
> and password?
> We have configured the saml parameters in the guacamole.properties using
> Azure.
> The authentication with the Azure-AD is done correctly, once I
> authenticate to the Azure-AD I enter the Guacamole portal without problems.
> But when I try to access a Windows computer that I have configured, I see
> the Invalid Credential error in the log file.
>
>
I was asking about how the connection itself is configured, not the
Guacamole login. You say it works fine when you authenticate with LDAP, but
when you use SAML, it does not. I'm wondering if you're trying to use the
GUAC_USERNAME and GUAC_PASSWORD tokens? Those won't be present with the
SAML extension - at least, the GUAC_PASSWORD token will not be available,
so you won't be able to transparently authenticate through to Windows
servers.

However, with 1.3.0 you should be able to clear out the username and
password fields, and Guacamole should prompt for credentials.

-Nick

>
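
The token problem Nick describes can be checked across all stored connections rather than one at a time. The script below is an added example and not code from the thread or from the Guacamole project. It assumes the MySQL authentication extension, whose guacamole_connection_parameter table holds one row per (connection_id, parameter_name, parameter_value); the rows embedded here are constructed stand-ins for a query result, and the hostnames are invented. It flags every parameter that references ${GUAC_PASSWORD}, which a SAML login can never populate, and emits the DELETE statements that remove those parameters so that Guacamole 1.3.0 prompts for the value at connect time, which is the workaround the thread arrives at.

```python
"""Audit stored Guacamole connection parameters for login-credential tokens.

Added example, not code from the thread or the Guacamole project. It assumes
the MySQL auth extension's guacamole_connection_parameter table, whose rows
are (connection_id, parameter_name, parameter_value); the rows below are
constructed stand-ins for a query result, and the hostnames are invented.
"""
import re

# Guacamole substitutes these tokens from the credentials the user logged in
# with. With LDAP or database logins both are known; with SAML the IdP never
# hands Guacamole a password, so ${GUAC_PASSWORD} stays unfilled and the RDP
# server rejects the connection. ${GUAC_USERNAME} normally still resolves.
UNAVAILABLE_WITH_SAML = frozenset({"GUAC_PASSWORD"})
TOKEN_RE = re.compile(r"\$\{([A-Z][A-Z0-9_]*)\}")

# Constructed sample rows (connection_id, parameter_name, parameter_value).
SAMPLE_ROWS = [
    (1, "hostname", "win10-01.example.test"),
    (1, "security", "nla"),
    (1, "username", "${GUAC_USERNAME}"),
    (1, "password", "${GUAC_PASSWORD}"),
    (2, "hostname", "win10-02.example.test"),
    (2, "security", "nla"),
    (2, "username", "svc_rdp"),
    (2, "password", "stored-secret"),
    (3, "hostname", "win10-03.example.test"),
    (3, "client-name", "${GUAC_CLIENT_ADDRESS}"),  # resolves under SAML too
    (3, "password", "${GUAC_PASSWORD}"),
]


def find_unresolvable(rows, unavailable=UNAVAILABLE_WITH_SAML):
    """Map connection_id -> [(parameter_name, token)] for every parameter
    whose value references a token the SAML login cannot supply."""
    hits = {}
    for connection_id, name, value in rows:
        for token in TOKEN_RE.findall(value or ""):
            if token in unavailable:
                hits.setdefault(connection_id, []).append((name, token))
    return hits


def fix_statements(hits):
    """Emit SQL that removes the offending parameters. With the value absent,
    Guacamole 1.3.0 prompts the user for it at connect time instead of
    sending an unresolved password to the RDP server. The statements are
    returned, not executed: review them before running them against the DB."""
    statements = []
    for connection_id in sorted(hits):
        for name, _token in hits[connection_id]:
            statements.append(
                "DELETE FROM guacamole_connection_parameter "
                f"WHERE connection_id = {connection_id} "
                f"AND parameter_name = '{name}';"
            )
    return statements


if __name__ == "__main__":
    found = find_unresolvable(SAMPLE_ROWS)
    for connection_id, params in found.items():
        for name, token in params:
            print(f"connection {connection_id}: {name} uses ${{{token}}}")
    print("\n".join(fix_statements(found)))
```

On a real deployment the rows would come from `SELECT connection_id, parameter_name, parameter_value FROM guacamole_connection_parameter WHERE parameter_value LIKE '%${GUAC_%'`. For a handful of connections, clearing the password field in the admin UI, as Nick suggests, does the same job; the script earns its keep when many connections were built from one template with the tokens in place. Connection 2 above, with a stored static password, is intentionally left alone: it works under SAML, but it is a shared credential that every user of that connection inherits, which is its own review item.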

Re: Problem Implementing SAML with RDP Windows

Posted by Victor Martinez <vj...@gmail.com>.
Hi Nick.
Thank you for your answer.

1) What version of Guacamole are you running?
The version is 1.3.0

2) When you create the connection, are you providing values for username
and password?
We have configured the saml parameters in the guacamole.properties using
Azure.
The authentication with the Azure-AD is done correctly, once I authenticate
to the Azure-AD I enter the Guacamole portal without problems.
But when I try to access a Windows computer that I have configured, I see
the Invalid Credential error in the log file.

3) Are you setting the RDP security type correctly for your version of
Windows (probably NLA or NLA Ext)?
The security type is configured in LA.
I only have the drawback when using saml, if I authenticate via LDAP I
connect without problems.

This is my guacamole.properties
# Hostname and port of guacamole proxy
guacd-hostname: 127.0.0.1
guacd-port:     4822

# MySQL properties

api-session-timeout:1

mysql-hostname: dbsvr.winux
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: xxxxxxxxxxxxxxxxxx
mysql-default-max-connections-per-user: 0
mysql-default-max-group-connections-per-user: 0
#mysql-auto-create-accounts: true

#skip-if-unavailable: mysql,ldap
#LDAP Properties
#ldap-hostname: chidmzvip.winux
#ldap-port: 389
#ldap-username-attribute: uid
#ldap-member-attribute: memberUid
#ldap-encryption-method: none
#ldap-search-bind-dn: uid=aixldap,ou=openldap,ou=services,dc=winux
#ldap-search-bind-password: xxxxxxxxxx
#ldap-config-base-dn: dc=winux
#ldap-user-base-dn: ou=Users,dc=winux
#ldap-user-search-filter:(objectClass=shadowAccount)
#ldap-group-base-dn: ou=Groups,dc=winux
#ldap-group-name-attribute: cn
#ldap-max-search-results: 6000
#ldap-operation-timeout: 300

saml-idp-url:
https://login.microsoftonline.com/3f27f816-99e9-48e2-96b8-7197a6632921/saml2
saml-callback-url: https://ertest.winux.com
saml-debug: True
saml-strict: False
saml-entity-id: https://ertest.winux.com
saml-debug: true

Victor J. Martínez
RHCE
Cel.: (595)972-918-550
Asunción - Paraguay



On Thu, Jul 29, 2021 at 9:36 AM, Nick Couchman (<vn...@apache.org>) wrote:

> On Thu, Jul 29, 2021 at 8:32 AM Victor Martinez <vj...@gmail.com>
> wrote:
>
>> Good evening Team. They told me that I could make inquiries in this
>> list, referring to a problem that we are having for the implementation
>> of Guacamole + SAML + RDP.
>> The downside is for authentication with the RDP service.
>> I entered the Guacamole Portal with the SAML_ID, but when we tried to
>> connect via rdp to a Windows 10 host, we received the following from
>> Invalid Credential:
>> Jul 28 16:27:10 chidmz117 guacd [17514]: guacd [17905]: INFO: RDP
>> server closed / refused connection: Authentication failure (invalid
>> credentials?)
>> We hope we can count on your help.
>> Thanks a lot
>>
>
> Several questions:
> 1) What version of Guacamole are you running?
> 2) When you create the connection, are you providing values for username
> and password?
> 3) Are you setting the RDP security type correctly for your version of
> Windows (probably NLA or NLA Ext)?
>
> As the server indicates, authentication is failing, so it needs to be
> corrected in some form or another.
>
> -Nick
>
>>
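
The guacamole.properties posted above is worth a second pass beyond the RDP credential issue. The script below is an added example, not code from the thread or from the Guacamole project; the file it audits is a constructed sample modelled on the posted one, with the Azure tenant id and hostnames replaced by placeholders. It reads properties the way java.util.Properties does (the first ':', '=' or whitespace ends the key, '#' and '!' start comments, a repeated key takes its last value) but ignores backslash escapes and line continuations, which the sample does not use. It reports `saml-strict: False`, which relaxes the validation the SAML extension applies to the IdP's response by default, the `saml-debug` setting that appears twice, and the IdP URL sitting on its own line: if that line break exists in the real file rather than being mail wrapping, Java reads `saml-idp-url` as empty and the URL as a separate key named `https`.

```python
"""Audit a guacamole.properties file for SAML settings worth a second look.

Added example, not code from the thread or the Guacamole project. Parsing
follows java.util.Properties (first ':' , '=' or whitespace ends the key;
'#' and '!' start comments; a later duplicate key overwrites an earlier one)
but skips backslash escapes and line continuations. The sample is
constructed and modelled on the posted file; tenant id and hostnames are
placeholders.
"""
import re

SAMPLE_PROPERTIES = """\
# constructed sample, modelled on the posted guacamole.properties
guacd-hostname: 127.0.0.1
guacd-port:     4822
saml-idp-url:
https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2
saml-callback-url: https://guac.example.test
saml-debug: True
saml-strict: False
saml-entity-id: https://guac.example.test
saml-debug: true
"""

# key = run of chars up to the first '=', ':' or whitespace; optional separator;
# the remainder is the value (empty when the line carries only a key).
_KV_RE = re.compile(r"\s*([^=:\s]*)\s*[=:]?\s*(.*)$")


def parse_properties(text):
    """Return (values, duplicates): values maps key -> last value seen,
    duplicates lists keys that appeared more than once, in file order."""
    values, duplicates = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, value = _KV_RE.match(line).groups()
        if not key:
            continue
        if key in values and key not in duplicates:
            duplicates.append(key)
        values[key] = value.rstrip()
    return values, duplicates


def audit_saml(values, duplicates):
    """Return findings as (code, key, message) tuples."""
    findings = []
    if values.get("saml-strict", "true").strip().lower() == "false":
        findings.append(("weak-setting", "saml-strict",
                         "strict validation of the IdP's SAML response is "
                         "disabled; the default (true) belongs in production"))
    if values.get("saml-debug", "false").strip().lower() == "true":
        findings.append(("debug-enabled", "saml-debug",
                         "SAML debug logging is on; turn it off outside troubleshooting"))
    if not (values.get("saml-idp-url") or values.get("saml-idp-metadata-url")):
        findings.append(("missing", "saml-idp-url",
                         "neither saml-idp-url nor saml-idp-metadata-url has a value"))
    for key in ("saml-entity-id", "saml-callback-url"):
        if not values.get(key):
            findings.append(("missing", key, "required SAML property is absent or empty"))
    for key in duplicates:
        findings.append(("duplicate", key, "set more than once; the last value wins"))
    for key in ("http", "https"):
        if key in values:  # a URL on its own line parses as key 'https'
            findings.append(("wrapped-value", key,
                             f"a URL on its own line was read as key '{key}' with "
                             f"value '{values[key]}'; join it to its property"))
    return findings


if __name__ == "__main__":
    vals, dups = parse_properties(SAMPLE_PROPERTIES)
    for code, key, message in audit_saml(vals, dups):
        print(f"[{code}] {key}: {message}")
```

Run against the sample it reports the weak `saml-strict`, the enabled `saml-debug`, the duplicate `saml-debug`, the empty `saml-idp-url` and the stray `https` key. None of these explain the RDP failure, which is the token issue Nick identified, but `saml-strict` in particular should go back to its default before the deployment is exposed beyond a test environment.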

Re: Problem Implementing SAML with RDP Windows

Posted by Nick Couchman <vn...@apache.org>.
On Thu, Jul 29, 2021 at 8:32 AM Victor Martinez <vj...@gmail.com>
wrote:

> Good evening Team. They told me that I could make inquiries in this
> list, referring to a problem that we are having for the implementation
> of Guacamole + SAML + RDP.
> The downside is for authentication with the RDP service.
> I entered the Guacamole Portal with the SAML_ID, but when we tried to
> connect via rdp to a Windows 10 host, we received the following from
> Invalid Credential:
> Jul 28 16:27:10 chidmz117 guacd [17514]: guacd [17905]: INFO: RDP
> server closed / refused connection: Authentication failure (invalid
> credentials?)
> We hope we can count on your help.
> Thanks a lot
>

Several questions:
1) What version of Guacamole are you running?
2) When you create the connection, are you providing values for username
and password?
3) Are you setting the RDP security type correctly for your version of
Windows (probably NLA or NLA Ext)?

As the server indicates, authentication is failing, so it needs to be
corrected in some form or another.

-Nick

>