[
https://issues.apache.org/jira/browse/GUACAMOLE-2057?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18014215#comment-18014215
]
Nick Couchman commented on GUACAMOLE-2057:
------------------------------------------
[~lexaphix]: No, I did not put the user into the Protected Users group, because
I don't have the ability to do that in my AD environment. I could spin up a
test AD environment, but...so much work :-).
My testing was just to modify the local security policy of the Windows system
that I was connecting to via RDP and disable NTLM authentication to that
system. I was able to verify that NTLM had been successfully disabled by trying
to connect both from Guacamole and xfreerdp using the /auth flag to disable
Kerberos and force NTLM, which failed. I then used the /auth flag for forcing
Kerberos with xfreerdp, and the settings in Guacamole, and it was able to
connect successfully. I did not have to inject any KDC URLs or anything like
that in my environment - it just worked with Kerberos authentication out of the
box.
> Allow RDP connections to leverage FreeRDP3 Kerberos Security
> ------------------------------------------------------------
>
> Key: GUACAMOLE-2057
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-2057
> Project: Guacamole
> Issue Type: New Feature
> Components: RDP
> Reporter: Axel D'Olislager
> Assignee: Nick Couchman
> Priority: Major
> Labels: security
> Attachments: image-2025-05-09-15-15-00-772.png,
> image-2025-05-13-15-54-24-075.png, image-2025-05-13-15-54-36-254.png,
> image-2025-05-13-15-54-49-336.png, image-2025-05-13-15-55-00-950.png,
> image-2025-05-19-12-54-13-755.png, image-2025-06-06-10-29-54-989.png,
> image-2025-06-06-12-35-22-685.png, image-2025-06-06-12-53-24-559.png,
> image-2025-07-10-15-28-40-971.png, image-2025-07-10-15-31-15-908.png,
> image-2025-07-10-15-32-40-753.png
>
>
> Since Guacamole 1.6.0 will add support for FreeRDP 3.0, but there is
> currently no way to make use of the new Kerberos authentication functionality
> within FreeRDP.
>
> With the deprecation of NTLM and its security issues, the demand for this is
> becoming reasonably high, since in an Active Directory domain your users cannot
> be part of the Protected Users security group, which blocks legacy protocols.
> [https://www.reddit.com/r/sysadmin/comments/1b5o6kx/apache_guacamole_kerberos_support_or_roadmap_for/]
>
> I've personally been playing around with this.
> Manually I am able to create a connection using the FreeRDP package using the
> following command and modifying my krb5.conf file:
> {code:bash}
> xfreerdp /auth-pkg-list:'!ntlm,kerberos' /u:<username> /v:<host_ip> /d:<domainname> /cert:ignore
> {code}
>
> krb5.conf:
> {code:none}
> includedir /etc/krb5.conf.d/
>
> [logging]
>     default = FILE:/var/log/krb5libs.log
>     kdc = FILE:/var/log/krb5kdc.log
>     admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>     default_realm = LEXAPHIX.LAB
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>     ticket_lifetime = 24h
>     renew_lifetime = 7d
>     forwardable = true
>     rdns = false
>
> [realms]
>     LEXAPHIX.LAB = {
>         kdc = besnlexdc03.lexaphix.lab
>         admin_server = besnlexdc03.lexaphix.lab
>     }
>
> [domain_realm]
>     .lexaphix.lab = LEXAPHIX.LAB
>     lexaphix.lab = LEXAPHIX.LAB
> {code}
>
>
> I've been trying to get this to work, but because I do not have the knowledge
> of this code base, I'm unable to add these things.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
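The check Nick Couchman describes in his comment (force NTLM and expect a failure, force Kerberos and expect success) can be scripted from the guacd host so it is repeatable after every policy change. The script below is an added example for this thread, not code from the Guacamole project or from either participant. It assumes FreeRDP 3's xfreerdp is installed (the /auth-pkg-list syntax and the '!' exclusion prefix are FreeRDP 3's, as in the ticket's command line), that /auth-only makes xfreerdp authenticate and disconnect without opening a session, and that RDP_HOST, RDP_USER, RDP_DOMAIN and optionally RDP_PASS are supplied by the caller; the Windows-side change it verifies is the Local Security Policy setting "Network security: Restrict NTLM: Incoming NTLM traffic" set to "Deny all accounts" on the target host. The RDP_CMD variable exists only so the logic can be exercised with a stub instead of a live host.

```shell
#!/bin/sh
# Verify that an RDP host rejects NTLM and accepts Kerberos, from the
# guacd/Linux side. Added example; assumptions are listed in the lead-in.

# Command used to connect. Override with a stub to exercise the logic offline.
RDP_CMD="${RDP_CMD:-xfreerdp}"

# Emit the FreeRDP 3 /auth-pkg-list value that allows exactly one package.
# '!ntlm,kerberos' excludes NTLM and allows Kerberos; '!kerberos,ntlm' the reverse.
auth_pkg_list() {
    case "$1" in
        kerberos) printf '%s' '/auth-pkg-list:!ntlm,kerberos' ;;
        ntlm)     printf '%s' '/auth-pkg-list:!kerberos,ntlm' ;;
        *)        echo "unknown auth package: $1" >&2; return 2 ;;
    esac
}

# Attempt an authentication-only connection with the given package.
# Returns the connector's exit status: 0 on success, non-zero on failure.
# /cert:ignore is only appropriate in a lab; RDP_PASS is optional (Kerberos
# can use an existing credential cache, NTLM needs the password).
try_auth() {
    pkg="$1"
    "$RDP_CMD" "$(auth_pkg_list "$pkg")" /auth-only /cert:ignore \
        "/u:$RDP_USER" "/d:$RDP_DOMAIN" "/v:$RDP_HOST" \
        ${RDP_PASS:+"/p:$RDP_PASS"} >/dev/null 2>&1
}

# The actual check: NTLM must be refused AND Kerberos must succeed.
# A host that still accepts NTLM, or one where Kerberos is broken (bad
# krb5.conf, unreachable KDC, clock skew, missing SPN), both return 1,
# so a passing result proves the lockdown rather than just "something failed".
verify_ntlm_disabled() {
    if try_auth ntlm; then
        echo "FAIL: $RDP_HOST still accepts NTLM authentication" >&2
        return 1
    fi
    if ! try_auth kerberos; then
        echo "FAIL: Kerberos authentication to $RDP_HOST failed; check krb5.conf, KDC reachability, clock skew and the host SPN" >&2
        return 1
    fi
    echo "OK: $RDP_HOST rejects NTLM and accepts Kerberos"
    return 0
}

# Usage: RDP_HOST=win.example.lab RDP_USER=alice RDP_DOMAIN=EXAMPLE sh verify-rdp-auth.sh
# (hypothetical names). Runs only when a host is given so the file can also be sourced.
if [ -n "${RDP_HOST:-}" ]; then
    verify_ntlm_disabled
fi
```

Run it once before and once after changing the NTLM policy on the Windows host: before the change the NTLM attempt succeeds and the script reports FAIL, after the change it should report OK. If the Kerberos attempt is what fails, the problem is on the Kerberos side (realm mapping in krb5.conf, KDC reachability, time sync, or a missing TERMSRV/ or HOST/ SPN for the target), not the NTLM restriction.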