RE: Issues with RDP connections

2022-02-18 Thread Devine, Harry (FAA)
OK, we got in.  It turns out that the user that was being used in the RDP 
connection in Guac had 2 issues:

1)  It was locked out;

2)  It had NLA turned on for it

Once we corrected those, we were able to connect using “Any” as the security 
mode in Guac.

Thanks,
Harry

From: Hankins, Jonathan 
Sent: Friday, February 18, 2022 12:50 PM
To: user@guacamole.apache.org
Subject: Re: Issues with RDP connections

I was incorrect -- I *did* have a domain user named "guacadmin". I checked the 
windows event logs on the 2012 machine I failed to connect to and saw error 
4825 in the Windows/Security event log, as an Audit Failure message:

"A user was denied the access to Remote Desktop. By default, users are allowed 
to connect only if they are members of the Remote Desktop Users group or 
Administrators group."

If I delete the user and try to connect again, I get this expected error from 
guacd:

"RDP server closed/refused connection: Authentication failure (invalid 
credentials?)"

I hear you saying you can connect to the same server presumably with the same 
domain and username credentials via another RDP client, but I'd suggest 
double-checking that this is indeed the case as well as check your Windows 
Event logs to see if anything is logged when the connection from guacamole 
fails.


On Fri, Feb 18, 2022 at 11:23 AM Hankins, Jonathan <jhank...@homewood.k12.al.us> wrote:
FWIW, I get the same error "RDP server closed/refused connection: Server 
refused connection (wrong security type?)" if I try to connect with a username 
passed through that does not exist on the Windows side.

For reference, in my connection, I have the domain set, the login set to 
"${GUAC_USERNAME}", security mode set to NLA in guac (also required on the 
Windows side). If I login as "guacadmin" to guac and launch that connection, it 
fails with the message you are receiving, as there is no "guacadmin" user in my 
Windows domain.




On Fri, Feb 18, 2022 at 6:47 AM Devine, Harry (FAA) <harry.dev...@faa.gov.invalid> wrote:
It doesn’t look like guacd.conf is being used in our installation.  I tried 
“/etc/init.d/guacd restart –L”, but /var/log/messages doesn’t look any 
different in what it’s logging.  Where else should I be adding/looking for the 
debug messages?  Perhaps guacamole.properties?

Thanks,
Harry

From: Nick Couchman <nick.e.couch...@gmail.com>
Sent: Thursday, February 17, 2022 9:26 PM
To: user@guacamole.apache.org
Subject: Re: Issues with RDP connections

On Thu, Feb 17, 2022 at 8:34 PM Devine, Harry (FAA) <harry.dev...@faa.gov.invalid> wrote:
On the Windows side or the guacamole side?  If the user couldn’t write there, 
why did the windows 10 rdp work?  One of our admins said they can rdp to the 
windows 2013 server using MobaXterm and they see the TLS is 1.2. Does guacamole 
expect v2?  If so, does the 2012 need to update to TLS2?


This would be on the Guacamole side. No, I do not expect that Guacamole would 
require a TLS version that Windows doesn't support- I use 1.4.0 to connect to 
Server 2003, 2008/r2, 2012/r2, 2016, and 2019, along with Windows 10.

Also, might want to start guacd with debug logging (-L debug on the command 
line, or log_level = debug in guacd.conf) to see if you get any more useful 
messages.

-Nick


--
Jonathan Hankins

Homewood City Schools

W: 205-877-4548


This e-mail is intended only for the recipient and may contain confidential or 
proprietary information. If you are not the intended recipient, the review, 
distribution, duplication or retention of this message and its attachments are 
prohibited. Please notify the sender of this error immediately by reply e-mail, 
and permanently delete this message and its attachments in any form in which 
they may have been preserved.
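
An added example (not written by anyone in this thread, and not Guacamole project code): a small Python triage script for guacd lines in /var/log/messages. It rejoins records that were wrapped the way the logs in this thread are, groups them by guacd child PID, and for each refused connection lists the Windows-side causes the thread found behind the "wrong security type?" message. The host name, IDs and sample lines are constructed, and the function names are this example's own.

```python
import re
from collections import OrderedDict

# Syslog prefix as seen in /var/log/messages: "Feb 17 16:09:10 host guacd[19478]: msg"
SYSLOG = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2} (?P<time>\d{2}:\d{2}:\d{2}) \S+ "
    r"(?P<proc>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
MODE = re.compile(r"^Security mode: (.+)$")
REFUSED = re.compile(r"^RDP server closed/refused connection: (.+)$")

# guacd reports several different Windows-side problems with this same hint.
AMBIGUOUS = "(wrong security type?)"

# Causes reported in the thread for the ambiguous message.
CHECKS_AMBIGUOUS = (
    "account used by the connection is not locked out",
    "NLA setting on the Windows side versus the connection's security mode",
    "user name passed to the connection exists on the Windows side",
    "Windows Security log event 4825 (user not in Remote Desktop Users "
    "or Administrators)",
)
CHECKS_OTHER = (
    "user name, password and domain stored in the connection",
    "guacd debug output (-L debug, or log_level = debug in guacd.conf)",
)


def unwrap(lines):
    """Rejoin syslog records that a mail client or pager wrapped."""
    records = []
    for line in lines:
        line = line.strip()
        if SYSLOG.match(line):
            records.append(line)
        elif records and line:
            # Continuation of the previous record.
            records[-1] = records[-1] + " " + line
    return records


def triage(lines):
    """Return one finding per guacd child process that logged a refusal."""
    sessions = OrderedDict()  # keyed by PID; assumes no PID reuse in the window
    for record in unwrap(lines):
        m = SYSLOG.match(record)
        if m is None or m["proc"] != "guacd":
            continue
        s = sessions.setdefault(
            m["pid"], {"pid": m["pid"], "mode": None, "reason": None, "time": None}
        )
        if (mode := MODE.match(m["msg"])):
            s["mode"] = mode[1]
        elif (refused := REFUSED.match(m["msg"])):
            s["reason"], s["time"] = refused[1], m["time"]

    findings = []
    for s in sessions.values():
        if s["reason"] is None:
            continue  # parent process or a session that was not refused
        ambiguous = AMBIGUOUS in s["reason"]
        checks = CHECKS_AMBIGUOUS if ambiguous else CHECKS_OTHER
        findings.append({**s, "ambiguous": ambiguous, "checks": list(checks)})
    return findings


# Constructed sample in the format shown in this thread (not real log data).
SAMPLE = """\
Feb 17 16:09:10 gw01 guacd[4148]: Creating new client for protocol "rdp"
Feb 17 16:09:10 gw01 guacd[4148]: Connection ID is
"$00000000-0000-0000-0000-000000000001"
Feb 17 16:09:10 gw01 guacd[19478]: Security mode: Negotiate (ANY)
Feb 17 16:09:11 gw01 guacd[19478]: RDP server closed/refused connection: Server
refused connection (wrong security type?)
Feb 17 16:09:11 gw01 server: 16:09:11.392 [http-bio-8080-exec-109] ERROR
o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: Connection to
guacd timed out.
Feb 17 16:20:02 gw01 guacd[20111]: Security mode: TLS
Feb 17 16:20:03 gw01 guacd[20111]: RDP server closed/refused connection:
Authentication failure (invalid credentials?)
Feb 17 16:30:00 gw01 guacd[20500]: Security mode: TLS
Feb 17 16:30:00 gw01 guacd[20500]: Loading keymap "base"
""".splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f'{f["time"]} guacd[{f["pid"]}] mode={f["mode"]}: {f["reason"]}')
        for check in f["checks"]:
            print("  check:", check)
```
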


Re: Issues with RDP connections

2022-02-18 Thread Hankins, Jonathan
I was incorrect -- I *did* have a domain user named "guacadmin". I checked
the windows event logs on the 2012 machine I failed to connect to and saw
error 4825 in the Windows/Security event log, as an Audit Failure message:

"A user was denied the access to Remote Desktop. By default, users are
allowed to connect only if they are members of the Remote Desktop Users
group or Administrators group."

If I delete the user and try to connect again, I get this expected error
from guacd:

"RDP server closed/refused connection: Authentication failure (invalid
credentials?)"

I hear you saying you can connect to the same server presumably with the
same domain and username credentials via another RDP client, but I'd
suggest double-checking that this is indeed the case as well as check your
Windows Event logs to see if anything is logged when the connection from
guacamole fails.


On Fri, Feb 18, 2022 at 11:23 AM Hankins, Jonathan <
jhank...@homewood.k12.al.us> wrote:

> FWIW, I get the same error "RDP server closed/refused connection: Server
> refused connection (wrong security type?)" if I try to connect with a
> username passed through that does not exist on the Windows side.
>
> For reference, in my connection, I have the domain set, the login set to
> "${GUAC_USERNAME}", security mode set to NLA in guac (also required on the
> Windows side). If I login as "guacadmin" to guac and launch that
> connection, it fails with the message you are receiving, as there is no
> "guacadmin" user in my Windows domain.
>
>
>
>
> On Fri, Feb 18, 2022 at 6:47 AM Devine, Harry (FAA) wrote:
>
>> It doesn’t look like guacd.conf is being used in our installation.  I
>> tried “/etc/init.d/guacd restart –L”, but /var/log/messages doesn’t look
>> any different in what it’s logging.  Where else should I be adding/looking
>> for the debug messages?  Perhaps guacamole.properties?
>>
>>
>>
>> Thanks,
>>
>> Harry
>>
>>
>>
>> *From:* Nick Couchman 
>> *Sent:* Thursday, February 17, 2022 9:26 PM
>> *To:* user@guacamole.apache.org
>> *Subject:* Re: Issues with RDP connections
>>
>>
>>
>> On Thu, Feb 17, 2022 at 8:34 PM Devine, Harry (FAA) <
>> harry.dev...@faa.gov.invalid> wrote:
>>
>> On the Windows side or the guacamole side?  If the user couldn’t write
>> there, why did the windows 10 rdp work?  One of our admins said they can
>> rdp to the windows 2013 server using MobaXterm and they see the TLS is 1.2.
>> Does guacamole expect v2?  If so, does the 2012 need to update to TLS2?
>>
>>
>>
>>
>>
>> This would be on the Guacamole side. No, I do not expect that Guacamole
>> would require a TLS version that Windows doesn't support- I use 1.4.0 to
>> connect to Server 2003, 2008/r2, 2012/r2, 2016, and 2019, along with
>> Windows 10.
>>
>>
>>
>> Also, might want to start guacd with debug logging (-L debug on the
>> command line, or log_level = debug in guacd.conf) to see if you get any
>> more useful messages.
>>
>>
>>
>> -Nick
>>
>
>
> --
> Jonathan Hankins
>
> Homewood City Schools
>
> W: 205-877-4548
>


-- 
Jonathan Hankins

Homewood City Schools

W: 205-877-4548



Re: Issues with RDP connections

2022-02-18 Thread Nick Couchman
On Fri, Feb 18, 2022 at 7:46 AM Devine, Harry (FAA) wrote:

> It doesn’t look like guacd.conf is being used in our installation.  I
> tried “/etc/init.d/guacd restart –L”, but /var/log/messages doesn’t look
> any different in what it’s logging.  Where else should I be adding/looking
> for the debug messages?  Perhaps guacamole.properties?
>
>
You can create guacd.conf - it isn't strictly required, just if you want to
change properties like logging.

https://guacamole.apache.org/doc/gug/configuring-guacamole.html#configuring-guacd

If you are trying to start guacd with different flags, instead of changing
the config file, you'll likely need to modify the startup script and add it
to the line that actually starts guacd. You can also stop guacd and then
run it manually from the console:
/path/to/guacd -L debug -f

That will start it in debug mode in the foreground, under the current user
account, and output will go to the current console.

-Nick



RE: Issues with RDP connections

2022-02-18 Thread Devine, Harry (FAA)
We have the username and password for the Windows side in the RDP connection in 
Guac, and it still fails.  I can connect to a Server 2016 server and a Windows 
10 box on our same subnet, but the 2012 Server we are trying to connect to is 
on another subnet.

We can connect to that Server 2012 box using RDP from one of our local Windows 
boxes that can see the other subnet, as well as MobaXterm using a Jump-Host 
(that can access the other subnet).  Guacamole always fails, and there is 
nothing in the logs.  The Tomcat catalina.out log doesn’t even have any 
information in it whatsoever.  And /var/log/messages shows “Server refused 
connection (wrong security type?)” no matter what permutation of parameters we 
try.

Thanks,
Harry

From: Hankins, Jonathan 
Sent: Friday, February 18, 2022 12:23 PM
To: user@guacamole.apache.org
Subject: Re: Issues with RDP connections

FWIW, I get the same error "RDP server closed/refused connection: Server 
refused connection (wrong security type?)" if I try to connect with a username 
passed through that does not exist on the Windows side.

For reference, in my connection, I have the domain set, the login set to 
"${GUAC_USERNAME}", security mode set to NLA in guac (also required on the 
Windows side). If I login as "guacadmin" to guac and launch that connection, it 
fails with the message you are receiving, as there is no "guacadmin" user in my 
Windows domain.




On Fri, Feb 18, 2022 at 6:47 AM Devine, Harry (FAA) <harry.dev...@faa.gov.invalid> wrote:
It doesn’t look like guacd.conf is being used in our installation.  I tried 
“/etc/init.d/guacd restart –L”, but /var/log/messages doesn’t look any 
different in what it’s logging.  Where else should I be adding/looking for the 
debug messages?  Perhaps guacamole.properties?

Thanks,
Harry

From: Nick Couchman <nick.e.couch...@gmail.com>
Sent: Thursday, February 17, 2022 9:26 PM
To: user@guacamole.apache.org
Subject: Re: Issues with RDP connections

On Thu, Feb 17, 2022 at 8:34 PM Devine, Harry (FAA) <harry.dev...@faa.gov.invalid> wrote:
On the Windows side or the guacamole side?  If the user couldn’t write there, 
why did the windows 10 rdp work?  One of our admins said they can rdp to the 
windows 2013 server using MobaXterm and they see the TLS is 1.2. Does guacamole 
expect v2?  If so, does the 2012 need to update to TLS2?


This would be on the Guacamole side. No, I do not expect that Guacamole would 
require a TLS version that Windows doesn't support- I use 1.4.0 to connect to 
Server 2003, 2008/r2, 2012/r2, 2016, and 2019, along with Windows 10.

Also, might want to start guacd with debug logging (-L debug on the command 
line, or log_level = debug in guacd.conf) to see if you get any more useful 
messages.

-Nick


--
Jonathan Hankins

Homewood City Schools

W: 205-877-4548



Re: Issues with RDP connections

2022-02-18 Thread Hankins, Jonathan
FWIW, I get the same error "RDP server closed/refused connection: Server
refused connection (wrong security type?)" if I try to connect with a
username passed through that does not exist on the Windows side.

For reference, in my connection, I have the domain set, the login set to
"${GUAC_USERNAME}", security mode set to NLA in guac (also required on the
Windows side). If I login as "guacadmin" to guac and launch that
connection, it fails with the message you are receiving, as there is no
"guacadmin" user in my Windows domain.




On Fri, Feb 18, 2022 at 6:47 AM Devine, Harry (FAA) wrote:

> It doesn’t look like guacd.conf is being used in our installation.  I
> tried “/etc/init.d/guacd restart –L”, but /var/log/messages doesn’t look
> any different in what it’s logging.  Where else should I be adding/looking
> for the debug messages?  Perhaps guacamole.properties?
>
>
>
> Thanks,
>
> Harry
>
>
>
> *From:* Nick Couchman 
> *Sent:* Thursday, February 17, 2022 9:26 PM
> *To:* user@guacamole.apache.org
> *Subject:* Re: Issues with RDP connections
>
>
>
> On Thu, Feb 17, 2022 at 8:34 PM Devine, Harry (FAA) <
> harry.dev...@faa.gov.invalid> wrote:
>
> On the Windows side or the guacamole side?  If the user couldn’t write
> there, why did the windows 10 rdp work?  One of our admins said they can
> rdp to the windows 2013 server using MobaXterm and they see the TLS is 1.2.
> Does guacamole expect v2?  If so, does the 2012 need to update to TLS2?
>
>
>
>
>
> This would be on the Guacamole side. No, I do not expect that Guacamole
> would require a TLS version that Windows doesn't support- I use 1.4.0 to
> connect to Server 2003, 2008/r2, 2012/r2, 2016, and 2019, along with
> Windows 10.
>
>
>
> Also, might want to start guacd with debug logging (-L debug on the
> command line, or log_level = debug in guacd.conf) to see if you get any
> more useful messages.
>
>
>
> -Nick
>


-- 
Jonathan Hankins

Homewood City Schools

W: 205-877-4548



RE: Issues with RDP connections

2022-02-18 Thread Devine, Harry (FAA)
It doesn’t look like guacd.conf is being used in our installation.  I tried 
“/etc/init.d/guacd restart –L”, but /var/log/messages doesn’t look any 
different in what it’s logging.  Where else should I be adding/looking for the 
debug messages?  Perhaps guacamole.properties?

Thanks,
Harry

From: Nick Couchman 
Sent: Thursday, February 17, 2022 9:26 PM
To: user@guacamole.apache.org
Subject: Re: Issues with RDP connections

On Thu, Feb 17, 2022 at 8:34 PM Devine, Harry (FAA) <harry.dev...@faa.gov.invalid> wrote:
On the Windows side or the guacamole side?  If the user couldn’t write there, 
why did the windows 10 rdp work?  One of our admins said they can rdp to the 
windows 2013 server using MobaXterm and they see the TLS is 1.2. Does guacamole 
expect v2?  If so, does the 2012 need to update to TLS2?


This would be on the Guacamole side. No, I do not expect that Guacamole would 
require a TLS version that Windows doesn't support- I use 1.4.0 to connect to 
Server 2003, 2008/r2, 2012/r2, 2016, and 2019, along with Windows 10.

Also, might want to start guacd with debug logging (-L debug on the command 
line, or log_level = debug in guacd.conf) to see if you get any more useful 
messages.

-Nick


Re: Issues with RDP connections

2022-02-17 Thread Nick Couchman
On Thu, Feb 17, 2022 at 8:34 PM Devine, Harry (FAA) wrote:

> On the Windows side or the guacamole side?  If the user couldn’t write
> there, why did the windows 10 rdp work?  One of our admins said they can
> rdp to the windows 2013 server using MobaXterm and they see the TLS is 1.2.
> Does guacamole expect v2?  If so, does the 2012 need to update to TLS2?
>
>
This would be on the Guacamole side. No, I do not expect that Guacamole
would require a TLS version that Windows doesn't support- I use 1.4.0 to
connect to Server 2003, 2008/r2, 2012/r2, 2016, and 2019, along with
Windows 10.

Also, might want to start guacd with debug logging (-L debug on the command
line, or log_level = debug in guacd.conf) to see if you get any more useful
messages.

-Nick



Re: Issues with RDP connections

2022-02-17 Thread Devine, Harry (FAA)
On the Windows side or the guacamole side?  If the user couldn’t write there, 
why did the windows 10 rdp work?  One of our admins said they can rdp to the 
windows 2013 server using MobaXterm and they see the TLS is 1.2. Does guacamole 
expect v2?  If so, does the 2012 need to update to TLS2?

Thanks,
Harry


Harry Devine

DOT/FAA/AJM-2432

Secure-OSE Administrator

Red Hat Certified System Administrator (RHCSA)

harry.dev...@faa.gov

Desk: (609)485-4218

FAA Cell: (609)612-7274

Building 300, 3rd floor, Column L20 (3L20)


From: Nick Couchman 
Sent: Thursday, February 17, 2022 7:59:24 PM
To: user@guacamole.apache.org 
Subject: Re: Issues with RDP connections

On Thu, Feb 17, 2022 at 4:26 PM Devine, Harry (FAA) wrote:

Yeah, on that box, but this Server 2012 server keeps rejecting the attempt with 
“wrong security type?”.  So what do we need to do to make this box work?



Harry



Check the user that is running guacd and make sure it has write access to its 
home directory.

-Nick


Re: Issues with RDP connections

2022-02-17 Thread Nick Couchman
On Thu, Feb 17, 2022 at 4:26 PM Devine, Harry (FAA) wrote:

> Yeah, on that box, but this Server 2012 server keeps rejecting the attempt
> with “wrong security type?”.  So what do we need to do to make this box
> work?
>
>
>
> Harry
>
>
>

Check the user that is running guacd and make sure it has write access to
its home directory.

-Nick



RE: Issues with RDP connections

2022-02-17 Thread Devine, Harry (FAA)
Yeah, on that box, but this Server 2012 server keeps rejecting the attempt with 
"wrong security type?".  So what do we need to do to make this box work?

Harry

From: Adrian Owen 
Sent: Thursday, February 17, 2022 4:24 PM
To: user@guacamole.apache.org
Subject: RE: Issues with RDP connections

> I set TLS and ignore certificate, and it could get in

Guacamole settings are ok.

From: Devine, Harry (FAA) [mailto:harry.dev...@faa.gov.INVALID]
Sent: 17 February 2022 21:11
To: user@guacamole.apache.org
Subject: RE: Issues with RDP connections

Same errors (Guac's web page says the connection is currently unreachable).  
The log shows:

Feb 17 16:09:10 armt guacd[4148]: Creating new client for protocol "rdp"
Feb 17 16:09:10 armt guacd[4148]: Connection ID is 
"$61bba758-ee0f-442d-9c99-03bb6204066d"
Feb 17 16:09:10 armt guacd[19478]: Security mode: Negotiate (ANY)
Feb 17 16:09:10 armt guacd[19478]: Resize method: none
Feb 17 16:09:10 armt guacd[19478]: No clipboard line-ending normalization 
specified. Defaulting to preserving the format of all line endings.
Feb 17 16:09:10 armt server: 16:09:10.650 [http-bio-8080-exec-89] INFO  
o.a.g.tunnel.TunnelRequestService - User "guacadmin" connected to connection 
"2".
Feb 17 16:09:10 armt server: 16:09:10.650 [http-bio-8080-exec-89] INFO  
o.a.g.t.h.RestrictedGuacamoleHTTPTunnelServlet - Using HTTP tunnel (not 
WebSocket). Performance may be sub-optimal.
Feb 17 16:09:10 armt guacd[19478]: User "@d394b5b0-4e10-47d1-a237-0d3536b5c921" 
joined connection "$61bba758-ee0f-442d-9c99-03bb6204066d" (1 users now present)
Feb 17 16:09:10 armt guacd[19478]: Loading keymap "base"
Feb 17 16:09:10 armt guacd[19478]: Loading keymap "en-us-qwerty"
Feb 17 16:09:11 armt guacd[19478]: RDP server closed/refused connection: Server 
refused connection (wrong security type?)
Feb 17 16:09:11 armt guacd[19478]: User "@d394b5b0-4e10-47d1-a237-0d3536b5c921" 
disconnected (0 users remain)
Feb 17 16:09:11 armt guacd[19478]: Last user of connection 
"$61bba758-ee0f-442d-9c99-03bb6204066d" disconnected
Feb 17 16:09:11 armt guacd[4148]: Connection 
"$61bba758-ee0f-442d-9c99-03bb6204066d" removed.
Feb 17 16:09:11 armt server: 16:09:11.387 [http-bio-8080-exec-109] INFO  
o.a.g.tunnel.TunnelRequestService - User "guacadmin" disconnected from 
connection "2". Duration: 15423 milliseconds
Feb 17 16:09:11 armt server: 16:09:11.392 [http-bio-8080-exec-109] ERROR 
o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: Connection to 
guacd timed out.

I created a new connection to another Windows server that's Windows 10, and I 
set TLS and ignore certificate, and it could get in, so what could be wrong on 
this Windows server to cause it to refuse a connection?

Thanks,
Harry

From: Adrian Owen <adrian.o...@eesm.com>
Sent: Thursday, February 17, 2022 4:08 PM
To: user@guacamole.apache.org
Subject: RE: Issues with RDP connections

security   any
ignore-cert true

Adrian

From: Devine, Harry (FAA) [mailto:harry.dev...@faa.gov.INVALID]
Sent: 17 February 2022 20:45
To: user@guacamole.apache.org
Subject: Issues with RDP connections

We are trying to get RDP connections to a Windows Server 2012 machine, and 
every time we try, it fails.  The /var/log/messages shows the following:

Feb 17 15:40:51 armt guacd[4148]: Creating new client for protocol "rdp"
Feb 17 15:40:51 armt guacd[4148]: Connection ID is 
"$4886636f-dd2a-455d-865a-239b95a0f4ae"
Feb 17 15:40:51 armt guacd[17756]: Security mode: TLS
Feb 17 15:40:51 armt guacd[17756]: Resize method: none
Feb 17 15:40:51 armt guacd[17756]: No clipboard line-ending normalization 
specified. Defaulting to preserving the format of all line endings.
Feb 17 15:40:51 armt server: 15:40:51.939 [http-bio-8080-exec-87] INFO  
o.a.g.tunnel.TunnelRequestService - User "guacadmin" connected to connection 
"2".
Feb 17 15:40:51 armt server: 15:40:51.939 [http-bio-8080-exec-87] INFO  
o.a.g.t.h.RestrictedGuacamoleHTTPTunnelServlet - Using HTTP tunnel (not 
WebSocket). Performance may be sub-optimal.
Feb 17 15:40:51 armt guacd[17756]: User "@eca84bdc-710e-43f6-88c0-0451531d9a14" 
joined connection "$4886636f-dd2a-455d-865a-239b95a0f4ae" (1 users now present)
Feb 17 15:40:51 armt guacd[17756]: Loading keymap "base"
Feb 17 15:40:51 armt guacd[17756]: Loading keymap "en-us-qwerty"
Feb 17 15:40:52 armt guacd[17756]: RDP server closed/refused connection: 
Security negotiation failed (wrong security type?)
Feb 17 15:40:52 armt guacd[17756]: User "@eca84bdc-710e-43f6-88c0-0451531d9a14" 
disconnected (0 users remain)
Feb 17 15:40:52 armt guacd[17756]: Last user of connection 
"$4886636f-dd2a-455d-865a-239b95a0f4ae" 

RE: Issues with RDP connections

2022-02-17 Thread Adrian Owen
> I set TLS and ignore certificate, and it could get in

Guacamole settings are ok.

From: Devine, Harry (FAA) [mailto:harry.dev...@faa.gov.INVALID]
Sent: 17 February 2022 21:11
To: user@guacamole.apache.org
Subject: RE: Issues with RDP connections

Same errors (Guac's web page says the connection is currently unreachable).  
The log shows:

Feb 17 16:09:10 armt guacd[4148]: Creating new client for protocol "rdp"
Feb 17 16:09:10 armt guacd[4148]: Connection ID is 
"$61bba758-ee0f-442d-9c99-03bb6204066d"
Feb 17 16:09:10 armt guacd[19478]: Security mode: Negotiate (ANY)
Feb 17 16:09:10 armt guacd[19478]: Resize method: none
Feb 17 16:09:10 armt guacd[19478]: No clipboard line-ending normalization 
specified. Defaulting to preserving the format of all line endings.
Feb 17 16:09:10 armt server: 16:09:10.650 [http-bio-8080-exec-89] INFO  
o.a.g.tunnel.TunnelRequestService - User "guacadmin" connected to connection 
"2".
Feb 17 16:09:10 armt server: 16:09:10.650 [http-bio-8080-exec-89] INFO  
o.a.g.t.h.RestrictedGuacamoleHTTPTunnelServlet - Using HTTP tunnel (not 
WebSocket). Performance may be sub-optimal.
Feb 17 16:09:10 armt guacd[19478]: User "@d394b5b0-4e10-47d1-a237-0d3536b5c921" 
joined connection "$61bba758-ee0f-442d-9c99-03bb6204066d" (1 users now present)
Feb 17 16:09:10 armt guacd[19478]: Loading keymap "base"
Feb 17 16:09:10 armt guacd[19478]: Loading keymap "en-us-qwerty"
Feb 17 16:09:11 armt guacd[19478]: RDP server closed/refused connection: Server 
refused connection (wrong security type?)
Feb 17 16:09:11 armt guacd[19478]: User "@d394b5b0-4e10-47d1-a237-0d3536b5c921" 
disconnected (0 users remain)
Feb 17 16:09:11 armt guacd[19478]: Last user of connection 
"$61bba758-ee0f-442d-9c99-03bb6204066d" disconnected
Feb 17 16:09:11 armt guacd[4148]: Connection 
"$61bba758-ee0f-442d-9c99-03bb6204066d" removed.
Feb 17 16:09:11 armt server: 16:09:11.387 [http-bio-8080-exec-109] INFO  
o.a.g.tunnel.TunnelRequestService - User "guacadmin" disconnected from 
connection "2". Duration: 15423 milliseconds
Feb 17 16:09:11 armt server: 16:09:11.392 [http-bio-8080-exec-109] ERROR 
o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: Connection to 
guacd timed out.

I created a new connection to another Windows server that's Windows 10, and I 
set TLS and ignore certificate, and it could get in, so what could be wrong on 
this Windows server to cause it to refuse a connection?

Thanks,
Harry

From: Adrian Owen <adrian.o...@eesm.com>
Sent: Thursday, February 17, 2022 4:08 PM
To: user@guacamole.apache.org
Subject: RE: Issues with RDP connections

security   any
ignore-cert true

Adrian

From: Devine, Harry (FAA) [mailto:harry.dev...@faa.gov.INVALID]
Sent: 17 February 2022 20:45
To: user@guacamole.apache.org
Subject: Issues with RDP connections

We are trying to get RDP connections to a Windows Server 2012 machine, and 
every time we try, it fails.  The /var/log/messages shows the following:

Feb 17 15:40:51 armt guacd[4148]: Creating new client for protocol "rdp"
Feb 17 15:40:51 armt guacd[4148]: Connection ID is 
"$4886636f-dd2a-455d-865a-239b95a0f4ae"
Feb 17 15:40:51 armt guacd[17756]: Security mode: TLS
Feb 17 15:40:51 armt guacd[17756]: Resize method: none
Feb 17 15:40:51 armt guacd[17756]: No clipboard line-ending normalization 
specified. Defaulting to preserving the format of all line endings.
Feb 17 15:40:51 armt server: 15:40:51.939 [http-bio-8080-exec-87] INFO  
o.a.g.tunnel.TunnelRequestService - User "guacadmin" connected to connection 
"2".
Feb 17 15:40:51 armt server: 15:40:51.939 [http-bio-8080-exec-87] INFO  
o.a.g.t.h.RestrictedGuacamoleHTTPTunnelServlet - Using HTTP tunnel (not 
WebSocket). Performance may be sub-optimal.
Feb 17 15:40:51 armt guacd[17756]: User "@eca84bdc-710e-43f6-88c0-0451531d9a14" 
joined connection "$4886636f-dd2a-455d-865a-239b95a0f4ae" (1 users now present)
Feb 17 15:40:51 armt guacd[17756]: Loading keymap "base"
Feb 17 15:40:51 armt guacd[17756]: Loading keymap "en-us-qwerty"
Feb 17 15:40:52 armt guacd[17756]: RDP server closed/refused connection: 
Security negotiation failed (wrong security type?)
Feb 17 15:40:52 armt guacd[17756]: User "@eca84bdc-710e-43f6-88c0-0451531d9a14" 
disconnected (0 users remain)
Feb 17 15:40:52 armt guacd[17756]: Last user of connection 
"$4886636f-dd2a-455d-865a-239b95a0f4ae" disconnected
Feb 17 15:40:52 armt guacd[4148]: Connection 
"$4886636f-dd2a-455d-865a-239b95a0f4ae" removed.
Feb 17 15:41:07 armt server: 15:41:07.343 [http-bio-8080-exec-105] INFO  
o.a.g.tunnel.TunnelRequestService - User "guacadmin" disconnected from 
connection "2". Duration: 15404 milliseconds
Feb 17 15:41:07

RE: Issues with RDP connections

2022-02-17 Thread Devine, Harry (FAA)
Same errors (Guac's web page says the connection is currently unreachable).  
The log shows:

Feb 17 16:09:10 armt guacd[4148]: Creating new client for protocol "rdp"
Feb 17 16:09:10 armt guacd[4148]: Connection ID is 
"$61bba758-ee0f-442d-9c99-03bb6204066d"
Feb 17 16:09:10 armt guacd[19478]: Security mode: Negotiate (ANY)
Feb 17 16:09:10 armt guacd[19478]: Resize method: none
Feb 17 16:09:10 armt guacd[19478]: No clipboard line-ending normalization 
specified. Defaulting to preserving the format of all line endings.
Feb 17 16:09:10 armt server: 16:09:10.650 [http-bio-8080-exec-89] INFO  
o.a.g.tunnel.TunnelRequestService - User "guacadmin" connected to connection 
"2".
Feb 17 16:09:10 armt server: 16:09:10.650 [http-bio-8080-exec-89] INFO  
o.a.g.t.h.RestrictedGuacamoleHTTPTunnelServlet - Using HTTP tunnel (not 
WebSocket). Performance may be sub-optimal.
Feb 17 16:09:10 armt guacd[19478]: User "@d394b5b0-4e10-47d1-a237-0d3536b5c921" 
joined connection "$61bba758-ee0f-442d-9c99-03bb6204066d" (1 users now present)
Feb 17 16:09:10 armt guacd[19478]: Loading keymap "base"
Feb 17 16:09:10 armt guacd[19478]: Loading keymap "en-us-qwerty"
Feb 17 16:09:11 armt guacd[19478]: RDP server closed/refused connection: Server 
refused connection (wrong security type?)
Feb 17 16:09:11 armt guacd[19478]: User "@d394b5b0-4e10-47d1-a237-0d3536b5c921" 
disconnected (0 users remain)
Feb 17 16:09:11 armt guacd[19478]: Last user of connection 
"$61bba758-ee0f-442d-9c99-03bb6204066d" disconnected
Feb 17 16:09:11 armt guacd[4148]: Connection 
"$61bba758-ee0f-442d-9c99-03bb6204066d" removed.
Feb 17 16:09:11 armt server: 16:09:11.387 [http-bio-8080-exec-109] INFO  
o.a.g.tunnel.TunnelRequestService - User "guacadmin" disconnected from 
connection "2". Duration: 15423 milliseconds
Feb 17 16:09:11 armt server: 16:09:11.392 [http-bio-8080-exec-109] ERROR 
o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: Connection to 
guacd timed out.

I created a new connection to another Windows server that's Windows 10, and I 
set TLS and ignore certificate, and it could get in, so what could be wrong on 
this Windows server to cause it to refuse a connection?

Thanks,
Harry

From: Adrian Owen 
Sent: Thursday, February 17, 2022 4:08 PM
To: user@guacamole.apache.org
Subject: RE: Issues with RDP connections

security   any
ignore-cert true

Adrian

From: Devine, Harry (FAA) [mailto:harry.dev...@faa.gov.INVALID]
Sent: 17 February 2022 20:45
To: user@guacamole.apache.org
Subject: Issues with RDP connections

We are trying to get RDP connections to a Windows Server 2012 machine, and 
every time we try, it fails.  The /var/log/messages shows the following:

Feb 17 15:40:51 armt guacd[4148]: Creating new client for protocol "rdp"
Feb 17 15:40:51 armt guacd[4148]: Connection ID is 
"$4886636f-dd2a-455d-865a-239b95a0f4ae"
Feb 17 15:40:51 armt guacd[17756]: Security mode: TLS
Feb 17 15:40:51 armt guacd[17756]: Resize method: none
Feb 17 15:40:51 armt guacd[17756]: No clipboard line-ending normalization 
specified. Defaulting to preserving the format of all line endings.
Feb 17 15:40:51 armt server: 15:40:51.939 [http-bio-8080-exec-87] INFO  
o.a.g.tunnel.TunnelRequestService - User "guacadmin" connected to connection 
"2".
Feb 17 15:40:51 armt server: 15:40:51.939 [http-bio-8080-exec-87] INFO  
o.a.g.t.h.RestrictedGuacamoleHTTPTunnelServlet - Using HTTP tunnel (not 
WebSocket). Performance may be sub-optimal.
Feb 17 15:40:51 armt guacd[17756]: User "@eca84bdc-710e-43f6-88c0-0451531d9a14" 
joined connection "$4886636f-dd2a-455d-865a-239b95a0f4ae" (1 users now present)
Feb 17 15:40:51 armt guacd[17756]: Loading keymap "base"
Feb 17 15:40:51 armt guacd[17756]: Loading keymap "en-us-qwerty"
Feb 17 15:40:52 armt guacd[17756]: RDP server closed/refused connection: 
Security negotiation failed (wrong security type?)
Feb 17 15:40:52 armt guacd[17756]: User "@eca84bdc-710e-43f6-88c0-0451531d9a14" 
disconnected (0 users remain)
Feb 17 15:40:52 armt guacd[17756]: Last user of connection 
"$4886636f-dd2a-455d-865a-239b95a0f4ae" disconnected
Feb 17 15:40:52 armt guacd[4148]: Connection 
"$4886636f-dd2a-455d-865a-239b95a0f4ae" removed.
Feb 17 15:41:07 armt server: 15:41:07.343 [http-bio-8080-exec-105] INFO  
o.a.g.tunnel.TunnelRequestService - User "guacadmin" disconnected from 
connection "2". Duration: 15404 milliseconds
Feb 17 15:41:07 armt server: 15:41:07.348 [http-bio-8080-exec-105] ERROR 
o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: Connection to 
guacd timed out.

We have tried all possible values in the connection's Security Mode, as well 
as having "Ignore Server Certificate" checked and unchecked, and it simply 
won't co

RE: Issues with RDP connections

2022-02-17 Thread Adrian Owen
security   any
ignore-cert true

Adrian

From: Devine, Harry (FAA) [mailto:harry.dev...@faa.gov.INVALID]
Sent: 17 February 2022 20:45
To: user@guacamole.apache.org
Subject: Issues with RDP connections

We are trying to get RDP connections to a Windows Server 2012 machine, and 
every time we try, it fails.  The /var/log/messages shows the following:

Feb 17 15:40:51 armt guacd[4148]: Creating new client for protocol "rdp"
Feb 17 15:40:51 armt guacd[4148]: Connection ID is 
"$4886636f-dd2a-455d-865a-239b95a0f4ae"
Feb 17 15:40:51 armt guacd[17756]: Security mode: TLS
Feb 17 15:40:51 armt guacd[17756]: Resize method: none
Feb 17 15:40:51 armt guacd[17756]: No clipboard line-ending normalization 
specified. Defaulting to preserving the format of all line endings.
Feb 17 15:40:51 armt server: 15:40:51.939 [http-bio-8080-exec-87] INFO  
o.a.g.tunnel.TunnelRequestService - User "guacadmin" connected to connection 
"2".
Feb 17 15:40:51 armt server: 15:40:51.939 [http-bio-8080-exec-87] INFO  
o.a.g.t.h.RestrictedGuacamoleHTTPTunnelServlet - Using HTTP tunnel (not 
WebSocket). Performance may be sub-optimal.
Feb 17 15:40:51 armt guacd[17756]: User "@eca84bdc-710e-43f6-88c0-0451531d9a14" 
joined connection "$4886636f-dd2a-455d-865a-239b95a0f4ae" (1 users now present)
Feb 17 15:40:51 armt guacd[17756]: Loading keymap "base"
Feb 17 15:40:51 armt guacd[17756]: Loading keymap "en-us-qwerty"
Feb 17 15:40:52 armt guacd[17756]: RDP server closed/refused connection: 
Security negotiation failed (wrong security type?)
Feb 17 15:40:52 armt guacd[17756]: User "@eca84bdc-710e-43f6-88c0-0451531d9a14" 
disconnected (0 users remain)
Feb 17 15:40:52 armt guacd[17756]: Last user of connection 
"$4886636f-dd2a-455d-865a-239b95a0f4ae" disconnected
Feb 17 15:40:52 armt guacd[4148]: Connection 
"$4886636f-dd2a-455d-865a-239b95a0f4ae" removed.
Feb 17 15:41:07 armt server: 15:41:07.343 [http-bio-8080-exec-105] INFO  
o.a.g.tunnel.TunnelRequestService - User "guacadmin" disconnected from 
connection "2". Duration: 15404 milliseconds
Feb 17 15:41:07 armt server: 15:41:07.348 [http-bio-8080-exec-105] ERROR 
o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: Connection to 
guacd timed out.

We have tried all possible values in the connection's Security Mode, as well 
as having "Ignore Server Certificate" checked and unchecked, and it simply 
won't connect.  How can we get this working?  This is a high-security item for 
a client of ours and they have to have connectivity to these machines restored 
asap.

Thanks,
Harry

Harry Devine
Secure-OSE System Administrator
Red Hat Certified System Administrator (RHCSA)
Work: (609) 485-4218
FAA Cell:  (609) 612-7274